Transitioning to the Latest Version of NIST 800-171: Unravelling Revision Three of the Cybersecurity Framework (Updated Nov 2024)
The National Institute of Standards and Technology (NIST) developed the NIST 800-171 framework to set guidelines and security requirements for protecting Controlled Unclassified Information (CUI). The latest version three (V3) brings significant revisions impacting organizations' handling of CUI. In this blog, I'll explore the background of NIST 800-171, critical changes in V3, the implications for organizations striving to stay compliant, and how SolarWinds offers several solutions to implement many NIST 800-171 requirements.
What is NIST 800-171, and how does it differ from NIST 800-53?
NIST 800-171, "Protecting Controlled Unclassified Information in Non-federal Systems and Organizations," provides federal agencies with recommended security requirements for protecting the confidentiality of CUI in non-federal systems and organizations. These requirements apply to non-federal system components that process, store, or transmit CUI, or that provide protection for such components. If you are a contractor or sub-contractor to a government agency and CUI resides on your information systems, NIST 800-171 will affect you. In contrast, NIST 800-53 covers a broader scope, providing a comprehensive framework for protecting all federal information and systems, including CUI and other types of sensitive federal information.
Cybercriminals regularly target federal data, such as healthcare records, Social Security numbers, and more. This information must be protected when it resides in non-federal information systems. Many controls in NIST 800-171 are based on NIST 800-53 but are tailored to protect CUI in non-federal information systems. There are 17 “families” of controls in NIST 800-171, but before we delve into those, we should probably discuss CUI. You can view several categories and subcategories of CUI here. You may be familiar with Sensitive but Unclassified (SBU) information—various categories fall under SBU—but CUI replaces SBU and all its subcategories. CUI is not classified information, but protecting it is in the federal government’s best interest.
The latest NIST 800-171 V3 requirements
As mentioned above, organizations must follow 17 control families and 97 controls within NIST 800-171:
- Access control (16)
- Awareness and training (2)
- Audit and accountability (8)
- Configuration management (10)
- Identification and authentication (8)
- Incident response (5)
- Maintenance (3)
- Media protection (7)
- Personnel security (2)
- Physical protection (5)
- Risk assessment (3)
- Security assessment (4)
- System and communications protection (10)
- System and information integrity (5)
- Planning (3)
- System and services acquisition (3)
- Supply chain risk management (3)
We will now delve further into these categories and discuss the basic and derived security requirements and how SolarWinds can help. Basic security requirements are high-level, whereas derived requirements are the specific controls put in place to meet the high-level objective of the basic requirements.
3.1 Access Control
3.1.1 – Account Management
SolarWinds® Access Rights Manager (ARM) enables IT and security admins to centrally provision, de-provision, manage, and audit user access rights to systems, data, and files while protecting their organizations from security breaches.
3.1.2 – Access Enforcement
This requirement limits system access to authorized users and limits user activity to authorized functions. ARM helps you constantly monitor access rights to your identities and assets and enforces least privilege principles through periodic access reviews. However, many of these controls are implemented at policy and device levels.
3.1.3 – Information Flow Enforcement
3.1.4 – Separation of Duties
3.1.5 – Least Privilege
SolarWinds® Security Event Manager (SEM) can audit deviations from least privilege, such as unauthorized file access and unexpected system access. Auditing can be done in real time or via reports. SEM can also monitor Microsoft Active Directory (AD) for those unexpected, escalated privileges assigned to a user.
Excessive user access privileges can pose a significant risk to your organization's data. ARM is designed to help improve your security posture and mitigate threats by:
- Monitoring and auditing unauthorized access and changes to AD, Azure AD, file servers (Windows, NetApp, EMC), Exchange, SharePoint Online, OneDrive, and SAP R/3.
- Automating user provisioning with templates, covering the creation, activation, deactivation, modification, and deletion of user access to servers and files.
3.1.6 – Least Privilege–Privileged Accounts
SEM can monitor privileged account usage and audit the use of privileged accounts for non-security functions.
3.1.7 – Least Privilege–Privileged Functions
The execution of privileged functions, such as creating and modifying registry keys and editing system files, can be audited in real time or via reports in SEM. On the network device side, SolarWinds® Network Configuration Manager (NCM) provides a change approval system where users who are classified as non-privileged can execute privileged functions only with approval from a privileged user.
3.1.8 – Unsuccessful Log-in Attempts
The number of logon attempts permitted before lockout is generally set at the domain or system policy level. SEM confirms enforcement of the lockout policy using reports and filters. It can also report on unsuccessful login attempts and can automatically lock user accounts via the Active Response feature.
3.1.9 – System Use Notifications
3.1.10 – Device Lock
SEM can block IP addresses, kill malicious applications, or lock out users—automatically.
3.1.11 – Session Termination
You can also configure SEM to respond to threats automatically by deleting user accounts, disabling domains, or logging off or shutting down machines.
3.1.12 – Remote Access
SEM can monitor and report on remote logins. Correlation rules can be configured to alert and respond to unexpected remote access (e.g., outside regular business hours). NCM can audit how remote access is configured on your network devices, identify configuration violations, and remediate them accordingly.
3.1.16 – Wireless Access
3.1.18 – Access Control for Mobile Devices
3.1.20 – Use of External Systems
SEM can audit and restrict the use of portable storage devices with its USB-Defender feature.
3.1.22 – Publicly Accessible Content
3.2 Awareness and Training
3.2.1 – Literacy Training and Awareness
This section relates to user awareness training, especially around information security. Users need to know about policies and procedures and be familiar with attack vectors such as phishing, malicious email attachments, and social engineering.
3.2.2 – Role-Based Training
ARM enables organizations to optimize roles and processes using a data owner concept. Introducing a role concept for analyzing and granting access rights brings data awareness and the corresponding actions with it. You can map your company's organizational chart onto the data owner concept to cover all departments, then assign employees to individual data owners. The data owners analyze or assign access rights for their staff.
3.3 Audit and Accountability
3.3.1 – Event Logging
SEM offers streamlined user activity tracking, so you can catch suspicious logon and logoff attempts across critical servers, workstations, and network devices.
3.3.2 – Audit Record Content
This set of controls helps ensure audit logs are in place and monitored to identify authorized or suspicious activity. These controls relate to the data you want SEM to ingest and how those logs are protected and retained. SEM can directly help satisfy some of the controls in this section. NCM also includes powerful features to assist with the Audit and Accountability controls, including real-time change detection, configuration change reports, and a change approval system. ARM can report and audit resources at a single-user level.
3.3.3 – Audit Record Generation
SEM helps review audited events, provided the appropriate logs are sent to SEM.
3.3.4 – Response to Audit Logging Process Failures
SEM can generate alerts when agents go offline or the log storage database runs low on space. It can also alert when audit logs are cleared, for example if a user clears the Windows event log.
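The two checks described under 3.1.8 and 3.3.4 can be expressed as simple correlation rules. The following is an added example written for this post, not SolarWinds SEM code or its rule syntax; it runs over a constructed sample of Windows Security events, and the lockout threshold, window and grace period are assumed values you would set to match the domain policy you are verifying.

```python
"""Added example, not SolarWinds SEM code: correlation checks over Windows
Security events for 3.1.8 (is the lockout policy actually enforced?) and
3.3.4 (alert when an audit log is cleared). Event IDs: 4625 failed logon,
4740 account locked out, 1102 audit log cleared. Sample log is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample, one event per line: timestamp|event_id|account|host
SAMPLE_LOG = """\
2024-11-05T08:00:01Z|4625|alice|WS01
2024-11-05T08:00:05Z|4625|alice|WS01
2024-11-05T08:00:09Z|4625|alice|WS01
2024-11-05T08:00:12Z|4625|alice|WS01
2024-11-05T08:00:15Z|4625|alice|WS01
2024-11-05T08:00:16Z|4740|alice|DC01
2024-11-05T09:10:00Z|4625|bob|WS02
2024-11-05T09:10:03Z|4625|bob|WS02
2024-11-05T09:10:07Z|4625|bob|WS02
2024-11-05T09:10:10Z|4625|bob|WS02
2024-11-05T09:10:14Z|4625|bob|WS02
2024-11-05T11:30:00Z|1102|carol|FS01
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, eid, account, host = line.split("|")
        events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "id": int(eid), "account": account, "host": host})
    return sorted(events, key=lambda e: e["time"])

def lockout_policy_violations(events, threshold=5, window=timedelta(minutes=15),
                              grace=timedelta(minutes=1)):
    """Accounts that hit `threshold` failed logons within `window` but show no
    4740 lockout within `grace` afterwards. Threshold/window are assumed
    values; set them to match the domain lockout policy being verified."""
    failures, lockouts = defaultdict(list), defaultdict(list)
    for e in events:
        if e["id"] == 4625:
            failures[e["account"]].append(e["time"])
        elif e["id"] == 4740:
            lockouts[e["account"]].append(e["time"])
    violations = []
    for account, times in failures.items():
        for i in range(threshold - 1, len(times)):
            if times[i] - times[i - threshold + 1] <= window:
                hit = times[i]
                if not any(hit <= t <= hit + grace for t in lockouts[account]):
                    violations.append((account, hit.isoformat()))
                break  # one finding per account is enough for the report
    return violations

def audit_log_cleared(events):
    """Every 1102 event is worth an alert: clearing the log is rarely benign."""
    return [(e["account"], e["host"], e["time"].isoformat())
            for e in events if e["id"] == 1102]

if __name__ == "__main__":
    evts = parse_events(SAMPLE_LOG)
    print("lockout not enforced:", lockout_policy_violations(evts))
    print("audit log cleared:", audit_log_cleared(evts))
```

In the sample, alice's failures are followed by a 4740 lockout and produce no finding, while bob's five failures with no lockout are reported as a policy gap.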
3.3.5 – Audit Record Review, Analysis, and Reporting
With ARM, you can quickly generate and deliver comprehensive user access reports supporting regulatory compliance audits. ARM documents activity in Active Directory, file servers (Windows, EMC, NetApp), SharePoint Online, Exchange, and OneDrive. You can use the Calendar function to view activities over time. The mandatory comment function takes the burden off the administrator: a short note (a ticket number, for instance) is stored, so every activity is traceable, even after it’s happened.
SEM’s correlation engine and reporting can assist with audit log reviews. Administrators are alerted to indications of inappropriate, suspicious, or unusual activity.
3.3.6 – Audit Record Reduction and Report Generation
Audit logs can generate a tremendous amount of information. SEM can analyze event logs and generate scheduled or on-demand reports to assist with analysis. However, you must ensure your audit policies and logging levels are appropriately configured. ARM audit reports can be scheduled daily, yearly, or on demand.
3.3.7 – Time Stamps
SEM implements time stamps through Network Time Protocol server synchronization, and a predefined correlation rule monitors time synchronization failures.
3.3.8 – Protection of Audit Information
SEM provides role-based access control, which limits access and functionality to a subset of privileged users.
ARM's role-based access features and functionalities are administered by privileged users only.
3.4 Configuration Management
3.4.1 – Baseline Configuration
3.4.2 – Configuration Settings
Minimum acceptable configurations must be maintained and change management controls implemented. Inventory also comes into play here. NCM will have the most significant impact on network devices thanks to its ability to establish baseline configurations and report on violations. SEM and Patch Manager can also play roles within this set of controls.
3.4.3 – Configuration Change Control
NCM’s real-time change detection, change approval management, and tracking reports can be used to detect, validate, and document any changes to network devices. SEM can monitor and audit changes to information systems, provided the appropriate logs are sent to SEM.
3.4.4 – Impact Analyses
3.4.5 – Access Restrictions for Change
3.4.6 – Least Functionality
3.4.8 – Authorized Software, Allow by Exception
SEM can monitor the use of unauthorized software. Thanks to Active Response, you can configure SEM to automatically delete nonessential programs and services.
3.4.10 – System Component Inventory
SEM can audit software installations and alert accordingly. Patch Manager can inventory machines on your network and report on the software and patches installed.
3.4.11 – Information Location
3.4.12 – System and Component Configuration for High-Risk Areas
3.5 Identification and Authentication
3.5.1 – User Identification and Authentication
3.5.2 – Device Identification and Authentication
This section includes information on controls, such as using multifactor authentication, enforcing password complexity, and storing/transmitting passwords in an encrypted format. SolarWinds does not have products to support these requirements.
3.5.3 – Multi-Factor Authentication
3.5.4 – Replay-Resistant Authentication
3.5.5 – Identifier Management
3.5.7 – Password Management
3.5.11 – Authentication Feedback
3.5.12 – Authentication Management
3.6 Incident Response
3.6.1 – Incident Handling
3.6.2 – Incident Monitoring, Reporting, and Response Assistance
There is only one derived security requirement within the Incident Response section, namely:
3.6.3 – Incident Response Testing
SEM can play a role in the incident generation and subsequent investigation. It can generate an incident based on a defined correlation trigger and respond to it via Active Responses. Reports can be produced based on detected incidents.
3.6.4 – Incident Response Training
3.6.5 – Incident Response Plan
3.7 Maintenance
3.7.4 – Maintenance Tools
3.7.5 – Non-local Maintenance
3.7.6 – Maintenance Personnel
SEM can assist with the requirement to “Supervise the maintenance activities of maintenance personnel without required access authorization.” Provided the appropriate logs are generated and sent to SEM, reports can be used to audit the activity performed by maintenance personnel. NCM also comes into play, allowing you to compare configurations before and after maintenance windows.
3.8 Media Protection
3.8.1 – Media Storage
3.8.2 – Media Access
3.8.3 – Media Sanitization
Most of the controls within the Media Protection section do not apply to SolarWinds products. However, SEM can assist with one control.
3.8.4 – Media Marking
3.8.5 – Media Transport
3.8.7 – Media Use
SEM’s USB-Defender feature can monitor the usage of USB removable media and can automatically detach USB devices when unauthorized usage is detected.
3.8.9 – System Backup—Cryptographic Protection
3.9 Personnel Security
3.9.1 – Personnel Screening
3.9.2 – Personnel Termination and Transfer
This section does not have derived security requirements. SEM can assist with 3.9.2 by auditing the usage of terminated personnel's credentials, validating that accounts are disabled promptly, and validating group/permission changes after a personnel transfer.
3.10 Physical Protection
3.10.1 – Physical Access Authorizations
3.10.2 – Monitoring Physical Access
3.10.6 – Alternate Work Site
3.10.7 – Physical Access Control
3.10.8 – Access Control for Transmission
3.11 Risk Assessment
3.11.1 – Risk Assessment
Risk assessment helps organizations better understand their environments' complexities and security threats while providing real-time visibility to help prevent, detect, and remediate security issues. With the security integration on the SolarWinds® Observability Self-Hosted platform, you can see security-related events across networks, infrastructure, applications, and databases. It provides powerful observability capabilities to help customers identify risks, vulnerabilities, and compliance status on a dedicated security dashboard, helping teams focus on critical issues.
Identify and resolve typical permission obstacles and security risks with ARM. The ARM Risk Assessment Dashboard visualizes the top risk factors with the highest impact on security. Start with an overall rating and create a risk assessment report.
The Risk Assessment Dashboard displays the following:
- Broken access control lists (ACLs) and other inheritance issues prohibiting proper permission management
- Unresolved security identifiers (SIDs) increasing security risk
- Direct user access to resources
- "Everyone" and other catch-all group access increasing the risk of excessive permissions
- Inactive accounts
- Groups in recursions
- Accounts with never-expiring passwords
3.11.2 – Vulnerability Monitoring and Scanning
To help remediate vulnerabilities, the vulnerability and risk dashboard in SolarWinds® Security Observability enables customers to identify environmental risks based on vulnerabilities. This feature provides a new view for customers to identify risks and vulnerabilities within their infrastructure. This will assist them in prioritizing and reducing risk in important assets by enabling them to understand the severity of the risk.
If vulnerabilities are identified due to outdated software or missing OS updates, you can use SolarWinds® Patch Manager to apply those updates and remediate them.
If you have a vulnerability scanner like Nessus, Rapid7, or Qualys, SEM can parse event logs from these sources to alert you about detected vulnerabilities and correlate activity. Network configuration management on the SolarWinds Observability Self-Hosted platform can help identify risks to network security and reliability by detecting potential vulnerabilities in Cisco ASA and IOS-based devices via integration with the National Vulnerability Database. You can then update the firmware on various network devices to remediate known vulnerabilities.
3.11.4 – Risk Response
The vulnerability and risk dashboard can provide a new perspective on identifying infrastructure-related risks. As a result, you can better comprehend the severity of a situation and prioritize and reduce risk in essential assets. Risk-based prioritization is the benchmark for managing mounting cyber threats and remediating the most significant risks. The dashboard’s risk score is calculated based on each node’s Common Vulnerabilities and Exposures (CVE) scoring, and the infrastructure score is calculated by aggregating the node scores.
Patch Manager can remediate software vulnerabilities on your Windows machines via Microsoft and third-party updates. It can install updates on a scheduled basis or on demand. On the network device side, NCM performs Cisco IOS firmware upgrades to mitigate identified vulnerabilities.
3.12 Security Assessment and Monitoring
3.12.1 – Security Assessment
3.12.2 – Plan of Action and Milestones
3.12.3 – Continuous Monitoring
We can help monitor the Security Assessment controls via modules like NCM and SEM. Network configuration should not be overlooked when monitoring security controls and performing assessments. NCM enables you to standardize network device configuration, detect out-of-process changes, audit configurations, and correct violations. SEM can monitor event logs relating to information system security and perform correlation, alerting, reporting, and more. SolarWinds provides several other modules that support monitoring the health and performance of your information systems and networks.
3.13 System and Communications Protection
3.13.1 – Boundary Protection
3.13.4 – Information in Shared System Resources
Many of the controls in this section involve protecting the confidentiality of CUI at rest, ensuring encryption is used, keys are appropriately managed, and networks are segmented. SolarWinds can assist with essential security requirements. This involves monitoring, controlling, and protecting communication at external and internal boundaries. SEM can collect logs from your network devices and alert you to any suspicious traffic. SolarWinds® NetFlow Traffic Analyzer (NTA) can monitor traffic flows for specific protocols, applications, domain names, ports, and more.
3.13.5 – Information Exchange
3.13.6 – Network Communications, Deny by Default, Allow by Exception
SEM can ingest logs from network devices that provide auditing to validate that traffic is being appropriately denied or permitted. SolarWinds® Network Performance Monitor (NPM) and NTA can also be used to monitor traffic. NCM can provide configuration reports to help ensure your access control lists comply with “deny all and permit by exception,” and it can execute scripts to make ACL changes.
3.13.8 – Transmission and Storage Confidentiality
3.13.9 – Network Disconnect
3.13.10 – Cryptographic Key Establishment and Management
3.13.11 – Cryptographic Protection
3.13.12 – Collaborative Computing Devices and Applications
3.13.13 – Mobile Code
3.13.15 – Session Authenticity
NPM/NTA and SolarWinds® VoIP & Network Quality Manager (VNQM) can monitor VoIP traffic and ports.
3.14 System and Information Integrity
3.14.1 – Flaw Remediation
3.14.2 – Malicious Code Protection
3.14.3 – Security Alerts, Advisories, and Directives
The controls in this section help establish whether the information system or the information within it has been compromised. Patch Manager and SEM can play a role in system and information integrity.
Essentially, this control requires you to patch your systems. Patch Manager allows you to fix your systems with Microsoft and third-party updates on a scheduled or ad hoc basis. Custom packages can also be created to update products not included in our catalog.
This control also helps ensure you have an anti-virus tool to scan for malicious files. SEM can receive alerts from various anti-virus/malware solutions to correlate, alert, and respond to identified threats.
3.14.6 – System Monitoring
This security control is well suited to SEM. The correlation engine can monitor logs for suspicious or malicious behavior. SEM can be used to monitor inbound and outbound traffic, and NPM/NTA can be used to detect unusual traffic patterns.
3.14.8 – Information Management and Retention
SEM can monitor for unauthorized activity. User-defined groups come into play here, and you can create blacklists/whitelists of authorized users and events.
3.15 Planning
03.15.01 – Policy and Procedures
03.15.02 – System Security Plan
03.15.03 – Rules of Behavior
3.16 System and Services Acquisition
03.16.01 – Security Engineering Principles
03.16.02 – Unsupported System Components
03.16.03 – External System Services
3.17 Supply Chain Risk Management
03.17.01 – Supply Chain Risk Management Plan
03.17.02 – Acquisition Strategies, Tools, and Methods
03.17.03 – Supply Chain Requirements and Processes
Still with me? As you can see, there are many requirements within the 17 sets of controls. Still, when implemented correctly, the framework can go a long way to helping ensure the confidentiality, integrity, and availability of CUI and your information system. The SolarWinds products mentioned above include out-of-the-box content such as rules, alerts, and reports—all of which help with NIST 800-171 requirements.
I hope this blog post has helped you understand some of the NIST-800-171 requirements and how to leverage the SolarWinds product offering. If you have any questions or feedback, please comment below.