NIST合规

确保明升体育app下载客户保持合规状态和强大的控制环境, LBMC使用以下步骤执行明升体育app下载NIST评估:

• 开始叫 -讨论合同后勤, 验证要测试的控件, 确认现场日程安排, 审查证据请求流程, 并回答任何参与前的问题
• 文档评审
• 与责任人的面谈 for the control implementations to gain an understanding of the current 过程ing environment.
• 进行绩效审核 NIST规定的控制和现场巡视.
• 听取审计报告并出具最终审计报告

If you are like the thousands of other government contractors struggling to understand compliance and how many resources it will take to become compliant, 要知道你并不孤单!  别担心，很可能你已经在很大程度上遵守了规则.

网络安全 breaches are a common threat that seems almost normal in this day and age.  然而, 明升体育app下载政府, 以及NIST的安全专业知识, 继续寻求更安全和有效的方法来保护明升体育app下载数据. 在确定组织应实现的信息安全级别时, 您的数据被泄露的风险应该是驱动因素.  不那么显而易见的, lower risk organizations are targets for the theft of confidential government information, 联邦政府现在正在采取额外的措施来保护他们的安全.

A primary target for hackers are non-federal organizations that have access to federal data including citizen’s higher education, 税, 还有医疗记录. This type of information is of high value to malicious users looking to either directly exfiltrate this information or establish a foothold as a jumping off point to larger federal agency targets.  Additional organizations of interest are higher learning institutions that leverage government data for research, 发展, 和/或政府补助.  尽管传输中的数据必须受到联邦加密要求的保护, the larger question that comes to mind is – What controls should be in place to also protect the data once it reaches the intended recipient?  这就是NIST 800 - 171发挥作用的地方. This standard was implemented to help fill the gaps of protecting Controlled Unclassified Information (CUI) on non-federal information systems.

CUI被定义为“信息即法律”, 监管, 或者政府范围内的政策要求保护或传播控制, 不包括根据13526号行政命令分类的信息, 国家安全机密信息, 十二月二十九日, 或者任何前驱或后继顺序, 或者1954年的原子能法案, 经修订(第13556号行政命令)".  那么，这个冗长而复杂的政府定义到底是什么意思呢?

如果你是政府支持的承包商, 例如, that has access to federal information systems or government data that isn’t labeled as classified, 或者是使用医疗保险数据进行统计研究的大学, you may have access to CUI as part of your contract and therefore obligated to protect it.  Any contractor that supports federal information systems and has access to CUI is potentially impacted by NIST SP 800-171, CUI并不一定局限于原始数据记录. 它也适用于收集的数据, 存储, 并记录在联邦信息系统的支持下. This includes project management, technical writing, system 发展, and consulting.

在高水平上, the NIST SP 800-53 security standard is intended for internal use by the Federal 政府 and contains controls that often do not apply to a contractor’s internal information system. NIST SP 800-53 provides federal organizations with the top-level requirements and is more specific to providing security and privacy controls for federal information systems and organizations.

另一方面, NIST SP 800-171 applies to internal contractor information systems and provides a standardized set of requirements for all CUI security needs to allow non-federal organizations to follow statutory and regulatory requirements by consistently implementing CUI safeguards. 另外, many of the NIST SP 800-171 controls are about general best security practices for policy, 过程, 安全配置IT, 这意味着在很多方面, NIST SP 800-171 is viewed as less complicated and easier to understand than its NIST SP 800-53 counterpart.

NIST SP 800-171 is unique in that it is tailored to eliminate FIPS 200 and NIST SP 800-53 requirements that are:

1. 具体到政府拥有的系统
2. 与CUI无关，或
3. 期望在没有规格说明的情况下得到满足(i.e.、政策及程序控制).

NIST SP 800-171 includes just over a hundred controls broken across 14 control families and is more concise in nature, 使非联邦组织的实现不那么复杂.

One of the unique characteristics of the NIST SP 800-171 is the flexibility non-federal organizations have in defining how requirements are implemented. 这些需求并不强制要求任何特定的技术解决方案, 允许承包商, 如果他们选择, 使用他们现有的系统来保护信息, 而不是试图使用政府特定的方法. This is great news for organizations that already have existing mature systems and will likely mean that they will not have to “rip and replace” their existing security program.

Security requirements in NIST SP 800-171 are designed to protect CUI residing in contractor information systems while generally reducing the burden placed on contractors to maintain federal-centric 过程es and requirements.  合规 with NIST SP 800-171 should be viewed as an opportunity to be good stewards of government data as well as an opportunity for these organizations to compete for federal opportunities that others may not qualify for.