Central PA Engineering Firm Enlists MicroXpress NIST Compliance Expertise


Written by Craig Beam, posted on May 31, 2022


NIST compliance would be difficult enough even if the requirements weren’t constantly changing and updating.

Federal contractors have long been required to meet certain standards for the protection of classified information, and as the industry and technology have changed, so have those standards.

That’s why this Central PA Engineering Firm got in touch with MicroXpress…

This Central PA Firm Needed Help Maintaining NIST Compliance

MicroXpress first partnered with this engineering firm back in 2011. The firm wanted to outsource their IT support and knew they could trust us to manage their IT needs while they focused on their work with the Department of Defense (DoD).

Since 2016, we have been directly managing their compliance with NIST 800-171.

As a contractor for the DoD, Advanced Cooling Technologies participates in regular NIST assessments. They needed someone to assess their network security and implement the required security solutions, and chose MicroXpress to manage it for them.

What Is NIST?

The National Institute of Standards and Technology (NIST) was founded in 1901 by Congress to remove obstacles in US manufacturing competition. It intersects with business cybersecurity when it comes to NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations.”

In 2016, NIST released NIST 800-171 to provide a cybersecurity framework that protects data not covered under a “Classified” label, but which still could prove dangerous for American interests should it be obtained by an adversary.

With NIST 800-171, it’s the contractor’s responsibility to safeguard all data and information related to any work performed for the DoD, including:

  • Information that would be described as controlled unclassified information (CUI)
  • Covered defense information (CDI)

What is CUI?

CUI is information created by the government, or on behalf of the government, that needs to be safeguarded. All government contractors are required to follow the security guidelines in NIST SP 800-171 to ensure adequate protection of that information.

“CUI is unclassified information that requires safeguarding and dissemination controls pursuant to law, regulation, or Government-wide policy, as listed in the CUI Registry by the National Archives and Records Administration (NARA).”

What is CDI?

The Department of Defense (DoD) uses the term Covered Defense Information (CDI) in its own coordinating rules for cybersecurity. Those rules concern the security of contractor information systems that store, process, or transmit federal contract information.

The Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity rules apply to Covered Defense Information (CDI). DFARS supplies a set of “basic” security controls for contractor information systems where this information is stored.

These security controls must be implemented at both the contractor and subcontractor levels. The set of controls is based on the information security guidance in NIST Special Publication 800-171.

Why Do Organizations Like This Central PA Firm Need To Be Compliant With NIST?

While there aren’t specific fines associated with NIST non-compliance, that doesn’t mean there won’t be consequences. If you’re not compliant, you’re technically no longer qualified to contract with the DoD—no matter which contracts you have in place or the professional relationships you’ve built over the years.

If you are under contract and are found to be non-compliant, and without having submitted variance requests or plans of action to fix noncompliance, then you would be in breach of contract, leading to monetary damages.

Furthermore, if compliance with NIST 800-171 was an evaluation factor in your contract, then noncompliance could be grounds for protest. You could even be found guilty of criminal fraud if you claim to be NIST compliant but it can be proven that you weren’t and that you knew you weren’t.

Long story short—failing to be NIST compliant could lead to millions in lost revenue, reputational damage with governmental contacts, and even criminal charges.

What Does NIST Compliance Mean For Clients Like This Central PA Firm?

The minimum cybersecurity standards are described in NIST Special Publication 800-171 and broken down into fourteen areas:

  1. Access Control: You must limit system access to authorized users.
  2. Awareness & Training: You are required to promote awareness of the security risks associated with users’ activities, train them on applicable policies, standards and procedures, and ensure they are trained to carry out their duties.
  3. Audit & Accountability: You must create, protect, retain and review all system logs.
  4. Configuration Management: You are required to create baseline configurations and utilize change management processes.
  5. Identification & Authentication: You must authenticate information systems, users, and devices.
  6. Incident Response: You’re required to develop operations to prepare for, detect, analyze, contain, recover from, and respond to incidents.
  7. Maintenance: You must perform timely maintenance of your information systems.
  8. Media Protection: You must protect, sanitize and destroy media containing CUI.
  9. Personnel Security: You’re required to screen individuals before authorizing their access to information systems, and ensure these systems remain secure upon the termination or transfer of individuals.
  10. Physical Protection: You must limit physical access to and protect and monitor your physical facility and support infrastructure that houses your information systems.
  11. Risk Assessment: You are required to assess the operational risk associated with processing, storage, and transmission of CUI.
  12. Security Assessment: You must periodically assess, monitor and correct deficiencies and reduce or eliminate vulnerabilities in your organizational information systems.
  13. System & Communications Protections: You must monitor, control and protect data at the boundaries of your system, employ architectural designs, software development techniques and system engineering principles that promote effective information security.
  14. System & Information Integrity: You’re required to identify, report and correct information system flaws in a timely manner. You must also protect your information systems from malicious code at appropriate locations, and monitor information security alerts and advisories so you can take appropriate actions.




How We Achieve Confident NIST Compliance For This Central PA Firm

FortiGate for Firewalls

We ensure that this client’s networks are protected by industry-leading Fortinet firewalls that deliver a range of enterprise-class features, including:

  • The ability to identify undesirable encrypted applications
  • Prevention against network intrusions
  • Intelligence in improving blocking decisions
  • Intrusion prevention
  • A baseline for deviations from normal application behaviors

EventTracker for SIEM

EventTracker provides SIEM-based Managed Detection and Response (MDR) services. MDR is an outsourced service that provides organizations with threat hunting and responds to threats once they are discovered.

MDR fully manages the client’s cybersecurity defense, both keeping an eye out for threats, as well as providing the expert team to address them when they occur.

Duo for MFA

MicroXpress is proud to provide MFA through our trusted, industry-leading partner Duo. This solution allows the client to add that extra layer of security to their business, ensuring only the right people can access their data.

MFA enforces a strict security policy right at the time of access, as compared to other forms of control that require the installation of agents. When a user attempts to log in using their username and password, they receive a push notification on a separate device to confirm the action.

MFA ensures that only users with both the security credentials (username and password) and an independent additional device (such as a smartphone) that corresponds to those credentials will be able to access the account.
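The property described above (a correct password alone is not enough, a device alone is not enough, and a captured approval cannot be reused) can be shown with a small simulation. This is an added illustration, not MicroXpress’s or Duo’s code: it assumes a hypothetical in-memory user store, a password hashed with PBKDF2, and a second factor in which the separate device answers a fresh random server challenge with an HMAC over a device-bound secret.

```python
import hashlib
import hmac
import os
import secrets

# Hypothetical in-memory stores (constructed for this example, not a real backend).
USERS = {}    # username -> (salt, pbkdf2 hash of password)
DEVICES = {}  # username -> secret held only by the user's enrolled device


def _hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the server never stores the plaintext password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def enroll(username: str, password: str, device_secret: bytes) -> None:
    """Register a user's password and bind one device secret to the account."""
    salt = os.urandom(16)
    USERS[username] = (salt, _hash_password(password, salt))
    DEVICES[username] = device_secret


def verify_first_factor(username: str, password: str) -> bool:
    """Factor 1: something the user knows."""
    record = USERS.get(username)
    if record is None:
        return False
    salt, stored = record
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(stored, _hash_password(password, salt))


def issue_challenge() -> bytes:
    """A fresh random challenge per login attempt, so approvals cannot be replayed."""
    return secrets.token_bytes(32)


def device_approve(device_secret: bytes, challenge: bytes) -> bytes:
    """Runs on the separate device: proves possession of the device-bound secret."""
    return hmac.new(device_secret, challenge, "sha256").digest()


def verify_second_factor(username: str, challenge: bytes, response: bytes) -> bool:
    """Factor 2: something the user has. The server recomputes the expected response."""
    device_secret = DEVICES.get(username)
    if device_secret is None:
        return False
    expected = hmac.new(device_secret, challenge, "sha256").digest()
    return hmac.compare_digest(expected, response)


def login(username: str, password: str, approve) -> str:
    """Full flow: password first, then a push-style approval from the enrolled device.

    `approve` models the user's device: it receives the challenge and returns a
    response, or None if nobody approved the prompt.
    """
    if not verify_first_factor(username, password):
        return "denied: password"
    challenge = issue_challenge()
    response = approve(challenge)
    if response is None or not verify_second_factor(username, challenge, response):
        return "denied: second factor"
    return "granted"


if __name__ == "__main__":
    phone_secret = os.urandom(32)
    enroll("alice", "correct horse battery staple", phone_secret)
    print(login("alice", "correct horse battery staple",
                lambda c: device_approve(phone_secret, c)))
```

The design point is that the second factor is tied to a per-attempt challenge: even if an approval message were observed, it is only valid for the challenge it answered, and the device secret itself never leaves the device.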

ThreatLocker for Application Whitelisting

This application control product follows a zero trust methodology. The zero trust approach assumes that every aspect of the environment is a potential vulnerability until it can be confirmed otherwise.

That means instead of simply investing in a strong firewall and antivirus, and assuming the client is protected, every part of the client’s IT environment and every user trying to access it is assessed for its security.
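The difference between the “assume protected” and the “deny until confirmed” stance above can be made concrete with a default-deny allowlist. The example below is an added illustration, not ThreatLocker’s or MicroXpress’s code: it assumes a hypothetical policy keyed on SHA-256 hashes of executables, uses constructed byte strings in place of real binaries, and contrasts the allowlist with a denylist that only knows about files already reported as bad.

```python
import hashlib

# Constructed stand-ins for executable files (not real binaries).
APPROVED_APP = b"MZ...approved-engineering-tool-v1..."
KNOWN_BAD_APP = b"MZ...previously-reported-malware..."
NEW_UNKNOWN_APP = b"MZ...never-seen-before-dropper..."


def sha256_hex(data: bytes) -> str:
    """Identify a file by content hash rather than by name or path."""
    return hashlib.sha256(data).hexdigest()


# Hypothetical policies. The allowlist is built from what the business has reviewed;
# the denylist is built from what has already been identified as malicious.
ALLOWLIST = {sha256_hex(APPROVED_APP)}
DENYLIST = {sha256_hex(KNOWN_BAD_APP)}


def allowlist_decision(file_bytes: bytes) -> str:
    """Zero trust stance: run only what has been explicitly confirmed, block the rest."""
    return "allow" if sha256_hex(file_bytes) in ALLOWLIST else "block"


def denylist_decision(file_bytes: bytes) -> str:
    """Traditional stance: run anything not already known to be bad."""
    return "block" if sha256_hex(file_bytes) in DENYLIST else "allow"


def compare_policies(file_bytes: bytes) -> dict:
    """Return both decisions for one file so the two stances can be compared."""
    return {
        "sha256": sha256_hex(file_bytes),
        "allowlist": allowlist_decision(file_bytes),
        "denylist": denylist_decision(file_bytes),
    }


if __name__ == "__main__":
    for label, sample in [("approved", APPROVED_APP),
                          ("known bad", KNOWN_BAD_APP),
                          ("unknown", NEW_UNKNOWN_APP),
                          ("approved, one byte changed", APPROVED_APP + b"\x00")]:
        print(label, compare_policies(sample))
```

The unknown file and the tampered copy of the approved tool are the cases that separate the two models: the denylist lets both run because nobody has reported them yet, while the allowlist blocks both because neither hash was ever confirmed. Keeping the allowlist current is the operational cost of that stricter stance, which is why the page pairs it with a managed service.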

Tenable for Vulnerability Scanning

A vulnerability scan is a systematic analysis of the client’s IT infrastructure for performance issues and potential security vulnerabilities.

It examines all components of their network and how they are used by their staff to determine their degree of security. By scanning for gaps and misconfigurations, we work with them to reduce the risk of cyber-attacks.

DarkTrace for Network Monitoring

The MicroXpress team monitors the performance of the client’s servers and network while staying up to date on the latest advances in its specific type of technology to make sure it doesn’t become obsolete.

Should their tech fall behind the times, we actively work to update their IT so that they never experience an issue due to outdated equipment.

How Does MicroXpress Help Federal Contractors With NIST Compliance?

We follow a precise process for managing our clients’ NIST compliance:

Compliance Assessment & Strategy

Our compliance services begin with a comprehensive assessment of your IT systems, the findings of which are compared with compliance cybersecurity controls.

Our team will then develop a strategy to mitigate any risks of noncompliance, providing detailed documentation with which you can demonstrate your commitment to compliance.
