The federal government places a strong emphasis on compliance with standards published by the National Institute of Standards and Technology (NIST), not only by government agencies but also by many of their contractors and subcontractors. The reasons for compliance are vast: securing an organization’s infrastructure, protecting sensitive data, governing information exchange, and building a foundation for compliance with other federal regulations.
NIST compliance is vital for any non-federal organization in Washington DC that handles, transmits, or processes controlled unclassified information (CUI). One of the most important documents related to CUI, and one with which you should be familiar, is NIST Special Publication (SP) 800-171, Revision 1, which sets out the requirements for protecting CUI.
What can I do to become NIST compliant?
The idea of compliance, however, can seem nebulous and even unattainable, especially when you are dealing with more than 100 information security requirements. While it is true that being NIST compliant in Washington DC is an ongoing process that requires continual evaluation, management, and implementation of security controls, organizations can begin the process by taking a few tangible, focused steps.
1. Do a full assessment
After becoming familiar with NIST SP 800-171, take a hard look at your organization’s systems, including hardware and software; environments; and information exchange procedures. Evaluate these items against the applicable NIST requirements and use a variety of tools, including subject matter expert interviews, to assess current compliance. Keep in mind that the network systems regularly used with CUI include email; file sharing and collaboration platforms; enterprise content management platforms; FTP; storage systems located on premises or in the cloud; and employee endpoints, including smartphones, laptops, and tablets. As you complete this assessment, document the findings in a structured template to standardize the process and keep all team members on the same page. This also gives you a reliable record of your organization’s compliance strategy.
2. Locate and classify data
Another manageable task you can undertake as an organization is identifying the systems within your network that hold CUI, according to an article by Federal Computer Week. The locations of such data could include local storage, cloud storage, endpoints, and portable hard drives. You also will need to identify which of your contracts must comply with NIST requirements, as well as categorize which specific files fall under CUI. Separate them from data that does not qualify. Having your contracts and data categorized in this way can help your organization demonstrate NIST compliance in the event of an audit, according to Federal Computer Week.
3. Encrypt data as necessary
Whether CUI is being stored or transmitted, it should be encrypted. This instruction is repeated throughout NIST 800-171 because it is critically important to give your organization more control over CUI, as well as over the systems both holding and sending the data. When the data is at rest, it should be secured with FIPS-validated encryption. The best part of encrypting all CUI is that doing so enables compliance and adds an extra layer of security without hindering the ability of authorized users to access or share files through familiar systems such as email, FTP, and more secure file-sharing services.
4. Implement training for staff
Employees within your organization need to be educated on the best practices for secure information governance and exchange. This training should not merely take place during the onboarding process but also be conducted periodically among existing employees, especially with new cyber-security threats regularly surfacing. As a result of this training, employees should be able to identify external threats and insider threats—including suspicious emails, unsanctioned technology, and unauthorized parties downloading CUI onto external storage devices. They also should be made fully aware of the security risks associated with their day-to-day activities and responsibilities.
5. Limit and monitor use
Generally, not all employees do or should have the same level of access to CUI. You can implement controls that prevent anyone other than authorized employees from viewing, sharing, and downloading files containing sensitive data. Federal Computer Week also advises setting expiration dates on any folders and files that contain CUI, which helps prevent people from unnecessarily accessing the sensitive information after it is no longer being used for a project. In a similar vein, non-government organizations and contractors need to stay on top of who is accessing CUI, as well as how they are using the data. You can implement methods for tracking information exchange and tracing the actions of individual users. By tracking activity, you can not only hold users accountable and pinpoint when and where they interacted with the data, but also detect anomalies when they occur.
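To make the "limit and monitor" step concrete, here is an added example (not code from the article or from Federal Computer Week) that audits constructed CUI access-log records against an authorization list with per-file expiration dates, flagging access by unauthorized users and access after a file's expiration. The file names, user names, policy, and log format are all assumptions made for the example.

```python
"""Audit CUI file-access records against an access policy with expiration dates."""
from datetime import date

# Constructed sample policy (assumption, not from the article): which employees
# may access each CUI file, and the date after which project access should end.
CUI_ACCESS_POLICY = {
    "contract-A/specs.docx": {"allowed": {"alice", "bob"}, "expires": date(2024, 6, 30)},
    "contract-B/drawings.pdf": {"allowed": {"carol"}, "expires": date(2024, 12, 31)},
}

# Constructed access-log lines in the format: date,user,action,file
SAMPLE_LOG = """\
2024-05-01,alice,view,contract-A/specs.docx
2024-05-02,dave,download,contract-A/specs.docx
2024-07-15,bob,share,contract-A/specs.docx
2024-05-03,carol,view,contract-B/drawings.pdf
2024-05-04,carol,download,other/public-brochure.pdf
"""


def parse_log(text):
    """Parse comma-separated access records into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        day, user, action, path = line.split(",", 3)
        records.append({"date": date.fromisoformat(day), "user": user,
                        "action": action, "file": path})
    return records


def audit(records, policy):
    """Return (user, file, reason) for every record that violates the policy.

    Files not listed in the policy are treated as non-CUI and skipped.
    """
    findings = []
    for r in records:
        rule = policy.get(r["file"])
        if rule is None:
            continue
        if r["user"] not in rule["allowed"]:
            findings.append((r["user"], r["file"], "unauthorized user"))
        elif r["date"] > rule["expires"]:
            findings.append((r["user"], r["file"], "access after expiration"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_log(SAMPLE_LOG), CUI_ACCESS_POLICY):
        print(*finding)
```

In practice the policy would come from your data classification inventory (step 2) and the records from your file-sharing or content-management platform's audit logs.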
Complying with NIST standards and guidelines may not be an easy task, but it is vital. Not only are organizations required to be NIST compliant for the sake of their government contracts or projects, but they also have a responsibility to adhere to best practices for information exchange and so contribute to the security of CUI. Breaking the process down into steps or phases can help organizations with assessment, implementing controls, encrypting data, training staff, and many other responsibilities. Organizations also benefit by working with firms that provide managed IT services, consulting, and other solutions. Such firms have extensive knowledge of and experience in helping organizations become NIST compliant in Washington DC and can take your organization’s compliance strategy to the next level.