Hybrid Solution for NIST 800-171
Posted on January 24, 2020 by Ted Wernet, CISSP
Leveraging Cloud Solutions for NIST 800-171 Compliance
If you are like most DoD-affiliated companies right now, you are trying to figure out “How do we become CMMC (Cybersecurity Maturity Model Certification) compliant?” The short answer is to become NIST 800-171 compliant, because NIST 800-171 is the foundation on which CMMC is built.
Okay, so if we start with NIST 800-171, what do we need to do?
Not only do you need to have all the proper procedures and processes in place and documented, you must also ensure that your IT infrastructure can meet the technical requirements laid out in NIST 800-171. Let’s use a recent customer engagement to show how we leveraged a hybrid (on-premises plus cloud) solution to meet those technical requirements.
When we began our engagement, this customer had a completely on-premises environment: a perimeter firewall with IDS/IPS, a spam filter, a web filter, and a standard Microsoft Active Directory domain. In addition, they had a solid wireless solution using PKI certificates with RADIUS authentication, a SIEM for log collection and review, and a feature-rich anti-virus/host intrusion prevention system. They were actually in a fairly good place, since most of the tooling needed to meet the cybersecurity requirements was already deployed. They also had a very robust documentation package to work from, but we will save that discussion for another day.
After performing a NIST 800-171 assessment of their environment, it was quickly determined that they still had a few pieces missing from their technical arsenal: a more robust Mobile Device Management (MDM) solution and a Multi-factor Authentication (MFA) solution (NIST 800-171 requirement 3.5.3 calls for MFA for network access and for all access to privileged accounts). After a brief discussion, two criteria were determined to be the most important in selecting solutions: price and maintenance/administration. This was not surprising, as these are common decision factors when acquiring any IT solution.
First, let’s review the Mobile Device Management solution. They were using the ActiveSync mailbox policy on their on-premises Exchange server to control which mobile devices could connect and to require device-level encryption. This was a great start, but it does not meet the requirements to control which mobile devices may connect to organizational systems (3.1.18) or to encrypt CUI itself on mobile devices (3.1.19): an Exchange policy only governs mailbox access, not what happens to CUI once it is on the device. Several vendors were reviewed that offered viable solutions to these problems. However, the cost of additional hardware, training and configuration were big turn-offs for our customer.
In parallel, we were also on the hunt for a Multi-factor Authentication solution. As that search began, we ran into the same scenario: great products, but the hardware and setup costs were not a hit with our customer.
As we continued down this path, and after several discussions with vendors and their IT support staff, the client decided it might be a good time to look at outsourcing some of this administrative burden. That is when we began reviewing potential cloud solutions. The huge upside for our customer was, of course, no new hardware and minimal configuration and training cost.
As IT people, we all love to have our systems in-house. It gives us autonomous control over every aspect of a given device and its function. Unfortunately, this control comes with a cost. Licensing, configuration, administration and maintenance add up very quickly, and it’s these costs that really got us thinking about other solutions, which led us to the cloud. Many cloud providers have offerings built to support NIST 800-171 compliance, and I am NOT recommending one solution over another, as they all have their benefits and drawbacks.
After reviewing these offerings, our customer decided the best fit was Microsoft’s GCC High environment. The customer was already familiar with Office 365, as it was their current Office and SharePoint solution. What they did not know was that GCC High had become available to smaller organizations; the previous 500-seat minimum no longer applied. So by leveraging GCC High, not only were we able to implement a Multi-factor Authentication and Mobile Device Management solution, the customer could keep using SharePoint to store CUI, since the GCC High SharePoint environment is built to meet NIST 800-171 requirements (the customer is still responsible for configuring the site’s access controls, sharing settings and audit logging). This was a huge relief, as their previous plan had been to migrate the SharePoint site back to their on-premises environment!
The customer really favored this solution because management was accessed through a portal they were already comfortable with, and policy configuration for these services was fairly straightforward. The low monthly cost to add these services made it a great fit.
Now of course there are some nuances with this setup, whether you’re doing a hybrid deployment or a full migration. In this example, it took 30 days for the new tenant to be set up. They also had to provide a current DoD contract number to qualify for GCC High, though I believe this requirement may change in the future as it seems to be counter-intuitive. Once the new tenant was available and a solid testing/migration plan was in place, they were able to implement the final pieces of their technical solution. They are now looking at migrating their Exchange environment to the cloud to further reduce their on-premises footprint. If you are struggling to implement your technical solutions for NIST 800-171, the cloud could very well be a solution for your organization.