NIST 800-171: Time to Make a Change (Part 1)
In December 2016, the world met the twenty-first century's Rasputin.
This Rasputin was very different from the one the twentieth century knew, but the two had two things in common: both were Russian (the modern one at least Russian-speaking), and both infiltrated powerful networks holding a wealth of information. The twentieth-century Rasputin infiltrated the Russian royal family; the twenty-first-century Rasputin infiltrated the networks of some sixty universities as well as federal, state, and local U.S. government agencies.
The Rasputin we know now was able to breach so many networks, and have the impact he did, through SQL injection. For those unfamiliar with it, SQL injection occurs when a web application builds a database query by pasting user-supplied input directly into the SQL text. An attacker who supplies input containing SQL syntax (a stray quote, an OR clause, a comment marker) changes the structure of the statement, so the database executes the attacker's instructions instead of treating the input as plain data.
The consequences of such an attack include unauthorized access to information, deletion or manipulation of important records, and in some cases the attainment of administrative rights and the ability to perform privileged actions.
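To make the mechanism concrete, here is an added example (not code from the article, and not the payloads or targets attributed to Rasputin, which the article does not detail). It builds a small in-memory SQLite table of hypothetical users, shows a login query that concatenates user input into the SQL string, and then the same query written with bound parameters. The table contents and the `' OR '1'='1` payload are constructed for illustration.

```python
import sqlite3


def make_db():
    """Create an in-memory database with constructed sample users (hypothetical data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, password TEXT, role TEXT)"
    )
    # Plaintext passwords are used only to keep the example short; a real system
    # stores salted hashes. The point here is how the query is built, not storage.
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "admin"), ("bob", "battery staple", "user")],
    )
    conn.commit()
    return conn


def login_vulnerable(conn, username, password):
    """Vulnerable: user input is pasted straight into the SQL text.

    A single quote in the input closes the string literal, and whatever follows
    is parsed as SQL. With password = "' OR '1'='1" the WHERE clause becomes
        username = 'x' AND password = '' OR '1'='1'
    which, because AND binds tighter than OR, is true for every row.
    """
    query = (
        "SELECT username, role FROM users "
        f"WHERE username = '{username}' AND password = '{password}' "
        "ORDER BY username"
    )
    return conn.execute(query).fetchall()


def login_safe(conn, username, password):
    """Hardened: placeholders keep the SQL structure fixed.

    The driver sends the values separately from the statement, so the quote
    and OR in the payload are compared as literal characters in the password
    column and never reach the SQL parser.
    """
    query = (
        "SELECT username, role FROM users "
        "WHERE username = ? AND password = ? ORDER BY username"
    )
    return conn.execute(query, (username, password)).fetchall()


# Constructed attack input: closes the literal and appends an always-true clause.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", login_vulnerable(db, "nobody", PAYLOAD))  # every user
    print("safe:      ", login_safe(db, "nobody", PAYLOAD))         # no rows
    print("legit:     ", login_safe(db, "alice", "correct horse"))  # alice only
```

The vulnerable function returns every row for a username that does not exist, which is exactly the "unauthorized access" outcome described above; the parameterized version returns nothing for the same input and still authenticates a real user. Bound parameters (or an ORM that uses them) are the fix; escaping quotes by hand is not, because the escaping rules differ between databases and are easy to get wrong.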
Ultimately, it is because of attackers like Rasputin that the U.S. needed to change the way it protects information.
It all began with Controlled Unclassified Information, otherwise known as CUI. CUI is information that the federal government creates or possesses, or that a contractor creates or handles on the government's behalf, which a law, regulation, or government-wide policy requires to be safeguarded or dissemination-controlled, but which is not classified. Because sensitive yet unclassified information such as health records, proprietary information, legal proceedings, technical research, and personally identifiable information (PII) is routinely exchanged between agencies and non-government entities such as contractors and universities, some form of protection had to be implemented.
In November 2010, President Obama signed Executive Order 13556, which established the CUI program to standardize how the executive branch handles this category of unclassified information. The Defense Federal Acquisition Regulation Supplement, also known as DFARS, then adopted NIST SP 800-171 as the required safeguarding standard through clause 252.204-7012 (interim rules in 2015, with the final rule published in October 2016). DFARS is a defense-specific regulation whose contents must be adhered to by those contracted by the Department of Defense (DoD) or funded by it, and the security requirements in NIST 800-171 are what that clause measures a contractor's compliance against.
NIST SP 800-171, titled "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations", is a NIST special publication rather than a regulation in its own right: it provides the security requirements for managing, controlling, and protecting CUI in non-federal networks and systems. Revision 1 comprises 110 security requirements (the original 2015 publication listed 109) drawn from 14 families such as access control, awareness and training, incident response, media protection, and security assessment.
Organizations that fail to reach compliance could experience contract challenges, loss of award or funding, or become ineligible to compete for future federal government contracts. Inaccurately reporting compliance status also carries the potential for fraud charges and criminal penalties. The ultimate consequence of not achieving full compliance, however, comes when a Rasputin, or one of the many others like him, leverages the network's vulnerabilities to not only steal valued information but leave the victim organization with a mess that is expensive and difficult to recover from.
NIST 800-171 was therefore established not only to keep sensitive information secure, but also to protect private organizations and, ultimately, the government.
Read more in Part 2 about the specific costs organizations end up facing if their networks are compromised.