The Federal Government standardizes how agencies handle sensitive information. Recently published regulations regarding Controlled Unclassified Information (CUI) address the identification, marking, handling, storage and destruction of all non-classified information that has safeguarding or dissemination controls.
As a component of this effort, the National Institute of Standards and Technology (NIST) within the Department of Commerce has released a draft version of NIST Special Publication (SP) 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Although not mandatory at this time, contracts, memoranda of understanding, and other agreements may require adhering to the new guidelines.
The Government is expected to issue a Federal Acquisition Regulation (FAR) clause that will require contractors to abide by NIST SP 800-171. NIST SP 800-171 groups its security requirements into fourteen families. These are:
- ACCESS CONTROL: Limit information system access to authorized users.
- AWARENESS AND TRAINING: Ensure that managers and users of organizational information systems are made aware of the security risks and ensure that personnel are adequately trained.
- AUDIT AND ACCOUNTABILITY: Create information system audit records to enable the reporting of unlawful, unauthorized, or inappropriate information system activity; and ensure that the actions of individual users can be traced to those users so that they can be held accountable for their actions.
- CONFIGURATION MANAGEMENT: Establish baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation); and establish security configuration settings for technology products.
- IDENTIFICATION AND AUTHENTICATION: Identify information system users and authenticate (or verify) the identities of those users as a prerequisite to allowing access.
- INCIDENT RESPONSE: Establish an operational incident-handling capability for organizational information systems; and track, document, and report incidents to appropriate authorities.
- MAINTENANCE: Perform periodic maintenance on organizational information systems; and provide effective controls on the tools and personnel used to conduct maintenance.
- MEDIA PROTECTION: Protect information system media containing CUI, both paper and digital; and limit access to CUI on information system media to authorized users.
- PHYSICAL PROTECTION: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
- PERSONNEL SECURITY: Screen individuals prior to authorizing access to information systems containing CUI.
- RISK ASSESSMENT: Periodically assess the risk to organizational operations, assets, and individuals.
- SECURITY ASSESSMENT: Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; develop and implement plans of action designed to correct deficiencies.
- SYSTEM AND COMMUNICATIONS PROTECTION: Monitor, control, and protect organizational communications (i.e., information transmitted or received by information systems).
- SYSTEM AND INFORMATION INTEGRITY: Identify, report, and correct information and information system flaws in a timely manner; and provide protection from malicious code.
Secure System Administration
Protecting an entire enterprise shouldn’t get in the way of the mission; it should support the mission.
AiTech employs industry experts who know how to protect networks inside and out, from large enterprises to small businesses. Our security administrators go by several names, including security specialist, network security engineer, and information security analyst, but a job title is less important than the specific roles and responsibilities our team offers.
Not only are we skilled system administrators, but we offer solutions for user management, access control, system maintenance, network protection, security audits, and policy recommendations. AiTech is a full-service IT provider and can help your organization design, deploy, and secure your network. Whether it’s an existing network in need of improvement, or a new network that needs informed policy recommendations, AiTech can administer the network your organization needs, with the security it requires.
Roles and responsibilities of our security administrators may include:
- Monitoring networks for security breaches, investigating violations as they occur
- Developing and supporting organizational security standards, best practices, preventative measures, and disaster recovery plans
- Conducting penetration tests (simulating cyberattacks to find vulnerabilities before others can find them)
- Reporting on security breaches to users, as necessary, and to upper management
- Implementing and updating software to protect information
- Staying up-to-date on IT security trends and information
- Recommending security enhancements to management and C-suite executives
Security Training & Awareness
AiTech’s approach to security starts and ends with an informed userbase, because a network is only as secure as its most vulnerable user.
Large organizations may require uniform network policies, but enforcing those policies demands a proactive culture brought about by training and awareness. AiTech has trained users at several organizations to recognize and mitigate cyber threats as they occur.
On-site training, remote certification sessions, or train-the-trainer sessions can all be tailored to meet the needs of your organization.