Sub-contractors generally must comply with National Institute of Standards and Technology (NIST) security requirements if they wish to bid or work on Department of Defense (DoD) projects. This case study covers a NIST compliance project that CSCi recently completed, which highlights the benefits of achieving compliance for the client.
Compliance Challenge
A midsized defense contractor in San Diego needed to achieve regulatory compliance with cybersecurity initiatives recently enacted by the DoD. Federal contractors that process, store or transmit Controlled Unclassified Information (CUI) generally must meet stringent NIST security guidelines to continue doing business with the government in 2018. The federal government defines CUI as confidential information that isn’t designated as “classified”, “top secret” or “for official use only.” The final version of NIST SP 800-171, published in 2015, establishes the minimum standards for protecting CUI.
Assessment & Planning
CSCi performed a detailed assessment of the contractor’s IT and security infrastructure and developed a remediation plan to bring it into compliance with federal regulations. CSCi also helped develop templates the client could use to document its internal security policies and procedures against the following 14 security control families defined in NIST SP 800-171:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
CSCi then proposed a hybrid cloud solution, anchored on the client’s premises, to provide automatic failover for a critical server.
Implementation
CSCi deployed a Fortinet FortiGate firewall and FortiSwitch network switch to block threats at the gateway and to enforce port security on the switch. CSCi also implemented Internet Protocol Security (IPsec) with two-factor authentication on the virtual private network (VPN) tunnels, so that all communications between network nodes are encrypted and authenticated.
The next step was to implement public key infrastructure (PKI) certificate-based authentication. This approach enforces authenticated access to the server and gives network administrators a central point from which to issue, renew and revoke digital certificates and manage public-key encryption. Finally, CSCi will use the FortiSIEM analytics tool to detect and mitigate ongoing security threats, with detailed logging, log retention and reporting in accordance with NIST standards.
Results
The defense contractor now meets all the requirements of the 14 NIST control families needed to comply with NIST SP 800-171, allowing it to successfully bid on government contracts.
This project was based on CSCi’s Assess, Remediate, Maintain (ARM) program. The assessment phase includes a complete review of the client’s network and security practices and produces a set of recommendations. Those recommendations are applied in the remediation phase to address security vulnerabilities in the client’s systems. The maintenance phase uses ongoing security services to keep the client in compliance with NIST SP 800-171.
Summary
CSCi has been providing IT services, including NIST compliance, to small businesses in San Diego for over 30 years. We offer both managed and on-site services, often in partnership with major companies such as Cisco, Fortinet, HP and Microsoft. Contact us today to find out what we can do for you.