NIST SP 800-171 Compliance
This blog introduces a fourteen piece series intended to describe how Ascolta Greenfield environments achieve National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Revision 1, Protecting Controlled Unclassified Information in Non-federal Systems,compliance.
People, Process and Technology
📷Implementing an effective security program requires a balanced application of security control measures covering aspects of the people that use the system, the processes and policies that govern the system, and the technology that is the system. The Greenfield environment provides coverage for the technology-based controls to the greatest extent possible, and relies on clients for minor configuration settings and adherence to policies to ensure continued compliance. For the people and process controls, Greenfield relies almost exclusively on the customers organization and behavior, and provides easy to follow and implement templates and instructions on how to implement these controls.
Where'd did the Controls come from?
From NIST SP 800-1717, the security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) in non-federal systems and organizations has a well-defined structure that consists of basic and derived security requirements. The basic security requirements are obtained from Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems, which provides high-level and fundamental security requirements for federal information and systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST SP 800-53A Revision 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans. Starting with the FIPS Publication 200 security requirements and the security controls in the moderate baseline, the requirements and controls were tailored to eliminate requirements, controls, or parts of controls that are:Uniquely federal (i.e., primarily the responsibility of the federal government);Not directly related to protecting the confidentiality of CUI; orExpected to be routinely satisfied by non-federal organizations without specification.The combination of the basic and derived security requirements captures the intent of FIPS Publication 200 and NIST Special Publication 800-53, with respect to the protection of the confidentiality of CUI in non-federal systems and organizations.
So what are the controls?
There are fourteen families of security controls in NIST SP 800-171. In the coming blog posts we'll provide insight on how Greenfield insures compliance with each of the 110 controls that make up the fourteen families. The table below lists the families, and as blogs are added will link to each.
Control FamiliesAccess ControlMedia ProtectionAwareness and TrainingPersonnel SecurityAudit and AccountabilityPhysical ProtectionConfiguration ManagementRisk AssessmentIdentification and AuthenticationSecurity AssessmentIncident ResponseSystem and Communications ProtectionMaintenanceSystem and Information Integrity📷
Security practitioners more familiar with the NIST SP 800-53A controls that provide measures to protect the Confidentiality, Integrity and Availability of information may be asking where's the rest of the story? The focus of NIST SP 800-171 is on protecting CUI, therefore the controls focus almost exclusively on confidentiality. However, the Greenfield system utilizes the controls and guidance from 800-53 to build our system and is striving towards full 800-53 compliance. For more information on Greenfield, or to contact a sales rep please visit our web page at ascolta.com.