Is Your Organization Ready for NIST/DFARS?

As the clock winds down on 2017, there are only a few weeks left for organizations to become compliant with the United States Department of Defense’s Defense Federal Acquisition Regulation Supplement (DFARS) regulation. In this post, we’ll walk through this new regulation and what your IT teams need to implement for your organization to achieve compliance.

DFARS requires that any business that contracts with the DoD or federal civilian executive branch agencies must implement National Institute of Science and Technology (NIST) guidelines by December 31, 2017. Fail to do this and you risk losing this federal business. Even beyond the end of 2017, businesses will be expected to stay compliant with changing NIST security guidelines.

While this blog post addresses issues related to compliance and legal topics, it does not constitute legal advice and is provided for informational purposes only. If you or your organization requires legal advice, please contact an attorney.

NIST’s Standards

Founded more than a century ago, NIST is a physical science laboratory responsible for ensuring businesses and governments understand and address the ever-evolving field of cybersecurity. Many will be familiar with The Cybersecurity Framework.

The most recent release of its Special Publication 800-63, Digital Identity Guidelines updated old password rules, and its new framework SP 800-171, Protecting Covered Defense Information in Nonfederal Systems and Organizations, outlines requirements of both civilian and DoD agencies to achieve compliance protection on information created by the government, or by an entity on behalf of the U.S. Government.

Here, we’ll look at five of the new standards in SP 800-171 that impact IT teams – and how to meet them.

For a full overview, download our whitepaper that includes the complete NIST 800-171 compliance matrix.

3.1.5 - Employ the principle of least privilege, including for specific security functions and privileged accounts.

This is fairly straightforward. Employees should only have access to specific parts of the network that they need to do their jobs. This ensures confidential information remains just that, and in the event that someone does have their credentials compromised, any damage done by an intruder can be contained to a handful of applications rather than the entire network.

Okta’s Lifecycle Management product ensures that administrators can easily set up permissions so that every employee only has access to what they need to. It allows you to set up access rules based on attributes such as group membership, quickly find all users that have access to a single application, and assign access to applications by established groups rather than by individual.

3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

These new regulations place importance on tracking and securing remote network activity, which can understandably be cumbersome for any enterprise.

But this is another area where Okta can help. Okta’s Identity and Access Management (IAM) products maintain logs for both initial access and continued monitoring of remote sessions. They also offer non-intrusive, non-disruptive solutions that work with your Virtual Private Network (VPN), Remote Desktop Protocol (RDP), and Secure Shell (SSH) to enhance privacy and security. You can use IAM to quickly track access patterns from any number of devices as well.

3.1.20 - Verify and control/limit connections to and use of external information systems.

This is a straightforward – make sure to monitor and control the use of any external information system while operating within your business. Okta meets this particular requirement with Multi-Factor Authentication and Single Sign-On that can verify and control connections to external systems while avoiding putting unnecessary limits on them as well.

3.5.1 Identify information system users, processes acting on behalf of users, or devices.

Okta centralizes identity integration through its Active Directory and Lightweight Directory Access Protocol (LDAP), which solves IAM challenges by verifying and managing user access throughout a variety of corporate resources. Okta’s flexible policy framework also allows each individual organization to set a policy for access using Single Sign-On and Multi-Factor Authentication.

3.5.3 Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

NIST standards mandate that all federal agencies must use Multi-Factor Authentication (MFA) for any sort of privileged or remote access to a network. A single password simply doesn’t cut it for modern security needs. NIST requires multi-factor authentication using both a password and secondary device such as a smartphone app or biometric authentication, such as a fingerprint. Okta’s Adaptive MFA meets this requirement by the delivering intelligent, contextual access based on defined user groups.

Compliance by December 31, 2017

The NIST guidelines are far-reaching, and while there’s only a short window of time to become compliant before they go into effect, getting ready for these changes doesn’t need to be excessively expensive or time-consuming.

Okta’s flexible identity layer can seamlessly fit into any organization, improving your cybersecurity and providing a straightforward solution for NIST compliance.

This blog post outlines just a sample of the requirements specified in NIST SP 800-171. For a more comprehensive overview of the purpose of these standards, what they entail, and how you can achieve compliance, check out our white paper: Meeting the Latest NIST Guidelines with Leading-Edge Technology.