What NIST 800-171 Means for Your Sensitive Federal Information

The National Institute of Standards and Technology (NIST) released Special Publication 800-171, which applies to all DoD and federal contractors with access to Controlled Unclassified Information (CUI). The publication covers the protection of sensitive federal information and CUI in non-federal information systems and organizations. The Defense Federal Acquisition Regulation Supplement (DFARS) deadline for NIST 800-171 compliance was December 31, 2017. Over the last four years, federal contractors have implemented the standard at a record pace, often with help from consulting programs such as NIST's Manufacturing Extension Partners (MEP). MEP aids in cybersecurity assessments for individual manufacturers striving for government contracts to expand their customer base. These free self-assessments are provided online in multiple formats, including infographics and PDF guidebooks. The MEP provides a wealth of resources for taking the initial steps towards NIST 800-171 compliance and winning profitable government contracts. The BEST of these resources is the NIST Self-Assessment Handbook, 150 pages of insightful advice tailored to various manufacturing situations. If you do not feel like reading the entire handbook, take a look at the NIST SP 800-171 webinar by NSF International, which summarizes its crucial points.

What are some examples of implementations of NIST 800-171 standards?

As the NIST 800-171 standard states, it applies to ANY organization that uses non-confidential information in its databases and stores that data on mass storage devices such as flash drives, hard drives (mechanical or SSD) and network-attached storage (NAS) devices, among others. Notable examples include research institutions such as universities that carry out federally funded research projects, such as testing of controlled substances scheduled under the DEA Controlled Substances Act. As a result, universities such as the University of Cincinnati have developed their own NIST 800-171 Compliance Guideline manual, which describes how the university identifies gaps, who is responsible for doing so and what actions can be taken to close each gap. The University of Connecticut has likewise developed its own NIST 800-171 Security Control Requirements checklist for Principal Investigators (PIs) to use in implementing and maintaining the federal standards in research settings, and has tabulated the NIST 800-171 control requirements separately from the PI implementation standards to show how each is being met. Both compliance documents are good examples to base your own work on if you are interested in winning government contracts post-deadline, and they show how to demonstrate your organization's commitment to compliance.


Besides universities and government-funded research, businesses and financial institutions (state grant agencies, lenders and third parties) that handle federal student loan information must comply with NIST 800-171 and its 109 controls. Because they hold sensitive information such as first and last names, addresses, telephone numbers and email addresses and, most importantly, banking and Social Security identifiers, it is essential that these organizations stay on top of their security. A single breach can expose extremely lucrative PII (Personally Identifiable Information) for hackers to sell on the dark web or use for their own financial gain. That is why NIST 800-171 was revised to include this type of information. For more background on the protection of federal student aid information, take a look at the FSA's electronic announcement from December 18, 2020.

To face these challenges, organizations such as EDUCAUSE have reported on upcoming plans to require self-assessments from organizations holding federal student loan data, although there is still uncertainty about how these will be implemented and what the assessment will require. EDUCAUSE raises further questions for the FSA to answer and stresses the participation of key stakeholders. To read more about their concerns, take a look at 800-171 Compliance on the Horizon. Overall, the FSA's goal is to ensure that loan data is protected by a proper security system throughout its use and storage and is not misused by bad actors. This new standard will be ALL encompassing, as most of the information held by the FSA will be covered.

What to keep in mind after your NIST 800-171 compliance research?

After your research, you may have found some very large gaps in your data handling. If so, we have the answers to your dilemma. Tx Systems provides Identity, Authentication and Access Control solutions that meet NIST SP 800-171 to the HIGHEST levels of federal government standards.

These are some of the key NIST SP 800-171 standards:

  • (3.5.1) Identify information system users, processes acting on behalf of users, or devices.
  • (3.5.2) Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
  • (3.5.3) Use multi-factor authentication (MFA)/two-factor authentication (2FA) for local and network access to privileged accounts and for network access to non-privileged accounts.
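As an added illustration (not from the NIST publication or from Tx Systems), the following Python script checks a constructed inventory of access records against the three controls above. The record schema, account names and event values are hypothetical. It shows the distinction 3.5.3 draws: privileged accounts need MFA for both local and network access, while non-privileged accounts need it only for network access.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed access records; the fields mirror the wording of 3.5.1-3.5.3.
# This schema is hypothetical, not a NIST or Tx Systems data format.
@dataclass
class AccessEvent:
    principal: Optional[str]   # identified user, process or device; None if unidentified
    principal_type: str        # "user", "process" or "device"
    authenticated: bool        # identity was verified before access was granted
    privileged: bool           # account holds administrative rights
    access: str                # "local" or "network"
    mfa: bool                  # a second factor was presented


def failed_controls(ev: AccessEvent) -> List[str]:
    """Return the 800-171 control IDs this event does not satisfy."""
    failures = []
    # 3.5.1: every access must map to an identified user, process or device
    if ev.principal is None or ev.principal_type not in ("user", "process", "device"):
        failures.append("3.5.1")
    # 3.5.2: the identity must be verified before access is allowed
    if not ev.authenticated:
        failures.append("3.5.2")
    # 3.5.3: MFA for privileged accounts (local and network) and for network
    # access to non-privileged accounts; local non-privileged access is outside 3.5.3
    needs_mfa = ev.privileged or ev.access == "network"
    if needs_mfa and not ev.mfa:
        failures.append("3.5.3")
    return failures


def assess(events: List[AccessEvent]) -> Dict[str, int]:
    """Count failing events per control across an inventory of access records."""
    counts = {"3.5.1": 0, "3.5.2": 0, "3.5.3": 0}
    for ev in events:
        for ctrl in failed_controls(ev):
            counts[ctrl] += 1
    return counts


# Constructed sample inventory (not real data)
SAMPLE = [
    AccessEvent("jdoe", "user", True, True, "local", True),           # admin at console with MFA: passes
    AccessEvent("jdoe", "user", True, True, "network", False),        # admin over VPN without MFA: fails 3.5.3
    AccessEvent("asmith", "user", True, False, "local", False),       # ordinary local logon: passes
    AccessEvent("asmith", "user", True, False, "network", False),     # ordinary network logon, no MFA: fails 3.5.3
    AccessEvent(None, "device", False, False, "network", False),      # unidentified, unauthenticated device: fails all three
    AccessEvent("backup-svc", "process", True, True, "local", True),  # privileged service account with MFA: passes
]

if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev.principal, ev.access, failed_controls(ev) or "ok")
    print(assess(SAMPLE))
```

Run it against an export of real logon events by mapping each event to an AccessEvent; any record that fails 3.5.1 is the most urgent, since an access you cannot attribute to a principal cannot be authenticated or MFA-checked at all.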


  • To meet the System and Communication Protection requirements, organizations can implement HID's ActivClient for Windows logon, email encryption and digital signing of documents, among other application authentication uses. We also offer ActivClient solutions for macOS and Linux to support a diverse set of environments. With WIDE adoption by millions of DoD and federal employees, ActivClient is a STRONG choice for governments and enterprises to use for data protection.
  • To meet the Logical and Physical Access Control requirements, Tx Systems can specify and provide physical access control systems (PACS) from HID Global and SecuGen. In addition, Tx Systems carries ADDITIONAL physical access systems from IDEMIA, such as their Enterprise Security Physical Access Control Reader.
  • To meet the Identification and Authentication requirements, Tx Systems offers multi-factor authentication (MFA) devices such as tokens and security keys from well-known manufacturers such as Identiv and Kensington. A notable option is the Identiv uTrust FIDO2 NFC Security Key, which supports logins to a variety of web applications, including Salesforce, Facebook and Dropbox.


By implementing these solutions, you can rest assured that your organization complies with the following three main portions of NIST SP 800-171:

  1. Physical and Logical Access Control (Idemia Enterprise Security Physical Access Control Reader)
  2. Identification and Authentication (Identiv uTrust FIDO2 NFC Security Key)
  3. System and Communication Protection (ActivClient)

For more information regarding the specific requirements for the different information types, you can locate them in the NIST publication.

Tx Systems offers a variety of security solutions that can help your company meet NIST 800-171 requirements. Learn more at txsystems.com or feel free to send us an email at sales@txsystems.com.

This blog post was a collaboration between Carl Hughes and Brenda Sayab.

How to Increase Security in Active Directory Federation Services Using Two-Factor Authentication


Active Directory Federation Services (ADFS) is a Windows service that provides single sign-on to many applications. This solves a real problem in enterprise business as the number of accounts and credentials employees use daily keeps growing. During a given morning, I myself log into Salesforce, Gmail, Dropbox, Outlook, WordPress and many other accounts that allow me to do my job effectively. ADFS saves users from having to remember or write down 50 different credentials by tying all of these logons to a single Windows Active Directory credential. From a user perspective, this is great. Now I only need to log in once, and ADFS will automatically log me into every account I wish.

While ADFS is great as a convenience tool, it actually makes companies more vulnerable to security risks. As we discussed in a previous blog, usernames and passwords are not secure. They can be lost, stolen, or written down and stored under keypads, leaving them vulnerable to anyone with prying eyes. ADFS does not increase the security of logon; it actually paints a larger target on the Windows Active Directory credentials. Now a perpetrator who wants access to company systems only needs to compromise one set of credentials if ADFS is installed. So how does a company implement ADFS and take advantage of its convenience and cloud features without sacrificing security?

Luckily, HID Global has come out with an innovative solution called ActivID Tap that allows companies to use an HID Seos card along with their Active Directory credential to achieve two-factor authentication on ADFS. The workflow of this solution is simple and easy to use. When a user sits down at their machine, they are prompted by ADFS to enter their Active Directory credentials, same as always. After the credential is accepted, the user is prompted to tap their Seos ID card on the HID Omnikey smart card reader as a second means of authentication. With ActivID Tap, the credential is kept safe because even if the password is lost or stolen, the user must have the corresponding ID card to authenticate to the system.

But that is not all. ActivID Tap also works on Android devices with an embedded NFC reader. For those who are unfamiliar, most modern Android smartphones and tablets have an integrated contactless smart card reader (NFC) that can read the HID Seos card. The user authenticates with their ADFS credential by typing their username and password into the ADFS login page, just as on their PC, and just as on their PC they are then prompted to tap their card. Instead of using a USB smart card reader at their desk, they simply tap the Seos card against the back of the smartphone and they are logged in. ActivID Tap is so simple and easy to use that there is no reason not to implement it if you are using ADFS.
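The two-step flow described above, as an added example that is not ActivID Tap's or HID's code: a Python model in which the password is verified first, a fresh challenge is issued only once that succeeds, and the tapped card must then answer the challenge with a card-held secret. The account names, the PBKDF2 password hashing and the use of HMAC as a stand-in for the card's cryptographic proof of possession are assumptions of this example, not details of the product. The point it demonstrates is the sentence above: a stolen password alone stops at the second step, and a card without the password never even receives a challenge.

```python
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

# Constructed directory entry (hypothetical user and values): a salted PBKDF2 hash
# of the AD password and a per-card secret enrolled when the card was issued.
_SALT = b"constructed-salt"


def _pw_hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)


DIRECTORY = {
    "alice": {
        "pw_hash": _pw_hash("correct horse battery"),
        "card_key": b"constructed-card-secret-alice",
    },
}


def verify_password(user: str, password: str) -> bool:
    """First factor: the Active Directory credential."""
    entry = DIRECTORY.get(user)
    if entry is None:
        return False
    return hmac.compare_digest(entry["pw_hash"], _pw_hash(password))


def card_tap(card_key: bytes, challenge: bytes) -> bytes:
    """What the tapped card computes over the reader's challenge.
    HMAC is a symmetric stand-in for the card's cryptographic proof (an assumption)."""
    return hmac.new(card_key, challenge, "sha256").digest()


def verify_card(user: str, challenge: bytes, response: bytes) -> bool:
    """Second factor: the response must match the secret enrolled for this user's card."""
    expected = hmac.new(DIRECTORY[user]["card_key"], challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)


def login(user: str, password: str, card_key: Optional[bytes]) -> Tuple[str, str]:
    """Run the two steps in order: password first, then card tap."""
    if not verify_password(user, password):
        return ("denied", "password")        # no challenge is issued at all
    if card_key is None:
        return ("denied", "card-missing")    # password alone is not enough
    challenge = secrets.token_bytes(16)      # fresh per login attempt
    if not verify_card(user, challenge, card_tap(card_key, challenge)):
        return ("denied", "card-mismatch")   # someone else's card does not help
    return ("granted", "password+card")


if __name__ == "__main__":
    print(login("alice", "correct horse battery", b"constructed-card-secret-alice"))
    print(login("alice", "correct horse battery", None))
    print(login("alice", "wrong password", b"constructed-card-secret-alice"))
```

The ordering matters for logging as well as security: a failed first factor should be recorded as a password failure, while a correct password followed by a missing or mismatched card is the signal that a credential may already have leaked.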

What Is FIPS 201, and What Are the Differences Between FIPS 201 and FIPS 201-2?

What is FIPS 201?

FIPS 201 (Federal Information Processing Standard Publication 201) is a United States federal government standard that sets out the Personal Identity Verification (PIV) card requirements for all federal government agencies and contractors. The National Institute of Standards and Technology (NIST) Computer Security Division created the FIPS 201 standard, which specifies, among other things, the cryptographic algorithms to be used. FIPS 201 was created in response to HSPD-12, which in essence required that all federal government employees use a standard government-issued ID that could be used across the different agencies and departments (DoD and otherwise). HSPD-12 was created to provide a higher level of security and allow easy mobility for personnel moving across departments. With HSPD-12 in place, a Navy officer could visit an Army base and vice versa. In the past, no standards existed and ID cards were highly fragmented.

What is the difference between FIPS 201 and FIPS 201-2?

FIPS 201-2 is an update to the FIPS 201 standard established in 2005 and was released in September 2013. Key requirements that used to be optional are now mandatory, including (also shown in the NIST graphic below):

[NIST graphic]

  1. CAK (Card Authorization Key): more or less replaces the use of the CHUID, creating a more trusted authentication key that leverages cryptographic and PKI capabilities
  2. Digital Signature Key: used to authenticate and digitally sign documents
  3. Key Management Key: the management of cryptographic keys and how they are generated, exchanged, stored and used
  4. Facial Image: a facial image of the government employee, stored on the card

Optional Requirements in FIPS 201-2

Other optional additions in FIPS 201-2 include a virtual contact interface (outlined in SP 800-73-4, SP 800-78-4 and SP 800-85A-2), which allows the PIV credential to be authenticated over a contactless interface rather than contact only. Also included is On-Card Comparison (OCC) for biometrics, also called Biometric Match-on-Card. Match-on-Card is a secure authentication protocol that requires the processing of the biometric (iris, etc.) to be performed entirely on the card. One of the biggest additions is the inclusion of Derived Credentials. A Derived Credential allows the "porting" of your PIV credential onto a mobile device (e.g. an iPhone or Android device). In essence, your phone or mobile device becomes a virtual PIV credential that can be used as an official alternative to a physical PIV card. The U.S. Government sees Derived Credentials as a key component of the future of secure identification as the use and proliferation of mobile devices continues.



For more information about FIPS 201 related products and solutions please go to our website: www.txsystems.com