Posted by Mike Boyle, TCC Director of Business Development
Over the past several years, state and local governments have embraced the cloud to manage IT assets and operations. Malicious cyber activity and inadvertent, non-malicious mistakes are difficult to anticipate or prevent, so agencies and cloud solution providers must treat security and compliance as a continuously critical priority. Threat intelligence, delivered through monitoring and automated solutions, is the most effective weapon for thwarting the work of hackers. With the proper cloud solution, agencies can take advantage of automatic compliance with critical requirements such as National Institute of Standards and Technology Special Publication (SP) 800-53, the Department of Defense Security Requirements Guide Impact Level 4 (IL4), and both physical and technical security controls.
TCC supports government agency security strategies by building to, and maintaining compliance with, the moderate-baseline security controls that the National Institute of Standards and Technology (NIST) establishes as minimum information security requirements in Special Publication 800-53 Rev. 4, Security Controls for Federal Information Systems and Organizations.
The National Institute of Standards and Technology (NIST) was founded in 1901 to make U.S. commerce more competitive and trustworthy. In 2002, Congress passed the Electronic Government Act, which was signed into law to improve the management of government information and services. As part of that Act, the Federal Information Security Management Act (FISMA) assigns NIST the responsibility of establishing security recommendations for all government agencies and for companies that do business with the government.
As a result, NIST published FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, which established and defined families of security control areas. NIST also published Special Publication 800-53, a catalog of administrative and technical controls within those families that should be implemented according to a given data set's security categorization. Most recently, NIST published a further refinement of these standards focused specifically on Controlled Unclassified Information (CUI): Special Publication 800-171.
NIST SP 800-171 provides a tailored, standardized set of mechanisms that non-federal organizations should consider and respond to, but it is not a set of regulations that must be followed. Each business must decide for itself how to solve its security issues. This was done on purpose — there is guidance without mandates. There is no need to rip out mature solutions already in place, yet for those new to the issue, the requirements provide the right questions to ask.
The first step toward compliance is a security assessment. Every assessment requires comprehensive documentation showing how the mechanisms are implemented and that they are working. The assessment covers 109 requirements spread over 14 families, along with a couple of other associated families.
The first element of each family is a coherent set of policies and procedures that every responsible person in an organization should be trained on and follow. The second element is the technical application of those procedures in system configurations and tools. With each of the requirements addressed, government agencies can assume a strong safeguarding of data consistent with the highest standards.