Blog Post

How to Set Up Your Supply Chain Management to Comply with Special Publication NIST 800-171 Compliance

If you’re a contractor or sub-contractor to governmental agencies and organizations, you’ve probably heard of the government’s new mandate by the National Institute of Standards and Technology, NIST Special Publication 800-171 titled Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations.

This special publication was created with the objective to protect information and communications technology (ICT) systems operated by the federal government and its contractors from cyber threats and attacks within the supply chain.

This mandate was designed to protect sensitive government information from being destroyed, compromised, or stolen while residing in or transiting through ICT systems as it’s shared between federal agencies and vendors.

It’s a very important piece of document & email security compliance in this day and age where cyber attacks are becoming more and more prevalent.

Image source: The Fiscal Times

Failure to adhere to the standards outlined in SP 800-171 may affect new and current federal contracts, and it’s the suppliers’ responsibility under the law to ensure compliance. In fact, all vendors that supply the Department of Defense (DoD) are required to become fully compliant by December 2017.


NIST SP 800-171 Compliance for Supply Chain Management

Chapter 3 of the document outlines the 14 families of security requirements for protecting the confidentiality of CUI in nonfederal information systems and organizations.

In this article, we’ll highlight the sections pertaining to the protection of documents, emails, and information to ensure that they’re secure both during storage and transit, and how to stay compliant:

1. Access Control

Section 3.1 requires suppliers to limit information system access to authorized users, processes acting on behalf of authorized users or devices, as well as the types of transactions and functions that authorized users are permitted to execute. The flow of CUI should be controlled in accordance with approved authorizations.

Vendors also need to prevent non-privileged users from executing privileged functions and audit the execution of such functions.

To stay compliant, you can follow a process to ensure that only personnel with the right credential can open a protected email or document to ensure that protected content is only accessible to identified and authorized personnel. Your system should maintain a complete audit trail to track all administrative actions taken.

You should set up your system such that administrators can control the creation and distribution of policies that govern controlled access to protected information.

When you select your platform, it’s worth noting that DLP (Data Loss Prevention) and CASB (DLP in the cloud) currently do not provide in-use protection.

2. Awareness and Training

Section 3.2 of the document requires that managers, systems administrators, and users of organizational information systems be made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.

To stay compliant, you need a platform that provides alerts, reports, and data tracking of all protected content to record all instances that the documents are being accessed, shared, edited, or stored.

The system should also support the delegation of administration to maintain a separation of duties for the creation, distribution, and management of security policies.

3. Audit and Accountability

Section 3.3 of NIST SP 800-171 requires the creation, protection, and retention of information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.

Vendors must ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

Suppliers should use automated mechanisms to integrate and correlate audit review, analysis, and reporting processes so they can investigate and respond to indications of inappropriate, suspicious, or unusual activity in a timely manner.

To stay compliant, you need a system that provides administrators with an easy-to-use dashboard that offers real-time alerts, reports, and data tracking on all protected content.

4. Configuration Management

Section 3.4 requires vendors to employ the principle of least functionality by configuring the information system to provide only essential capabilities.

Suppliers should also apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software — which help prevent unauthorized personnel from using screen scraping and screen sharing applications to extract information from protected content.

To adhere to the regulations, select a platform in which administrators can designate rights of access of protected content by individuals or groups based on specific roles within the organization for greater security and more flexibility.

5. Identification and Authentication

Section 3.5 of NIST SP 800-171 requires the ability to identify information system users, processes acting on behalf of users, or devices. Your system should be able to authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

To comply with this requirement, select a platform that allows for authentication, e.g. via PKI technology.


How to Choose a Cloud-Platform for Your Supply Chain Management

With the December 2017 deadline fast approaching, it can be overwhelming if you had to implement all these security measures on your own — which could require a large team of IT professionals and a sizable budget.

Thankfully, a reputable service provider who has experience working with government agencies and contractors will have the knowledge and expertise to help you set up a security protocol that’s compliant with NIST SP 800-0171.

This kind of “duty of care” is not only necessary to stay compliant but also applicable to most supply chain use cases so you can protect yourself as a manufacturer and supplier. For instance, it helps you safeguard your intellectual properties and other confidential information during the back-and-forth in the normal course of doing business.

Here are a few criteria for selecting your platform provider:

  • Understands the security protocols required for federal agencies and contractors.
  • Has extensive experience working with government agencies, contractors, and sub-contractors.
  • Ensures that all content is protected and encrypted both during transit and storage
  • Provides a dashboard so administrators can easily monitor all activities on all protected content in real-time and get alerted of suspicious access immediately.
  • Offers a complete audit trail to track all actions taken.
  • Offers protection on the actual documents and emails – not simply controlling access from individual devices.
  • Allows administrators to set up different levels of access to ensure that personnel can only access information relevant to their roles.
  • Provides on-going customer support to help you stay compliant with any new standard required by the government.

Here at GigaTrust™, we offer GigaCloud™, our Software as a Service (SaaS) solution for secure endpoint email and document collaboration. GigaCloud provides numerous features and functions to enterprise and government users. With GigaCloud, a redundant infrastructure is provided to persistently protect content (at rest, in transit, and in use) no matter how or where the content travels or is stored. The complexity disappears. All that is required for the user is to have installed the GigaCloud endpoint security software and they are up and running.

A specific feature of GigaCloud that readily addresses the NIST 800-171 requirements is our Data OverWatch Service which provides protection, measurement, auditing, tracking, and analytics of data content to our customers who supply government agencies.

Our team of experts is available to help you install and implement a secure data-sharing system so your company can become NIST SP 800-0171 compliant before the December 2017 deadline.