Businesses that work with the Department of Defense (DoD) as contractors or vendors need to meet specific cybersecurity regulations. The National Institute of Standards and Technology (NIST) has developed a guide to assist businesses with adherence to Defense Federal Acquisition Regulation Supplement (DFARS) standards. One of the 14 Families of Requirements for NIST 800-171 compliance is access control.
What is Access Control in Terms of NIST 800-171?
Access Control ensures that access to Controlled Unclassified Information (CUI), and to the networks and systems that store and process CUI, is defined, limited and controlled. This family governs who has access to the company’s scoped environment, how they can access it (phone, wireless, VPN, etc.), and role-based access to ensure the appropriate level of access to information.
Access control works to limit and monitor access to systems, services, and assets. The rules that govern this access must be defined with specific policies and procedures that, in conjunction with appropriate technical implementations, create a comprehensive access control system. Below are the specific requirements surrounding adequate Access Control to achieve NIST 800-171 Compliance. Access Control consists of 2 Basic Requirements and 20 Derived Requirements.
- 3.1.1 Limit access to systems to only authorized users, processes, or devices.
- 3.1.2 Limit access to systems to only functions that authorized users may execute.
- 3.1.3 Control the flow of Controlled Unclassified Information (CUI) in accordance with approved authorizations.
- 3.1.4 Separate the duties of individuals to reduce the risk of harmful activity that does not require collusion.
- 3.1.5 Employ the “least privilege” principle for all accounts (including privileged ones).
- 3.1.6 Utilize non-privileged accounts for all functions that do not require privileges.
- 3.1.7 Prevent the execution of privileged functions by users without privileges.
- 3.1.8 Limit the amount of times any user can attempt to log in unsuccessfully.
- 3.1.9 Notify stakeholders of privacy and security rights per applicable CUI rules.
- 3.1.10 Utilize session locks and pattern-hiding displays after periods of inactivity.
- 3.1.11 Define conditions upon which access sessions are automatically terminated.
- 3.1.12 Closely monitor and tightly control all access sessions conducted remotely.
- 3.1.13 Protect the confidentiality of remote access sessions using cryptographic keys.
- 3.1.14 Ensure all remote access sessions are routed through access control points.
- 3.1.15 Authorize all remote access of security-relevant data and privileged commands.
- 3.1.16 Authorize all wireless access privileges before enabling wireless connections.
- 3.1.17 Utilize authentication and encryption to protect all wireless access sessions.
- 3.1.18 Control all mobile device connections to networks containing sensitive data.
- 3.1.19 Encrypt all CUI for processing on any mobile devices or computing platforms.
- 3.1.20 Verify and control the amount and variety of connections to external systems.
For a guide on secure wireless networks, review SP 800-97. To learn more about NIST SP 800-171 compliance, please visit NIST.SP.800-171r2.pdf and be sure to review the assessment guide: SP 800-171A, Assessing Security Requirements for CUI | CSRC.
NeQter Labs can assist you with building the foundation for your cybersecurity and compliance program. By combining SIEM, vulnerability scanning, inventory and documentation into a single platform, NeQter allows you to get a jump start on your DFARS-7012/NIST 800-171/CMMC compliance project. Our extensive partner network ensures that, no matter what, we can assist you with all your compliance needs. Contact us here.