NIST 800-171 provides a roadmap of 16 level 2 controls that are specifically tailored to bolster situational awareness. These controls are broken down by family below:
Access Control (AC)
- Limit use of portable storage devices on external systems (AC.L2-3.1.21): Use endpoint security solutions to enforce policies restricting or monitoring the use of USB drives and other portable storage devices on external systems. Alternatively, consider providing encrypted USB drives that are centrally managed and tracked.
Audit and Accountability (AU)
- Limit management of audit logging functionality (AU.L2-3.3.9): Implement role-based access controls (RBAC) to restrict access to audit log management functions. Only designated administrators should have access to modify audit logging settings.
Configuration Management (CM)
- Establish and maintain baseline configurations and inventories (CM.L2-3.4.1): Use configuration management tools to create and maintain a baseline inventory of hardware, software, firmware, and associated documentation. Regularly update the inventory as changes occur throughout the system lifecycle.
- Establish and enforce security configuration settings (CM.L2-3.4.2): Utilize security configuration management tools to enforce standardized security settings across all IT products used within the organization. Automated tools can help identify deviations from the baseline and remediate them promptly.
- Employ the principle of least functionality (CM.L2-3.4.6): Configure systems to disable or remove unnecessary features, services, or applications that are not essential for business operations. Regularly review and update configurations to ensure compliance with the principle of least functionality.
- Restrict, disable, or prevent the use of nonessential programs (CM.L2-3.4.7): Implement application control or whitelisting solutions to restrict the execution of nonessential programs. Only approved applications should be allowed to run, reducing the risk of malware infections.
- Apply deny-by-exception or permit-by-exception policy (CM.L2-3.4.8): Adopt a whitelisting approach to software execution, where only authorized applications are allowed to run by default. Exceptions can be granted on a case-by-case basis following a thorough review and approval process.
Identification and Authentication (IA)
- Store and transmit only cryptographically-protected passwords (IA.L2-3.5.10): Implement strong encryption algorithms (e.g., AES) to encrypt passwords during storage and transmission. Use secure protocols (e.g., TLS) for transmitting passwords over the network.
- Obscure feedback of authentication information (IA.L2-3.5.11): Configure authentication systems to provide minimal feedback (e.g., generic error messages) to users during login attempts. Avoid disclosing specific details that could aid attackers in guessing credentials.
- Employ replay-resistant authentication mechanisms (IA.L2-3.5.4): Implement authentication mechanisms that utilize techniques such as challenge-response protocols or time-based codes to prevent replay attacks. Examples include TOTP (Time-based One-Time Password) and HMAC-based One-Time Password (HOTP).
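The three IA items above fit together in one small login flow; the Python below is an added example, not code from the page or from DTC, covering 3.5.10 (NIST's discussion of that requirement describes cryptographically-protected passwords as salted one-way hashes, which is the storage form used here), 3.5.11 (one generic failure message for every failure path) and 3.5.4 (TOTP with rejection of a reused time step). The in-memory user store, the `register`/`login` names and the constructed test secret are assumptions.

```python
import hashlib, hmac, os, struct, time

# Constructed in-memory user store for the example: username -> record.
USERS: dict = {}
GENERIC_ERROR = "invalid username or password"  # same text for every failure (3.5.11)
PBKDF2_ROUNDS = 200_000

def register(user: str, password: str, totp_secret: bytes) -> None:
    # Salted one-way hash, not reversible encryption (3.5.10 discussion in 800-171).
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    USERS[user] = {"salt": salt, "hash": digest, "totp": totp_secret, "last_step": -1}

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    # RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^digits.
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"

def totp(secret: bytes, now: float, step: int = 30) -> str:
    # RFC 6238: HOTP with the counter derived from the 30-second time step.
    return hotp(secret, int(now // step))

def login(user: str, password: str, code: str, now=None) -> tuple:
    now = time.time() if now is None else now
    rec = USERS.get(user)
    # Unknown user: still compute a hash so response time does not reveal which field failed.
    salt = rec["salt"] if rec else b"\x00" * 16
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    if rec is None or not hmac.compare_digest(digest, rec["hash"]):
        return False, GENERIC_ERROR
    if not hmac.compare_digest(totp(rec["totp"], now), code):
        return False, GENERIC_ERROR
    step = int(now // 30)
    if step <= rec["last_step"]:
        # Replay resistance (3.5.4): a code from an already-used time step is refused,
        # even though it would otherwise verify.
        return False, GENERIC_ERROR
    rec["last_step"] = step
    return True, "ok"
```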
System and Communications Protection (SC)
- Prohibit remote activation of collaborative computing devices (SC.L2-3.13.12): Disable remote activation features (e.g., Wake-on-LAN) on collaborative computing devices. Provide physical indicators to notify users when devices are active to prevent unintended access.
- Control and monitor the use of mobile code (SC.L2-3.13.13): Implement application whitelisting or sandboxing techniques to control the execution of mobile code (e.g., JavaScript, ActiveX) within web browsers and other applications. Regularly monitor and log mobile code executions for suspicious activity.
- Control and monitor the use of VoIP technologies (SC.L2-3.13.14): Implement network segmentation to isolate VoIP traffic from other data traffic. Use encryption protocols (e.g., SRTP) to secure voice communications over the internet. Regularly update VoIP software and firmware to patch known vulnerabilities.
- Separate user functionality from system management (SC.L2-3.13.3): Implement RBAC to restrict administrative privileges to designated system administrators. Regular users should have limited access rights to system management functions to prevent unauthorized modifications.
- Prevent unauthorized information transfer via shared system resources (SC.L2-3.13.4): Implement data loss prevention solutions to monitor and control sensitive information transfer via shared system resources (e.g., file shares, network drives). Define policies to block or quarantine unauthorized data transfers and notify administrators.
- Terminate network connections after defined period of inactivity (SC.L2-3.13.9): Configure network devices (e.g., firewalls, routers) to automatically terminate idle connections after a predefined period of inactivity. This helps reduce the risk of unauthorized access and conserves network resources.
We understand that implementing these controls can be challenging for some organizations, but it’s essential for safeguarding your sensitive information and maintaining compliance. If you have any questions or need further assistance with implementing these controls, please reach out to the cybersecurity team at DTC!