The National Institute of Standards and Technology (NIST) has developed a guide to assist businesses with adherence to Defense Federal Acquisition Register Supplement (DFARS) standards. The thirteenth of the 14 Families of Requirements for NIST 800-171 compliance is communication protection.
What is System and Communication Protection in Terms of NIST 800-171?
A business is required to have practices that control unintended data access via shared resources, create clear boundaries between publicly accessible and internal information, and ensure the security of remote access and devices.
The System and Communication Protection family of requirements mandates the monitoring, control, and protection of communications at external and key internal environment boundaries through the use of security tools (such as a firewall). It also requires parsing access based on role-based requirements, following “deny all, permit by exception” guidelines, and establishes protocol guidelines to control and monitor the use of remote, collaborative, mobile, and VoIP sessions. Role-based access control will address a bulk of this family; For example, an enterprise-grade firewall will inherently meet other guidelines through common configurations and practices (implicit deny-all policies, encrypted tunnels, etc.). System and communication protection consists of 2 Basic Security requirements and 14 Derived Security requirements.
Basic Security Requirements
- 3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems
- 3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
Derived Security Requirements
- 3.13.3 Separate user functionality from system management functionality.
- 3.13.4 Prevent unauthorized and unintended information transfer via shared system resources
- 3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
- 3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
- 3.13.7 Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).
- 3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
- 3.13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
- 3.13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems
- 3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
- 3.13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device
- 3.13.13 Control and monitor the use of mobile code.
- 3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
- 3.13.15 Protect the authenticity of communications sessions
- 3.13.16 Protect the confidentiality of CUI at rest
To learn more about NIST SP 800-171 Compliance please visit NIST.SP.800-171r2.pdf and be sure to review the assessment guide:SP 800-171A, Assessing Security Requirements for CUI | CSRC. NeQter Labs can assist you with building the foundation for your cyber security and compliance program. By combining SIEM, vulnerability scanning, inventory and documentation into a single platform, NeQter allows you to get a jump start on your DFARS-7012/NIST 800-171/CMMC compliance project. Our extensive partner network ensures that no matter what, we can assist you with all your compliance needs. Contact us here.