NIST SP 800-171 – Protecting Information While Performing Maintenance

March 13, 2024

Cybersecurity is complex and challenging, but it is also an ever evolving and critical industry. As a government contractor, it is our mission to protect critical infrastructures and data from cyberattacks while adhering to NIST SP 800-171 requirements. Halfway through this blog series, we will now focus on the Maintenance security requirement and address the vital aspects of performing maintenance on organizational systems while controlling the tools, techniques, mechanisms, and personnel involved.

Key Takeaways

  • Rigorous implementation of maintenance protocols and controls is critical for the security and integrity of organizational systems, emphasizing the need for comprehensive measures in safeguarding sensitive information.
  • Controlled unclassified information (CUI) should not be found on any equipment located or used offsite. Any media to be used in an organizational system must be tested and approved prior to implementation.
  • Multi-factor authentication provides extra layers of defense against unauthorized access to information and systems.

NIST SP 800-171 Maintenance

3.7.1. Perform maintenance on organizational systems. Ensuring the operational integrity and security of organizational systems through scheduled maintenance is crucial. Scheduled maintenance reviews include system components such as hardware, firmware, and applications, including peripheral devices like scanners, copiers, and printers.

3.7.2. Provide controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. The control over maintenance tools and personnel is foremost in regards to preventing unauthorized access and potential security breaches. This involves strict regulation of external diagnostic and repair tools, encompassing a range of hardware, software, and firmware items.

3.7.3. Ensure equipment removed for offsite maintenance is sanitized of any CUI. This requirement applies to all maintenance for any system component including applications – all maintenance performed offsite should be free of CUIs.

3.7.4. Check media containing diagnostic and test programs for malicious code before the media are used in organizational systems. Media must be inspected for malicious code, and if found vulnerable, incident handling policies and procedures should be in place. The incident must be handled following the organization’s policies and procedures before adding to a system.

3.7.5 & 3.7.6. Require multi-factor authentication to establish nonlocal maintenance sessions and supervise maintenance individuals. Individuals conducting maintenance through communication of external networks may be exposed to sensitive information. It is vital that organizations verify their credentials by employing multi-factor authentication, adding an extra layer of security. Then, terminate connections when maintenance is complete to prevent unauthorized access to open or active sessions. Also, it is recommended to supervise individuals who are performing hardware and software maintenance and be aware of the type of credentials issued, whether for one-time use or a limited time period.

Improving Maintenance

Open remote access sessions are a potential security vulnerability. After conducting maintenance, it is advised to promptly close remote sessions and terminate connections to reduce the attack surface. Maintenance performed outside of an organization’s enterprise must not contain any form of CUI. Importantly, policies and procedures must be in place and adhered to for any possible security threat. Media should be inspected thoroughly to improve security. Implementing multi-factor authentication for non-local maintenance sessions and supervising maintenance personnel adds an extra layer of security. This is complemented by the recommendation to promptly close remote access sessions post maintenance, reducing potential vulnerabilities.

Ensuring Equipment Sanitization and Media Security

It is vital to ensure that equipment removed for offsite maintenance is devoid of any CUI, emphasizing the importance of data sanitization. Additionally, the inspection of media containing diagnostic and test programs for malicious code before usage is crucial in preventing security breaches. NIST SP 800-88 provides helpful methodological guidance on media sanitization.

These are just a few examples on how to implement protection while performing maintenance whether you are a DoD Contractor or part of the Defense Industrial Base (DIB). Look for our next blog on Media Protection.

Stay Ahead of the Game: Ensure Your NIST SP 800-171 Compliance for DoD Contracts

IBSS will use our 20 years of corporate DoD cybersecurity experience to prepare you for NIST SP 800-171 compliance. We specialize in developing cybersecurity strategies that align with organizational business processes to detect or prevent cyber attacks. We identify threats and vulnerabilities, and we assist organizations with managing risks to critical data. We provide expert support to promote compliance with Defense Federal Acquisition Regulation Supplement (DFARS), Federal Information Security Modernization Act (FISMA), Federal Risk and Authorization Management Program (FedRAMP), NIST SP 800-171, and Privacy requirements.

Contact us now to get a free consultation on how to develop your company’s NIST SP 800-171 SSP.

Related

SQUID-A-RAMA

SQUID-A-RAMA

Another IBSS educational event with support from the eeBLUE/NAAEE Aquaculture Literacy grant is in the books. Squid-A-Rama is as exciting as it...

Learn more about IBSS