The National Institute of Standards and Technology (NIST) has developed a robust framework known as the NIST 800-171 guidelines for “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” recently updated on May 10, 2023 which serves as a cornerstone for enhancing system security and ensuring compliance. These guidelines, including the specific NIST 800-171 security requirements, provide organizations with a comprehensive framework for implementing effective security controls and hardening measures. By adhering to the NIST hardening standards outlined in the recently updated SP 800-171 Rev. 3 guidelines, organizations can establish a strong security foundation and protect sensitive information from unauthorized access, disclosure, or loss. In this article we’re going to discuss NIST hardening standards by exploring the 17 families of NIST security requirements from the most recent update.
NIST 800-171 Guidelines:
The SP 800-171 Rev. 3 (NIST SP 800-171r3) guidelines are designed to protect Controlled Unclassified Information (CUI) within non-federal information systems. They provide organizations, particularly defense contractors and entities handling CUI in contractual agreements with the U.S. government, with a structured framework for strengthening their security posture. Compliance with the NIST 800-171 guidelines not only safeguard sensitive information but also demonstrates an organization’s commitment to data protection, bolstering its reputation and potential for future government contracts.
Exploring the 17 families of NIST security requirements
Access Control (AC):
The AC category focuses on account management for system, account types and applications.
Source Controls:
AC-3 ACCESS ENFORCEMENT
AC-17 REMOTE ACCESS
Awareness and Training (AT):
Provide security literacy training to system users. Organizations provide basic and advanced levels of literacy training to system users and measures to test the knowledge level of users. Organizations determine the content of literacy training and awareness based on specific organizational requirements, the systems to which personnel have authorized access, and work environments.
Source Controls:
AT-2 LITERACY TRAINING AND AWARENESS
Audit and Accountability (AU):
AU refers to a business maintaining a record of who is performing actions in the environment, when and how, down to the individual user level. This family focuses on your record keeping of access to your IT systems and your ability to identify any unauthorized access.
Source Controls:
AU-2 EVENT LOGGING
Configuration Management (CM):
CM requests organizations to establish and maintain baseline configurations for their systems, and to track changes to those configurations over time. This includes maintaining an inventory of hardware and software assets, as well as documenting the configuration settings for each system.
Source Controls:
CM-2 BASELINE CONFIGURATION
Identification and Authentication (IA):
IA addresses the processes and mechanisms for uniquely identifying and authenticating a system user, and associate that unique identification with processes acting on behalf of those users. The unique identification and authentication of users applies to all system accesses.
Source Controls:
IA-2 IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS)
IA-11 RE-AUTHENTICATION
Incident Response (IR):
IR focuses on establishing effective incident response capabilities, including detection, reporting, analysis, containment, and recovery procedures.
Source Controls:
IR-4 INCIDENT HANDLING
IR-8 INCIDENT RESPONSE PLAN
Maintenance (MA):
MA encompasses ongoing care and support of information systems, including system updates, vulnerability management, and configuration changes. Approving, controlling, monitoring, and reviewing maintenance tools address security-related issues associated with the tools that are used for diagnostic and repair actions on the system.
Source Controls:
MA-3 MAINTENANCE TOOLS (MA-3, MA-3(1), MA-3(2), MA-3(3))
Media Protection (MP):
MP emphasizes safeguarding physical and digital media containing CUI through access control, marking, storage, transportation, and proper disposal.
Source Controls:
MP-4 MEDIA STORAGE
Personnel Security (PS):
PS addresses personnel screening, training, and supervision to mitigate the risk of insider threats and unauthorized disclosures.
Source Controls:
PS-3 PERSONNEL SCREENING
Physical Protection (PE):
PE involves protecting physical assets by developing, approving and maintaining a list of individuals with authorized access. Physical access authorizations apply to employees and visitors.
Source Controls:
PE-2 PHYSICAL ACCESS AUTHORIZATIONS
Risk Assessment (RA):
RA entails identifying, analyzing, evaluating and managing risks to organizational assets, and individuals resulting from the operation of an information system. Used to identify and prioritize risks to the confidentiality, integrity, and availability of Controlled Unclassified Information (CUI) that is processed, stored, or transmitted by an information system.
Source Controls:
RA-3 RISK ASSESSMENT (RA-3, RA-3(1), SR-6)
Security Assessment and Monitoring (CA):
CA focuses on evaluating the effectiveness and desired outcome of security controls and overall security posture through assessments, documentation, and vulnerability remediation.
Source Controls:
CA-2 CONTROL ASSESSMENTS
System and Communications Protection (SC):
SC aims to protect information systems and communications through boundary protection, encryption, and network monitoring.
Source Controls:
SC-7 BOUNDARY PROTECTION
System and Information Integrity (SI):
SI outlines the security requirements for ensuring the confidentiality, integrity, and availability of information systems and data. A key requirement in this category is the need to identify, report, and correct system flaws in a timely manner.
Source Controls:
SI-2 FLAW REMEDIATION
Planning (PL):
PL discusses the security requirements for ensuring that information systems are developed and maintained in a secure manner. A key requirement is to develop and maintain a system security plan that that provides protection from malicious code at designated locations within organizational systems.
Source Controls:
AC-1, AT-1, AU-1, CA-1, CM-1, IA-1, IR-1, MA-1, MP-1, PE-1, PL-1, PS-1, 2141 RA-1, SA-1, SC-1, SI-1, SR-1
System and Services Acquisition (SA):
SA involves the process of acquiring, developing, and maintaining information systems and services in a secure and reliable manner. This includes activities such as system development, procurement, testing, and deployment, with a focus on minimizing risks, verifying the integrity of acquired systems, and ensuring their secure operation throughout their lifecycle.
Source Controls:
SA-8 SECURITY AND PRIVACY ENGINEERING PRINCIPLES
Supply Chain Risk Management (SR):
SR ensures that the entire supply chain, including external entities, follow appropriate security measures to protect CUI from unauthorized access, tampering, or compromise. This is done by developing a plan for managing supply chain risks associated with the development,
manufacturing, acquisition, delivery, operations, maintenance, and disposal of the system,
system components, or system services establish a process or processes for identifying and addressing weaknesses or deficiencies in the supply chain elements and processes.
Source Controls:
SR-2 SUPPLY CHAIN RISK MANAGEMENT PLAN
NIST hardening standards:
NIST hardening standards refer to the guidelines and best practices for specific configuration settings and controls to mitigate vulnerabilities. For instance, NIST SP 800-53 recommends implementing strong access controls, such as two-factor authentication and role-based access, to restrict unauthorized access. It also mandates the use of encryption protocols like Transport Layer Security TLS for securing network communications. Additionally, NIST SP 800-171 specifies requirements for secure configuration management, including disabling unnecessary services, applying patches promptly, and configuring systems to enforce strong password policies. These standards also emphasize the importance of auditing and monitoring, requiring organizations to implement centralized logging, intrusion detection systems, and security event monitoring to detect and respond to potential security incidents.
CalCom Hardening Suite (CHS) automates NIST hardening standards and is a valuable tool that simplifies and streamlines the process of implementing and maintaining NIST security framework. A centralized platform assesses system compliance with NIST standards, identify gaps, and automates the implementation of recommended security configurations. The software automates the learning and evaluation of systems, identifies vulnerabilities, and suggests appropriate remediation actions to align with NIST standards. By leveraging such software, organizations can effectively streamline the hardening process, reduce human errors, and maintain a strong security posture in accordance with NIST hardening standards.
