Searching for software solutions for NIST SP 800-171 or NIST SP 800-53 compliance? With all of the buzz around the new CurrentWare web console, we’ve been getting a lot of questions from current and potential customers. This article will outline CurrentWare’s solutions for NIST SP 800-171 compliance and address one of the most common questions we’ve been asked about the web console.
Is the CurrentWare web console limited to internal network access only? My company is very protective of confidential data and we can’t have external access to internal sites.
Here’s the short answer:
Yes! By default, the CurrentWare web console can only be accessed from your local area network. That said, if you would like to access the web console to run reports or update policies while working from an off-site location, there are ways that you can do that. I’ll touch more on that later in this article.
If your company follows compliance frameworks such as NIST SP 800-171 that recommend limiting external access to internal resources, you can safely use the CurrentWare web console. In fact, CurrentWare’s security solutions are excellent technical safeguards for meeting several controls you will need in order to achieve NIST SP 800-171 compliance.
Need more details? The rest of this article will outline the key features of CurrentWare and how it can be used in organizations that need to be in compliance with NIST SP 800-171, NIST SP 800-53, FISMA, and other compliance frameworks.
Need to implement technical safeguards to meet data security compliance requirements? CurrentWare’s security software keeps your network secure by providing critical security controls that are mandated by a majority of cybersecurity frameworks.
Blocking data egress points such as portable storage devices is a basic security requirement for preventing data loss. CurrentWare’s endpoint security software AccessPatrol provides data security controls that alert administrators to suspicious file operations and prevents the use of unauthorized USB devices by users that have access to sensitive data.
“3.8.7 Control the use of removable media on system components.

In contrast to requirement 3.8.1, which restricts user access to media, this requirement restricts the use of certain types of media on systems, for example, restricting or prohibiting the use of flash drives or external hard disk drives. Organizations can employ technical and nontechnical controls (e.g., policies, procedures, and rules of behavior) to control the use of system media. Organizations may control the use of portable storage devices, for example, by using physical cages on workstations to prohibit access to certain external ports, or disabling or removing the ability to insert, read, or write to such devices. Organizations may also limit the use of portable storage devices to only approved devices including devices provided by the organization, devices provided by other approved organizations, and devices that are not personally owned. Finally, organizations may control the use of portable storage devices based on the type of device, prohibiting the use of writeable, portable devices, and implementing this restriction by disabling or removing the capability to write to such devices.”

NIST SP 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations (discussion for requirement 3.8.7)
Employee monitoring with BrowseReporter provides continuous oversight of end-user activities as they perform their job functions, providing a method for identifying suspicious or unsafe computer usage.
Following the discovery of unwanted behavior, the monitoring data gives your organization a documented basis for corrective action against unlawful or unsafe behavior that puts sensitive data at risk.
Blocking websites with BrowseControl is essential for securing your network against malicious websites and preventing employees from transferring data to unauthorized cloud storage platforms.
BrowseControl includes a port filter to close unused or undesirable network ports such as those used for FTP and P2P, an application blocker to prevent employees from launching Windows applications, and a download filter to block files from being downloaded from HTTP websites on the internet.
enPowerManager provides remote power management features and timestamped device activity reports that detail when employees login, logout, startup, shutdown, sleep, or hibernate their machines.
Many compliance frameworks have stipulations for data localization & data residency. They may also require that external access to internal resources is limited wherever possible. CurrentWare’s solutions are installed on-premises, allowing you to retain full control over your deployment and any user activity data that you collect.
Organizations that would like to use CurrentWare to monitor and manage employees that are working from home can still do so even with an on-premises deployment. See this article for more information.
| Control Family | NIST Control & Description | Supporting CurrentWare Feature |
|---|---|---|
| Access Control | AC-6 Least Privilege: The organization employs the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions. | Granular security controls for web access, authorized applications, and peripherals such as USB removable storage devices and printers. |
| Access Control | AC-18 Wireless Access: (a) Establishes usage restrictions, configuration/connection requirements, and implementation guidance for wireless access; and (b) Authorizes wireless access to the information system prior to allowing such connections. AC-18 (3) Disable Wireless Networking: The organization disables, when not intended for use, wireless networking capabilities internally embedded within information system components prior to issuance and deployment. | Block devices/users from using wireless technologies including WiFi, Infrared, and Bluetooth. |
| Access Control | AC-19 (4)(c): Restricts the connection of classified mobile devices to classified information systems in accordance with [Assignment: organization-defined security policies]. | Block portable devices such as mobile phones from connecting to endpoints via USB. Block endpoints from using Bluetooth and WiFi. |
| Audit and Accountability | AU-3 Content of Audit Records: The information system generates audit records containing information that establishes what type of event occurred, when the event occurred, where the event occurred, the source of the event, the outcome of the event, and the identity of any individuals or subjects associated with the event. | Email reports for web usage, USB activities, and logons. |
| Audit and Accountability | AU-4 Audit Storage Capacity: The organization allocates audit record storage capacity in accordance with [Assignment: organization-defined audit record storage requirements]. | On-premises software with the ability to store user activity indefinitely or have it culled at set intervals. |
| Audit and Accountability | AU-6 Audit Review, Analysis, and Reporting: (a) Reviews and analyzes information system audit records [Assignment: organization-defined frequency] for indications of [Assignment: organization-defined inappropriate or unusual activity]; and (b) Reports findings to [Assignment: organization-defined personnel or roles]. | Email reports and alerts for web usage and USB activities. |
| Audit and Accountability | AU-8 Time Stamps: The information system (a) uses internal system clocks to generate timestamps for audit records; and (b) records time stamps for audit records that can be mapped to Coordinated Universal Time (UTC) or Greenwich Mean Time (GMT) and meets [Assignment: organization-defined granularity of time measurement]. | User activity reports are timestamped in the local time of the CurrentWare Server. To satisfy AU-8 (b), document the server's time zone so that report timestamps can be mapped to UTC, and keep the server's clock synchronized to an authoritative time source. |
| Audit and Accountability | AU-11 Audit Record Retention: The organization retains audit records for [Assignment: organization-defined time period consistent with records retention policy] to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements. | On-premises software with the ability to store user activity indefinitely or have it culled at set intervals. |
| Audit and Accountability | AU-14 Session Audit: The information system provides the capability for authorized users to select a user session to capture/record or view/hear. Supplemental guidance: session audits include, for example, tracking websites visited and recording information and/or file transfers. | User activity monitoring from a central console. Reports on web usage, USB file transfers, logon activity, power states, and live screen viewing/screenshots. |
| Audit and Accountability | AU-15 Alternate Audit Capability (Revision 4; withdrawn in Revision 5 and incorporated into AU-5 (5)): The organization provides an alternate audit capability in the event of a failure in primary audit capability that provides [Assignment: organization-defined alternate audit functionality]. | Device restriction policies and user activity monitoring data have a local cache failsafe in the event that the connection to the server is lost. All user activity is still captured and syncs with the primary database once the connection is reestablished. |
| Configuration Management | CM-7 Least Functionality: (a) Configures the information system to provide only essential capabilities; and (b) Prohibits or restricts the use of the following functions, ports, protocols, and/or services: [Assignment: organization-defined prohibited or restricted functions, ports, protocols, and/or services]. CM-7 (4)(b): The organization employs an allow-all, deny-by-exception policy to prohibit the execution of unauthorized software programs on the information system. | Internet and intranet access can be denied by default with an organization-defined allowed list of URLs, categories, and/or IP addresses. Block specific applications, ranges of network ports, Bluetooth, FTP, and peer-to-peer networking protocols. Note that a deny-by-default allowed list is the stronger deny-all, permit-by-exception model of CM-7 (5); the application block list is the allow-all, deny-by-exception model quoted in CM-7 (4)(b). |
| Configuration Management | CM-10 Software Usage Restrictions: (a) Uses software and associated documentation in accordance with contract agreements and copyright laws; (b) Tracks the use of software and associated documentation protected by quantity licenses to control copying and distribution; and (c) Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the unauthorized distribution, display, performance, or reproduction of copyrighted work. | Monitor application usage of employees and endpoints: identify what software was used, when it was used, and which user/device used it. Block network ports and applications associated with peer-to-peer file sharing technology. Monitor file transfers to removable storage devices for evidence of unlawful distribution or copying. |
| Configuration Management | CM-11 User-Installed Software: (a) Establishes [Assignment: organization-defined policies] governing the installation of software by users; (b) Enforces software installation policies through [Assignment: organization-defined methods]; and (c) Monitors policy compliance at [Assignment: organization-defined frequency]. | Monitor application usage to ensure that unauthorized software is not in use. Block websites that are known to host executable files. Block the download of executables from HTTP sites. Prevent the transfer of files to removable storage devices. |
| Incident Response | IR-5 Incident Monitoring: The organization tracks and documents information system security incidents. IR-5 (1) Automated Tracking / Data Collection / Analysis: The organization employs automated mechanisms to assist in the tracking of security incidents and in the collection and analysis of incident information. | Maintain auditable records of file operations to removable storage devices, web browsing activity, and application usage. Email alerts send user activity reports to a designated inbox when specified events occur. |
| Media Protection | MP-4 (2) Media Storage, Automated Restricted Access: The organization employs automated mechanisms to restrict access to media storage areas and to audit access attempts and access granted. | Block users/endpoints from using peripherals such as removable storage devices. Maintain auditable records of an employee's entire USB device usage history across all of the organization's endpoints. Reports indicate each device inserted into a given endpoint and/or by a given user and whether it was blocked or permitted by your AccessPatrol endpoint device policy settings. |
| Media Protection | MP-7 Media Use: The organization [Selection: restricts; prohibits] the use of [Assignment: organization-defined types of information system media] on [Assignment: organization-defined information systems or system components] using [Assignment: organization-defined security safeguards]. | Block peripheral devices such as printers, scanners, cameras, Bluetooth, cell phones, USB removable storage devices, optical media, floppy disks, tape, and SD/MM cards. An allowed list provides exemptions for authorized removable storage devices. |
| System and Services Acquisition | SA-9 (5) External Information System Services, Processing, Storage, and Service Location: The organization restricts the location of [Selection (one or more): information processing; information/data; information system services] to [Assignment: organization-defined locations] based on [Assignment: organization-defined requirements or conditions]. Supplemental Guidance: The location of information processing, information/data storage, or information system services that are critical to organizations can have a direct impact on the ability of those organizations to successfully execute their missions/business functions. This situation exists when external providers control the location of processing, storage or services. The criteria external providers use for the selection of processing, storage, or service locations may be different from organizational criteria. For example, organizations may want to ensure that data/information storage locations are restricted to certain locations to facilitate incident response activities (e.g., forensic analyses, after-the-fact investigations) in case of information security breaches/compromises. Such incident response activities may be adversely affected by the governing laws or protocols in the locations where processing and storage occur and/or the locations from which information system services emanate. | All data is controlled by the organization; no third-party data processors or controllers are required. |
| System and Communications Protection | SC-43 Usage Restrictions: (a) Establishes usage restrictions and implementation guidance for [Assignment: organization-defined information system components] based on the potential to cause damage to the information system if used maliciously; and (b) Authorizes, monitors, and controls the use of such components within the information system. Information system components include hardware, software, or firmware components (e.g., Voice Over Internet Protocol, mobile code, digital copiers, printers, scanners, optical devices, wireless technologies, mobile devices). | Users can be restricted from using printers, scanners, optical devices, wireless technologies, and mobile devices on managed endpoints. Access to websites, applications, and network ports can be restricted. Computer usage can be monitored, including application usage, bandwidth consumption, and web browsing. |

The control text in this table is quoted from NIST SP 800-53 Revision 4; Revision 5 reworded several of these controls and withdrew AU-15, so check the identifiers against the revision your assessment uses. Each row also covers only the technical part of the control: the organization-defined values (review frequency, retention period, the list of authorized devices) and the policies behind them still have to be set and documented by you.
With the announcement that the new CurrentWare web console allows you to access your CurrentWare dashboard remotely, we’ve been getting a lot of questions from companies that do not want to have external access to internal resources.
To reduce the potential for unauthorized access, many organizations restrict access to internal networks from external sources entirely. Companies that do allow remote access are expected to meet minimum requirements for it: encrypting sessions (for example over a VPN), routing them through managed access control points, and enforcing remote access authentication and authorization. NIST SP 800-171 requirements 3.1.12 through 3.1.14 address exactly this: monitoring and controlling remote access sessions, protecting their confidentiality with cryptography, and routing them via managed access control points.
Good news! With CurrentWare's default on-premises deployment, the password-protected web console is reachable only from hosts that can route to the CurrentWare Server, which in a standard deployment means devices within your local area network. Even then, only authorized operators with their own set of credentials can sign in to the web console.
More specifically, the CurrentWare web console is a locally managed, non-internet-connected, web-based version of the traditional CurrentWare Console Windows application (WinForms). The web console makes managing your CurrentWare policies more convenient by letting you manage policies and run reports without installing a CurrentWare Console on each manager's computer.
The web console can be accessed from any modern web browser on a device that can reach the CurrentWare Server. Unless you set up port forwarding, a remote desktop connection, or a VPN into your local network, the web console is not reachable from outside it. Treat that as a property of your network boundary rather than of the console itself: a NAT rule or firewall exception that forwards the server's port would expose it, so confirm from an outside vantage point that the port does not answer, and re-check whenever perimeter rules change.
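One way to check that claim rather than take it on trust, as an added example that is not CurrentWare's own code: the script below performs a TCP reachability probe against the server's address and port and compares the result with what you expect from each vantage point. Run it once from a LAN host (expected: reachable) and once from outside your network, for example from a phone hotspot or a cloud VM, against your public IP (expected: unreachable). The port number CONSOLE_PORT and the hostnames in the comments are assumptions, since the article does not state the console's port; substitute the one your server listens on. The stand-in listener exists only so the checker can be exercised offline.

```python
"""Probe whether the CurrentWare web console answers from a given vantage point.

Added example, not CurrentWare's own code. CONSOLE_PORT and the hostnames in the
comments are assumptions; the article does not state the console's port.
"""
import socket
import threading
from contextlib import contextmanager
from dataclasses import dataclass

CONSOLE_PORT = 8443  # assumption: replace with the port your CurrentWare Server listens on


def is_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """True only if a TCP handshake completes.

    Connection refused, timeout and DNS failure are all OSError subclasses and all
    mean "not reachable from here", which is what an exposure check needs.
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


@dataclass(frozen=True)
class Probe:
    label: str             # where you are probing from, for the report
    host: str              # address of the CurrentWare Server as seen from there
    port: int
    expect_reachable: bool


def evaluate(probes, reach=is_reachable) -> dict:
    """Compare each probe's outcome with expectation.

    Returns {label: "ok" | "UNEXPECTED EXPOSURE" | "UNEXPECTED OUTAGE"}.
    An answer from outside the LAN is the finding to act on: it means a NAT rule,
    firewall exception or forwarded port has exposed the console.
    """
    verdicts = {}
    for p in probes:
        actual = reach(p.host, p.port)
        if actual == p.expect_reachable:
            verdicts[p.label] = "ok"
        elif actual:
            verdicts[p.label] = "UNEXPECTED EXPOSURE"
        else:
            verdicts[p.label] = "UNEXPECTED OUTAGE"
    return verdicts


@contextmanager
def local_listener():
    """Stand-in for the console on 127.0.0.1 so the checker can be exercised offline."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("127.0.0.1", 0))  # port 0: let the OS pick a free port
    srv.listen(5)
    srv.settimeout(0.2)
    stop = threading.Event()

    def serve():
        while not stop.is_set():
            try:
                conn, _ = srv.accept()
                conn.close()
            except socket.timeout:
                continue

    worker = threading.Thread(target=serve, daemon=True)
    worker.start()
    try:
        yield srv.getsockname()[1]
    finally:
        stop.set()
        worker.join()
        srv.close()


def unused_local_port() -> int:
    """A port nothing is listening on: bind to 0, note the number, release it."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]


def self_check() -> dict:
    """Offline demonstration: a live listener must read as reachable, a closed port must not."""
    with local_listener() as open_port:
        closed_port = unused_local_port()
        return evaluate([
            Probe("inside LAN (stand-in)", "127.0.0.1", open_port, expect_reachable=True),
            Probe("outside LAN (stand-in)", "127.0.0.1", closed_port, expect_reachable=False),
            Probe("forwarded port (stand-in)", "127.0.0.1", open_port, expect_reachable=False),
        ])


if __name__ == "__main__":
    for label, verdict in self_check().items():
        print(f"{label}: {verdict}")
    # Real use, run from each vantage point (hostnames are assumptions):
    #   from a LAN host: evaluate([Probe("from LAN", "currentware-server.corp.example", CONSOLE_PORT, True)])
    #   from outside:    evaluate([Probe("from outside", "<your public IP>", CONSOLE_PORT, False)])
```

`evaluate` takes the probe function as a parameter so the verdict logic can be exercised without a network; in real use the default `is_reachable` is what runs. The verdict that matters is UNEXPECTED EXPOSURE on the outside probe: it means the console is answering from the internet and the perimeter rules need reviewing. A probe only tells you whether the port answers, not who can log in, so it complements rather than replaces per-operator credentials.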
NIST Special Publication 800-171 (NIST SP 800-171) is a set of standards established by the National Institute of Standards and Technology. NIST SP 800-171 outlines cybersecurity standards that non-federal organizations must comply with to protect controlled unclassified information (CUI) when they work with government entities.
The intent of NIST SP 800-171 is to provide a baseline of recommended security requirements for protecting the confidentiality of federal CUI when it is stored, accessed by, or processed in nonfederal systems and organizations.
NIST SP 800-171 is derived from the same sources that federal agencies are assessed against under the Federal Information Security Modernization Act (FISMA; originally the 2002 Federal Information Security Management Act): the FIPS 200 minimum security requirements and the moderate baseline of NIST SP 800-53, tailored to protecting the confidentiality of CUI on nonfederal systems. To pass a FISMA compliance audit, an organization is tested against the security controls outlined in NIST publications such as FIPS 199, FIPS 200, and the NIST SP 800 series.
FIPS 199 defines low, moderate, and high impact levels at which an organization categorizes each of its information systems, and FIPS 200 together with NIST SP 800-53 supplies the baseline security controls for each level, so that the safeguards applied are proportionate to the risk.
Controlled Unclassified Information (CUI) is a federal designation for information that is not classified but that a law, regulation, or government-wide policy requires to be safeguarded or subject to dissemination controls. Examples of CUI include personally identifiable information (PII) and intellectual property such as technical drawings and blueprints. Although CUI is not classified, it is sensitive and requires adequate security controls to ensure that it is not disclosed to unauthorized parties.
“The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its essential missions and functions.
This publication provides agencies with recommended security requirements for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category listed in the CUI Registry.
The requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components. The security requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.”
NIST SP 800-171, Abstract
Nonfederal organizations that handle CUI on behalf of US federal agencies must implement the security requirements in NIST SP 800-171 to demonstrate that they can adequately identify and protect that information.
While meeting NIST SP 800-171 is not a requirement for every organization, it is highly advantageous to do so. Beyond the obvious benefit of a more secure network, compliance keeps your organization eligible for government contracts that require it.
For example, Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requires contractors in the United States Department of Defense supply chain that handle covered defense information to implement the security requirements of NIST SP 800-171.
NIST SP 800-171 and NIST SP 800-53 are closely related. NIST SP 800-53 is the full catalog of security controls for federal information systems, and organizations that operate systems for, or directly connect to, federal systems are expected to comply with it. NIST SP 800-171 is a tailored subset derived from the 800-53 moderate baseline, limited to what is needed to protect the confidentiality of CUI on nonfederal systems, which is why each of its requirements maps back to one or more 800-53 controls, as the table above shows.
If your company needs to be in compliance with cybersecurity frameworks such as NIST SP 800-171, NIST SP 800-53, FISMA, or HIPAA you can rest assured that the new CurrentWare web console is fully controlled by your organization. Your data will not be shared with CurrentWare and only those with access to the network you installed the web console on can access it.
In a standard on-premises deployment there will be no external access to the web console, though there are deployment options available for those that would like to access the web console while off-site. The very same remote access methods that are used to connect remote workers to the CurrentWare server will provide you with access to your on-premises web console. To learn more about that, visit this article.
Want to see the web console in action? Try out the live demo.