NIST Requirements: What Contractors Should Know - SureID Blog
single,single-post,postid-1811,single-format-standard,eltd-core-1.0,flow-ver-1.3.1,,eltd-smooth-page-transitions,ajax,eltd-grid-1480,eltd-blog-installed,page-template-blog-standard,eltd-header-type2,eltd-sticky-header-on-scroll-down-up,eltd-default-mobile-header,eltd-sticky-up-mobile-header,eltd-menu-item-first-level-bg-color,eltd-dropdown-default,eltd-light-header,wpb-js-composer js-comp-ver-,vc_responsive
SureID Blog / Company Updates  / NIST Requirements: What Contractors Should Know

NIST Requirements: What Contractors Should Know

Hackers are getting smarter every day. Cyber threats and security breaches have progressed to the point where passwords are no longer viable. This makes organizations vulnerable to sophisticated phishing attempts and other targeted attacks. That is why the federal government now requires all contractors to comply with NIST SP 800-171 guidelines for multi-factor authentication—or risk losing their contracts.

NIST SP 800-171 guidelines comprise 14 “Security Requirement Families” that include minimum standards and best practices.

As “minimum” standards, they attempt to set the base against which efforts and requirements are made. What follows is a brief overview of the requirements contractors need to employ to meet each of the standards:

  1. Access Control
  • Limit information system access to authorized users
  • Separate the duties of individuals to reduce the risk of malevolent collusion
  • Limit unsuccessful login attempts
  • Require encryption and authentication of various devices (including mobile devices), and route remote access through managed access control points
  1. Awareness and Training
  • Educate managers, systems administrators and users about security risks associated with their activities and applicable policies, standards and procedures
  • Provide security awareness training on recognizing and reporting potential indicators of insider threat
  1. Audit and Accountability
  • Use automated mechanisms to integrate and correlate audit and reporting processes
  • Support on-demand analysis and reporting
  1. Configuration Management
  • Limit the types of programs users can install
  • Control and monitor all user-installed software
  1. Identification and Authentication
  • Prevent reuse of identifiers for a defined period
  • Disable identifiers after a defined period of inactivity
  • Enforce minimum password complexity, i.e., “smart passwords”
  1. Incident Response
  • Develop and test an incident response plan
  1. Maintenance
  • Ensure equipment removed off-site is sanitized of any UCTI
  • Require multifactor authentication to establish nonlocal maintenance sessions
  1. Media Protection
  • Protect (i.e., physically control and securely store) information system media (paper and digital) containing UCTI
  • Sanitize or destroy information system media containing UCTI before disposal or release for reuse
  1. Personnel Security
  • Screen individuals prior to authorizing access to systems containing UCTI
  1. Physical Protection
  • Maintain audit logs of physical access
  • Control and manage physical access devices
  1. Risk Assessment
  • Scan for and remediate vulnerabilities in the information system and applications
  1. Security Assessment
  • Periodically assess and monitor the security controls for effectiveness in their applications
  • Develop and implement plans of action designed to correct deficiencies and reduce/eliminate vulnerabilities
  1. System and Communications Protection
  • Separate user functionality from information system management functionality
  • Implement cryptographic mechanisms to prevent unauthorized disclosure of UCTI during transmission
  • Control and monitor the use of Voice over Internet Protocol technologies
  1. System and Information Integrity
  • Update malicious code protection mechanisms when new releases are available
  • Identify unauthorized use of the information system

In the coming weeks, we’ll take a closer look at each of these requirements so contractors are ready when the NIST mandate takes effect next year.

No Comments

Post a Comment