I worked in health care around the time HIPAA compliance became a thing. It was a tense time, and the reality is that very few people read the compliance guidance or the audit protocol to actually understand what was being asked of them.
I recall several heated meetings with upper management where I (the organization's compliance manager) started explaining the details of the requirement to them, and they simply couldn't process the expense and workload associated with it.
I have noticed a very similar pattern with DFARS / NIST as the manufacturing world has been coming around to the idea that they "must" now treat their information systems like federal systems if they are working with controlled unclassified information (CUI).
The experience has been almost an analog of HIPAA, wherein the advice given by the companies trying to make money off the whole deal is that you only need a POAM and an SSP to be compliant.
The reality, though, is that this is 100% wrong, and companies that heed that advice are really setting themselves up for failure.
To illustrate what I mean, we will take a look at one security requirement of NIST 800-171, and I will show you that you need more documentation, policies, and procedures than you have been told by your paid professionals. I will then give you the reason why you are not being told you need that additional documentation, policies, and procedures. Then I will explain what you can do internally to safeguard your business from the audits that have started.
So here we go: let's take a look at NIST 800-171 3.4.1, Baseline Configurations.
3.4.1 Reads "Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles."
This all seems pretty straightforward. Build a baseline for hardware, software, firmware, and documentation. But it isn't that simple.
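To make the "establish and maintain" part of 3.4.1 concrete, here is an added example (not code from the original post or from NIST) of what the technical half of that control looks like in practice: an approved baseline covering all four categories the control names, a current snapshot, and a drift check between them. Every asset id, model, version and build-sheet reference below is constructed sample data, and the snapshot dictionaries stand in for whatever collection tooling an organization actually uses; the point is that documentation is tracked as part of the baseline alongside hardware, software, and firmware, and that the baseline itself gets a fingerprint you can record in the SSP and re-verify at audit time.

```python
"""Baseline configuration inventory and drift check (added example).

Assumes inventory snapshots are dictionaries keyed by asset id, one per
category (hardware, software, firmware, documentation). All records here
are constructed sample data, not real assets.
"""
import hashlib
import json

CATEGORIES = ("hardware", "software", "firmware", "documentation")

# Constructed baseline: the approved configuration as documented and signed off.
BASELINE = {
    "hardware": {
        "wks-001": {"model": "Latitude-7420", "serial": "SN-EXAMPLE-001", "tpm": "2.0"},
        "srv-001": {"model": "R740", "serial": "SN-EXAMPLE-002", "tpm": "2.0"},
    },
    "software": {
        "wks-001": {"os": "Windows 10 21H2", "openssl": "1.1.1k"},
        "srv-001": {"os": "Ubuntu 20.04", "openssl": "1.1.1f"},
    },
    "firmware": {
        "wks-001": {"bios": "1.14.0"},
        "srv-001": {"bios": "2.10.2", "idrac": "5.00.00.00"},
    },
    "documentation": {
        "wks-001": {"build_sheet": "BS-WKS-v3"},
        "srv-001": {"build_sheet": "BS-SRV-v7"},
    },
}

# Constructed current snapshot containing several distinct kinds of drift.
CURRENT = {
    "hardware": {
        "wks-001": {"model": "Latitude-7420", "serial": "SN-EXAMPLE-001", "tpm": "2.0"},
        "srv-001": {"model": "R740", "serial": "SN-EXAMPLE-002", "tpm": "2.0"},
        "wks-099": {"model": "Unknown", "serial": "SN-EXAMPLE-099", "tpm": "none"},  # asset never approved
    },
    "software": {
        "wks-001": {"os": "Windows 10 21H2", "openssl": "1.1.1k", "anydesk": "7.0"},  # package not in baseline
        "srv-001": {"os": "Ubuntu 20.04", "openssl": "1.1.1f"},
    },
    "firmware": {
        "wks-001": {"bios": "1.12.0"},  # firmware rolled back from the approved version
        "srv-001": {"bios": "2.10.2", "idrac": "5.00.00.00"},
    },
    "documentation": {
        "wks-001": {"build_sheet": "BS-WKS-v3"},
        # srv-001 build sheet is gone: documentation is part of the baseline too
    },
}


def fingerprint(inventory):
    """SHA-256 over canonical JSON, so an approved baseline can be recorded and re-verified."""
    canonical = json.dumps(inventory, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()


def diff_inventory(baseline, current):
    """Return a list of (category, asset, item, finding) tuples describing drift.

    Order is deterministic: categories in CATEGORIES order, assets and items sorted.
    """
    findings = []
    for cat in CATEGORIES:
        base_assets = baseline.get(cat, {})
        cur_assets = current.get(cat, {})
        for asset in sorted(set(base_assets) | set(cur_assets)):
            if asset not in base_assets:
                findings.append((cat, asset, "*", "asset not in baseline"))
                continue
            if asset not in cur_assets:
                findings.append((cat, asset, "*", "asset missing from current snapshot"))
                continue
            base_items, cur_items = base_assets[asset], cur_assets[asset]
            for item in sorted(set(base_items) | set(cur_items)):
                if item not in base_items:
                    findings.append((cat, asset, item, f"unapproved item {cur_items[item]!r}"))
                elif item not in cur_items:
                    findings.append((cat, asset, item, "baseline item missing"))
                elif base_items[item] != cur_items[item]:
                    findings.append((cat, asset, item,
                                     f"changed {base_items[item]!r} -> {cur_items[item]!r}"))
    return findings


def report(baseline, current):
    """Human-readable drift report plus a boolean usable as an audit or CI gate."""
    findings = diff_inventory(baseline, current)
    lines = [f"baseline fingerprint: {fingerprint(baseline)}",
             f"current fingerprint:  {fingerprint(current)}"]
    lines += [f"[{c}] {a} {i}: {f}" for c, a, i, f in findings]
    return "\n".join(lines), not findings


if __name__ == "__main__":
    text, clean = report(BASELINE, CURRENT)
    print(text)
    print("COMPLIANT" if clean else "DRIFT DETECTED")
```

Run as-is it reports four findings: an unapproved workstation, an unapproved package, a firmware version that no longer matches the baseline, and a server whose build sheet is missing from the documentation inventory. The "maintain" half of the control is the part most organizations skip: the baseline fingerprint only means something if changing it goes through a documented change process, which is exactly the policy and procedure material a POAM and SSP alone do not give you.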
If you read the content of 800-171 Revision 1, a couple of important items stick out right away and call into question the simplicity of the above control.
Looking at page 3, chapter one of SP 800-171r1, we see in the section on "the tailoring criteria" (which is described in chapter two) that the criteria 'allows for and facilitates the equivalent safeguarding measure within nonfederal systems.'
It goes on to state that nonfederal organizations are allowed to isolate the systems that contain CUI, physically and logically, to lower the overall risk to that data by designating specific systems for the storage and transmission of that data. The idea is that if the data is kept in isolation, the cost and expense, both financially and as a part of management, are greatly diminished.
So again this seems rather promising. Until… you realize that you are receiving CUI-based information over email, shared file links, from sites like Exostar, etc. Meaning that all of the CUI flows into your regular network. This means your regular network needs to be protected under NIST 800-171, because you are unable to control the flow of CUI.
The alternative is that you create a separate email service, file service, and network, and that all of your clients send that data to that separate domain structure.
This is cost-ineffective and also presents considerable management overhead, in time and in additional licensing and equipment.
So the idea of security domains becomes impractical and we are back to the idea of securing the entire network.
Moving on to Chapter Two – Where everything starts to get super crazy.
Chapter two discusses the fundamentals of meeting 800-171 in pretty broad but deliberate detail. One of the first red flags that tells me you need more than a POAM and SSP is the third bullet under 2.1 Basic Assumptions.
It more or less states a couple of realities.
- Your network needs to be secured at 'no less' than the moderate impact level according to FIPS 199
- You need to understand what FIPS 199 is and what it asks you to do.
We will get back to NIST 800-171 but for now we need to look at FIPS 199 and the FIPS 199 workbook.
This will be done in our next episode!