Compliance Q&A: 10 things you need to know about DFARS/NIST 800-171 compliance

If you missed the recent NIST/DFARS 800-171 webinar, or would simply rather digest the information in written form, I’ve compiled all the key talking points covered during the Avecto/McAfee session into a neat Q&A format.

This blog covers key questions around the necessary steps in achieving compliance with the latest Defense Federal Acquisition Regulation Supplement (DFARS) and the National Institute of Standards & Technology (NIST) Special Publication 800-171.

Why is this so important? Well, those who fail to comply will likely lose government contracts, whereas organizations able to demonstrate compliance at an early stage may be in a better position to secure additional wins.

Let’s take a closer look at how you can avoid compliance failure, saving your company a lot of time and money in the process…

1. What exactly is the definition of DFAR and NIST SP 800-171 regulations, who does it affect, and why is it such a big focus?

Back in December, 2015, the U.S. (DOD) published a three-page interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS) that gives government contractors a deadline to implement the requirements of the (NIST) Special Publication.

NIST is a measurement standards lab and a non-regulated part of the department of commerce. In terms of their contribution to Cyber Security – they’ve created a framework that many private sector organizations follow to prevent, detect and respond to attacks.

The requirements that have been put together are really aimed to protect the Controlled Unclassified Information (CUI) when it resides in non-federal systems and organizations.

This means that if you’re a government contractor, failure to meet these requirements could result in the loss of your contracts and make you ineligible to bid on new ones.

2. What does the NIST SP 800-171 guidance require a contractor to do in order to be in compliance?

This draft is designed to ensure that external organizations are meeting a minimum-security level so that Controlled Unclassified Info (CUI) data that resides within their environment is safe from malicious actors.

CUI is classified as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies”.

The DFARS requirements that have been included are effective and relevant as they are not based on vendor marketing budgets.

Climbing the compliance mountain needn't be a struggle with Defendpoint.

3. What might be the impact to those contractors who fail to comply?

Those who fail to comply will likely lose government contracts, whereas organizations able to demonstrate compliance at an early stage may be in a better position to secure additional wins.

Cyber Incidents have risen by nearly 40% in the last 3 years at of cost of an estimated $400 billion. What everybody unanimously agrees upon is that the DOD needs assistance from its contractors to be successful in its mission and that they’d be making no changes to the December 31st deadline.

4. What are the specific controls that must be implemented because of this order?

The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems.

The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.

Starting with the FIPS Publication 200 security requirements and the security controls in the moderate baseline (i.e., the minimum level of protection required for CUI in federal information systems and organizations), the requirements and controls are tailored to eliminate requirements, controls, or parts of controls that don’t apply.

5. How does privilege management and application control align or map to the 800-171 controls/guidance?

Privilege Management and Application Control map to many of the different controls within the guidelines – and it’s hardly surprising given the proven effectiveness of the two security controls when combined with the visibility it provides.

To summarize, Privilege Management allows admin rights to be applied to applications as needed, rather than giving the user too much access. Application Control is the part that allows us to allow list or block list an application from running at all.

The great thing about these two technologies together is that they’re great “bang-for-the-buck”. Between them, they overlap to address controls in Access Control, Audit & Accountability, Configuration Management, Maintenance, and System & Information Integrity.

The privilege management part of Defendpoint addresses Access Control, Configuration Management as well as System & Information Integrity.

6. Why are these areas so challenging for cyber defenders?

Defendpoint ultimately allows users to do their job effectively, without constantly hitting roadblocks like User Account Control, but prevents them from making system wide changes, removing corporate applications and security software which in turn allows organizations to build and maintain a trusted endpoint.

7. How does Defendpoint interoperate with the McAfee Portfolio capabilities?

The great news for McAfee customers is that Defendpoint is totally integrated into McAfee ePO which means no new infrastructure to get started.

For those McAfee customers that have adopted it – it even leverages the Data Exchange Layer (TIE/DXL) to correlate Threat Intelligence for things that are executing throughout the environment. From policy management, agent roll out and reporting – it’s all done through ePO.

"Taking away admin rights isn’t just limited to DFARS compliance, removing users access to admin accounts has been a solid industry recommendation for many years."

This fully integrated solution offers customers a single-pane-of-glass management console and architecture for operational ease. This helps to simplify implementations, getting projects completed in weeks – not months!

Because we’re using familiar tools and principles, it means that the ongoing management of Defendpoint is minimized and simplified - usually with little to no training for IT staff.

8. What would you recommend as a best practice for measuring and reporting success?

Auditing and accountability is one of the families in this DFARS 800-171 mandate.

A key challenge that organizations need to address is to consider what actually needs auditing.

Under DFARS compliance, you’re specifically required to audit any of unlawful, unauthorized, or inappropriate information system activity. This doesn’t mean recording every time somebody in the finance department opened calculator.

We recommend that you create a baseline of what is normal activity and record everything else – but of course this is all in the context of evaluating what this means to the CUI data that your organization holds.

Here’s a couple of very simple ones that are relevant for everyone. You need to be able to track:

• How many users are logging in with Admin, and how many are Standard Users?
• What are they doing when they are logged in?
• What applications are being installed by users?
• Which applications require extra privileges to run?

These data points (at a minimum) are essential to collate, because another of the DFARS mandates is that you must report any incidents directly to the DND, with as much supporting info as possible.

In summary, make sure the data you’re capturing is useful and relevant. And another point, review it often… not just when you think something is wrong.

9. How are other customers using the Avecto solution to address the NIST 800-171 requirements?

Many organizations we’ve helped explained that they felt they had a pretty good handle of managing most of their users, apart from the developers. It’s these advanced users that need a lot of access that are causing them to be non-compliant.

These are the users that legitimately need the extra access for certain tasks and applications, but there’s no native way of providing that fine-grained access in a way that fits within the mandate, and there’s even less options for tracking what they’re doing.

A lot of organizations we speak to have tried to remove their excess access but have failed. Taking away admin rights isn’t just limited to DFARS compliance, removing users access to admin accounts has been a solid industry recommendation for many years.

Secure all of your endpoints and become DFARS compliant, without hindering productivity.

We had one small aerospace organization who hadn’t been able to take away elevated access from their engineers and support staff that were manufacturing a small number parts for a government fighter jet.

They were in danger of not being able to bid on contracts in the future which was a direct threat to their bottom line, so they had to deal with these users quickly and effectively.

Using the Defendpoint Quick Start policy, they were able to take away their users elevated account overnight while making sure all their core tasks worked exactly the same as they did previously.

They were then able to put in a comprehensive exception handling process so that the users never felt restricted.

The key for them was the minimal overheads required once implemented because they ran a very lean shop. What they ended up with is a solution that requires less than 4hrs a month of ongoing management.

10. If there was one piece of advice to offer to an organization looking to get compliant in time for the deadline, what would you suggest?

It’s not too late! You still have time to act and set down a plan of action that will get you past the 31st of December deadline – Avecto and McAfee can help you do exactly that, by identifying where the key gaps in your compliance are and make an immediate plan to address them.

Need further help? Get in touch to discuss your specific requirements.