Organizations doing business with the U.S. Government, or planning to do so, must consider the potential for increased cybersecurity requirements. Contracts that include the creation, communication and/or storage of controlled unclassified information (CUI) are specifically encumbered by the requirements described in NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. Additional controls may be imposed if the contract serves the Department of Defense and includes covered defense information. These additional measures are outlined in DFARS Clause 252.204-7012: Safeguarding Covered Defense Information and Cyber Incident Reporting.
Note: NIST recently released draft Special Publication 800-171B: Enhanced Security Requirements for Critical Programs and High Value Assets, which includes additional control requirements for CUI/CDI deemed especially sensitive or critical.
Security Controls Required
NIST SP 800-171 contains 14 families (categories) and 110 security controls (NIST SP 800-171B adds another 33). Each control measure is important in its own right, and together they all contribute to raising the security level of the information technology architecture so protected. This is, in fact, the intent. While no system can be invulnerable, by implementing complementary measures we protect information, systems and people at a much higher level than would be possible without them.
The above requirements, while possibly compulsory depending on contract, are beneficial to all businesses and markets. Certainly, commercial operations benefit by implementing them, or suffer catastrophe if they choose not to. Banks, hotels, restaurants, department stores and online services have all revealed how vulnerable our systems can be and the havoc that can be caused when they’re exploited.
MFA Increases Security
Let’s take one control as an example: Multifactor Authentication (MFA). MFA is an authentication mechanism in which more than a single piece of evidence is used as proof of identity. We all maintain passwords to access our digital environment, but passwords are notoriously vulnerable for a number of reasons. Adding another piece of evidence, such as a security dongle, security card or application-generated code, makes it far more likely that the requestor’s claimed identity is genuine.
MFA is, in fact, a required control in NIST SP 800-171, item 3.5.3: “Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts”. So, we’re requiring additional proof, beyond a password, that who or what is requesting access is who or what they say they are. This proof can take many forms, such as those described above, or perhaps biometric factors like fingerprints, irises or facial recognition. There are many commercial solutions available that meet this need.
Not Just for Government Work
For many small businesses, this talk of security controls, and then even more security controls, may appear burdensome and onerous. In reality, most represent good cybersecurity practices that are embraced throughout industry. As an example, the Payment Card Industry Data Security Standard (PCI-DSS) includes many of the same controls for businesses taking payments, including online processing; MFA in particular is specified in requirement 8.3 of that standard. What this shows is that appropriate security measures are important for successful business operations, not just those in one particular market sector.
Our personal accounts also benefit from the addition of MFA to our authentication procedures. With the number of Facebook, Twitter, Instagram, email and other social media compromises, it seems prudent at least to protect ourselves and our families. For a reference list of services that support MFA, look here: https://twofactorauth.org.
Assured Bridge incorporates multifactor authentication in all our products and services, not just for customers but for our own administration, development and support teams. This helps to protect people, systems, data, contracts and operations as part of a robust cybersecurity architecture. We’re here to help; feel free to call or email for more information.