How federal government contractors can achieve NIST 800-171, Revision 2, compliance with Endpoint Protector for data loss prevention and USB device control. NIST has produced more than 200 special publications covering many aspects of cybersecurity risk management for different industries and use cases. One of these, NIST 800-171 , Revision 2, applies to any organization that handles Controlled Unclassified Information (CUI) on behalf of the U.S. federal government or operates as a contractor, subcontractor, or service provider for the US government. If your organization is working in this capacity, and sharing, collecting, processing, storing, or transmitting CUI on behalf of a federal government agency, understanding the role of NIST 800-171 , Revision 2, within your security operations is critical. Unfortunately, given its breadth, no one solution will fulfil all NIST 800-171 compliance, Revision 2, and NIST (National Institute of Standards and Technology) Cybersecurity Framework requirements. Instead, organizations will need to combine multiple technologies and processes to meet their stated goals.
Navigating the NIST Framework
Understanding the hierarchy of NIST can, at first glance, appear complex. At its root, NIST 800-171 compliance, Revision 2, is built around the five core NIST Framework ‘Functions’: Identify, Protect, Detect, Respond, Recover. These functions cover the basic requirements; from how an organizations prepares its systems to identify risk, though to how it responds and recovers. Within these Functions are 110 different Controls that span both technology and processes. For ease, these controls are divided between 14 Control Families of security requirements: access control, audit, and accountability, awareness and training, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection and system and information integrity.
Where can Endpoint Protector be applied?
Endpoint Protector provides particular support for the Protective Technology (PT) function. This involves managing technical security solutions to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements. Endpoint Protector can help organizations achieve this by providing a range of endpoint protection tools, such as data loss prevention (DLP), device control, and encryption.
- Identify (ID): Understand and manage cyber risk by identifying assets, vulnerabilities, threats, impacts, and risk to prioritize resources.
- Protect (PR): Implement security controls to reduce cyber risk, including technical, administrative, and physical controls, as well as training and planning.
- Detect (DE): Detect and respond to cyber threats by implementing monitoring and detection systems and procedures and continuous security monitoring.
- Respond (RS): Respond to and contain cyber incidents by having incident response plans and procedures in place.
- Recover (RC): Restore normal operations after a cyber incident by having backup and recovery plans, disaster recovery, and business continuity planning in place.
Applying Endpoint Protector to the Protect (PR) Function
Endpoint Protector can help your organization meet multiple NIST 800-171 compliance, Revision 2 requirements. In particular, enabling you to control the use of removable media and helping you to protect your sensitive data against data leaks. Based on analysis of organizations using Endpoint Protector to meet their NIST obligations, the following are the top three NIST 800-171 controls that can be met with Endpoint Protector’s Device Control and Content Aware Protection features. Note: If your organization also needs to meet the requirements documented in the wider NIST SP 800-53, Revision 5 publication, a set of specific security and privacy controls for federal information systems and organizations, then visit our NIST Compliance page.
|Category||Protective Technology (PT)|
|Sub-Category||PR.PT-2: Removable media is protected|
|Control Family||MP: Media Protection|
|Controls & Control Enhancements||3.8.7: Control the use of removable media on system components This requirement restricts the use of certain types of media on systems. For example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical controls to control the use of system media. Organizations may also limit the use of portable storage devices to only approved devices, including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may control the use of portable storage devices based on the type of device, prohibiting the use of writeable, portable devices and implementing this restriction by disabling or removing the capability to write to such devices.|
|Endpoint Protector’s Application||Endpoint Protector’s Device Control solution allows the organization to manage the use of USB drives and other portable storage devices connected to employee endpoints. This includes USB Flash drives, external HDDs, SD Cards, and even storage media connected via Bluetooth (e.g. smartphones). Use of external storage media can be blocked at a company level, or controls put in place to allow access at group/team or individual level. Permissions can also be assigned only to approved storage media (e.g. IT approved USB drives). File Shadowing functionality also allows security administrators to monitor and report on all data transfers made to external storage at an individual employee level.|
|Category||Data Security (DS)|
|Sub-Category||PR.DS-5: Protections against data leaks are implemented|
|Control Family||System and Communications Protection|
|Controls & Control Enhancements||3.13.1: Monitor, control, and protect communications at the external boundaries and key internal boundaries of organizational systems. Safeguarding communications can be achieved by monitoring, controlling, and protecting them at boundary components and by restricting or prohibiting interfaces in organizational systems.|
|Endpoint Protector’s Application||Endpoint Protector Device Control and Content Aware Protection allow security teams to protect data from leaks and from being exfiltrated at the employee endpoint (interface). This spans potential exfiltration of data through hardware devices (e.g. USB drives, external HDDs, Bluetooth-connected devices, printers, and more); and also through software applications, e.g. email, Slack, file uploads, etc. Precise control over the exfiltration or transfer of documents can be achieved at a company, group/team, or individual level and by the content type. Content-level controls can be built around defined confidential data (such as Personally Identifiable Information (PII) or Payment Card Information (PCI)) or by custom policies to protect unique assets such as Intellectual Property (IP) or source code.|
|Category||Data Security (DS)|
|Sub-Category||PR.DS-5: Protections against data leaks are implemented|
|Control Family||Personnel Security|
|Controls & Control Enhancements||3.9.2: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers. Protecting CUI during and after personnel actions may include returning system-related property and conducting exit interviews. System-related property includes hardware authentication tokens, identification cards, system administration technical manuals, keys, and building passes. For termination actions, timely execution is essential for individuals terminated for cause. In certain situations, organizations consider disabling the system accounts of individuals that are being terminated prior to the individuals being notified.|
|Endpoint Protector’s Application||Endpoint Protector Device Control and Content Aware Protection allow security teams to protect data from being exfiltrated at the employee endpoint (interface) and to monitor at-risk employees for potential exfiltration of CUI (Controlled Unclassified Information). This is a common threat for organizations, with leavers often looking to make copies of work they have contributed to. While this action may not be malicious in intent, the exfiltration of confidential data would represent a significant breach. Proactive monitoring of individuals who present an increased risk can be further enhanced with File Shadowing creating copies of all transferred files – allowing security administrators to inspect the exact contents of a file. This spans potential exfiltration of data through hardware devices (e.g. USB drives, external HDDs, Bluetooth-connected devices, printers, and more); and also through software applications, e.g. email, Slack, file uploads, etc.|
What is Controlled Unclassified Information?
It’s important to understand the types of data that your organization will be handling. NIST 800-171, Revision 2 covers CUI – or Controlled Unclassified Information. Some examples of CUI include:
- Export-controlled information, such as technical data used in articles by the Department of Defense (DoD), software, and technology companies.
- Financial information, including tax return information, financial account numbers, and credit reports.
- Law enforcement information, such as criminal investigations, sensitive security information, and intelligence information.
- Personal information, such as social security numbers, medical records, and Personal Identifiable Information (PII).
- Controlled technology, including information related to nuclear facilities, biological agents, and chemical weapons.
- Transportation information, such as hazardous materials transportation information and transportation security information.
- Sensitive information related to government contracts, procurement, and acquisition.
These are just a few examples of the types of information that may be considered CUI. It’s important to note that the specific categories and definitions of CUI may vary depending on your organization, the industry, the type of federal information being handled, and the regulatory framework involved. Fortunately, Endpoint Protector’s Content Aware Protection module allows you to control and stop the exfiltration of any data type. For those looking to secure Personal Identifiable Information (PII), Personal Healthcare Information (PHI), or payment card information, Endpoint Protectors’ predefined libraries of data can help your security team quickly build templated policies. More advanced policies can also be built against IP, source code, or any other type of data, with policies tailored to different user groups and applied to different exit points on the employee endpoint.
- Multi-OS – Endpoint Protector allows you to build policies to protect Windows, macOS, and Linux machines from a single admin console. This is vital for organizations that want to consolidate policy management and reduce the number of security platforms being maintained.
- Protect offline activity – It’s important to remember that many cloud-based solutions don’t offer endpoint protection when the employee goes offline. This would be noted as a particular risk against your NIST compliance audit.
- Because Endpoint Protector uses a lightweight agent, policies remain in place regardless of the endpoint’s connectivity status or employee location. Any attempted policy violation is reported back to your administrators when connectivity to the endpoint is restored.
- Deployment – Endpoint Protector can be deployed in multiple ways to meet any existing security and data compliance requirements that your organization might have in place. This includes on-premise / virtual appliances or cloud-based (either within your own cloud service or hosted by us).
- Organizations should look to understand the Control Baseline required to cover their systems by determining the criticality and sensitivity of the information to be processed, stored, or transmitted by those systems. Not all of the controls listed in this post apply to all Control Baseline requirements (low-impact, moderate-impact, and high-impact), as well as the privacy control baseline.
This document is for informational purposes only. NIST does not endorse any commercial products or companies. Organizations are solely responsible for determining the appropriateness of using Endpoint Protector by CoSoSys to achieve their NIST compliance.
Download our free ebook on
A comprehensive guide for all businesses on how to ensure GDPR compliance and how Endpoint Protector DLP can help in the process.