What is NIST 800-171 and how does it differ from NIST 800-53?
NIST SP 800-171 – "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations" provides guidance for protecting the confidentiality of Controlled Unclassified Information (CUI) residing in non-federal information systems and organizations. The publication is focused on information that is shared by federal agencies with a non-federal entity. If you are a contractor or sub-contractor to governmental agencies whereby CUI resides on your information systems, NIST-800-171 will impact you.
Cybercriminals regularly target federal data such as healthcare records, Social Security numbers, and more. It is vital that this information is protected when residing on non-federal information systems. NIST 800-171 has an implementation deadline of 12/31/2017, which has contractors scrambling.
Many of the controls contained within NIST 800-171 are based on NIST 800-53, but they are tailored to protect CUI in nonfederal information systems. There are 14 “families” of controls within NIST 800-171, but before we delve into those, we should probably discuss Controller Unclassified Information (CUI) and what it is.
There are several categories and subcategories of CUI, which you can be view here. You may be familiar with Sensitive but Unclassified (SBU) information—there were various categories that fell under SBU—but CUI replaces SBU and all its sub-categories. CUI is information which is not classified but in the federal government’s best interest to protect.
NIST 800-171 Requirements
As we mentioned above, there are 14 classes of controls within NIST 800-171. These are:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
We will now delve further into each of these categories and discuss the basic and derived security requirements where SolarWinds® products can help. Basic security requirements are high-level requirements, whereas derived requirements are the controls you need to put in place to meet the high-level objective of the basic requirements.
3.1 Access Control
3.1.1 – Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
3.1.2 – Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
This category limits access to systems to authorized users only and limits user activity to authorized functions only. There are a few areas within Access Control where our products can help, but many of these controls are implemented at the policy or device levels.
3.1.5 – Employ the principle of least privilege, including for specific security functions and privileged accounts.
SolarWinds Log & Event Manger (LEM) can audit deviations from least privilege—e.g., unauthorized file access and unexpected system access. Auditing can be done in real-time or via reports. LEM can also monitor Microsoft® Active Directory® (AD) for unexpected escalated privileges being assigned to a user.
3.1.6 – Use of non-privileged accounts when accessing non-security functions.
SolarWinds LEM can monitor privileged account usage and audit the use of privileged accounts for non-security functions.
3.1.7 – Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
Execution of privileged functions such as creating and modifying registry keys and editing system files can be audited in real-time or via reports in LEM. On the network device side, SolarWinds Network Configuration Manager (NCM) includes a change approval system which helps ensure that non-privileged users cannot execute privileged functions without approval from a privileged user.
3.1.8 – Limit unsuccessful logon attempts.
The number of logon attempts before lockout are generally set at the domain/system policy level, but LEM can confirm if the lockout policy is being enforced via reports/nDepth. LEM can also be used to report on unsuccessful logon attempts, as well as automatically lock a user account via the Active Response feature.
3.1.12 – Monitor and control remote access sessions.
LEM can monitor and report on remote logons. Correlation rules can be configured to alert and respond to unexpected remote access (e.g., access outside normal business hours). SolarWinds NCM can audit how remote access is configured on your network device, identify any configuration violations, and remediate accordingly.
3.1.21 – Limit use of organizational portable storage devices on external information systems.
LEM can audit and restrict usage of portable storage devices with its USB Defender feature.
3.2 Awareness and Training
3.2.1 – Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.
3.2.2 – Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
This section relates to user awareness training, especially around information security. Users should be aware of policies, procedures, and attack vectors such as phishing, malicious email attachments, and social engineering. Unfortunately, SolarWinds can’t provide information security training your users—we would if we could!
3.3 Audit and Accountability
3.3.1 – Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
3.3.2 – Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
This set of controls helps to ensure that audit logs are in place and that they are monitored to identify authorized or suspicious activity. These controls relate to the data you want LEM to ingest and how those logs are protected and retained. LEM can help satisfy some of the controls in this section directly.
3.3.3 – Review and update audited events.
LEM helps with the review of audited events, provided the appropriate logs are sent to LEM.
3.3.4 – Alert in the event of an audit process failure.
LEM can generate alerts when agents go offline or the log storage database is running low on space. LEM can also alert on behalf of systems when audit logs are cleared—e.g., if a user clears the Windows® event log.
3.3.5 – Correlate audit review, analysis and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
LEM’s correlation engine and reporting can assist with audit log reviews and help ensure that administrators are alerted to indications of inappropriate, suspicious, or unusual activity.
3.3.6 – Provide audit reduction and report generation to support on-demand analysis and reporting.
Audit logs can generate a huge amount of information. LEM can analyze event logs and generate scheduled or on-demand reports to assist with analysis. However, you will need to ensure that your audit policies and logging levels are appropriately configured.
3.3.7 – Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
LEM satisfies this requirement through Network Time Protocol server synchronization. LEM also includes a predefined correlation rule that monitors for time synchronization failures.
3.3.8 – Protect audit information and audit tools from unauthorized access, modification, and deletion.
LEM helps satisfy this requirement through the various mechanisms outlined in this post: Log & Event Manager Appliance Security and Data Protection.
3.3.9 – Limit management of audit functionality to a subset of privileged users.
As per the response to 3.3.8, LEM provides role-based access control, which limits access and functionality to a subset of privileged users.
3.4 Configuration Management
3.4.1 – Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
3.4.2 – Establish and enforce security configuration settings for information technology products employed in organizational information systems.
Minimum acceptable configurations must be maintained and change management controls must be in place. Inventory comes into play here, too. NCM will have the biggest impact here (on the network device side), thanks to its ability to establish baseline configurations and report on violations. LEM and SolarWinds Patch Manager can also play roles within this set of controls.
3.4.3 – Track, review, approve/disapprove, and audit changes to information systems.
NCM’s real-time change detection, change approval management and tracking reports can be used to detect, validate, and document changes to network devices. LEM can monitor and audit changes to information systems, provided the appropriate logs are sent to LEM.
3.4.8 – Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
LEM can monitor for the use of unauthorized software. Thanks to Active Response, you can configure LEM to automatically kill nonessential programs and services.
3.4.9 – Control and monitor user-installed software.
LEM can audit software installations and alert accordingly. Patch Manager can inventory machines on your network and report on the software and patches installed.
3.5 Identification and Authentication
3.5.1 – Identify information system users, processes acting on behalf of users, or devices.
3.5.2 – Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
This section includes controls such as using multifactor authentication, enforcing password complexity and storing/transmitting passwords in an encrypted format. SolarWinds does not have products to support these requirements.
3.6 Incident Response
3.6.1 – Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
3.6.2 – Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.
There is only one derived security requirement within the Incident Response section, namely:
3.6.3 – Test the organizational incident response capability.
LEM can play a role in the incident generation and the subsequent investigation. LEM can generate an incident based on a defined correlation trigger and respond to an incident via the Active Responses. Reports can be produced based on detected incidents.
3.7.1 – Perform maintenance on organizational information systems.
3.7.2 – Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
SolarWinds isn’t relevant to most of the requirements in this section. Controls contained within the maintenance category include: ensuring equipment remove for off-site maintenance is sanitized of CUI, checking media for malicious code and requiring multifactor authentication for nonlocal maintenance sessions.
LEM can assist with the 3.7.6 requirement that states “Supervise the maintenance activities of maintenance personnel without required access authorization.” Provided the appropriate logs are being generated and sent to LEM, reports can be used to audit the activity performed by maintenance personnel. NCM also comes into play, allowing you to compare configurations before and after maintenance windows.
3.8 Media Protection
3.8.1 – Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.
3.8.2 – Limit access to CUI on information system media to authorized users.
3.8.3 – Sanitize or destroy information system media containing CUI before disposal or release for reuse.
Most of the controls within the Media Protection systems are not applicable to SolarWinds products. However, LEM can assist with one control.
3.8.7 – Control the use of removable media on information system components.
LEM’s USB Defender feature can monitor for usage of USB removable media and can automatically detach USB devices when unauthorized usage is detected.
3.9 Personnel Security
3.9.1 – Screen individuals prior to authorizing access to information systems containing CUI.
3.9.2 – Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.
There are no derived security requirements within this section. LEM can assist with 3.9.2 by auditing usage of credentials of terminated personnel, validating that accounts are disabled in a timely manner, and validating group/permission changes after a personnel transfer.
3.10 Physical Protection
3.10.1 – Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
3.10.2 – Protect and monitor the physical facility and support infrastructure for those information systems.
SolarWinds cannot assist with any of the physical security controls contained within this section.
3.11 Risk Assessment
3.11.1 – Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.
3.11.2 – Vulnerable software poses a great risk to every organization. These vulnerabilities should be identified and remediated—that is exactly what the controls within this section aim to do.
Risk Assessment involves lots of policies and procedures; however, Patch Manager can be leveraged to keep systems up to date with the latest security patches.
3.11.2 – Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified.
Patch Manager cannot perform vulnerability scans, but it can be used to identify missing application patches on your Windows machines. NCM identifies risks to network security based on device configuration. NCM also accesses the NIST National Vulnerability Database to get updates on potential emerging vulnerabilities in Cisco® ASA and IOS® based devices.
3.11.3 – Remediate vulnerabilities in accordance with assessments of risk.
Patch Manager can remediate software vulnerabilities on your Windows machines via Microsoft® and third-party updates. Patch Manager can be used to install updates on a scheduled basis or on demand. On the network device side, NCM performs Cisco IOS® firmware upgrades to potentially mitigate identified vulnerabilities.
3.12 Security Assessment
3.12.1 – Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application.
3.12.2 – Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.
3.12.3 – Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
We can help with one of the Security Assessment controls. LEM can monitor event logs relating to information system security and perform correlation, alerting, reporting, and more. SolarWinds has several other modules that support monitoring the health and performance of your information systems and networks.
3.13 System and Communications Protection
3.13.1 – Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
3.13.2 – Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.
Many of the controls in this section involve protecting confidentiality of CUI at rest, ensuring encryption is used and keys are appropriately managed, and networks are segmented. However, the basic security requirement 3.13.1 is certainly an area where SolarWinds can assist. This requirement involves monitoring (and controlling/protecting) communication at external and internal boundaries. LEM can collect logs from your network devices and alert to any suspicious traffic. SolarWinds NetFlow Traffic Analyzer (NTA) can also be used to monitor traffic flows for specific protocols, applications, domain names, ports, and more.
3.13.6 – Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
LEM can ingest traffic from network devices that provides auditing to validate that traffic is being appropriated denied/permitted. NPM and NTA can also be used to monitor traffic. NCM can provide configuration reports to help ensure that your access control lists are compliant with “deny all and permit by exception,” as well as providing the ability to execute scripts to make ACL changes en masse.
3.13.14 – Control and monitor the use of VoIP technologies.
NPM/NTA and SolarWinds VoIP & Network Quality Manager can be used to monitor VoIP traffic/ports.
3.14 System and Information Integrity
3.14.1 – Identify, report, and correct information and information system flaws in a timely manner.
3.14.2 – Provide protection from malicious code at appropriate locations within organizational information systems.
3.14.3 – Monitor information system security alerts and advisories and take appropriate actions in response.
The controls within this section set out to ensure that the information system or the information within the system has been compromised. Patch Manager and LEM can play a role in system/information integrity.
3.14.4 – Update malicious code protection mechanisms when new releases are available.
Essentially, this control requires you to patch your systems. Patch Manager provides the ability to patch your systems with Microsoft and third-party updates on a scheduled or ad-hoc basis. Custom packages can also be created to update products that are not included in our catalog.
3.14.5 – Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened or executed.
This control ensures that you have an anti-virus tool in place to scan for malicious files. LEM can receive alerts from a wide range anti-virus/malware solutions to correlate, alert, and respond to identified threats.
3.14.6 – Monitor the information system including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
This security control is very well suited to LEM—the correlation engine can monitor logs for any suspicious or malicious behavior. LEM can be used to monitor inbound/outbound traffic, although NPM/NTA could be used to detect unusual traffic patterns.
3.14.7 – Identify unauthorized use of the information system.
LEM can monitor for unauthorized activity. User-defined groups come into play here which can create blacklists/whitelists of authorized users and events.
Still with me? As you can see, there is a substantial number of requirements within the 14 sets of controls, but when implemented correctly, the framework can go a long way to ensure the confidentiality, integrity, and availability of Controlled Unclassified Information and your information system as a whole. The SolarWinds products I’ve mentioned above all include a wide variety of out-of-the-box content such as rules, alerts, and reports that can help with the NIST 800-171 requirements.
I hope this blog post has helped you with untangling some of the NIST-800-171 requirements and how you can leverage SolarWinds products to help. If you’ve got any questions or feedback, please feel free to comment below.