In this week’s Whiteboard Wednesday, Matt Hathaway, director of IDR solutions marketing at Rapid7, breaks down three NIST compliance frameworks as they relate to data security. This includes 800-53, 800-171, and the Cybersecurity Framework, as well as how they can serve as useful guidelines when building a security program.
Hi and welcome to Whiteboard Wednesday. I'm Matt Hathaway, and here today, we're going to talk about NIST compliance. So, NIST, the National Institute of Standards and Technology, covers a wide range of industries, and they work with those industries to help from a US Federal Government perspective to find approaches that need to be taken, recommendations, series of guidelines. There's a lot of different components, but specifically today, I want to talk about the data security guidelines and the requirements they set forth.
The first one which most people have heard of is 800-53. They're approaching revision five. It's currently being reviewed, but revision four has been out there in the industry for a while, and what that does is set a series of standards that all federal agencies in the United States must follow and must comply with. They all fit in with 18 different control families that cover hundreds of controls that you need to implement to be considered a secure federal government agency and organization.
So, what's newer is 800-171. Something called DFARS compliance has required that organizations that handle CUI must comply with 800-171, and what that is, is a subset of 800-53 of about 14 different control families and far fewer controls, and these must be implemented and validated and shown in compliance by December 31, 2017 in order to continue your contract or whatever relationship you have with the federal government.
And then the third is the Cybersecurity Framework from NIST. This is not a requirement. It's not controls, but it's very useful to any organization to think about how to construct their security program and how to evaluate where they currently stand today, all based on five basic risk management capabilities that any system should have, and how to approach that. Critical infrastructure is the primary audience, but it can be useful to anybody.
That's it for this week's Whiteboard Wednesday. We'll talk to you next week. Thanks for joining.