Due to increased cyberattacks on the US government supply chain DHS has now mandated protecting Controlled Unclassified Information (CUI) using NIST 800-171. While at first this may seem like a daunting task with a bit of planning implementing NIST 800-171 is very manageable.
The Big Picture: US Government Suppliers Are Being Attacked
Over the past few years the number of cyberattacks on US government suppliers has increased to the point that it’s now difficult to find a company that hasn’t detected in-bound traffic from China or Russia on their monitoring systems. Remote scans on Internet-facing servers is now commonplace. Phishing attacks leading to credential theft and data exfiltration has occured at companies that never considered themselves a target. More worrying, anyone who can exflitrate data can also install malware. During a time of conflict it would be very easy for a foreign adversary to cripple companies that supply essential products to frontline warfighters.
The increased level of cyberattacks has now made cybersecurity a national security priority on par with counter-terrorism. On December 18 2017 the White House released the National Security Strategy (NSS) that dedicated a large portion of the document to cybersecurity. NSS also pointed out the importance of the US National Security Innovation Base. The two topics are related as America’s competitive advantage comes from the tens of thousands of companies that supply innovative products and services to the US government. Thus it is not surprising that the US government supply chain is now being targeted by America’s enemies.
NIST 800-171: Cyberattack Countermeasure Strategy
In response to increased cyberattacks on US government suppliers DHS has mandated NIST 800-171 to protect Controlled Unclassified Information (CUI). The good news is that while NIST 800-171 is rigourous companies can reduce the implementation cost and complexity by limiting where, who and how CUI is accessed. Here's a few suggestions you may wish to consider to make protecting CUI easier:
1/ Limit CUI Distribution And Authorized Personnel. Section 3.1 outlines a number of access control requirements that form the first line of defense agianst cyberattacks - thus it's critical to make sure you implement everything here as its foundational. A key design feature of Section 3.1 is how multiple layers of security controls are used to mitigate network and inside attacks.
Suppliers can save themselves a lot of grief by migrating CUI to the smallest number of application and file servers. Additionally by limiting access to CUI on a need-to-know basis companies can save on monitoring and compliance tasks.
Tip: Anyone who expresses uncertainty on whether they need access to CUI doesn’t!
2/ Select Device Encryption/Monitoring Solutions That Work With Access Control. 800-171 also incorporates countermeasures for malware that can steal data from user devices or propagate to application servers. Thus 800-171 requires encryption of CUI on compute devices (3.8) as well as process-level monitoring (3.11, 3.13).
Suppliers can streamline encryption and device monitoring tasks by selecting solutions that work with their access control solution. For example, if you're using AD for authentication and authorization, selecting encryption solution that also utilizes AD for document encryption makes sense.
Tip: Limiting authorized CUI devices to PCs and Macs (i.e. no mobile) will make your life easier.
3/ Create A Secure Enclave. Locking down an entire organization to protect CUI is costly, complex and very difficult. As an alternative, consider creating a Secure Enclave to protect CUI. A Secure Enclave is a self-contained environment that combines trusted access control with trusted compute. A key aspect of a Secure Enclave is that it is invisible to cyberattackers even if they get inside your perimeter. Additionally, all of the security controls in a Secure Enclave are interlocked with each other making it difficult for cyberattackers to breach systems without detection.
Vidder offers a trusted access control solution that integrates multiple security controls into a single solution that can be deployed in a data center or cloud. Viddder's solution verifies authorization before providing access to protected assets. It also features layer 4 application connectivity and device-level process monitoring that blocks malware and inside attackers for performing privileged functions.
Tip: A cloud-based Secure Enclave is a very cost effective CUI solution compared to securing a data center.
Hopefully this blog post has given you a few ideas to simplify protecting CUI. If your organization handles CUI and you have any questions about this article please contact Vidder to schedule a free, no obligation 30 minute consultation.