If you’re a small business working on a government contract that includes requirements for protection of controlled unclassified information CUI, it’s important to remember that remaining compliant is a continuous process. National Institute of Standards and Technology Special Publication 800-171 contains the guidelines for establishing and maintaining the required security processes and controls inherent in many contract terms. These requirements include maintaining and updating the systems used in support of the contract efforts.
NIST SP 800-171 Revision 1: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Firmware, Software and Operating System Updates
Maintaining the security, trust and reliability of your information systems includes ensuring firmware, operating system and software updates are identified and applied to address newly identified weaknesses and vulnerabilities. The NIST SP 800-171 controls are grouped into families to help focus activities and efforts to implement and maintain an appropriate cybersecurity life cycle. Keeping systems up-to-date includes considerations from at least these three families:
- 3.4 Configuration Management
- 3.12 Security Assessment
- 3.14 System and Information Integrity
Configuration management information helps by ensuring applicable systems and software are included in inventory and tracking systems so we know which require updating. For businesses that embrace bring-your-own-device (BYOD) and remote work strategies, these complications must be considered and included in asset inventories.
Security assessment informs maintenance through awareness of what updates are available, and where priorities lie based on risk.
System and information integrity benefits from these maintenance actions by minimizing risk and vulnerabilities to the data and systems requiring protection.
Establish a Maintenance Schedule
As with other business processes, security and compliance activities are continuous and cyclic; applying system updates and patches must be performed on a schedule commensurate with the risk and changes published by operating system and software vendors. For example, Microsoft has an established monthly release for important security updates which normally occurs on the second Tuesday of each month.
A maintenance and update plan that includes monthly updates may not be sufficient to meet all security update needs. Some updates are release outside of established schedules based on their impact and severity. Your maintenance schedules must incorporate the possibility of ad-hoc updates in addition to following an established schedule. Security cognizant personnel should identify those vendor and industry sources that provide early indicators of upcoming patches relevant to your inventories.
At Assured Bridge, our information system maintenance and update schedules are incorporated into our operations workflows and include updates identification, testing, staging and application each month. We also monitor vendor and industry sources to evaluate risk and impact of newly discovered weaknesses and vulnerabilities. By establishing and executing these maintenance routines, we ensure our service platforms, and your information systems and data, remain protected and compliant.
If you need assistance meeting the requirements of NIST SP 800-171, we are here to help.