Keeping track of regulations regarding computer and network security is always a major headache for businesses that do work with the federal government. If a company is not IT-focused, it is operating outside of its comfort zone when it tries to parse technical language while making sure its security is up to par, which only makes things that much more difficult. Even worse, after doing an immense amount of work to make sure its encryption and security meet NIST requirements, small mistakes can still prevent an organization from achieving NIST compliance.
What is NIST Compliance?
NIST stands for National Institute of Standards and Technology. It is a non-regulatory division of the U.S. Department of Commerce that researches and publishes standards for numerous scientific and technological fields, including information technology. When referring to NIST compliance in the specific context of this blog, we are referring to compliance with the computer security standards published in NIST Special Publication 800-171. These are standards regarding the encryption and protection of Controlled Unclassified Information, also referred to as CUI. CUI is information protected by the federal government that is stored on nonfederal devices and networks because of work the government is doing with private organizations. For organizations whose device and network security isn’t NIST compliant, attaining work involving federal data won’t be an option.
Employees Breaking NIST Compliance Through Their Smartphones
Achieving NIST compliance involves making sure any CUI an organization has access to is protected by FIPS validated encryption. FIPS stands for Federal Information Processing Standards, and “FIPS validated” means that a vendor has submitted its cryptographic modules to a certifying authority in the government, and that the encryption has been approved.
It is common for companies to have a “Bring Your Own Device” policy regarding smartphones; however, not all popular smartphones have FIPS validated encryption. As we mentioned in our previous blog post on NIST, only some Android phones are FIPS validated, and for iPhones it depends on which version of the operating system the device is running. If an employee waits too long to update their version of iOS, suddenly the company is no longer using FIPS validated encryption on all of its devices. To stay fully NIST compliant, keeping track of the software and hardware all your employees are using is key.
Asking Vendors the Wrong Questions About FIPS
Given that NIST compliance requires having FIPS validated products, companies concerned about encryption and data security will often ask their vendors about their product’s FIPS status. This approach is correct, but it is important to be precise in how a company asks a vendor about its products. Many companies simply ask if a product is “FIPS compliant” rather than “FIPS validated”, and vendors will answer affirmatively because they believe their product meets the requirements for validation, even if the product has never actually been reviewed by a government agency. The best way to keep a vendor from dodging this question is to ask for the product’s cryptographic module certificate number and then search for that certificate number at this site to confirm its legitimacy.
Ask the Experts
NIST compliance is important for data security, but also very complicated. Constantly worrying and spending time auditing every type of encryption on every device a company uses is time consuming and distracts from a business’s goals. It is often more efficient and less risky to simply speak to network security professionals from a managed IT services company who can audit a business to ensure it is fully NIST compliant. Reach out to us if you’re interested in a NIST compliance audit.