Reaching (all the way to) your NIST 800-171 compliance goals
If you’re a U.S. Department of Defense (DoD) contractor or you do work with GSA or NASA, you’re likely pretty familiar with NIST 800-171. If you’re not a contractor subject to NIST 800-171, congrats, this is one security framework you DON’T need to comply with. You can stop reading, grab a cup of coffee and focus on your NIST Cybersecurity Framework efforts instead.
NIST 800-171 has technically been in force since the start of 2018. And while you had to be compliant at the beginning of the year, you’re likely still looking to streamline your compliance and refine controls based on the evolving understanding of what NIST 800-171 means. You’re not alone: NIST even held a workshop in October on what Controlled Unclassified Information (CUI) is. Given that protecting CUI is at the core of NIST 800-171, it’s safe to assume things will be dynamic for some time to come.
A brief history of NIST 800-171
In a past life, I was the CISO for a DoD contractor. In particular, I was a CISO at a DoD contractor when the DFAR requirements were announced and we had to start preparing for compliance with NIST 800-171 by the end of 2017. I remember looking at 171 and thinking there were huge chunks of it that we, and most of our peers, had largely under control. Encryption requirements and other architectural security controls were well-traveled ground, and there were lots of vendors with well-tested products to close the compliance gap.
But then there were other controls, particularly around monitoring and operations, that weren’t easily solvable with off-the-shelf products. The Defense Industrial Base (DIB), in general, went through a cybersecurity revolution in the early 2010s, after they were hit with a wave of targeted attacks. But there was still a long way to go. Their technology investments needed a commensurate investment in services and people. That’s easier said than done. If you’ve ever worked in a professional services company (including defense contractors), you know how hard it is to hire people that can’t bill their time back to customers. Think IT, legal, finance and … oh yeah … security. It’d be easier to go climb Kilimanjaro than to stand up a 24x7 SOC. (If you’d like more info on setting up your own SOC, as well as the costs and challenges associated with it, check out our blog post, How much does it cost to build a 24x7 SOC.)
Understanding common NIST 800-171 compliance gaps
Like it or not, NIST 800-171 spells out a number of operational controls, which are hard to put in place without old-fashioned human beings. And you’ve got to have these controls in place to get your compliance crown (and pass your audit with flying colors). Most of them relate to monitoring. They include:
| Control | Requirement |
|---|---|
| 3.1.12 | Monitor and control remote access sessions |
| 3.3.3 | Review and update logged events |
| 3.3.5 | Correlate audit record review, analysis, and reporting processes for investigation and response to indications of unlawful, unauthorized, suspicious, or unusual activity |
| All of section 3.6 | Incident response |
| 3.14.3 | Monitor system security alerts and advisories and take action in response |
| 3.14.6 | Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks |
| 3.14.7 | Identify unauthorized use of organizational systems |
The details of each section are different, but the overall gist of all of these requirements is the same: you need someone to monitor your systems to look for bad things, respond to the bad things and then report on the bad things. The challenge for many organizations is the “someone” part. Identifying “who” exactly is going to monitor, respond and report often leads to a bunch of dead ends.
While it’s possible to automate a few things with some scripts and shoot texts and emails to IT staff at all hours of the night, that’s not really satisfying (or sustainable). From a compliance perspective, that kind of solution is riding the edge of auditor acceptability. Worse, if you stumble into a reportable incident and your client comes looking to see what happened, solutions like scripts and late-night emails aren’t going to be satisfying to them either. They’re going to wonder why nobody was looking.
Closing your compliance gaps without building a SOC
If you’re at a professional services company that does government contracting, you’ve made responsible investments in security technology and you’re staring at the 24x7 monitoring requirements in section three of NIST 800-171 wondering what to do, you’re in good company. Building a security operations center (SOC) and hiring a bunch of SOC analysts is about as likely as getting a sole source contract to run every federal network at every agency. So what should you do to get compliant?
The most obvious place to look is at managed service providers. By offloading your security operations to an MSSP or a managed detection and response (MDR) provider, you can address the operational needs of NIST 800-171 relatively quickly. Nine times out of … nine it’s generally easier to sign a service contract than it is to build your own SOC.
But choosing a provider isn’t always straightforward. Not all MSSPs and MDRs are created equal, and there are warning signs that an MSSP may not be right for you. However, while we’re admittedly a little biased, we feel that Expel is a great fit for organizations that are trying to get operational support for their NIST 800-171 needs. Here’s why.
We use your existing security technology
Unlike many other MSSPs and MDRs, we meet our customers where they are. We don’t require you to use a specific endpoint product or a specific SIEM (or even have a SIEM in the first place). We use what you use. Expel supports a large number of security vendors already, and if you use a technology we don’t yet support, let’s chat and see if we can integrate with it. You’ve made your investment in security technology. Let us help you realize more value from that investment.
We provide answers, not alerts
It’s a little cliche, but it’s really the words we live by here at Expel. When our analysts investigate something and notify you about an incident, it’s actually something you can transact on. Put another way … you won’t have to do your own analysis to figure out if it’s a “real” alert or determine what the impact might be. We do that for you. Further, we provide you with specific steps you need to take to remediate the issue. Really, you don’t need to think much about your security operations unless we notify you. And when we notify you, you’ll be well armed to deal with the issue at hand.
Onboarding is wicked fast!
Some MSSPs and MDRs require weeks to months to onboard new customers. There may even be a professional services team that shows up to “help” the process. Here at Expel, we’ve been focused on making onboarding as easy as possible from day one. We send you a VM, you install it, and then you provide API keys for your various security technologies. We take it from there. Onboarding with Expel is usually measured in hours, with our customers seeing tangible value within the first few days. If you feel like you have a compliance gap you need to close, we can help you close it as fast as you’re willing to move.
The pricing is straightforward
Life is too short to spend running around and around with a vendor about pricing. I’ve sat through enough color team meetings and responded to enough RFPs to know how valuable time is (and how infuriating wasted time can be). Here at Expel, we’ve made our pricing straightforward. No hidden costs, no last-minute “oh, that’ll be extra.” We collect all the info we need up front to quickly give you the complete breakdown you need. That should make your procurement people happy, which in general makes everyone happy.
We’re happy to chat about NIST 800-171 compliance and our service offerings. We’re security nerds like that.