There's a new set of rules for companies seeking federal government contract work. After months of drafts and public comments, the National Institute of Standards and Technology (NIST) published the final SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information. This allows companies to determine if they're in compliance with requirements for handling controlled unclassified information.
Federal Contractors Targeted by State-Sponsored Attacks
Recently, an artificial-intelligence (AI) startup working on a Pentagon project to interpret drone-surveillance imagery was allegedly breached, per a lawsuit filed by a former employee and as reported by Wired.
That company has since published a blog post that states they had identified and contained an untargeted bot on an isolated research server located in one of their data centers, and found it did not successfully access any of their data, algorithms or code.
According to a key finding from a report by BitSight on the security posture of U.S. government contractors and subcontractors, botnet infections are prevalent amongst the government contractor base, particularly for Healthcare/Wellness and Manufacturing contractors.**
This highlights the need to enforce and standardize security requirements for government contractors, as other contractors might not be able to identify or contain similar threats to their infrastructure, which may be hosted and managed offsite.
Federal contractors can be high-profile targets of nation state actors seeking proprietary information, such as data and code related to advancements in surveillance and military technology.
For example, a Navy contractor was hacked this year in a series of breaches. The Washington Post reports 614 GBs of highly sensitive data on undersea warfare was stolen, including secret plans on developing U.S. submarine missiles by 2020, signals and sensor data, and details on hundreds of mechanical and software systems.
Summary of NIST Rules
To protect controlled unclassified information (CUI) in contractor systems, NIST provides a flexible set of guidelines for organizations and assessors to conduct security assessments. These assessments can be conducted as self-assessments, independent third-party assessments or government-sponsored assessments, according to NIST’s initial draft of the rules published in November 2017.
Under the Access Control category, the NIST security requirements include the typical controls - including limiting access to authorized users, ensuring least privilege, limiting unsuccessful login attempts, etc. Access control requirement 3.1.7 also states that organizations must “prevent non-privileged users from executing privileged functions, and they must also capture the execution of such functions in audit logs.”
Under Audit and Accountability, federal contractors are also required to create and retain system audit logs and records to enable monitoring, analysis, investigation and reporting of unauthorized activity. The Identification and Authentication category requires that system users and devices are identified, a minimum password complexity is enforced, prohibit password reuse, etc.
Security requirement 3.5.3 also states, “Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.” Again, the MFA requirement is repeated under the Maintenance category, where MFA is required for establishing remote maintenance sessions via external network connections (3.7.5).
See the full list of controls and requirement guidance in Assessing Security Requirements for Controlled Unclassified Information (PDF).
The Path to IT Modernization
With cloud and mobile adoption accelerating IT modernization in federal agencies, the need to effectively protect government systems is essential to protecting access to government data.
Duo can help pave the (secure) way to IT modernization. In addition to multi-factor authentication, Duo provides insight into devices and users accessing your network, and control over what applications they can access. Our authentication logs and reports also provide actionable information for security assessments. These features are available in Duo Access, giving you the power to set more precise authentication policies.
To learn more, download The Path to IT Modernization: Five Steps to Protecting Government Systems.
This guide examines:
- How cloud and mobile adoption are accelerating IT modernization in federal agencies
- How stronger authentication controls and simplification of smart card access drive modernization efforts forward
- How identifying at-risk devices and solutions like single-sign on (SSO) can improve security
- How a trusted access framework is a key component in federal IT modernization initiatives
Download the ebook to learn about the five-step approach to securing access to applications in cloud and mobile environments.
** BitSight researchers took a random sample of over 1,200 U.S. federal government contractors across the following industries: Aerospace/Defense, Business Services, Healthcare/Wellness, Engineering, Technology, and Manufacturing. The cybersecurity performance of these contractors was compared with the performance of over 120 U.S. federal agencies.