“It’s not scary, it’s just security,” may seem like the understatement of the year. But really, security doesn’t have to be scary. Yes, there are over 100 controls, and yes, they can appear overwhelming. But compliance with NIST 800-171 is attainable. Over the next several weeks I will be writing a mini-series on NIST 800-171 and will take the tech talk out of the compliance, and make it, well – not scary. And, by the end of this mini-series, I will have made the case as to why NIST 800-171 is not only important but why it is attainable.
As a whole, cybersecurity in most organizations tends to be subpar at best. Most companies focus their limited technology budget on keeping the lights on, and they may throw in a couple bells and whistles that either an internal IT leader or perhaps a Managed Service Provider has recommended. Implementing a cybersecurity plan generally comes in last place on the budget hierarchy, right behind lead generation, product delivery enhancements, staff resourcing, office furniture replacement, enhanced caffeination mechanisms (remember the new coffee machine?), and maybe a snack or two for the kitchen. We tell ourselves that this makes sense – after all, big guys have all the data, and why would someone target us, right?
Wrong. As a small or mid-size business, you are the target. Our adversaries know that cybersecurity is often last on our list of must-haves, and therefore know to target the weak security controls instituted by many small and mid-sized businesses. In a 2016 study published by Net Diligence which was based on cybersecurity insurance claims from 17 different insurance underwriters, they found the median cost of a data breach for small businesses to be $60,000; that’s a lot of coffee and granola bars! By placing a low priority on cybersecurity, we have limited our ability to secure our data, and our adversaries are taking advantage of this weakness.
The Department of Defense (DoD) estimates that the total value of data lost to our adversaries is $60 Billion per year. Per Year! We’re essentially funding the R&D of our adversaries through weak cyber security. Obviously, that is not acceptable.
NIST 800-171 was created to stop it.
In 2016 NIST released NIST 800-171 with the intent to provide a cybersecurity framework that protects data not covered under a “Classified” label, but which still could prove dangerous for American interests should it be obtained by an adversary. While these bits of data may not be individually damaging, this Controlled Unclassified Information (CUI) is still important to secure.
The reason CUI is still important is that when aggregate data is assembled a larger picture is developed, one that the DoD has an interest in protecting from adversaries. An unfortuanate example of is the Sea Dragon breach from last year. To protect CUI, NIST 800-171 covers 14 families of security controls and over 100 controls within those 14 families. The good news is many of these are standard best practices. The 14 families are as follows:
That feels like a lot; right? Don’t worry; as we promised, it’s just security. You don’t need to be scared. Take a minute and ask yourself a few questions:
If you answered “yes” to these three, congratulations! You can put checkmarks in three of your compliance boxes. If you said “no” to any of these, please disconnect from your network, turn off your computer, and call us!
Here are a few more questions:
If you answered “yes” to these three questions, you likely satisfy several more controls. See? it’s not scary, it’s just security. The good news is that many of the NIST 800-171 controls are covered in what most would consider to be industry best practices, and therefore are likely already implemented in your environment. Covering these controls is the easiest way to achieve a standard of compliance. There are other controls that require a feature set that goes beyond the standard baseline configurations. These controls go beyond regular password updates to restricting access to in-boundary data, ensuring the proper events are being logged, and enforcing how data can flow within your organization. As you start down the path of addressing these types of controls, experienced cybersecurity expertise really becomes imperative. Yes, it’s even more important than the new coffee maker.
This is where C3 can help. In today’s market, most companies understand there is a need for cybersecurity, but are unsure how to maximize a thin technology budget. We specialize in helping companies implement technical controls that are in line with NIST 800-171 as well as other compliance standards, with a practical approach that fits your organization and its unique set of needs.
Look for more updates on cybersecurity and NIST 800-171 in the weeks to come; in the meantime, if you want to learn more, you can find me at email@example.com or message me on Twitter @C3ISIT.
Scott Whitehouse is a Senior Systems Consultant at C3 Integrated Solutions, a full-service IT provider based in Arlington, VA that specializes in securing our nation’s Defense Industrial Base through cloud-based solutions and industry leading partners. Scott is part of C3’s Projects Team and focuses on Microsoft Office 365 Engineering, including Intune, EM+S, and Compliance.