NIST Compliance

LBMC Cybersecurity has been in the IT security and compliance business for over 20 years. During that time we have built extensive experience with FISMA/NIST 800-53, and we have now extended that expertise to NIST 800-171 certification. All non-federal agencies that access Controlled Unclassified Information (CUI) and DoD Covered Defense Information require 800-171 certification.

Steps for Conducting a NIST Assessment

To ensure our clients maintain a compliant status and a strong control environment, LBMC performs our NIST assessments using the following steps:

  • Kickoff Call - discuss contract logistics, validate the controls to be tested, confirm the on-site schedule, review the evidence request process, and answer any pre-engagement questions
  • Documentation Review
  • Interviews with the owners responsible for the control implementations to gain an understanding of the current processing environment.
  • Performance testing of the NIST-prescribed controls and a site walkthrough.
  • Audit report debrief and issuance of the final audit report

Does My Business Need to Comply with NIST?

If you are like the thousands of other government contractors struggling to understand compliance and how many resources it will take to become compliant, know that you are not alone! Don't worry; chances are you are already largely in compliance.

Cybersecurity breaches are a common threat that seems almost normal in this day and age. However, our government, along with NIST's security expertise, continues to seek more secure and effective ways to protect our data. When determining the level of information security an organization should implement, the risk of your data being compromised should be the driving factor. Less-obvious, lower risk organizations are targets for the theft of confidential government information, and the federal government is now taking additional measures to protect their security.

A primary target for hackers are non-federal organizations that have access to federal data including citizens' higher education, tax, and healthcare records. This type of information is of high value to malicious users looking to either directly exfiltrate this information or establish a foothold as a jumping off point to larger federal agency targets. Additional organizations of interest are higher learning institutions that leverage government data for research, development, and/or government grants. Although data in transit must be protected under federal encryption requirements, the larger question that comes to mind is: what controls should be in place to also protect the data once it reaches the intended recipient? This is where NIST 800-171 comes into play. This standard was implemented to help fill the gaps of protecting Controlled Unclassified Information (CUI) on non-federal information systems.

CUI is defined as "information that law, regulation, or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended (Executive Order 13556)." So what does this long and complicated government definition actually mean?

If you are a government-backed contractor, for example, that has access to federal information systems or government data that isn't labeled as classified, or a university that uses Medicare data for statistical research, you may have access to CUI as part of your contract and are therefore obligated to protect it. Any contractor that supports federal information systems and has access to CUI is potentially impacted by NIST SP 800-171, and CUI is not necessarily limited to raw data records. It also applies to data collected, stored, and recorded in support of federal information systems. This includes project management, technical writing, system development, and consulting.

Differences Between NIST 800-171 and NIST 800-53

At a high level, the NIST SP 800-53 security standard is intended for internal use by the Federal Government and contains controls that often do not apply to a contractor’s internal information system. NIST SP 800-53 provides federal organizations with the top-level requirements and is more specific to providing security and privacy controls for federal information systems and organizations.

On the other hand, NIST SP 800-171 applies to internal contractor information systems and provides a standardized set of requirements for all CUI security needs, allowing non-federal organizations to follow statutory and regulatory requirements by consistently implementing CUI safeguards. Additionally, many of the NIST SP 800-171 controls are about general best security practices for policy, process, and secure IT configuration, meaning that in many ways NIST SP 800-171 is viewed as less complicated and easier to understand than its NIST SP 800-53 counterpart.

NIST SP 800-171 is unique in that it is tailored to eliminate FIPS 200 and NIST SP 800-53 requirements that are:

  1. specific to government-owned systems,
  2. not related to CUI, or
  3. expected to be satisfied without specification (i.e., policy and procedure controls).

NIST SP 800-171 includes just over a hundred controls broken across 14 control families and is more concise in nature, making implementation less complex for non-federal organizations.

One of the unique characteristics of NIST SP 800-171 is the flexibility non-federal organizations have in defining how requirements are implemented. These requirements do not mandate any specific technical solution, and they allow contractors, if they choose, to use their existing systems to protect information rather than trying to adopt government-specific methods. This is great news for organizations that already have existing mature systems and will likely mean that they will not have to "rip and replace" their existing security program.

Security requirements in NIST SP 800-171 are designed to protect CUI residing in contractor information systems while generally reducing the burden placed on contractors to maintain federal-centric processes and requirements. Compliance with NIST SP 800-171 should be viewed as an opportunity to be good stewards of government data as well as an opportunity for these organizations to compete for federal opportunities that others may not qualify for.


Not All NIST Reports Are Created Equal

Our team members have extensive experience on your side of the desk in a variety of industries with security and compliance mandates. This client-side experience means that we understand how data moves between a user entity’s network and its service organizations. We help you achieve compliance while providing the insights your leaders and stakeholders need to make better business decisions.

Whether you are just beginning your NIST certification or have been maintaining compliance for years with another vendor, LBMC Cybersecurity can help you maintain NIST compliance in a complex environment.

Executive team

Drew Hendrickson
Shareholder & Cybersecurity Practice Leader, Nashville

Bill Dean
Shareholder, Cybersecurity, Knoxville

Stewart Fey
Shareholder, Cybersecurity, Nashville