


Government Contractors Face New Year Security Deadline for DoD

From: Government Technology

By Jan. 1, 2018, government contractors who work for the Department of Defense (DoD) or the intelligence community must comply with NIST Special Publication 800-171. In addition, these security guidelines from NIST provide a meaningful road map for other government organizations and contractors regarding cybersecurity protections. Here’s an exclusive expert interview that offers details to help.

Dan Lohrmann


DL: How can contractors show compliance? What is needed?

TJ: Contractors should start by gaining an understanding of their assets, and then identify and tag those that are highly valuable. They should perform a risk assessment to see gaps that put those assets at risk, and implement protections that not only enable compliance with the NIST mandate, but more importantly continuously protect those crown jewels. For example, they should use user and entity behavior analytics to monitor and detect when an employee accesses a highly sensitive application that he normally would not access, and verify if the behavior is business justified or indeed unusual. If it is not business justified, that alert should be sent to investigators as a high-priority alert for investigation. They should have data loss prevention technology and multi-factor authentication in place, integrated with user and entity behavior analytics, to ensure their most valuable data assets stay in the hands of only those who are given access, and don’t leave the organization. They should make sure their most valuable information is encrypted at all times and that their security technologies are configured properly.
