As we continue our in-depth look at NIST SP 800-171 as it applies to DFARS, we will get into two important assessments that organizations need to make continually: risk assessment and security assessment.
As both your systems and the threats against those systems continue to evolve over time, it’s important that you implement routine checks to make sure that you’re still secure and in compliance with regulations. The requirements outlined in the next two sections of NIST SP 800-171 will help you to do just that.
There is only one basic security requirement in the Risk Assessment requirement family:
- Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational systems and the associated processing, storage, or transmission of CUI.
This security requirement invites us to take a holistic approach to risk assessment. While it does specifically mention storing and processing CUI, it also mentions other security risks to the organization, including image and reputation. This reminds us that maintaining security is a broad business objective, not a narrow focus of the IT or security team.
Two derived requirements elaborate on how to handle risk assessments:
- Scan for vulnerabilities in organizational systems and applications periodically and when new vulnerabilities affecting those systems and applications are identified.
- Remediate vulnerabilities in accordance with risk assessments.
All systems, but particularly externally accessible systems, should be scanned for vulnerabilities routinely. This can be done by an outside auditor, or by an in-house security team. Tools such as Nessus and OpenVAS are useful for locating and cataloging potential exploit vectors on your network, but their results still require careful analysis to properly assess risk.
While risk assessment involves the overall picture of organizational and system security, security assessment is focused on the nuts and bolts of security controls that mitigate the risks and secure your systems.
The four basic security requirements in this family are:
- Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
- Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational systems.
- Monitor security controls on an ongoing basis to ensure the continued effectiveness of the controls.
- Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems.
Again, these assessments need to be periodic and continuous -- it’s not a one-and-done thing. Existing controls need to be evaluated for effectiveness, and improvements should be made as new complexities are introduced to your systems.
These requirements also mention two key items that any DFARS-compliant system needs to have on hand: A System Security Plan (SSP) and Plan of Action (POA). Essentially, the SSP explains exactly how you are going to secure your systems, and the POA says what steps you still need to take to get there. For example, do you need to implement a stronger MFA system for your VPN? That should go in your POA, including deliverables and deadlines. And as you continually assess the security of your system, both your SSP and POA will grow and evolve along with your security requirements.
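To tie the scanning requirement and the POA together, here is an added example (not code from the original post, and not a NIST or scanner tool) that ranks scanner findings by asset context rather than raw CVSS alone and turns them into POA entries with deadlines. The findings, the asset inventory, the score adjustments and the SLA days are all constructed, assumed values for illustration, not figures from NIST SP 800-171.

```python
"""Risk-ranked POA builder for vulnerability scan findings (added example).

Scanners such as Nessus or OpenVAS report a CVSS score per finding, but the
remediation order should follow your risk assessment: an externally reachable
host that handles CUI matters more than an isolated printer with a higher raw
score. All data below is constructed for this example.
"""

# Constructed asset inventory: external exposure and CUI handling per host.
ASSETS = {
    "vpn-gw-01":   {"external": True,  "cui": True},
    "file-srv-02": {"external": False, "cui": True},
    "print-03":    {"external": False, "cui": False},
}

# Constructed findings; "cvss" stands in for the base score a scanner would export.
FINDINGS = [
    {"host": "vpn-gw-01",   "issue": "Outdated TLS configuration", "cvss": 5.3},
    {"host": "file-srv-02", "issue": "SMB signing not required",   "cvss": 6.5},
    {"host": "print-03",    "issue": "Default SNMP community",     "cvss": 7.5},
]

# Assumed policy values (not from NIST SP 800-171): score bumps and remediation SLAs.
EXTERNAL_BUMP, CUI_BUMP = 2.0, 1.5
SLA_DAYS = {"critical": 7, "high": 30, "moderate": 90}

def risk_score(finding, assets):
    """CVSS adjusted for asset context; a host missing from inventory is treated as worst case."""
    ctx = assets.get(finding["host"], {"external": True, "cui": True})
    score = finding["cvss"]
    score += EXTERNAL_BUMP if ctx["external"] else 0.0
    score += CUI_BUMP if ctx["cui"] else 0.0
    return round(min(score, 10.0), 1)

def tier(score):
    """Map an adjusted score to a remediation tier."""
    if score >= 8.5:
        return "critical"
    return "high" if score >= 7.0 else "moderate"

def build_poa(findings, assets):
    """Return POA entries sorted by adjusted risk, each with its SLA in days."""
    entries = []
    for f in findings:
        s = risk_score(f, assets)
        t = tier(s)
        entries.append({**f, "risk": s, "tier": t, "sla_days": SLA_DAYS[t]})
    return sorted(entries, key=lambda e: e["risk"], reverse=True)

if __name__ == "__main__":
    for e in build_poa(FINDINGS, ASSETS):
        print(f'{e["tier"]:8} {e["risk"]:4} {e["sla_days"]:3}d  {e["host"]}: {e["issue"]}')
```

Note that the raw-CVSS order (print-03 first) is reversed once exposure and CUI handling are factored in, which is exactly the "careful analysis" the scanner output alone does not give you.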