Feb 15th 2024

Attacking The Low Hanging Fruit

Note: This is a guest article by The Net Effect (TNE). TNE specializes in helping organizations develop information security and compliance programs and in security awareness training.

When someone is first introduced to NIST SP 800-171, they often find themselves paralyzed by the long list of requirements they need to implement, with no idea where to start. They often assume they have nothing in place -- but this probably isn't true! Many of the controls in common security standards (e.g., NIST SP 800-171, PCI DSS, GLBA) are based not just on best practices but on plain, old-fashioned common sense, so your organization probably already has business processes that meet (or at least partially meet) some of your compliance requirements. The best way to get started, then, is to tackle that low-hanging fruit!

Many security requirements aren't technical controls at all but administrative or procedural ones, and people tend to overlook those. Let's look at a few requirements that appear in both FAR 52.204-21 (the Basic Safeguarding Rule for FCI -- CMMC Level 1) and NIST SP 800-171 (Protecting the Confidentiality of CUI -- CMMC Level 2), and see where in your organization you might already be doing some of these things. For each one, the NIST SP 800-171 requirement is listed first, followed by the corresponding FAR 52.204-21 paragraph:

3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
(b)(1)(i) Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).

In this context, "devices" includes workstations, servers, mobile devices, IoT, OT, network gear, etc. Nearly every cyber security standard requires an accurate asset inventory, because you can't limit access to a device (or patch it, or log it) if you don't know it's there. The inventory is the prerequisite for this requirement rather than the requirement itself: an assessor will still want to see that access to each of those systems is actually limited to authorized users and devices.

Where might you find an existing asset inventory? If your organization is small and doesn't have an IT department, check with accounting/finance. They almost certainly keep an inventory of equipment for insurance purposes and for tracking depreciation. It might not have all the information you'd like (serial number, hostname, OS version), but you can ask them to cooperate on that list going forward, so that those fields are captured as new equipment is purchased.

Since accounting/finance pays all the bills, they also know who is buying things for the organization. Software, cloud services, SaaS subscriptions, etc. are often charged to business credit cards and never pass through IT. Work with your accounting/finance team to identify these purchases and add them to your asset inventory as well.
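The finance ledger is a starting point, not the finished inventory. A practical next step is to reconcile it against whatever list of devices you can actually observe (a network scan, an MDM export, a DHCP lease table) so that three gaps become visible: devices on the network that finance has never heard of, ledger entries that never show up, and ledger rows missing the fields you need. The script below is an added illustration written for this article, not TNE's tooling; the CSV column names and both data sets are constructed assumptions, and the match key (serial number) is a choice you would adapt to whatever identifier your own records share.

```python
"""Reconcile a finance/asset ledger with devices observed on the network.

Added example for this article. All data below is constructed; the column
names are assumptions, not any accounting package's export format.
"""
import csv
import io

# Constructed: what accounting/finance tracks for insurance and depreciation.
# Serial numbers are often missing from such a list (see A-1002).
LEDGER_CSV = """asset_tag,description,serial,purchased
A-1001,Dell Latitude 5540,ABC123,2023-04-02
A-1002,Dell Latitude 5540,,2023-04-02
A-1003,HP LaserJet M507,CNB9F1X,2022-11-15
A-1004,Dell PowerEdge R660,7XK2M9Q,2021-08-30
A-1005,Lenovo ThinkPad T14,LNV777,2023-09-12
"""

# Constructed: hosts seen by a network scan, MDM export or DHCP lease table.
DISCOVERED_CSV = """hostname,serial,os
lt-alice,ABC123,Windows 11 23H2
lt-bob,DEF456,Windows 11 23H2
prn-2f,CNB9F1X,HP FutureSmart 5.6
srv-files,7XK2M9Q,Windows Server 2022
nas-unknown,,TrueNAS 13
"""

# Ledger fields you need in order to track a device at all (assumption).
REQUIRED_LEDGER_FIELDS = ("serial",)


def load_rows(text):
    """Parse a CSV export into a list of dicts (empty cells become '')."""
    return list(csv.DictReader(io.StringIO(text)))


def reconcile(ledger_rows, discovered_rows):
    """Compare the ledger with discovered hosts, matching on serial number.

    Returns a dict with three sorted lists:
      unknown_on_network     hosts seen but not in the ledger, or with no serial
                             to match on (these need a human to identify them)
      in_ledger_not_seen     ledger assets with a serial that was never observed
                             (offline? decommissioned? missing?)
      ledger_missing_fields  ledger rows lacking a field needed to track the device
    """
    ledger_by_serial = {r["serial"]: r for r in ledger_rows if r["serial"]}
    seen_serials = {r["serial"] for r in discovered_rows if r["serial"]}

    unknown = [
        r["hostname"] for r in discovered_rows
        if not r["serial"] or r["serial"] not in ledger_by_serial
    ]
    not_seen = [
        r["asset_tag"] for r in ledger_rows
        if r["serial"] and r["serial"] not in seen_serials
    ]
    missing = [
        r["asset_tag"] for r in ledger_rows
        if any(not r.get(field) for field in REQUIRED_LEDGER_FIELDS)
    ]
    return {
        "unknown_on_network": sorted(unknown),
        "in_ledger_not_seen": sorted(not_seen),
        "ledger_missing_fields": sorted(missing),
    }


def run_sample():
    """Run the reconciliation over the constructed data sets."""
    return reconcile(load_rows(LEDGER_CSV), load_rows(DISCOVERED_CSV))


if __name__ == "__main__":
    for key, items in run_sample().items():
        print(f"{key}: {', '.join(items) or '(none)'}")
```

Each of the three lists is a work item rather than a finding: "unknown on the network" is the one that matters most for 3.1.1, since a device nobody owns is a device nobody is limiting access to. Hosts that report no serial at all (the NAS above) land in that list deliberately, because a record you cannot match is as good as absent.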

3.1.22 Control CUI posted or processed on publicly accessible systems.
(b)(1)(iv) Control information posted or processed on publicly accessible information systems.

What is a "publicly accessible system"? Let's start with your website. You probably already have a process for putting information on it: only certain people have the admin privileges needed to update the site, and only certain people decide what gets posted.

This may be an informal process at this point, but it should be fairly easy to draft an SOP stating who does what, and to add one extra step: before anything is published, someone who knows what FCI/CUI looks like in your organization reviews the update to make certain that protected information isn't included. The same review belongs in front of any other system the public can reach, such as a customer portal or a shared document site.

3.8.3 Sanitize or destroy system media containing CUI before disposal or release for reuse.
(b)(1)(vii) Sanitize or destroy information system media containing Federal Contract Information before disposal or release for reuse.

You probably already have a standard procedure for shredding paper before throwing it away. You probably also have a procedure for secure destruction of hard drives and portable media. Document those procedures. If you handle CUI, review the requirements in NIST SP 800-88, Revision 1: Guidelines for Media Sanitization to be sure your current process meets them. Two points trip people up: 800-88 distinguishes clearing, purging and destroying, and a simple overwrite ("wipe") only counts as clearing, which is not sufficient for solid-state media or for media leaving your control; and 800-88 expects a record of what was sanitized, how, and by whom. If your process falls short, tweak it a bit and document the new version.

3.10.1 Limit physical access to organizational systems, equipment, and the respective operating environments to authorized individuals.
3.10.3 Escort visitors and monitor visitor activity.
3.10.4 Maintain audit logs of physical access.
3.10.5 Control and manage physical access devices.
(b)(1)(viii) Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
(b)(1)(ix) Escort visitors and monitor visitor activity; maintain audit logs of physical access; and control and manage physical access devices.

You almost certainly have procedures in place for physical access. Who has keys to the building, and is there a list somewhere? Who knows the alarm codes, and do you share one code or does everyone have their own? Do you have a badging system? Do visitors have to sign in? Do they get visitor badges? Are they escorted? Each of those answers maps directly to one of the requirements above: keys, codes and badges are "physical access devices," the sign-in sheet is your physical access log, and the escort is the visitor control.

Document what you're doing now, and compare it to the assessment objectives for these requirements in NIST SP 800-171A. Make a few improvements to your current procedures (I find that audit logs are most often lacking, especially in smaller organizations: a visitor sign-in sheet exists, but nobody keeps it, and nobody records when a key or badge is issued or returned), implement them, and update your documentation.

Quite often, changing the way you approach a problem makes it much easier! By looking for existing business processes that relate to the requirements you need to implement, you can break your compliance burden down into a manageable set of documented, existing processes and attainable goals.