Updated NIST Compliance Requirements Are Looming
Federal security regulation, like much of the federal government, is in the midst of yet another new period of transition. Part of the change comes from the presidential handoff to an administration with a distinctly different agenda from its predecessor, but the real driver has been the failure of some government agencies to protect highly sensitive data.
The data breach at the Office of Personnel Management, among the most substantial security failures in recent history, was believed to originate from a breach of KeyPoint Government Solutions, a third-party federal contractor used by federal agencies to conduct background checks. The breach allowed hackers to access credentials needed to gain entry to the system with sensitive employee data held by the Office of Personnel Management, according to former OPM Director Katherine Archuleta.
In the aftermath of this and other major security breaches, the Department of Defense (DoD) introduced new compliance requirements for contractors that are designed to hold them accountable for implementation of security controls.
A revision to the Defense Federal Acquisition Regulation Supplement (DFARS) that governs DoD procurement practices now requires contractors to meet security standards defined under the NIST Special Publication (SP) 800-171r1 by Dec. 31, 2017.
Initially derived from NIST SP 800-53, the revised SP 800-171r1 contains a total of 109 compliance controls in 14 security control families. Among these, several controls stand out as potential obstacles for DoD contractors. Three requirements may prove particularly challenging.
- Continuous Monitoring: At first glance, NIST SP 800-171r1 does not appear to require continuous monitoring, since no single control names it. However, at least 10 controls clearly depend on ongoing monitoring and investigation of system activity. Contractors who overlook the need for monitoring and knowledge-management capabilities will struggle to comply with these controls. One option, particularly for contractors with limited internal security infrastructure, would be to outsource monitoring to a managed security
- Incident Response and Reporting: Contractors are required to report any incident that may result in a compromise of an information system. If evidence of a potential compromise surfaces, the contractor must review the evidence and report the review findings to the DoD within 72 hours. Complying with the reporting requirement necessitates a well-defined plan as well as ongoing, efficient execution. Enlisting an experienced security consultant to help develop tailored incident response plans or provide managed security services to deliver dynamic, outsourced incident response capabilities may be a viable option for contractors.
- Encryption: DFARS compliance will oblige contractors to encrypt data at rest using FIPS-validated cryptography and to manage cryptographic keys securely. Organizations often believe their data is encrypted, only to discover flaws in how the encryption was designed or deployed; these can be overcome with expert third-party support.
These controls represent only a small portion of the full NIST 800-171r1 requirements, but they offer a glimpse of the amount of work organizations may have to take on in the coming months.