NIST合规

To ensure that our clients maintain a compliant state and strong control environment, LBMC performs our NIST assessments using the following steps:

• 开始叫 – To discuss engagement logistics, verify controls to be tested, confirm onsite scheduling, review evidence request 过程es, and answer any pre-engagement questions
• 文档评审
• Interviews with individuals responsible 用于控制实现获得对当前处理环境的理解.
• Conduct a performance review audit of NIST specified controls and an onsite walk-around.
• Debrief and issuance of the final audit report

如果你像成千上万的其他政府承包商一样，努力理解合规性，以及需要多少资源才能达到合规性, know that you are not alone!  Don’t worry, odds are you are already in compliance to a large degree.

网络安全漏洞是一个常见的威胁，在这个时代似乎几乎是正常的.  然而, 明升体育app下载政府, along with the security expertise of NIST, continue to seek more secure and efficient ways to safeguard our data. When determining the level of information security your organization should implement, the risks of your data being compromised should be the driving factor.  不那么显而易见的, 风险较低的组织是窃取政府机密信息的目标, and the federal government now is taking additional steps to safeguard their security.

黑客的主要目标是非联邦组织，这些组织可以访问包括公民高等教育在内的联邦数据, 税, 还有医疗记录. 这种类型的信息对于恶意用户来说具有很高的价值，这些恶意用户要么希望直接泄露这些信息，要么希望建立一个立足点，作为攻击更大的联邦机构目标的起点.  其他感兴趣的组织是利用政府数据进行研究的高等教育机构, 发展, 和/或政府补助.  Although data in transit must be protected per federal encryption requirements, 想到的更大的问题是——一旦数据到达预期的接收方，应该采取什么控制措施来保护数据?  That is where NIST 800 - 171 becomes relevant. 本标准的实施是为了帮助填补在非联邦信息系统上保护受控非机密信息(CUI)的空白.

CUI is defined as “information that law, 监管, or government-wide policy requires safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, 十二月二十九日, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended (Executive Order 13556)”.  So what does this long and complex government definition really mean?

If you are a government support contractor, 例如, 可以访问未被标记为机密的联邦信息系统或政府数据, or a university using Medicare data for statistical research, 作为合同的一部分，您可以访问CUI，因此有义务保护它.  任何支持联邦信息系统并访问CUI的承包商都可能受到NIST SP 800-171的影响, and CUI isn’t necessarily limited to raw data records. It also applies to data that is collected, 存储, and documented in support of federal information system. 这包括项目管理、技术写作、系统开发和咨询.

在高水平上, NIST SP 800-53安全标准旨在供联邦政府内部使用，包含通常不适用于承包商内部信息系统的控制措施. NIST SP 800-53为联邦组织提供顶级需求，更具体地为联邦信息系统和组织提供安全和隐私控制.

另一方面, NIST SP 800-171适用于内部承包商信息系统，并为所有CUI安全需求提供了一套标准化的要求，允许非联邦组织通过始终如一地实施CUI安全措施来遵循法定和监管要求. 另外, 许多NIST SP 800-171控制都是关于策略的一般最佳安全实践, 过程, and configuring IT securely, and this means in many regards, 与NIST SP 800-53相比，NIST SP 800-171被认为不那么复杂，也更容易理解.

NIST SP 800-171的独特之处在于，它是为消除FIPS 200和NIST SP 800-53的要求而量身定制的:

1. specific to government-owned systems
2. 与CUI无关，或
3. expected to be satisfied without specifications (i.e., policy and procedure controls).

NIST SP 800-171包括超过100个控制，跨越14个控制家族，本质上更简洁, making it less complex to implement for non-federal organizations.

NIST SP 800-171的一个独特特征是，非联邦组织在定义如何实现需求方面具有灵活性. The requirements do not mandate any particular technological solutions, 允许承包商, 如果他们选择, to protect information using the systems they already have in place, rather than trying to use government-specific approaches. 对于已经拥有成熟系统的组织来说，这是一个好消息，这可能意味着他们不必“撕裂并替换”他们现有的安全程序.

NIST SP 800-171中的安全要求旨在保护驻留在承包商信息系统中的CUI，同时通常减轻承包商维护以联邦为中心的流程和需求的负担.  遵守NIST SP 800-171应该被看作是一个很好的政府数据管理的机会，也是这些组织竞争其他组织可能没有资格获得的联邦机会的机会.