NIST Compliance

LBMC Cybersecurity has been in the IT security and compliance business for over 20 years. During that time, we have amassed considerable experience with FISMA/NIST 800-53. Now we have extended that expertise to NIST 800-171 certification. All non-federal agencies that access Controlled Unclassified Information (CUI) and DoD Covered Defense Information require 800-171 certification.

Steps to Conduct a NIST Assessment

To ensure that our clients maintain a compliant state and a strong control environment, LBMC performs its NIST assessments using the following steps:

  • Kickoff call – To discuss engagement logistics, verify controls to be tested, confirm onsite scheduling, review evidence request processes, and answer any pre-engagement questions
  • Document review
  • Interviews with individuals responsible for the control implementations to gain an understanding of the current processing environment
  • Conduct a performance review audit of NIST-specified controls and an onsite walk-around
  • Debrief and issuance of the final audit report

Does my business need NIST compliance?

If you are like the thousands of other government contractors struggling to understand compliance and how many resources it will take to become compliant, know that you are not alone!  Don’t worry, odds are you are already in compliance to a large degree.

Cybersecurity breaches are a common threat that seems almost normal in this day and age. However, the federal government, along with the security expertise of NIST, continues to seek more secure and efficient ways to safeguard our data. When determining the level of information security your organization should implement, the risk of your data being compromised should be the driving factor. Less obviously, lower-risk organizations are also targets for the theft of confidential government information, and the federal government is now taking additional steps to safeguard its security.

A primary target for hackers is non-federal organizations that have access to federal data, including citizens’ higher education, tax, and medical records. This type of information is of high value to malicious users looking either to directly exfiltrate it or to establish a foothold as a jumping-off point to larger federal agency targets. Additional organizations of interest are higher learning institutions that leverage government data for research, development, and/or government grants. Although data in transit must be protected per federal encryption requirements, the larger question that comes to mind is: what controls should be in place to also protect the data once it reaches the intended recipient? That is where NIST 800-171 becomes relevant. This standard was implemented to help fill the gaps in protecting Controlled Unclassified Information (CUI) on non-federal information systems.

CUI is defined as “information that law, regulation, or government-wide policy requires safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended” (Executive Order 13556). So what does this long and complex government definition really mean?

If you are a government support contractor, for example, that has access to federal information systems or government data that isn’t labeled as classified, or a university using Medicare data for statistical research, you may have access to CUI as part of your contract and are therefore obligated to protect it. Any contractor that supports federal information systems and has access to CUI is potentially impacted by NIST SP 800-171, and CUI isn’t necessarily limited to raw data records. It also applies to data that is collected, stored, and documented in support of a federal information system. This includes project management, technical writing, system development, and consulting.

The Differences between NIST 800-171 and NIST 800-53

At a high level, the NIST SP 800-53 security standard is intended for internal use by the Federal Government and contains controls that often do not apply to a contractor’s internal information system. NIST SP 800-53 provides federal organizations with the top-level requirements and is more specific to providing security and privacy controls for federal information systems and organizations.

On the other hand, NIST SP 800-171 applies to internal contractor information systems and provides a standardized set of requirements for all CUI security needs, allowing non-federal organizations to meet statutory and regulatory requirements by consistently implementing CUI safeguards. Additionally, many of the NIST SP 800-171 controls are about general security best practices for policy, process, and configuring IT securely, which is why, in many regards, NIST SP 800-171 is viewed as less complicated and easier to understand than its NIST SP 800-53 counterpart.

NIST SP 800-171 is unique in that it is tailored to eliminate FIPS 200 and NIST SP 800-53 requirements that are:

  1. specific to government-owned systems
  2. unrelated to CUI, or
  3. expected to be satisfied without specifications (i.e., policy and procedure controls).

NIST SP 800-171 includes just over a hundred controls broken across 14 control families and is more concise in nature, making it less complex to implement for non-federal organizations.

One of the unique characteristics of NIST SP 800-171 is the flexibility non-federal organizations have in defining how requirements are implemented. The requirements do not mandate any particular technological solutions, allowing contractors, if they choose, to protect information using the systems they already have in place, rather than trying to use government-specific approaches. This is great news for organizations that already have mature systems in place and will likely mean that they will not have to “rip and replace” their existing security program.

Security requirements in NIST SP 800-171 are designed to protect CUI residing in contractor information systems while generally reducing the burden placed on contractors to maintain federal-centric processes and requirements. Compliance with NIST SP 800-171 should be viewed as an opportunity to be good stewards of government data as well as an opportunity for these organizations to compete for federal opportunities that others may not qualify for.


All NIST Reports are not Created Equal

Our team members have extensive experience on your side of the desk in a variety of industries with security and compliance mandates. This client-side experience means that we understand how data moves between a user entity’s network and its service organizations. We help you achieve compliance while providing the insights your leaders and stakeholders need to make better business decisions.

Whether you are just getting started with NIST certification or have been navigating regulations for years with another provider, LBMC Cybersecurity can help you maintain NIST compliance in a complex landscape.
