CurrentWare & NIST SP 800-171 Compliance

CurrentWare for NIST SP 800-171

Searching for software solutions for NIST SP 800-171 or NIST SP 800-53 compliance? This article will outline CurrentWare’s solutions for achieving compliance with the NIST cybersecurity framework.

Table of Contents

How CurrentWare Helps Ensure Compliance With the NIST Cybersecurity Framework

Need to implement technical safeguards to meet data security compliance requirements? CurrentWare’s security software keeps your network secure by providing critical security controls that are mandated by a majority of cybersecurity frameworks. 

Restrict Portable Storage Devices

Blocking data egress points such as portable storage devices is a basic security requirement for preventing data loss. CurrentWare’s endpoint security software AccessPatrol provides data security controls that alert administrators to suspicious file operations and prevents the use of unauthorized USB devices by users that have access to sensitive data.

  • Receive alerts of high-risk USB device usage straight to your inbox
  • Restrict access to peripheral devices such as removable storage, Bluetooth, and WiFi
  • Maintain auditable records of files that are copied, created, renamed, or deleted on portable storage devices
  • Block file transfers based on file type and file name

NIST cybersecurity framework control 3.8.7—Control the use of removable media on system components
In contrast to requirement 3.8.1, which restricts user access to media, this requirement restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives.

Organizations can employ technical and nontechnical controls (e.g., policies, procedures, and rules of behavior) to control the use of system media. Organizations may control the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the capability to insert, read, or write to such devices.

Organizations may also limit the use of portable storage devices to only approved devices including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned.

Finally, organizations may control the use of portable storage devices based on the type of device, prohibiting the use of writeable, portable devices, and implementing this restriction by disabling or removing the capability to write to such devices.”

NIST Special Publication 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
removable media policy template mockup

Removable Media
Policy Template

  • Set data security standards for portable storage
  • Define the acceptable use of removable media
  • Inform your users about their security responsibilities

Get started today—Download the FREE template and customize it to fit the needs of your organization.

User Activity Monitoring

employee using their work computer

Employee monitoring with BrowseReporter provides continuous oversight of end-user activities as they perform their job functions, providing a method for identifying suspicious or unsafe computer usage.

  • Monitor web usage for suspicious URLs such as cloud storage sites
  • Track application usage for shadow IT and other unauthorized software usage
  • Track bandwidth consumption for anomalous spikes in data sent or received

Following the discovery of unwanted behavior, employee monitoring data provides your organization with the precedence for taking corrective actions to prevent unlawful or unsafe behavior that puts sensitive data at risk.

Fight Web-Based Security Threats

Blocking websites with BrowseControl is essential for securing your network against malicious websites and preventing employees from transferring data to unauthorized cloud storage platforms. 

  • Block websites based on URL, domain, IP address, or content category
  • Restrict internet access to authorized websites only with the Allowed List
  • Customize restrictions for each user, computer, or organizational unit

BrowseControl includes a port filter to close unused or undesirable network ports such as those used for FTP and P2P, an application blocker to prevent employees from launching Windows applications, and a download filter to block files from being downloaded from the internet.

Audit Logon Activity

enPowerManager provides remote power management features and timestamped device activity reports  that detail when employees login, logout, startup, shutdown, sleep, or hibernate their machines. 

  • Track logon activity for local and domain accounts
  • Audit logins for suspicious activity, such as user accounts or computers being logged into after hours. 
  • Remotely startup, shutdown, and restart computers to end-user sessions or apply critical security updates

On-Premises Deployment

Ground view of a tall building

Many frameworks have compliance requirements relating to data localization & data residency. They may also require that external access to internal resources is limited wherever possible. CurrentWare’s solutions are installed on-premises, allowing you to retain full control over your deployment and any user activity data that you collect.

What about remote workers?

Organizations that would like to use CurrentWare to manage employees that are working from home can still do so even with an on-premises deployment. See this article for more information.

Using CurrentWare to Meet NIST SP 800-53 & NIST SP 800-171 Compliance

CurrentWare for NIST 800-171 & 800-53 compliance
Learn more about CurrentWare’s NIST 800-171 compliance solutions
Control FamilyNIST Cybersecurity Framework Control & DescriptionSupporting CurrentWare Feature
Access ControlAC-6 Least Privilege:
The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Granular security controls for web access, authorized applications, peripheral devices such as USB removable storage devices, and printers.
Access ControlAC-18 Wireless Access:
The organization:

a. Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and

b. Authorizes wireless access to the information system prior to allowing such connections.

AC-18 (3)
The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment.
Block devices/users from using wireless technologies including WiFi, Infrared, and Bluetooth.
Access ControlAC-19 (4)(c) Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies].Block portable devices such as mobile phones from connecting to endpoints via USB.

Block endpoints from using Bluetooth and WiFi.
Audit and AccountabilityAU-3 Content of Audit Records:
The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event.
Email reports for web usage USB activities, and logons.
Audit and AccountabilityAU-4 Audit Storage Capacity:
The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements].
On-premises software with the ability to store user activity indefinitely or have it culled at set intervals.
Audit and AccountabilityAU-6 Audit Review, Analysis, and Reporting:

a. Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and

b. Reports findings to [Assignment: organization-defined personnel or roles].
Email reports and alerts for web usage and USB activities.
Audit and AccountabilityAU-8 Time Stamps:

The information system:
a. Uses internal system clocks to generate timestamps for audit records; and

b. Records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement].
User activity reports are timestamped based on the installation location of the CurrentWare server.
Audit and AccountabilityAU-11 Audit Record Retention:
The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements.
On-premises software with the ability to store user activity indefinitely or have it culled at set intervals.
Audit and AccountabilityAU-14 Session Audit:
The information system provides the capability for authorized users to select a user session to capture/record or view/hear.

Session audits include, for example, tracking websites visited and recording information and/or file transfers
User activity monitoring from a central console.

Reports on web usage, USB file transfers, logon activity, power states, and live screen viewing/screenshots.
Audit and AccountabilityAU-15 Alternate Audit Capability:

The organization provides an alternate audit capability in the event of a failure in primary audit capability that provides [Assignment: organization-defined alternate audit functionality].
Device restriction policies and user activity monitoring data have a local cache failsafe in the event that a connection to the server is lost.

All user activity is still captured and will sync with the primary database once a connection is reestablished.
Configuration ManagementCM-7 Least Functionality:
The organization:

a. Configures the information system to provide only essential capabilities; and

b. Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services].

CM-7 (4)(b) The organization employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system
Internet and intranet access can be denied by default with an organization-defined allowed list of URLs, categories, and/or IP addresses.

Block specific applications, ranges of network ports, Bluetooth, FTP, and peer-to-peer networking protocols.
Configuration ManagementCM-10 Software Usage Restrictions

The organization:

a. Uses software and associated documentation in accordance with contract agreements and copyright laws;

b. Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and

c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work.
Monitor application usage of employees and endpoints. Identify what software was used, when it was used, and which user/device used the software.

Block network ports and applications associated with peer-to-peer file sharing technology.

Audit file transfers to removable storage devices for evidence of unlawful distribution or copying.
Configuration ManagementCM-11 User-Installed Software

The organization:

a. Establishes [Assignment: organization-defined policies] governing the installation of software by users;

b. Enforces software installation policies through [Assignment: organization-defined methods]; and

c. Monitors policy compliance at [Assignment: organization-defined frequency].
Track application usage to ensure that unauthorized software is not in use.

Block websites that are known to host executable files.

Block the download of executables.

Prevent the transfer of files to removable storage devices.
Incident ResponseIR-5 Incident Monitoring:

The organization tracks and documents information system security incidents.

IR-5 (1)
The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information.
Maintain auditable records of file operations to removable storage devices, web browsing activity, and application usage.

Email alerts send user activity reports to a designated inbox when specified events occur.
Media ProtectionMP-7 Media Use:
The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards].
Block peripheral devices such as printers, scanners, cameras, Bluetooth, cell phones, USB removable storage devices, optical media, floppy disks, tape, and SD/MM cards.

Allowed list provides exemptions for authorized removable storage devices.

Click here for more information.
System and Services AcquisitionSA-9 External Information System Services | Processing, Storage, and Service Location
The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions].
Supplemental Guidance: The location of information processing, information/data storage, or information system services that are critical to organizations can have a direct impact on the ability of those organizations to successfully execute their missions/business functions. This situation exists when external providers control the location of processing, storage or services. The criteria external providers use for the selection of processing, storage, or service locations may be different from organizational criteria. For example, organizations may want to ensure that data/information storage locations are restricted to certain locations to facilitate incident response activities (e.g., forensic analyses, after-the-fact investigations) in case of information security breaches/compromises. Such incident response activities may be adversely affected by the governing laws or protocols in the locations where processing and storage occur and/or the locations from which information system services emanate.
All data is controlled by the organization with no reliance on third-party data processors or controllers required.
System and Communications ProtectionSC-43 Usage Restrictions:

The organization:

a. Establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and

b. Authorizes, monitors, and controls the use of such components within the information system.

Information system components include hardware, software, or firmware components (e.g., Voice Over Internet Protocol, mobile code, digital copiers, printers, scanners, optical devices, wireless technologies, mobile devices).
Users can be restricted from using printers, scanners, optical devices, wireless technologies, and mobile devices on managed devices.

Monitor the connection history of a variety of peripherals including portable storage, printers, scanners, optical devices, wireless technologies, and mobile devices on managed devices.

Access to websites, applications, and network ports can be restricted.

Computer usage can be monitored including application usage, bandwidth consumption, and web browsing.

FAQ: Can I Use the CurrentWare Web Console If I Need to Be NIST SP 800-171 Compliant?

AccessPatrol central web console close up

With the announcement that the new CurrentWare web console allows you to access your CurrentWare dashboard remotely, we’ve been getting a lot of questions from companies that do not want to have external access to internal resources.

To reduce the potential for unauthorized access many organizations opt to entirely restrict access to internal networks from external sources. Companies that do allow this access are expected to maintain minimum security requirements such as implementing encryption via secure VPNs and implementing remote access authentication, authorization, and access controls.

Good news! With CurrentWare’s default on-premises deployment the password-protected web console will only be accessible to devices within your local area network. Even then, only authorized operators with their own set of credentials can gain access to the web console.

The web console makes managing your CurrentWare policies more convenient by allowing you to manage policies and run reports without the need to install a CurrentWare Console on each manager’s computer.

The web console can be accessed by any modern web browser on devices that have access to the CurrentWare Server. Unless you set up port forwarding, a remote desktop connection, or a VPN with access to your local network the web console will not be accessible outside of your network.

Need more details? Reach out to us for a demo or have a live chat with our technical support team using the chat icon at the bottom of the page.

What is NIST SP 800-171?

NIST Special Publication 800-171 (NIST SP 800-171) is an NIST cybersecurity framework with a set of standards established by the National Institute of Standards and Technology (NIST). NIST SP 800-171 outlines cybersecurity standards that non-federal organizations must comply with to protect controlled unclassified information (CUI) when they work with government entities. 

The intent of NIST SP 800-171 is to provide a baseline of recommended security requirements for protecting the confidentiality of federal CUI when it is stored, accessed by, or processed in nonfederal systems and organizations. 

NIST SP 800-171 is also a subset of the Federal Information Security Management Act (FISMA), a US federal law that was designed to regulate security standards and guidelines within government services.  As a result of FISMA, NIST developed Federal Information Processing Standards (FIPS), which are requirements for all federal agencies.

To pass a FISMA compliance audit an organization will be tested against security controls outlined in NIST publications such as FIPS 199, FIPS 200, and the NIST 800 series.

These security frameworks are designed to define a range of risk levels that organizations can place their information systems on and provide guidance for implementing security controls that limit data security risks.

What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) is a federal data security classification that refers to data that is sensitive but unregulated. Examples of CUI include personally identifiable information (PII) and intellectual property/trade secrets such as technical drawings and blueprints.  While CUI is not classified, it is still considered to be sensitive data and it requires ample security controls to ensure that it is not disclosed to unauthorized parties.

“The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its essential missions and functions.

This publication provides agencies with recommended security requirements for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry.

The minimum requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components. The security requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.”

NIST SP 800-171 Abstract

Who Needs to be in Compliance With NIST SP 800-171?

Non-federal organizations that work with federal organizations in the US must implement the security controls recommended by NIST SP 800-171 to demonstrate that they can adequately classify and protect CUI.

While meeting NIST SP 800-171 is not a requirement for all organizations, it is highly advantageous to do so. Aside from the obvious advantage that comes with improving the security of your network, achieving compliance with NIST SP 800-171 ensures that your organization is not disqualified from profitable government contracts.

For example, the Defense Federal Acquisition Regulation Supplement (DFARS) mandate requires that all non-federal organizations within the United States Department of Defense’s supply chain meet the cybersecurity protocols outlined in NIST 800-171.

NIST SP 800-171 vs NIST SP 800-53

NIST SP 800-171 and NIST SP 800-53 are similar security frameworks. The key difference is that NIST 800-171 is an NIST cybersecurity framework that is specifically for non-federal networks, whereas organizations that directly connect to federal servers, networks, or other federal information systems are expected to be in compliance with NIST SP 800-53.

For more information:

Conclusion & Next Steps

If your company needs to be in compliance with cybersecurity frameworks such as NIST SP 800-171, NIST SP 800-53, FISMA, or the Health Insurance Portability and Accountability Act of 1996 (HIPAA) you can rest assured that the new CurrentWare web console is fully controlled by your organization. Your data will not be shared with CurrentWare and only those with access to the network you installed the web console on can access it.

CurrentWare’s user activity monitoring and data loss prevention solutions provide several security controls to ensure that sensitive data is protected against a variety of common threats.

Reach out to the CurrentWare team today to learn more or download a free trial to get started right away.

Want to see the web console in action? Try out the live demo.

Dale Strickland
Dale Strickland
Dale Strickland is the Digital Marketing Manager for CurrentWare, a global provider of user activity monitoring, web filtering, and device control software. Dale’s diverse multimedia background allows him the opportunity to produce a variety of content for CurrentWare including blogs, infographics, videos, eBooks, and social media shareables.