NIST SP 800-171 – System and Communications Protection

April 17, 2024

As a government contractor, adherence to NIST SP 800-171 requirements is not just an option, but an essential mandate. Proactive preparation for compliance with these security requirements is crucial in order to avoid potential disruptions to your business operations. This blog is focused on the System and Communications Protection requirement.

Key Takeaways 

  • Implementing advanced system and communications protection measures is essential for maintaining the confidentiality, integrity, and availability of Controlled Unclassified Information (CUI) while ensuring operational resilience against cyber threats.
  • Network communications should be monitored and configured to prevent connections that could open system resources to vulnerabilities.
  • Organizations must ensure that users are aware of collaborative computing devices to protect communication sessions and confidentiality of CUI at rest.

Ensuring Robust Cybersecurity Defense

Protection of CUI through regular and comprehensive system and communications protocols is essential. NIST SP 800-171’s System and Communications Protection requirement provides a rigorous framework designed to fortify system digital infrastructures against invasive and sophisticated threats.

3.13.1. Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. Vigilant monitoring and control of communications at the system’s external boundaries are configured to prevent unauthorized access and safeguard against external threats. For example, implementing robust firewalls to filter incoming and outgoing network traffic and blocking unauthorized access attempts, along with Intrusion Detection Systems (IDS), should be deployed to watch network traffic for suspicious patterns and to trigger alerts when unauthorized activity is detected. Access controls, such as role-based access control (RBAC), restrict communication channels to only authorized users. These are just a few boundary vigilance measures that help ensure only verified and necessary information crosses perimeters, serving as a critical line of defense in an organization’s cybersecurity framework.

3.13.2. Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. The necessity of incorporating secure architectural designs and engineering principles is emphasized to fortify information security within organizational systems. Structural integrity in the system design lays a resilient foundation against cyber threats, integrating security as a fundamental aspect of system architecture.

3.13.3. Separate user functionality from system management functionality. A clear delineation between user functionality and system management tasks is needed to reduce the risk of unauthorized system access to privileged functions. This operational segregation improves the security posture through role-based access controls, ensuring a structured and secure operational environment.

3.13.4. Prevent unauthorized and unintended information transfer via shared system resources. Mechanisms to prevent accidental or unauthorized information transfer through shared system resources are essential. This controlled sharing ensures that data leakage and exposure are carefully mitigated, protecting sensitive information from unintended distribution.

3.13.5. Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. The implementation of subnetworks to isolate publicly accessible system components from internal networks is encouraged. Network segmentation minimizes the risk of external attacks and unauthorized access, creating a secure buffer zone that protects the internal network from potential vulnerabilities prevalent in public-facing services.

3.13.6. Deny network communications traffic by default and allow network communications traffic by exception. Enforce a network communication traffic policy within a system’s boundary and selected points, including inbound and outbound traffic. Organizations must enforce a deny-all, permit by exception policy that only allows for essential and approved connections.

3.13.7. Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks. Remote devices like notebook computers, smartphones, and tablets are required to have split tunneling disabled. Split tunneling allows for traffic to be split between an organization’s VPN as well as an external connection. This method appeals to users who may want to connect remote devices to the organization’s local system resources making the system susceptible to attacks. Systems should be configured to detect split tunneling and to prohibit the device from connecting to the system.

3.13.8. Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. The implementation of cryptographic mechanisms ensures protection against unauthorized CUI disclosure. Confidentiality is required for both internal and external networks, including devices capable of transmitting information. Communication paths outside controlled boundaries leave systems susceptible to modification or interception. Organizations may face challenges ensuring confidentiality with commercial transmission services. Contracts must be obtained and in cases where it is unavailable, organizations must accept greater risk or find an alternative. An example of an alternative safeguard is a protected distribution system, which safeguards the confidentiality of transmitted information.

3.13.9. Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. Internal and external network connections associated with communication sessions should have configurations that deallocate their IP address or port pair at the operating system level, or deallocate network assignments at the application level. Network assignments should be deallocated when one system level network connection is being used by multiple application sessions. Connections should be terminated immediately when the session is over or after an organization’s determined time period.

3.13.10. Establish and manage cryptographic keys for cryptography employed in organizational systems. Cryptographic key management requirements should be in accordance with Executive Orders, policies, regulations, directives, applicable federal laws, parameters, levels, and standards. Key establishment and management can be done through manual procedures or mechanisms supported by manual procedures.

3.13.11. Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. Organizations should implement cryptography practices using Federal Information Processing Standards (FIPS) validated or National Security Agency (NSA) approved standards. Cryptography protects CUI by supporting random number generations and by enforcing the separation of information when authorized individuals lack formal access approvals.

3.13.12. Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. Organizations should disable cameras, microphones, and whiteboards from remote activation – on the device, toggle off the settings related to “Allow remote access” or “Remote activation.” For organizational settings, IT administrators can implement group policies to manage device settings and prevent remote activation of network devices by ensuring indication lights turn on when the microphone or camera is active to provide awareness to users present at the device.

3.13.13. Control and monitor the use of mobile code. Establish clear policies and procedures that outline what mobile code is acceptable and how it should be used, including restrictions on downloading code and requiring the mobile code to be from trusted sources. Implementing mobile device management (MDM) allows organizations to control app installations and potentially restrict mobile code execution within apps. Organizations can monitor mobile code by implementing endpoint solutions to detect suspicious code and alert the IT security team, and by configuring firewalls to block the potentially malicious code. Security assessments should be used to monitor and identify vulnerabilities involving mobile code execution.

3.13.14. Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. VoIP technologies should be monitored by using session border controllers (SBCs). SBCs act as a gateway between internal networks and VoIP provider’s network. SBCs allow organizations to manage and secure VoIP traffic by filtering calls based on predefined rules such as destinations or caller ID, encrypting calls using Secure Real-time Transport Protocol (SRTP), and monitoring call activity for suspicious patterns.

3.13.15. Protect the authenticity of communications sessions. Communications and data exchanges must be protected against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. Authenticate individuals by verifying identities, using methods such as multi-factor authentication or digital certificates.

3.13.16. Protect the confidentiality of CUI at rest. Protecting CUI at rest involves safeguarding sensitive information that is stored on devices and not actively being transmitted. This level of protection is achieved through encryption or physical security measures. Encryption uses algorithms and keys to scramble the data making it unreadable without authorization. Physical security involves physically restricting access to devices storing CUI; this consists of locking server rooms, using tamper-evident seals, and controlling access to removable media.

Ensuring Comprehensive Security in the Digital Age

Adherence to NIST SP 800-171, particularly sections 3.13.1 to 3.13.5, is fundamental for protecting the integrity and confidentiality of CUI against the environment of increasingly sophisticated cyber threats. By reinforcing system and communications security, organizations can ensure the resilience and integrity of their information systems, keeping trust and compliance in an evolving digital landscape. To mitigate the risk of unauthorized eavesdropping or recording through collaborative computing devices, organizations must enforce strict controls, such as prohibiting remote activation. Authenticating communication sessions is critical to thwarting cyber attacks and to supporting the security of network interactions. Moreover, safeguarding (CUI at rest is imperative for preserving its confidentiality.

These are just a few examples of how to implement System and Communications Protection whether you are a DoD Contractor or part of the Defense Industrial Base (DIB). Look for our next blog on System and Information Integrity.

Stay Ahead of the Game: Ensure Your NIST SP 800-171 Compliance for DoD Contracts

IBSS will use our 20 years of corporate DoD cybersecurity experience to prepare you for NIST SP 800-171 compliance. We specialize in developing cybersecurity strategies that align with organizational business processes to detect or prevent cyber attacks. We identify threats and vulnerabilities, and we assist organizations with managing risks to critical data. We provide expert support to promote compliance with Defense Federal Acquisition Regulation Supplement (DFARS), Federal Information Security Modernization Act (FISMA), Federal Risk and Authorization Management Program (FedRAMP), NIST SP 800-171, and Privacy requirements.

Contact us now to get a free consultation on how to develop your company’s NIST SP 800-171 SSP.

Related

SQUID-A-RAMA

SQUID-A-RAMA

Another IBSS educational event with support from the eeBLUE/NAAEE Aquaculture Literacy grant is in the books. Squid-A-Rama is as exciting as it...

Learn more about IBSS