NIST Compliance
LBMC Cybersecurity has been in the IT security and compliance business for over 20 years. During that time we have built extensive experience with FISMA/NIST 800-53, and we have now extended that expertise to NIST 800-171 certification. All non-federal agencies that access Controlled Unclassified Information (CUI) and DoD Covered Defense Information require 800-171 certification.
Steps for Conducting a NIST Assessment
To ensure that our clients maintain a compliant state and a strong control environment, LBMC performs our NIST assessments using the following steps:
- Kickoff call: discuss contract logistics, validate the controls to be tested, confirm the on-site schedule, review the evidence request process, and answer any pre-engagement questions
- Document review
- Interviews with the individuals responsible for the control implementations to gain an understanding of the current processing environment
- Review of the NIST-prescribed controls and a site walkthrough
- Exit meeting and issuance of the final audit report
Does My Business Need to Comply with NIST?
If you are like the thousands of other government contractors struggling to understand compliance and how many resources it will take to become compliant, know that you are not alone! And don't worry: chances are you are already largely compliant.
Cybersecurity breaches are a common threat that seems almost normal in this day and age. However, our government, drawing on NIST's security expertise, continues to seek safer and more effective ways to protect our data. When determining the level of information security your organization should implement, the risk of your data being compromised should be the driving factor. Less obviously, lower-risk organizations are targets for the theft of confidential government information, and the federal government is now taking additional steps to safeguard their security.
A primary target for hackers is non-federal organizations that have access to federal data, including citizens' higher education, tax, and medical records. This type of information is of high value to malicious users looking either to directly exfiltrate it or to establish a foothold as a jumping-off point to larger federal agency targets. Additional organizations of interest are higher learning institutions that leverage government data for research, development, and/or government grants. Although data in transit must be protected under federal encryption requirements, the larger question that comes to mind is: what controls should be in place to also protect the data once it reaches the intended recipient? This is where NIST 800-171 comes into play. This standard was implemented to help fill the gaps in protecting Controlled Unclassified Information (CUI) on non-federal information systems.
CUI is defined as "information that law, regulation, or Government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended (Executive Order 13556)". So what does this long and complicated government definition actually mean?
If you are, for example, a government-supported contractor that has access to federal information systems or government data that isn't labeled as classified, or a university that uses medical insurance data for statistical research, you may have access to CUI as part of your contract and are therefore obligated to protect it. Any contractor that supports federal information systems and has access to CUI is potentially impacted by NIST SP 800-171, and CUI is not necessarily limited to original data records. It also applies to data that is collected, stored, and recorded in support of federal information systems. This includes project management, technical writing, system development, and consulting.
Differences Between NIST 800-171 and NIST 800-53
At a high level, the NIST SP 800-53 security standard is intended for internal use by the Federal Government and contains controls that often do not apply to a contractor's internal information system. NIST SP 800-53 provides federal organizations with the top-level requirements and is more specific to providing security and privacy controls for federal information systems and organizations.
NIST SP 800-171, on the other hand, applies to internal contractor information systems and provides a standardized set of requirements for all CUI security needs, allowing non-federal organizations to follow statutory and regulatory requirements by consistently implementing CUI safeguards. Additionally, many of the NIST SP 800-171 controls are about general security best practices for policy, process, and secure IT configuration, which means that in many ways NIST SP 800-171 is viewed as less complicated and easier to understand than its NIST SP 800-53 counterpart.
NIST SP 800-171 is unique in that it is tailored to eliminate FIPS 200 and NIST SP 800-53 requirements that are:
- Specific to government-owned systems
- Unrelated to CUI, or
- Expected to be satisfied without specification (i.e., policy and procedure controls).
NIST SP 800-171 includes just over a hundred controls broken across 14 control families and is more concise in nature, making implementation less complex for non-federal organizations.
One of the unique characteristics of NIST SP 800-171 is the flexibility non-federal organizations have in defining how requirements are implemented. The requirements do not mandate any specific technology solution, allowing contractors, if they choose, to use their existing systems to protect information rather than trying to adopt government-specific approaches. This is great news for organizations that already have mature systems in place and will likely mean that they will not have to "rip and replace" their existing security program.
Security requirements in NIST SP 800-171 are designed to protect CUI residing in contractor information systems while generally reducing the burden placed on contractors to maintain federal-centric processes and requirements. Compliance with NIST SP 800-171 should be viewed as an opportunity to be a good steward of government data, as well as an opportunity for these organizations to compete for federal opportunities that others may not qualify for.
Not All NIST Reports Are Created Equal
Our team members have extensive experience on your side of the desk in a variety of industries with security and compliance mandates. This client-side experience means that we understand how data moves between a user entity’s network and its service organizations. We help you achieve compliance while providing the insights your leaders and stakeholders need to make better business decisions.
Whether you are just getting started with NIST certification or have been compliant for years with another vendor, LBMC Cybersecurity can help you maintain NIST compliance in a complex environment.