NIST computer scientist urges documentation of information systems
Records of protocols and user access are essential to obtain DOD contracts
Patricia Toth, supervisory computer scientist at the National Institute of Standards and Technology
Companies interested in contracting with the federal government in the defense and homeland security supply chain must have documented cybersecurity protocols in place, including records of which employees are allowed to make changes to the systems, says Patricia Toth, supervisory computer scientist at the National Institute of Standards and Technology.
Toth was the featured speaker at the DFARS Cybersecurity Conference, held on June 29 at Nashua Community College. The event was co-sponsored by the New Hampshire Government Contracting Assistance Center and NH Manufacturing Extension Partnership to better inform companies of a Dec. 31 deadline for NIST Standard Protocol 800-171.
As part of NIST’s Computer Security Division, Toth was one of the architects for 171.
Small businesses that have contracted with the U.S. Department of Defense were familiar with the traditional 853 standard protocol, which requires confidentiality of information shared.
“In developing 171, what we did was took the set of security controls from 853 and pulled out all the ones dealing with confidentiality, set aside the ones dealing with integrity and accessibility, and that’s how we got the 110 controls that are currently in 800-171,” explained Toth. “If you go back to 853, there’s 300 different controls, so this is a smaller subset. Some people call it 53 light, so we have made some progress in making this easier for you to comply with.”
171 focuses on the control of sensitive but unclassified information, also referred to as SBU. Toth told companies to look for markings such as “no foreign dissemination” or “official use only” to determine what information fell under this definition and must be protected.
“And the reason why we want you to protect it is, over time all of this information was flowing out to DOD across the manufacturing community, and there was no standard process of how to protect it,” said Toth to an audience of 160 business people. “So there were folks like yourselves, small business people, manufacturers, federal contractors, universities, colleges, state and local government, all of these people had this type of information but it wasn’t being protected consistently across all of these areas, so 171 attempts to build in that consistency and have a set of protocols in place so the government can be assured this type of information is being protected everywhere.”
Most companies will have some of these safeguards in place already. Toth said about 60 percent of small businesses currently working with the federal government already have 171 in place, but need a training plan and documentation. She also called the requirement flexible, encouraging companies to explain how their controls are as effective as the controls recommended in 171.
“So fairly easy requirements, it’s just the documentation you may need to work on,” said Toth.
Companies must identify who is in charge of the information system, document an inventory of all hardware systems and update it when configuration changes are made, analyze the impact of changes to the system before they are made, define system boundaries, provide annual cybersecurity training, train new employees on information system protocols, document employee access to the system – not everyone should have access to sensitive material or be able to make system changes – and have a protection plan in place.
“As your company grows, you need to start looking at your information systems a little differently. You need to build in some of that maturity,” said Toth. “You need to do that separation of duties and implementing least privilege, defining roles within your users and what they’re allowed access to.”
She stressed that a system security plan is the most important requirement within 171, and that a company informing the DOD of how it planned to put the 109 other controls in place would still be considered compliant.
Companies seeking assistance building a security assessment could access the ICS-CERT tool on the Department of Homeland Security's website, though Toth warned some small businesses found it clunky.
“What DOD wants is that documentation of how you’re going to get there,” said Toth.
“If you do all of those things, it doesn’t mean you’re secure. There’s no guarantee with this. We know one of your employees could click on that link and introduce some kind of malware onto your systems. What this is demonstrating is you’re making an effort to improve the security of resistance,” said Toth. But again she reminded the crowd, “If you haven’t started 171 compliance, do it now. It’s not necessarily difficult, but it can be time consuming.”