NIST SP 800-171 Series: System and Communications Protection
In our continuing series highlighting the controls from the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 Rev. 2, we turn our focus to Requirement 13, System and Communications Protection, which secures any information transmitted or received by an organization at the external boundaries and key internal boundaries of systems.
What is a "key boundary"? NIST defines a boundary as a physical or logical perimeter of a system. A system is a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. So, for this discussion, a system includes the hardware, software, users, processes, and procedures that your organization uses to process, store, transmit, or protect information.
The purpose of Requirement 13 is to protect organizational systems from intrusion and malicious attacks. Traffic should not flow freely between networks without verification or control. If you compare it to physical security, it’s really the same practice as ensuring non-employees or visitors are not able to walk in and out of the office as they please, due to physical controls you have put in place like doors, locks, key cards, employee badges, etc. In similar fashion, hardware and software are used to create a barrier and prevent access to sensitive information and systems.
Organizations usually have several network boundaries such as an external boundary that separates internal networks from public networks such as the Internet. Another boundary might be the separation between your guest and/or student network and your staff/employee network where controls are typically in place to prohibit guest access to the corporate/staff network.
Another example is VPN connections across multiple campuses or remote locations. With so many employees now in hybrid job roles or entire departments working remotely, it is essential to provide secure access to organizational networks, but also critical that you are able to limit access to systems and information by need. You can control access to servers, protect email traffic with encryption, and monitor traffic across the VPN.
It will be your organization’s responsibility to determine which of the network boundaries are critical and then to control and monitor traffic, control the types of information that flow across those boundaries, and implement protection (such as encryption) as needed.
Basic Security Requirements
3.13.1 Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems.
This includes controlling and monitoring both external and internal access to key systems and data to ensure only authorized users have access to the information they need to complete their individual job responsibilities. This is known as the principle of least privilege in which access is limited to only what users are strictly required to do their jobs.
Firewalls can be implemented to control boundaries and protect networks externally and internally by controlling the traffic flowing across those boundaries, and monitoring and controlling access to different segments. Other boundary components may include gateways, routers, virtualization systems, or encrypted tunnels implemented within the system security architecture.
Key systems and recommended controls often include:
Things like email communications on the external boundaries of the network are at higher risk, so it is important to ensure that any time Controlled Unclassified Information (CUI) is transmitted from one person to another, it’s adequately protected or encrypted. (NOTE: Under GLBA and the updated FTC Safeguards Rule any non-public customer information must be encrypted when in transit or at rest to prevent unauthorized access.)
External web communications traffic should be restricted to designated web servers within managed interfaces and prohibit external traffic that appears to be spoofing internal addresses.
Staff should connect to external networks or systems only through managed interfaces. Limit the number of external network connections through the use of web application firewalls, VPN access, intrusion detection and prevention, and Active Directory groups.
Deny network communications traffic by default, and allow network communications traffic by exception (only connections which are essential and approved).
Temporary port openings should be set to expire after no more than 31 days, at which time the port is closed or additional hardening is implemented. This also applies to third parties, who should only be granted remote access to your network on an as-needed basis.
Firewalls can be configured to block unauthorized scanning activity and any inbound network traffic from unauthenticated sources, while allowing necessary data through.
Policies should also be used to monitor and regulate system access. Implement policy requiring access to University-operated Cloud services be restricted to organization-issued devices if the cloud services store or process CUI data.
Internal network boundaries are established by technology/devices and can include the following:
Wi-Fi router establishing guest vs. corporate Wi-Fi networks
Network switch or router establishing VLAN segments
Network switch establishing logical network subnets
Multiple network switches establishing separate physical LANs
Routers establishing gateway-to-gateway VPNs between separate buildings or locations
Routers establishing client-to-gateway VPNs between office and remote user workstations
A virtual host establishing connections between various virtual machines
A server establishing partitions to separate user interfaces, application processing, and database function
During an IT security assessment, the Security Advisor would review technical documentation and interview key staff to evaluate:
Firewalls, gateways, routers, etc. in place to segment internal networks
Data/audit logs for monitoring traffic/communications, and the process for reviewing those logs
Alerts in place for any suspicious traffic
Protections in place for data in transit (e.g., VPN access, encryption, etc.)
Segmentation testing can also be performed to verify the segmentation controls that have been put in place are working and ensure you are not able to reach the specified networks (i.e., dedicated for PCI, HIPAA, research data, etc.) from any other organizational networks.
3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems.
This control pertains to any development of new systems or systems undergoing major upgrades, and includes practices like developing layered protections; establishing security policies, architecture, and controls as the foundation for design; incorporating security requirements into the system development life cycle; delineating physical and logical security boundaries; ensuring that developers are trained on how to build secure software; and performing threat modeling to identify use cases, threat agents, attack vectors and patterns, design patterns, and compensating controls needed to mitigate risk.
Basically, this control requires that if you are developing any software in house, you must use sound coding methods and document the best practices and industry-standard software development frameworks that you referenced when designing your security architecture. The key outcome is to establish a formal flow, steps, roles, and separation of duties.
Requirement 13 also includes several Derived Security Requirements described at a high level below from the NIST SP 800-171:
3.13.3 Separate user functionality from system management functionality. This control prevents users from having administrative access, or from requiring privileged user access to perform specific functions on workstations, servers, databases, etc. Implementing access control helps prevent users from installing unauthorized software or applications that may lead to system compromise. Restricting which accounts or roles can access organizational systems, and how, also reduces the attack surface and limits access in the event that a bad actor is able to compromise an organizational account. If a general user account is compromised, the malicious party won’t have access to sensitive data or be able to gain access to organizational systems. This can be accomplished using separation like VLANs or through strong access control methods.
3.13.4 Prevent unauthorized and unintended information transfer via shared system resources. This control addresses information held in shared system resources (e.g., registers, cache memory, main memory, hard disks). This requirement prevents information produced by the actions of prior users or roles from being available to any current users or roles that obtain access to shared system resources after those resources have been released back to the system. For example, if you have shared drives that contain sensitive data or PII, only those with a business need-to-know should have access.
3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones (DMZs). Publicly accessible system components might include things like your organization’s website, so verify that site is hosted on an isolated network.
3.13.6 Deny network communications traffic by default and allow network communications traffic by exception. This requirement applies to inbound and outbound network communications traffic at the system boundary and at identified points within the system. A deny-all, permit-by-exception network communications traffic policy ensures that only those connections which are essential and approved are allowed. Any boundary devices or network firewalls should have a deny all rule and only allow what has been permitted.
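The deny-all, permit-by-exception policy above, together with the 31-day limit on temporary port openings listed under 3.13.1, can be checked mechanically. This is an added example (not from the page or from NIST): it audits a constructed ruleset in its own simple schema, flags a weak default policy, unapproved allow rules and expired temporary openings, and applies the remediation the text describes.

```python
from datetime import date

MAX_TEMPORARY_DAYS = 31  # temporary openings must close or be hardened within 31 days

# Constructed ruleset in this example's own schema (not a vendor format):
# an explicit default policy plus the allow-by-exception rules layered on it.
RULESET = {
    "default_policy": "allow",  # weak setting: should be "deny"
    "rules": [
        {"id": 10, "dst": "203.0.113.10", "port": 443, "approved": True,
         "temporary": False, "created": "2023-01-15"},
        {"id": 20, "dst": "203.0.113.20", "port": 8443, "approved": True,
         "temporary": True, "created": "2023-05-01"},   # vendor access, never closed
        {"id": 30, "dst": "10.0.5.7", "port": 3389, "approved": False,
         "temporary": True, "created": "2023-06-20"},   # opened without approval
    ],
}


def audit_ruleset(ruleset, today):
    """Return (rule_id, message) findings; rule_id is None for policy-level findings.

    `today` is an ISO date string so the audit is reproducible against a fixed date.
    """
    today = date.fromisoformat(today)
    findings = []
    if ruleset["default_policy"] != "deny":
        findings.append((None, "default policy is '%s'; deny-all, permit-by-exception "
                               "is required" % ruleset["default_policy"]))
    for rule in ruleset["rules"]:
        if not rule["approved"]:
            findings.append((rule["id"], "allow rule lacks documented approval"))
        if rule["temporary"]:
            age = (today - date.fromisoformat(rule["created"])).days
            if age > MAX_TEMPORARY_DAYS:
                findings.append((rule["id"], "temporary opening is %d days old "
                                             "(limit %d)" % (age, MAX_TEMPORARY_DAYS)))
    return findings


def harden_ruleset(ruleset, today):
    """Apply the remediation the page describes: default deny, and close every
    temporary opening that is past its 31-day limit or was never approved."""
    flagged = {rid for rid, _ in audit_ruleset(ruleset, today) if rid is not None}
    return {
        "default_policy": "deny",
        "rules": [r for r in ruleset["rules"] if r["id"] not in flagged],
    }


if __name__ == "__main__":
    for rule_id, msg in audit_ruleset(RULESET, "2023-07-01"):
        print(rule_id, msg)
    print(harden_ruleset(RULESET, "2023-07-01"))
```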
3.13.7 Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). Split tunneling might be desirable by remote users to communicate with local system resources such as printers or file servers. However, split tunneling allows unauthorized external connections, making the system more vulnerable to attack. This requirement is implemented in remote devices (e.g., notebook computers, smart phones, and tablets) through configuration settings to disable split tunneling in those devices, and by preventing configuration settings from being readily configurable by users. This requirement is implemented in the system by the detection of split tunneling in the remote device, and by prohibiting the connection if the remote device is using split tunneling. This requirement can be difficult to meet with more and more work from home/remote employees, but is pretty straightforward about not allowing split tunneling in order to prevent any gaps in perimeter security. In association with deployment of MFA-protected VPN for remote access, ensure that any users with the ability to interact with CUI data cannot remain connected to home or other networks while connected to the organizational network.
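Detecting split tunneling on a remote device, as this requirement asks, comes down to asking where traffic for an arbitrary Internet destination would actually be routed. This added example (not from the page) applies longest-prefix matching to constructed Linux `ip route show` output; the adapter name tun0, the addresses, and the two device snapshots are assumptions. Note that the route to the VPN server itself and the local LAN route must stay on the physical interface, so the check probes public destinations rather than flagging every non-tunnel route.

```python
from ipaddress import ip_address, ip_network

# Constructed `ip route show` output from two remote laptops. tun0 is the VPN
# adapter (assumed); wlan0 is the home Wi-Fi adapter.
FULL_TUNNEL = """\
0.0.0.0/1 via 10.8.0.1 dev tun0
128.0.0.0/1 via 10.8.0.1 dev tun0
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
203.0.113.5 via 192.168.1.1 dev wlan0
"""

SPLIT_TUNNEL = """\
default via 192.168.1.1 dev wlan0 proto dhcp metric 600
10.8.0.0/24 dev tun0 proto kernel scope link src 10.8.0.6
10.0.0.0/8 via 10.8.0.1 dev tun0
192.168.1.0/24 dev wlan0 proto kernel scope link src 192.168.1.23 metric 600
"""


def parse_routes(text):
    """Yield (destination network, interface, metric) for each route line."""
    for line in text.splitlines():
        fields = line.split()
        if not fields:
            continue
        dst = ip_network("0.0.0.0/0" if fields[0] == "default" else fields[0], strict=False)
        dev = fields[fields.index("dev") + 1]
        metric = int(fields[fields.index("metric") + 1]) if "metric" in fields else 0
        yield dst, dev, metric


def egress_interface(routes, address):
    """Interface the kernel would use: longest prefix wins, then lowest metric."""
    addr = ip_address(address)
    candidates = [r for r in routes if addr in r[0]]
    if not candidates:
        return None
    _, dev, _ = max(candidates, key=lambda r: (r[0].prefixlen, -r[2]))
    return dev


def uses_split_tunnel(route_text, vpn_dev, probes=("198.51.100.7", "1.1.1.1")):
    """True when traffic to representative public destinations bypasses the tunnel."""
    routes = list(parse_routes(route_text))
    return any(egress_interface(routes, p) != vpn_dev for p in probes)
```

The same parse-then-match logic can be fed live output from the device to support the "detect and prohibit the connection" behaviour the requirement describes.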
3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. This requirement applies to internal and external networks and any system components that can transmit information. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. It is possible (compliant) to send CUI via encrypted email, but it is often recommended that policy just states that no CUI data should be sent via email, as it is too easy for users to inadvertently email data without enabling the encryption. Or organizations can implement an automatic Data Leak Prevention (DLP) tool so email messages containing suspected CUI are automatically encrypted.
3.13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. This requirement applies to internal and external networks. Terminating network connections associated with communications sessions includes de-allocating associated TCP/IP address or port pairs at the operating system level, or de-allocating networking assignments at the application level if multiple application sessions are using a single, operating system-level network connection. Time periods of user inactivity may be established by organizations and should be based on your risk analysis and data classification process. This is a key control when allowing third-party or remote access to organizational systems. Ensure any connections are terminated immediately at the end of the necessary time period.
3.13.10 Establish and manage cryptographic keys for cryptography employed in organizational systems. Cryptographic key management and establishment can be performed using manual procedures or mechanisms supported by manual procedures. It is important to show that you are protecting encryption/decryption keys and have a proper method to manage them and keep them out of end users’ (and malicious actors’) hands.
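An application-level inactivity timeout of the kind 3.13.9 describes, as an added example that is not from the page: a minimal TCP service that echoes client data and closes the connection (releasing the address/port pair) once no traffic arrives within the idle limit. The half-second limit and the loopback exchange are constructed for the demonstration; real values come from your risk analysis.

```python
import socket
import threading

IDLE_SECONDS = 0.5  # constructed demo value; production limits come from risk analysis


def serve_one_session(listener, idle_seconds):
    """Accept one client, echo its data, and terminate the session after
    idle_seconds with no traffic. Returns how many bytes the client sent."""
    conn, _ = listener.accept()
    received = 0
    with conn:                         # closing the socket releases the port pair
        conn.settimeout(idle_seconds)  # recv() raises socket.timeout when idle
        while True:
            try:
                data = conn.recv(4096)
            except socket.timeout:
                break                  # inactivity limit reached: terminate
            if not data:
                break                  # client ended the session itself
            received += len(data)
            conn.sendall(data)
    return received


def demo(idle_seconds=IDLE_SECONDS):
    """Constructed loopback exchange: the client sends one message, then goes idle
    and observes the server-side termination (recv() returns b'' on EOF)."""
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))    # ephemeral port
    listener.listen(1)
    outcome = {}
    worker = threading.Thread(
        target=lambda: outcome.update(received=serve_one_session(listener, idle_seconds)))
    worker.start()
    with socket.create_connection(listener.getsockname()) as client:
        client.sendall(b"GET status")
        echo = client.recv(4096)
        client.settimeout(idle_seconds * 20)   # must exceed the server's idle limit
        closed_by_server = client.recv(4096) == b""
    worker.join()
    listener.close()
    return echo, closed_by_server, outcome["received"]


if __name__ == "__main__":
    print(demo())
```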
3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. Cryptography can be employed to support many security solutions including the protection of controlled unclassified information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information, but lack the necessary formal access approvals. Ensure all data flow paths are encrypted end to end and that you have the documentation to validate this. Your teams should also verify you have TLS 1.0 and 1.1 disabled on all servers and endpoints and TLS 1.2 enabled.
3.13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. Collaborative computing devices include networked white boards, cameras, and microphones. Indication of use includes signals to users when collaborative computing devices are activated. Remote support tools will typically notify users who is accessing the computer and require approval, but it may be important to confirm that any vendors that can access your systems remotely are also logging actions of individual system users and tracking any unauthorized use of systems.
3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. VoIP has different requirements, features, functionality, availability, and service limitations when compared with the Plain Old Telephone Service (POTS). The main distinctions between POTS and non-POTS services are speed and bandwidth. To address the threats associated with VoIP, usage restrictions and implementation guidelines are based on the potential for the VoIP technology to cause damage to the system if it is used maliciously. Threats to VoIP are similar to those with any other Internet-based application, and the VoIP network should be segmented and secured.
3.13.15 Protect the authenticity of communications sessions. Authenticity protection includes protecting against man-in-the-middle attacks, session hijacking, and the insertion of false information into communications sessions. This requirement addresses communications protection at the session versus packet level (e.g., sessions in service-oriented architectures providing web-based services) and establishes grounds for confidence at both ends of communications sessions in ongoing identities of other parties and in the validity of information transmitted. This control can be met through encrypting any communications, or through a combination of other security controls for wired network traffic (i.e., visitor management policies, AD settings to prevent unauthorized equipment from connecting to network resources, disabling USB ports, etc.).
3.13.16 Protect the confidentiality of CUI at rest. Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access, but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest. This is one that many organizations may face challenges with, in terms of third-party applications encrypting data while at rest. Your teams should be having conversations with any third-party service provider partners hosting CUI data about their ability to encrypt and any additional fees that may apply (referencing new requirements from the FTC Safeguards Rule).
Additional guidance from the Security Advisor Team below:
Modern IT environments are complex with many connected networks, systems, and devices. Even small institutions process, transmit, and store vast amounts of information. To protect this information, we need to understand our environment and implement controls to address the risks inherent in such a complex operation.
A part of protecting our valuable information assets is understanding and protecting the boundaries of the environment housing those assets. Just like locking our doors, installing smart doorbells, and using home monitoring systems to protect our homes, we use firewalls, access control, and event monitoring to protect our networks and information assets. NIST SP 800-171 provides controls to help address the risks to our sensitive information.
NIST Special Publication 800-171 defines the security requirements for protecting sensitive information in non-federal information systems and organizations. It consists of 110 security requirements organized into 14 families. The System and Communication Protection (SC) family is the largest of the 800-171 domains, and it represents one of the first layers of protection that helps us to understand what’s in our environment and implement a comprehensive set of procedures and protections to both protect and control our sensitive information.