Requirements of NIST Compliance
What is NIST and what does it do?
NIST is a non-regulatory government agency focused on developing guidelines that make science and technology companies more economically competitive. As the international community looks to standardize information security requirements, NIST provides insight into potential directions for US legislation. Understanding the NIST requirements and aligning your security controls to them may be the first step toward rapid compliance with future regulations.
What is NIST Special Publication 800-53?
NIST 800-53 offers guidance for creating privacy and security policies and controls. At the highest level, the standard gives you a roadmap for creating IT asset assessments based on risk tolerance. At the most basic level, its ten primary activities include creating policies, establishing oversight, ensuring communication, defining controls, creating time frames, selecting audit/assessor teams, and storing documentation.
What is NIST Special Publication 800-171?
NIST 800-171 focuses on controlled unclassified information (CUI), which it defines as information that a law, regulation, or government policy requires to have information security controls. The most accessible description of NIST 800-171 is that it is 800-53 Lite. While 800-53 contains 20 prescriptive controls, 800-171 incorporates 14 requirements.
With this in mind, understanding the similarities and differences between the two NIST special publications helps companies understand which is right for them.
Step 1: Create a NIST Compliance Risk Management Assessment
NIST 800-53 outlines precise controls as well as supplemental guidance to help create an appropriate risk assessment. Meanwhile, NIST 800-171 only provides a few sentences describing the risk assessment process. To understand the process of a risk assessment, companies seeking to meet NIST 800-171 compliance need to review 800-53.
800-171 states that companies must periodically assess the risk to organizational operations, assets, and individuals associated with information systems that process, store, or transmit CUI. To meet this requirement, the special publication suggests running vulnerability scans and remediating the vulnerabilities they find.
Meanwhile, 800-53 focuses on addressing purpose, scope, roles, responsibilities, management commitment, coordination among internal stakeholders, and compliance that ensures consistency with laws, executive orders, directives, regulations, policies, standards, and guidelines. Additionally, 800-53 requires procedures that facilitate implementation of the risk assessment policy and the risk assessment controls.
While 800-171 maps its requirements to 800-53, NIST 800-171 does not integrate the same level of detail. NIST 800-53 details control baselines for the risk assessment process. Additionally, 800-53 lists which controls require assurance. For example, 800-171 does not incorporate supply chain risk assessment, which 800-53 lists explicitly. Moreover, NIST 800-53 lists precise requirements that companies provide assurance over the risk privileged access poses, the update frequency of vulnerability scanning, and automated trend analysis.
While smaller companies working with CUI may not need to go into the same level of depth as companies working with the DoD, 800-53 gives companies seeking to be 800-171 compliant directions for achieving compliance.
Step 2: Create NIST Compliant Access Controls
As in the risk assessment section, NIST 800-171 provides a high-level overview compared to NIST 800-53 to help companies meet compliance requirements. Unlike with risk assessments, however, NIST 800-171 offers companies a quick tutorial for compliance, and companies that need more detail can supplement their understanding using 800-53. For access controls, the straightforward prescriptions in both special publications provide appropriate levels of detail.
For example, NIST 800-171 lists the following as access controls:
3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
For most smaller companies, this directive clearly defines the goal of the control: keep people's roles separate so that individuals cannot collude to steal information, and grant only the least access necessary to do a job when creating access controls.
Meanwhile, NIST 800-53 requires,
(6) ACCOUNT MANAGEMENT | DYNAMIC PRIVILEGE MANAGEMENT
Implement the following dynamic privilege management capabilities: [Assignment: organization defined list of dynamic privilege management capabilities].
Supplemental Guidance: In contrast to conventional access control approaches which employ static system accounts and predefined user privileges, dynamic access control approaches rely on run time access control decisions facilitated by dynamic privilege management such as attribute based access control (ABAC). While user identities remain relatively constant over time, user privileges typically change more frequently based on ongoing mission or business requirements and operational needs of organizations. Dynamic privilege management can include, for example, immediate revocation of privileges from users, as opposed to requiring that users terminate and restart their sessions to reflect any changes in privileges. Dynamic privilege management can also include those mechanisms that change user privileges based on dynamic rules as opposed to editing specific user profiles. Examples include automatic adjustments of user privileges if they are operating out of their normal work times, their job function or assignment changes, or if systems are under duress or in emergency situations. This control enhancement also includes the effects of privilege changes, for example, the changes to encryption keys used for communications.
Related Controls: AC-16
To simplify the requirement, companies seeking NIST 800-53 compliance should adopt fluid access control management processes. Instead of simply applying the "static" control approach of "least privilege," NIST 800-53 suggests that companies focus not just on the individual, but on the individual's work location and work time to limit access. In this manner, NIST 800-53 focuses more heavily on tracking users for abnormal access, as well as limiting abnormal access, to protect information.
Thus, for companies seeking to become NIST compliant, their access control capabilities should inform which publication's compliance requirements they can realistically meet.
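As an added illustration (not from the original article and not NIST's or any vendor's code), the following Python policy decision point shows the contrast drawn above: 800-171's static separation of duties (3.1.4) and least privilege (3.1.5) beside 800-53 AC-2(6)'s dynamic, context-driven decisions and immediate revocation. The job functions, work hours, duress flag and payment actions are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Constructed attribute store: the policy decision point reads it on every request,
# so a change here takes effect immediately, without the user restarting a session.
SUBJECTS = {
    "alice": {"job": "accounts_payable", "revoked": set()},
    "bob": {"job": "finance_manager", "revoked": set()},
}

# Hypothetical privileges granted per job function (least privilege by role).
JOB_PRIVILEGES = {
    "accounts_payable": {"submit_payment"},
    "finance_manager": {"submit_payment", "approve_payment"},
}

WORK_HOURS = (8, 18)                        # assumed normal work window, 08:00-18:00
SENSITIVE_ACTIONS = {"approve_payment"}     # withheld off-hours or under duress


@dataclass
class Environment:
    hour: int              # hour of day (0-23) at which the request arrives
    duress: bool = False   # e.g. an incident has been declared for the system


def revoke(user: str, action: str) -> None:
    """Immediate revocation: the next decision for this user already sees it."""
    SUBJECTS[user]["revoked"].add(action)


def decide(user: str, action: str, env: Environment, resource: dict) -> bool:
    """Run-time decision from subject, resource and environment attributes."""
    subj = SUBJECTS.get(user)
    if subj is None or action in subj["revoked"]:
        return False
    if action not in JOB_PRIVILEGES.get(subj["job"], set()):
        return False   # least privilege (3.1.5): not part of the job function
    if action == "approve_payment" and resource.get("submitted_by") == user:
        return False   # separation of duties (3.1.4): no self-approval
    in_hours = WORK_HOURS[0] <= env.hour < WORK_HOURS[1]
    if action in SENSITIVE_ACTIONS and (env.duress or not in_hours):
        return False   # dynamic rule: context, not just identity, decides
    return True
```

The same user and action can be allowed at 10:00 and denied at 22:00 or during an incident, which is the behaviour the 800-53 enhancement describes and a static role table cannot express.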
Step 3: Prepare to manage audit documentation
Both NIST 800-53 and 800-171 require audit programs. Similar to the previous requirements, NIST 800-171 provides a streamlined requirement whereas 800-53 goes into depth.
For NIST 800-171 compliant organizations, the requirements are straightforward. Companies need to maintain information system audit records to prove ongoing monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activities. Additionally, the records need to prove the organization can trace actions to unique users.
800-171 lists seven additional steps companies can take for assembling appropriate audit documentation. Each of these steps makes logical sense. For example, the suggested requirements include, but are not limited to, alerts should an audit process fail, correlation of audit reviews to determine suspicious activity, establishing appropriate time stamps, and limiting audit functions to a small set of privileged users.
For most smaller organizations, NIST 800-171 provides everything they need to know. In several cases, however, referring to NIST 800-53 provides the detail needed to clear up confusion. For example, NIST 800-53 explains that audit processing failures include, but are not limited to:
software and hardware errors; failures in the audit capturing mechanisms; and audit storage capacity being reached or exceeded. Organizations may choose to define additional actions for audit processing failures based on the type of failure, the location of the failure, the severity of the failure, or a combination of such factors. This control applies to each audit data storage repository (i.e., distinct system component where audit records are stored), the total audit storage capacity of organizations (i.e., all audit data storage repositories combined), or both.
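As an added example (not from the article, NIST, or any product), this Python audit sink ties together the 800-171 points listed above: time stamps, traceability to a unique user, an alert when audit processing fails because storage capacity is reached, and audit management restricted to a small privileged set. The in-memory repository, capacity limit and "audit-admin" group are assumptions constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

AUDIT_ADMINS = {"audit-admin"}   # hypothetical privileged set allowed to manage audit data

class AuditProcessingFailure(Exception):
    """Raised when a record cannot be captured; an alert is queued before raising."""

class AuditSink:
    def __init__(self, capacity_bytes: int):
        self.capacity = capacity_bytes   # constructed stand-in for a repository's storage limit
        self.used = 0
        self.records = []
        self.alerts = []
        self.last_hash = "0" * 64        # hash chain makes gaps and edits detectable on review

    def record(self, user_id: str, action: str, outcome: str, ts: str = "") -> dict:
        entry = {
            "ts": ts or datetime.now(timezone.utc).isoformat(),  # time stamp
            "user": user_id,                                      # traceable to a unique user
            "action": action,
            "outcome": outcome,
            "prev": self.last_hash,
        }
        line = json.dumps(entry, sort_keys=True)
        if self.used + len(line) > self.capacity:
            # Audit processing failure: alert instead of silently dropping the event.
            self.alerts.append({"type": "audit_storage_exhausted", "ts": entry["ts"]})
            raise AuditProcessingFailure("audit storage capacity reached")
        self.records.append(line)
        self.used += len(line)
        self.last_hash = hashlib.sha256(line.encode()).hexdigest()
        return entry

    def verify_chain(self) -> bool:   # review step: each 'prev' must hash-match its predecessor
        prev = "0" * 64
        for line in self.records:
            if json.loads(line)["prev"] != prev:
                return False
            prev = hashlib.sha256(line.encode()).hexdigest()
        return True

    def purge(self, requester: str) -> int:   # audit management is itself a privileged function
        if requester not in AUDIT_ADMINS:
            self.record(requester, "audit_purge", "denied")
            raise PermissionError("audit management is restricted to audit administrators")
        count = len(self.records)
        self.records, self.used, self.last_hash = [], 0, "0" * 64
        return count
```

Note the edge case the page's quoted guidance implies: once storage is exhausted, even the "denied" record for an unauthorized purge cannot be written, so the exhaustion alert must reach an operator through a channel other than the audit store itself.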