The CSCI Approach to Compliance
The federal government defines Controlled Unclassified Information (CUI) as any confidential information that isn't designated as “classified”, “top secret” or “for official use only.” Federal contractors that process, store or transmit CUI generally must meet stringent security guidelines from the National Institute of Standards and Technology (NIST) by 2017 if they wish to continue doing business with the government. The final version of NIST SP 800-171 published in 2015 establishes the minimum standards for protecting CUI.
To help our clients meet the NIST SP 800-171 requirements, we developed our own approach to compliance called the ARM program which stands for Assess, Remediate and Maintain.
The assessment phase of the ARM program consists of a complete assessment of the client’s current network and security practices. We then use this assessment to develop recommendations for any changes that should be made to those practices.
The recommendations are then applied during the remediation phase of the ARM program.
The maintenance phase uses on-going managed security services to maintain compliance with NIST SP 800-171, which includes the logging, reporting, retention and development of group policies. Help desk support for antivirus and patch management is also part of the ARM program’s maintenance phase.
NIST SP 800-171 specifies the following 14 requirements for protecting CUI:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Our ARM program assigns sole responsibility for the configuration management, maintenance and system integrity requirements to CSCi. It also assigns shared responsibility for security assessment and system protection between CSCi and the client. All other requirements in NIST 800-171 are the sole responsibility of the client.
The configuration requirement includes the establishment of baseline configurations and the enforcement of configuration settings for all Information Technology (IT) products. Maintenance requirements for organizational systems include the provision of effective controls over the personnel and techniques used to perform maintenance activities, which primarily requires personnel. System integrity requirements include protecting the system from malicious code and reporting system flaws in a timely manner. They also include monitoring the system for security breaches and responding appropriately, which can be performed from a single workstation with software.
The portion of the security assessment requirement assigned to CSCi under our ARM program includes continually monitoring the security controls to ensure they remain effective. Our ARM program also assigns the part of the requirements for system and communications protection that deal with promoting effective information security to CSCi. This area of responsibility includes architectural designs, software development techniques and systems engineering principles. These requirements are primarily addressed with firewall and network software.
CSCI provides a range of IT services for small business owners in the San Diego area, including regulatory compliance. We use state-of-the-art services and partnerships with industry leaders to provide you with reliable, cost-effective compliance plans. Contact us today to find out more about how we can help you meet your compliance requirements.