
Achieve NIST 800-53, Revision 5 compliance with Endpoint Protector for data loss prevention and USB device control. As a federal agency, or an organization operating under the authority of the United States government, understanding the role of NIST 800-53, Revision 5, within your security operations is critical. Unfortunately, given its breadth, no one solution will fulfill all NIST 800-53, Revision 5, and NIST Cybersecurity Framework requirements for information security. Instead, federal agencies will need to combine multiple technologies and processes to meet their stated goals. This blog post outlines the security controls that can be achieved with Endpoint Protector by CoSoSys, and is designed to help federal agencies in their evaluation of software solutions to achieve NIST 800-53, Revision 5 compliance. If you are a federal government contractor or supplier and have been asked to meet the requirements documented in the NIST 800-171, Revision 2 publication, or another NIST SP, visit our NIST Compliance page.
Navigating the NIST Framework
Understanding the hierarchy of NIST can, at first glance, appear complex. At its root, NIST 800-53, Revision 5, lays out security standards around five core NIST Framework ‘Functions’: Identify, Protect, Detect, Respond, Recover. These functions cover the basic requirements, from how an organization prepares its systems to identify risk through to how it responds and recovers. Within these Functions are 888 different Controls that span both technology and processes. For ease, these controls are divided between 20 Control Families. These include (but are not limited to) Access Control, Configuration Management, Contingency Planning, Incident Response, Media Protection, Personnel Security, Physical and Environmental Protection, Program Management, Risk Assessment, Security Assessment and Authorization, System and Communications Protection, System and Information Integrity, Supply Chain Risk Management, and Privacy and Security Controls for Information Systems and Organizations.
Where can Endpoint Protector be applied?
Endpoint Protector provides particular support for the Protect and Detect functions by providing a range of endpoint protection tools, such as data loss prevention (DLP), device control, and encryption, to achieve information security.
Five core functions of NIST 800-53, Revision 5
- Identify (ID): Understand and manage cyber risk by identifying assets, vulnerabilities, threats, impacts, and risk to prioritize resources.
- Protect (PR): Implement security controls to reduce cyber risk, including technical, administrative, and physical controls, as well as training and planning.
- Detect (DE): Detect and respond to cyber threats by implementing monitoring and detection systems and procedures, and continuous security monitoring.
- Respond (RS): Respond to and contain cyber incidents by having incident response plans and procedures in place.
- Recover (RC): Restore normal operations after a cyber incident by having backup and recovery plans, disaster recovery, and business continuity planning in place.
Applying Endpoint Protector to the Protect (PR) and Detect (DE) Functions
Endpoint Protector can help your organization to meet multiple NIST 800-53, Revision 5 security requirements. In particular, it helps you to control the use of removable media and to protect against data leaks as part of an ongoing information security strategy. Based on analysis of organizations using Endpoint Protector to meet their NIST obligations, the following are the top five NIST 800-53 controls that can be met with Endpoint Protector’s Device Control and Content Aware Protection features. Within the Protect Function, Endpoint Protector offers particular support for the Data Security (DS) category. This is defined as: information and records (data) are managed consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information. The following sub-categories and controls can be achieved partially or in full by Endpoint Protector, depending on organizational goals.
Category | Data Security (DS)
--- | ---
Sub-Categories | PR.DS-1: Data-at-rest is protected; PR.PT-2: Removable media is protected
Control Family | MP: Media Protection
Controls & Control Enhancements | MP-7: Media Use. MP-7 restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations may look to prohibit their use, or limit the use of portable storage devices to only approved devices or certain user groups. Endpoint Protector’s Device Control solution allows organizations to manage the use of USB drives and other portable storage devices connected to employee endpoints, ensuring compliance with the NIST removable media policy.
Applied Baselines | ☑ Low, ☑ Moderate, ☑ High, ☐ Privacy
Endpoint Protector’s Application | Endpoint Protector’s Device Control solution allows the organization to manage the use of USB drives and other portable storage devices connected to employee endpoints. This includes USB flash drives, external HDDs, SD cards, and even storage media connected via Bluetooth (e.g. smartphones). Use of external storage media can be blocked at a company level, or controls put in place to allow access at group/team or individual level. Permissions can also be assigned only to approved storage media (e.g. IT-approved USB drives). File Shadowing functionality extends information security controls to your security program by allowing security administrators to monitor, and report on, all sensitive data transfers made to external storage at an individual employee level.
Threats Protected | ☑ Tampering, ☑ Information Disclosure
Category | Data Security (DS)
--- | ---
Sub-Categories | PR.DS-2: Data-in-transit is protected
Control Family | System and Communications Protection
Controls & Control Enhancements | SC-8: Protect the confidentiality of transmitted information, and SC-8(1): Cryptographic or Alternate Physical Protection. The information system implements cryptographic mechanisms to prevent unauthorized disclosure of information and/or detects changes during transmission, unless otherwise protected by defined alternative physical safeguards.
Applied Baselines | ☐ Low, ☑ Moderate, ☑ High, ☐ Privacy
Endpoint Protector’s Application | For organizations that require the use of portable media for the movement of data, Endpoint Protector’s Enforced Encryption functionality removes the need for specialist (and expensive) hardware-based solutions, and instead applies AES 256-bit encryption to files sent to any USB storage device approved for use by the organization.
Threats Protected | ☑ Tampering, ☑ Information Disclosure
Category | Data Security (DS)
--- | ---
Sub-Categories | PR.DS-5: Protections against data leaks are implemented
Control Family | System and Communications Protection
Controls & Control Enhancements | SC-7: Boundary Protection. Monitor and control communications at external managed interfaces to the system and at key internal managed interfaces within the system. SC-7(10): Prevent Exfiltration. Prevent the exfiltration of information; and conduct exfiltration tests.
Applied Baselines | ☑ Low, ☑ Moderate, ☑ High, ☑ Privacy
Endpoint Protector’s Application | Endpoint Protector Device Control and Content Aware Protection allow security teams to protect sensitive data from being exfiltrated at the employee endpoint (interface) in accordance with SC-7 and SC-7(10). This is sometimes referred to as “Insider Threats”. This spans potential exfiltration of data through hardware devices (e.g. USB drives, external HDDs, Bluetooth-connected devices, printers, and more) and also through software applications, e.g. email, Slack, file uploads, etc. Precise control over the exfiltration or transfer of documents can be achieved at a company, group/team, or individual level, and by content type. Content-level controls can be built around defined confidential data (such as Personally Identifiable Information (PII) or Payment Card Information (PCI DSS)), or by custom policies to protect unique assets such as Intellectual Property (IP) or source code.
Threats Protected | ☑ Information Disclosure
Category | Data Security (DS)
--- | ---
Sub-Categories | PR.DS-5: Protections against data leaks are implemented
Control Family | System and Information Integrity
Controls & Control Enhancements | SI-4: System Monitoring. Strategically within the system, collect essential information to track specific types of transactions of interest to the organization; monitor the system to detect attacks and indicators of potential attacks in accordance with monitoring objectives. SI-4(19): Risk for Individuals (not part of any baseline). Have the ability to monitor individuals who have been identified as posing an increased level of risk.
Applied Baselines | ☑ Low, ☑ Moderate, ☑ High, ☐ Privacy
Endpoint Protector’s Application | Endpoint Protector can be configured for system monitoring at an individual endpoint / employee level to support SI-4 and SI-4(19). Passive monitoring can be achieved with log data to track the movement, and potential exfiltration attempts, of defined confidential data types. Proactive monitoring of individuals who present an increased risk (SI-4(19)) can be further enhanced with File Shadowing, which creates copies of all transferred files and allows security administrators to inspect the exact contents of a file.
Threats Protected | ☑ Information Disclosure
Detect (DE)
Within the Detect Function, Endpoint Protector offers particular support for the Security Continuous Monitoring and Anomalies and Events categories. Security Continuous Monitoring specifies that information systems and assets are monitored to identify cybersecurity events and verify the effectiveness of protective measures. Anomalies and Events requires that anomalous activity is detected and the potential impact of events is understood. In both cases, Endpoint Protector’s lightweight agent not only acts as the control point for enforcing policies, but also as a mechanism to report on potentially harmful activity. The following sub-categories and controls can be achieved partially or in full by Endpoint Protector, depending on organizational goals.
Category | Security Continuous Monitoring (CM)
--- | ---
Sub-Categories | DE.CM-3: Personnel activity is monitored to detect potential cybersecurity events. DE.CM-7: Monitoring for unauthorized personnel, connections, devices, and software is performed. DE.AE-3: Anomalous activity is detected and the potential impact of events is understood.
Control Family | Assessment, Authorization, and Monitoring
Controls & Control Enhancements | CA-7: Continuous Monitoring. Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy.
Applied Baselines | ☑ Low, ☑ Moderate, ☑ High, ☑ Privacy
Endpoint Protector’s Application | Where Endpoint Protector is deployed on an endpoint, security administrators are able to report on attempted / blocked data transfers that breach documented data protection policies, even when the endpoint is offline and not connected to a network. Passive monitoring can be achieved with log data to track the movement, and potential exfiltration attempts, of defined confidential data types. Proactive monitoring of endpoints can be further enhanced with File Shadowing, which creates copies of all transferred files and allows security administrators to inspect the exact contents of a file.
What is Controlled Unclassified Information?
It’s important to understand the types of data that your organization will be handling. Both NIST 800-53, Revision 5 and NIST 800-171, Revision 2 cover CUI, or Controlled Unclassified Information. Some examples of CUI include:
- Export-controlled information, such as technical data related to defense articles, software, and technology.
- Financial information, including tax return information, financial account numbers, credit reports, and other data covered by PCI DSS.
- Law enforcement information, such as criminal investigations, sensitive security information, and intelligence information.
- Personal information, such as social security numbers, medical records, and personally identifiable information (PII).
- Controlled technology, including information related to nuclear facilities, biological agents, and chemical weapons.
- Transportation information, such as hazardous materials transportation information and transportation security information.
- Sensitive information related to government contracts, procurement, and acquisition.
These are just a few examples of the types of information that may be considered CUI. It’s important to note that the specific categories and definitions of CUI may vary depending on your organization, the federal information systems you are working within, and the regulatory framework involved. Fortunately, Endpoint Protector’s Content Aware Protection module allows you to control and stop the exfiltration of any data type. For those looking to secure Personally Identifiable Information (PII), Personal Healthcare Information (PHI), or payment card information, Endpoint Protector’s predefined data libraries can help your security team to quickly build templated policies. More advanced policies can also be built against IP, source code, or any other type of data, with policies tailored to different user groups and applied to different exit points on the employee endpoint.
Key considerations
- Multi-OS – Endpoint Protector allows you to build policies to protect Windows, macOS and Linux machines from a single admin console. This is vital for organizations that want to consolidate policy management and reduce the number of security platforms being maintained.
- Protect offline activity – It’s important to remember that many cloud-based solutions don’t offer endpoint protection when the employee goes offline. This would be noted as a particular risk in your NIST compliance audit. Because Endpoint Protector uses a lightweight agent, policies remain in place regardless of the endpoint’s connectivity status or employee location. Any attempted policy violation is reported back to your administrators when connectivity to the endpoint is restored.
- Deployment – Endpoint Protector can be deployed in multiple ways to meet any existing security and data compliance requirements that your organization might have in place. This includes on-premises / virtual appliance, or cloud-based (either within your own cloud service, or hosted by us).
- Control Baselines – Organizations should look to understand the Control Baseline required to cover their systems by determining the criticality and sensitivity of the information to be processed, stored, or transmitted by those systems. Not all of the controls listed in this post apply to every control baseline (low-impact, moderate-impact, high-impact, or the privacy control baseline).

This document is for informational purposes only. The National Institute of Standards and Technology does not endorse any commercial products or companies. Organizations are solely responsible for determining the appropriateness of using Endpoint Protector by CoSoSys to achieve their security requirements and NIST SP compliance.