NIST Compliance: How to Address Challenging Components 

New guidelines governing the transmission, storage and use of protected data create compliance challenges for companies and contractors looking to do business with federal and state agencies.

Companies wanting to continue to do business with certain federal departments and agencies have just a few months to ensure that their cybersecurity protocols are up to par.

That’s because of the December 31st deadline for companies to demonstrate compliance with new guidelines prepared by the National Institute of Standards and Technology (NIST). NIST is a non-regulatory federal agency that focuses on driving innovation and economic competitiveness for U.S.-based companies in science and technology industries.

NIST develops the technologies, standards and metrics that federal agencies use to protect their information systems and data, including the security-control standards those agencies are required to follow.

Specifically, the NIST guidelines require contractors, businesses or individuals that work with or for federal or state agencies to have documented system controls in place for handling controlled unclassified information (CUI). Federal agencies often share this type of information with business partners and collaborators, and the new guidelines are intended to keep that data safeguarded.

14 Categories of Controls

The guidelines require those working with federal agencies to demonstrate compliance with 14 different categories of process and control.

  1. Access Control. This guideline ensures partners limit system access to authorized users only.
  2. Awareness and Training. Companies must ensure that employees are aware of risks to information security and must provide adequate training to minimize that risk.
  3. Audit and Accountability. System logs, which track access to critical information and processes, are essential. These guidelines ensure the proper creation, protection, retention, and review of those logs.
  4. Configuration Management. Baseline system configurations need to be recorded, as do change management protocols that are robust and focus on protection.
  5. Identification and Authentication. Identification is a critical component of system security and prevents unauthorized access. These requirements govern how central and multi-factor authentication and access to system resources are managed.
  6. Incident Response. In the case of an issue with access, theft or corruption of data, companies need operational procedures that guide detection, analysis, containment, recovery, and response, as well as preparation ahead of an incident.
  7. Maintenance. These requirements ensure that there are standard maintenance protocols so that upgrades and corrective actions do not compromise data.
  8. Media Protection. Any media containing CUI needs to be properly sanitized and destroyed.
  9. Personnel Security. Companies need to have systems and procedures in place that screen individuals before they are granted access to systems containing CUI.
  10. Physical Protection. In addition to controlling digital access, companies also must ensure that physical access to system hardware and storage is limited and that security measures are in place.
  11. Risk Assessment. Doing work with federal agencies requires organizations to conduct an assessment of the operational risks to the transmission, processing, and storage of CUI.
  12. Security Assessment. Companies need to assess the security controls in place and have plans to address deficiencies to limit
  13. System and Communication Protection. Organizations must demonstrate the use of secure design principles in system architecture and in the software development life cycle.
  14. System and Information Security. Monitoring tools must be in place to alert companies to system vulnerabilities and flaws.

Within those 14 broad categories are more than 100 specific controls that must be documented and in place by the end of 2017.

Risk of Non-Compliance

For any company that processes, stores or transmits the potentially sensitive information governed by the NIST guidelines, the risks of non-compliance are significant. Federal and state agencies can sever contracts with non-compliant partners. Companies wanting to establish compliance need to act quickly to meet the federal deadline.

Companies need to ask themselves several questions, including:

  • What vulnerabilities exist within our systems and processes?
  • How will we address those vulnerabilities?
  • What training is necessary for our staff, vendors, and clients?
  • How will we maintain compliance on an ongoing basis?

While all the NIST compliance elements are critical, there are some that are more challenging for many companies. Here’s a closer look at three of the most complicated aspects of the guidelines.

Encryption. Encryption comes into play in two of the 14 categories: Access Control and Identification and Authentication.

Under Access Control, the guidelines state that wireless access to systems needs to be protected using encryption. In addition, any data used or stored on mobile devices must also be encrypted. An Identification and Authentication guideline calls for stored and transmitted passwords to be encrypted as well.

Companies will need to use validated cryptography tools. Their existing system designs may be flawed, in which case third-party assistance is needed to ensure proper encryption procedures.
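The password requirement above is the one of these three that can be shown in code. The following is an added example, not code from the original post or from Compunet: it assumes the page's "encrypted" passwords correspond to the NIST SP 800-171 requirement to store and transmit only cryptographically protected passwords, and it implements the storage half with a salted, iterated one-way hash (PBKDF2-HMAC-SHA256 from Python's standard library) rather than reversible encryption, which is how that control is normally satisfied in practice. The iteration count and sizes are hypothetical policy values. Protecting passwords in transit is a separate matter (TLS on the login channel) and is not shown.

```python
import hashlib
import hmac
import os

# Work-factor and size parameters. These are hypothetical policy values chosen for
# the example; an organization's own cryptographic policy sets the real ones.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16
DERIVED_KEY_BYTES = 32


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Derive a salted, iterated one-way hash of the password and return it as a
    self-describing record: 'pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>'.
    The plaintext password is never part of the record."""
    salt = os.urandom(SALT_BYTES)
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DERIVED_KEY_BYTES
    )
    return f"pbkdf2_sha256${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the record's own salt and iteration count and compare
    in constant time; a malformed record and a wrong password both return False."""
    try:
        algorithm, iterations_text, salt_hex, hash_hex = record.split("$")
        if algorithm != "pbkdf2_sha256":
            return False
        iterations = int(iterations_text)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False
    if iterations <= 0 or not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    return hmac.compare_digest(candidate, expected)


def needs_rehash(record: str, minimum_iterations: int = PBKDF2_ITERATIONS) -> bool:
    """True when a stored record was produced with a weaker work factor than the
    current policy requires, so it can be upgraded at the user's next successful login."""
    try:
        algorithm, iterations_text, _salt, _hash = record.split("$")
        return algorithm != "pbkdf2_sha256" or int(iterations_text) < minimum_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

Two design points matter for the "validated cryptography" requirement in the paragraph above. First, the record carries its own parameters, so the work factor can be raised later and old records upgraded on login via `needs_rehash` without a mass password reset. Second, `hashlib` delegates PBKDF2 to the platform's OpenSSL build; whether that build is a FIPS-validated module is a deployment question that the code cannot answer by itself and that an assessor will ask.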

Incident Response and Reporting. In addition to the operational procedures detailed above, the NIST guidelines require companies to track, document and report incidents to the proper authorities or authorized personnel, both inside and outside the organization. Testing must also be done regularly to ensure compliance with the defined guidelines.

For example, Department of Defense guidelines cover even a potential compromise. Within 72 hours of a potential issue being identified, a contractor must review the evidence and report the findings of that review to the agency. These mandates mean that companies need a well-defined plan and a response team ready to activate and execute promptly.

Continuous Monitoring. While continuous monitoring is not one of the 14 broad categories, there are 10 different controls that require ongoing monitoring and investigation. Monitoring obligations appear in remote access sessions, user-installed software, physical location and infrastructure, visitor activity, use of mobile code, voice over internet protocol (VoIP) tools, and inbound and outbound communication traffic.

The volume of required monitoring can trip up companies seeking compliance, driving some organizations to outsource the monitoring required by the NIST guidelines.
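Two of the monitoring areas named above, remote access sessions and user-installed software, can be reviewed automatically from the logs a company already collects. The following is an added example, not code from the original post or from Compunet: it runs a small set of review rules over a constructed log in a made-up format, and the approved network range, approved installer list and maximum session length are hypothetical policy values standing in for what an organization's own system security plan would specify.

```python
import ipaddress
from datetime import datetime, timedelta

# Hypothetical policy values for this example; the real ones come from the
# organization's system security plan and access-control policy.
APPROVED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # RFC 5737 documentation range
APPROVED_INSTALLERS = {"it-admin"}
MAX_SESSION = timedelta(hours=8)

# Constructed sample log in a made-up format:
# "<ISO-8601 timestamp> <user> <source IP> <event> <detail>"
SAMPLE_LOG = """\
2023-11-06T08:02:11 alice 203.0.113.15 vpn_connect -
2023-11-06T08:05:40 alice 203.0.113.15 software_install notepad-plus-plus
2023-11-06T09:00:00 bob 198.51.100.7 vpn_connect -
2023-11-06T09:30:00 bob 198.51.100.7 vpn_disconnect -
2023-11-06T17:10:00 alice 203.0.113.15 vpn_disconnect -
2023-11-06T18:00:00 it-admin 203.0.113.9 software_install edr-agent
2023-11-06T19:00:00 carol 203.0.113.22 vpn_connect -
"""


def parse_log(text):
    """Parse the constructed format into event dicts. Blank or malformed lines are
    skipped rather than allowed to abort the whole review."""
    events = []
    for line in text.splitlines():
        parts = line.split(maxsplit=4)
        if len(parts) != 5:
            continue
        ts, user, src, event, detail = parts
        try:
            events.append({
                "ts": datetime.fromisoformat(ts),
                "user": user,
                "src": ipaddress.ip_address(src),
                "event": event,
                "detail": detail,
            })
        except ValueError:
            continue
    return events


def from_approved_network(ip):
    return any(ip in network for network in APPROVED_NETWORKS)


def review_sessions(text):
    """Return findings as (kind, user, detail) tuples in time order.
    Kinds: unapproved_source, session_too_long, unapproved_install, session_still_open."""
    findings = []
    open_sessions = {}  # user -> the connect event that opened the session
    for e in sorted(parse_log(text), key=lambda ev: ev["ts"]):
        if e["event"] == "vpn_connect":
            if not from_approved_network(e["src"]):
                findings.append(("unapproved_source", e["user"], str(e["src"])))
            open_sessions[e["user"]] = e
        elif e["event"] == "vpn_disconnect":
            start = open_sessions.pop(e["user"], None)
            if start is not None and e["ts"] - start["ts"] > MAX_SESSION:
                findings.append(("session_too_long", e["user"], str(e["ts"] - start["ts"])))
        elif e["event"] == "software_install":
            if e["user"] not in APPROVED_INSTALLERS:
                findings.append(("unapproved_install", e["user"], e["detail"]))
    # A connect with no matching disconnect by the end of the reviewed window is
    # still open and needs a human look.
    for user, start in open_sessions.items():
        findings.append(("session_still_open", user, start["ts"].isoformat()))
    return findings


if __name__ == "__main__":
    for kind, user, detail in review_sessions(SAMPLE_LOG):
        print(f"{kind:20} {user:10} {detail}")
```

Each finding is tagged with the kind of rule that fired, so the output can be routed to the incident response procedure described earlier and kept as part of the audit record the Audit and Accountability family asks for. The sample produces four findings: a user-installed package, a connection from outside the approved range, a session that ran past the maximum, and a session still open at the end of the window.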

Companies that want to maintain good working relationships with agencies will need some assistance to ensure compliance prior to the December 31st deadline and on an ongoing basis. Without documentation and procedures in place, companies that rely on work with key agencies will find themselves on the outside looking in.
