Data Loss Prevention for NIST Compliance
Table of Contents
- NIST SP 800-53, Revision 5 vs NIST 800-171, Revision 2
- Who has to comply?
- Examples of CUI
- NIST compliance with Endpoint Protector
- Considerations for your organization
NIST SP 800-53, Revision 5 vs NIST 800-171, Revision 2
The NIST Cybersecurity Framework (CSF) provides a common language for expressing and discussing cybersecurity risk. NIST has produced more than 200 special publications covering many aspects of cybersecurity risk management for different industries and use cases. The most widely recognized and used is NIST 800-53 (Revision 5), a set of specific security and privacy controls for federal information systems and organizations.
A subset of these controls has also been published for non-federal entities (e.g. a supplier or contractor) that share, collect, process, store or transmit “Controlled Unclassified Information (CUI)” on behalf of a federal government agency. This is called NIST 800-171 (Revision 2).
Who has to comply?
| NIST SP 800-53, Revision 5 | NIST SP 800-171, Revision 2 |
| --- | --- |
| Federal agencies and organizations operating under the authority of the United States government. Some contractors or suppliers may also be asked to comply, depending on the data type. | Any organization that handles Controlled Unclassified Information (CUI) on behalf of the U.S. federal government or operates as a contractor, subcontractor, or service provider for the U.S. government. |
Examples of CUI
CUI refers to sensitive but unclassified information that requires safeguarding and protection, as its unauthorized disclosure could cause damage to national security, economic interests, or personal privacy. Some examples of CUI include:
- Export-controlled information, such as technical data related to defense articles, software, and technology.
- Financial information, including tax return information, financial account numbers, and credit reports.
- Law enforcement information, such as criminal investigations, sensitive security information, and intelligence information.
- Personal information, such as social security numbers, medical records, and personally identifiable information (PII).
- Controlled technology, including information related to nuclear facilities, biological agents, and chemical weapons.
These are just a few examples of the types of information that may be considered CUI. It's important to note that the specific categories and definitions of CUI may vary depending on the organization, the industry, and the regulatory framework involved.
NIST compliance with Endpoint Protector
Given its breadth, no one solution will fulfill all NIST SP 800-53, Revision 5 or NIST 800-171, Revision 2 requirements. Instead, organizations should look to combine multiple technologies and processes to meet their stated goals.
Here are some examples of where Endpoint Protector by CoSoSys can be applied to meet the needs outlined in specific NIST Framework Categories and Sub-Categories. For in-depth documentation, please check out our article on NIST Cybersecurity Framework.
Control the use of removable storage media
Use Endpoint Protector’s Device Control solution to manage the use of USB drives and other portable storage devices connected to employee endpoints. This includes USB flash drives, external HDDs, SD cards, and even storage media connected via Bluetooth (e.g. smartphones). Learn more about Endpoint Protector Device Control.
Protect against data leaks
Use Endpoint Protector Device Control and Content Aware Protection to protect data from being exfiltrated at the employee endpoint. This covers potential exfiltration of CUI through hardware devices (e.g. USB drives, external HDDs, Bluetooth-connected devices, printers, and more) as well as through software applications (e.g. email, Slack, file uploads). Learn more about Endpoint Protector Content Aware Protection.
Encrypt data transported via removable media
For organizations that require the use of portable media for the movement of data (e.g. USB flash drives), Endpoint Protector’s Enforced Encryption functionality removes the need for specialist (and expensive) hardware-based solutions, and instead applies AES 256-bit encryption to files sent to any USB storage device approved for use by the organization.
Considerations for your organization
Remember, given its breadth, no one solution will fulfill all NIST Cybersecurity Framework requirements. Instead, organizations should look to combine multiple technologies and processes to meet their stated goals.
Organizations should also look to understand the Control Baseline required to cover their systems by determining the criticality and sensitivity of the information to be processed, stored, or transmitted by those systems. Not all of the controls listed here apply to every Control Baseline (low-impact, moderate-impact, and high-impact) or to the privacy control baseline. Organizations should conduct a thorough evaluation of Endpoint Protector to ensure it meets their own unique compliance needs, and organizations are solely responsible for determining the appropriateness of using Endpoint Protector by CoSoSys to achieve their NIST compliance.