Information System Maintenance and Compliance for CUI Protection

Maintenance Required

If you’re a small business working on a government contract that includes requirements for the protection of controlled unclassified information (CUI), it’s important to remember that remaining compliant is a continuous process. National Institute of Standards and Technology Special Publication 800-171 contains the guidelines for establishing and maintaining the security processes and controls that many contract terms require. These requirements include maintaining and updating the systems used in support of the contract efforts.

NIST SP 800-171 Revision 1: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Firmware, Software and Operating System Updates

Maintaining the security, trust and reliability of your information systems includes ensuring firmware, operating system and software updates are identified and applied to address newly identified weaknesses and vulnerabilities. The NIST SP 800-171 controls are grouped into families to help focus activities and efforts to implement and maintain an appropriate cybersecurity life cycle. Keeping systems up-to-date includes considerations from at least these three families:

  • 3.4 Configuration Management
  • 3.12 Security Assessment
  • 3.14 System and Information Integrity

Configuration management information helps by ensuring applicable systems and software are included in inventory and tracking systems, so we know which ones require updating. For businesses that embrace bring-your-own-device (BYOD) and remote work strategies, the additional devices those strategies introduce must be considered and included in asset inventories.

Security assessment informs maintenance through awareness of what updates are available, and where priorities lie based on risk.

System and information integrity benefits from these maintenance actions by minimizing risk and vulnerabilities to the data and systems requiring protection.

Establish a Maintenance Schedule

As with other business processes, security and compliance activities are continuous and cyclic; applying system updates and patches must be performed on a schedule commensurate with the risk and changes published by operating system and software vendors. For example, Microsoft has an established monthly release for important security updates, which normally occurs on the second Tuesday of each month.

Microsoft’s Monthly Patch Approach Explained

A maintenance and update plan that includes only monthly updates may not be sufficient to meet all security update needs. Some updates are released outside of established schedules based on their impact and severity. Your maintenance schedules must incorporate the possibility of ad-hoc updates in addition to following an established schedule. Security-cognizant personnel should identify the vendor and industry sources that provide early indicators of upcoming patches relevant to your inventories.
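The schedule logic described above (a regular second-Tuesday cycle, risk-based deadlines, and out-of-band advisories layered on top) is small enough to encode and run against an asset inventory. The script below is an added example written for this post; it is not Assured Bridge code and NIST SP 800-171 prescribes none of its specifics. The SLA days per risk tier, the inventory entries, and the advisory identifier ADV-EXAMPLE-001 are all constructed for illustration.

```python
from datetime import date, timedelta


def day(iso: str) -> date:
    """Small helper so constructed data can be written as ISO strings."""
    return date.fromisoformat(iso)


def patch_tuesday(year: int, month: int) -> date:
    """Second Tuesday of the month: Microsoft's regular security release day."""
    first = date(year, month, 1)
    days_to_tuesday = (1 - first.weekday()) % 7  # Monday == 0, Tuesday == 1
    return first + timedelta(days=days_to_tuesday + 7)


def latest_patch_tuesday(today: date) -> date:
    """Most recent Patch Tuesday on or before `today` (may fall in the prior month)."""
    this_month = patch_tuesday(today.year, today.month)
    if this_month <= today:
        return this_month
    year, month = (today.year - 1, 12) if today.month == 1 else (today.year, today.month - 1)
    return patch_tuesday(year, month)


# Assumed remediation windows (days after release) per risk/severity tier.
# These are illustrative; set them from your own risk assessment.
SLA_DAYS = {"high": 7, "medium": 14, "low": 30}

# Constructed asset inventory. BYOD and remote devices are listed too, so the
# check covers them; "products" is what an out-of-band advisory is matched on.
INVENTORY = [
    {"name": "ws-01", "risk": "high", "products": ["windows"], "last_patched": day("2024-03-13")},
    {"name": "ws-02", "risk": "medium", "byod": True, "products": ["windows"], "last_patched": day("2024-02-20")},
    {"name": "srv-01", "risk": "high", "products": ["windows", "vendor-x-agent"], "last_patched": day("2024-02-14")},
    {"name": "lap-03", "risk": "low", "products": ["windows"], "last_patched": day("2024-01-15")},
]

# Constructed out-of-band advisory (placeholder id), released outside the monthly cycle.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "product": "vendor-x-agent", "released": day("2024-03-01"), "severity": "high"},
]


def overdue_updates(inventory, advisories, today: date):
    """Return (asset, source, days_overdue) for every update past its SLA.

    An asset is considered missing a release when its last patch date is
    before that release; it is overdue once today is past release + SLA.
    """
    baseline = latest_patch_tuesday(today)
    findings = []
    for asset in inventory:
        # Regular cycle first, then any ad-hoc advisories for this asset's products.
        releases = [("patch-tuesday", baseline, asset["risk"])]
        releases += [
            (adv["id"], adv["released"], adv["severity"])
            for adv in advisories
            if adv["product"] in asset["products"]
        ]
        for source, released, tier in releases:
            due = released + timedelta(days=SLA_DAYS[tier])
            if asset["last_patched"] < released and today > due:
                findings.append((asset["name"], source, (today - due).days))
    return findings


def run_example(today_iso: str = "2024-03-20"):
    """Run the check on the constructed data for a given day."""
    return overdue_updates(INVENTORY, ADVISORIES, day(today_iso))


if __name__ == "__main__":
    for name, source, days in run_example():
        print(f"{name}: {source} overdue by {days} day(s)")
```

On the constructed data for 2024-03-20, ws-02 has missed the March Patch Tuesday but is still inside its 14-day window, lap-03 is inside its 30-day window, and srv-01 is flagged twice: one day past its high-tier deadline for the monthly cycle, and twelve days past the deadline for the out-of-band advisory. That second finding is the point of the passage above: a monthly-only plan would never have raised it.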

At Assured Bridge, our information system maintenance and update schedules are incorporated into our operations workflows and include updates identification, testing, staging and application each month. We also monitor vendor and industry sources to evaluate risk and impact of newly discovered weaknesses and vulnerabilities. By establishing and executing these maintenance routines, we ensure our service platforms, and your information systems and data, remain protected and compliant.

If you need assistance meeting the requirements of NIST SP 800-171, we are here to help.

With over 30 years of experience, Daniel Bjorklund is a dedicated information security practitioner and innovator. He serves as a principal at Assured Bridge, helping to mature and guide compliance-as-a-service and managed security service provider operations. Dan is also Chief Technologist at Sabine Solutions - a defense contractor, and owns a small cybersecurity consulting firm: Community Cyber. He is active in the startup and entrepreneurial communities in the Augusta, GA area, helping set firm cybersecurity foundations for new companies and efforts.

Dan is a current CISSP and holds a Master of Science degree in Information Assurance and Security and a Bachelor of Science degree in information technology. When not hunched in front of a computer, Dan can often be found above 3000 feet avoiding highway traffic, flying his airplane as a licensed pilot. He and his wife enjoy outdoor activities, biking, fishing and sightseeing in the Southeastern United States.