In less than five months your organization needs to be DFARS NIST 800-171 compliant. If you have already formulated a remediation plan to help you address your deficiencies, continue working through your prioritized roadmap to meet the compliance deadline. If you haven’t yet begun planning, get started today. Don’t jeopardize your ability to secure and execute DoD contracts by being non-compliant.
Three areas to focus on as you craft your compliance roadmap
After you’ve assessed your organization against the 110 security controls in NIST 800-171, you’ll need to build a plan to address your compliance gaps. An effective plan will have components that address these three areas.
- Multifactor authentication
- What it is: Multifactor authentication (MFA) is a security measure where more than one method of authentication from independent categories of credentials is required to verify the user’s identity for a login or other transaction. It is an important component of any security plan as increasing authentication from single factor greatly improves security of your systems.
- What you need to do: Procure an identification and authentication service that complies with the DFARS security requirements. Make sure the MFA solution is scoped and implemented to address the unique requirements of your environment. Also, work with stakeholders and end-users to conduct use-case and validity testing. Integrate with your authentication management processes to administer the user lifecycle. Make sure you have access to training, maintenance, and support of your solution.
- Privileged Account Management
- What it is: Privileged account management (PAM) is managing and auditing account and data access by privileged users, who are individuals with administrative access to critical systems. Better managing access to privileged accounts can help prevent cyber adversaries and rogue insiders from going after privileged credentials as a way to gain broad and undetected access to your information systems.
- What you need to do: Ensure your PAM solution provides automated, monitored, and controlled privileged access. Elevate administrative access to avoid granting excessive access to privileged accounts. Require the verification of a ticket or an approval to ensure administrative access is only granted when it is required for a specific activity. Work with engineers who are well versed in fine-tuning the configuration of the PAM suite and who can provide technical expertise and customization for your unique project.
- Vulnerability Management
- What it is: Vulnerability management is the cyclical practice of identifying, classifying, remediating, and mitigating vulnerabilities in your security infrastructure. It is important that your organization continually be monitoring for vulnerabilities to ensure you stay ahead of potential threats.
- What you need to do: A DFARS compliant vulnerability management program will continuously assess your environment for vulnerabilities and patch compliance. Make sure your solution performs monthly vulnerability scans, as well as scans after any significant changes are made, of all your internal and public facing systems. Also, ensure you receive a monthly report detailing new findings and findings from the previous month(s) which have yet to be remediated. Verify implementation of patches or work arounds for each fix with follow-up scans as needed.
Plan, provision, and outsource if needed to meet the December 31, 2017 deadline
Determine what you can reasonably accomplish with your internal resources and what you need to outsource to meet the December deadline. Also, as part of your roadmap, make sure you plan for a post-compliance world where you need to maintain the controls you’ve implemented.
Regardless of where you are in your DFAR compliance process, time of of the essence. Continue your efforts or get started now – five months is not much time to effect the change mandated by NIST 800-171 compliance.
If you need support, contact us for a FREE consultation.