If you are a government defense contractor and you receive controlled unclassified information, you must comply with NIST SP800-171.
In April of 2015, NIST published the first public draft of SP800-171, which describes requirements for protecting controlled unclassified information on non-federal information systems and organizations. The government also published a regulation (DFARS 252.204-7012) stating that any entity that collects, develops, receives, transmits, uses, or stores defense information in support of a government contract must abide by the guidance in SP800-171, with a compliance deadline of December 2017. That’s right around the corner!
What does all of this mean?
There are 14 categories of compliance, and each one has numerous objectives that must be achieved. This means that there are various processes, procedures and probably systems that you will have to implement to achieve compliance with this mandate. There is a lot of guidance on the internet on how to comply, but much of it is obscure and difficult to read. Putting together a game plan for compliance can be a daunting task, especially if you don’t know how to comply with items such as performing a risk assessment or creating a vulnerability management program.
Let me know if I can help. I'm continually working with organizations that have compliance challenges, helping them put together strategies for understanding where the gaps are and executing projects to close those gaps.
Random writings of an Information Security Executive in Chicago.
I provide security leadership for various companies in the Chicagoland area.
Friday, March 17, 2017
Wednesday, March 1, 2017
Examinations focusing on Cyber for brokerage and securities firms
The banking industry has traditionally been the poster child of regulation. I’ve been dealing with federal and state regulators since I started in the industry back in the early 90s. I can remember one of my first “IT Examinations” back in 1995. The examiners at the time were more interested in getting up to speed on the rapidly evolving technology than they were with being able to provide direction to the bank. Those days are definitely over, and many very talented and skilled examiners now exist at every agency that regulates banking.
Review of technical controls back then may have been a bit of a joke, but nowadays it’s no laughing matter, as is evident from the ramping up of cyber-security efforts by the examination body that regulates brokerage and securities firms, the OCIE. While the OCIE has always been in place as an examining body of the SEC, the effort spent on IT was marginal at best. That is about to change.
Last year around this time, the OCIE came out with a Risk Alert stating that they were going to be focusing their efforts on cyber-security, and published a document that illustrates what they will be looking for (https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf). Additionally, the SEC came out with a document illustrating their Examination Priorities for 2017 (https://www.sec.gov/about/offices/ocie/national-examination-program-priorities-2017.pdf).
Glancing through the appendix of the first document, the traditional banker wouldn’t bat an eye, but if you are a small securities firm, this is something that will likely give you pause. It discusses such topics as periodic assessments, vulnerability scans, and policies. These are not typically a problem and can be put in place rather quickly, but what about nebulous areas like data mapping, data classification, risk management, vendor management and incident response? That’s a heavy weight on the shoulders of a small IT staff, especially if most of those terms are unfamiliar!
The company I work for can help you put together a strategy for understanding where the gaps are and executing the project to close those gaps. Compliance initiatives are something we work with continually across many industries. Contact me for more information or if I can help in any way.