Using the NIST Framework for Cybersecurity
In today's business landscape, data and computer controls are at the center of how organizations operate. Your enterprise resource planning (ERP) system, manufacturing execution system (MES), financial planning system, human resources platform, customer relationship management (CRM) system, and payroll system are just a few of the key systems running your business. Every one of these systems is vulnerable and needs to be protected from cybersecurity threats. Understanding what these threats are, where they originate, how to protect your systems, and educating your employees to mitigate risks are crucial to keeping your organization safe and secure.
Most organizations have a person or persons responsible for cybersecurity. Many companies report the status of their security plans to their Board of Directors on a quarterly basis. But is that enough?
Cyber attacks come in many forms: direct and indirect hacking of systems, phishing emails, and third-party devices such as USB drives. Staying ahead of bad actors trying to steal your company and employee information is becoming increasingly difficult.
It is impossible to anticipate every new threat coming at your company and its business systems. Therefore, having a plan to protect against and prevent security threats is in order. Many organizations are looking to the National Institute of Standards and Technology (NIST) for guidance. NIST created a framework, primarily used by government contractors, to protect systems. This framework is NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, which the Defense Federal Acquisition Regulation Supplement (DFARS) requires contractors to implement. DFARS has become a mandate from the federal government to prime contractors, and prime contractors are asking that all subcontractors submit information outlining compliance.
The NIST framework was developed to protect the most important pieces of U.S. government and military equipment and therefore is a good guideline for companies to follow.
DFARS NIST 800-171 is a set of fourteen families of security requirements for protecting the confidentiality of controlled unclassified information in nonfederal information systems and organizations. These fourteen families are:
- Access control
- Awareness and training
- Audit and accountability
- Configuration management
- Identification and authentication
- Incident response
- Maintenance
- Media protection
- Personnel security
- Physical protection
- Risk assessment
- Security assessment
- System and communications protection
- System and information integrity
Under each of these fourteen families, there are two groups of requirements needed for compliance: basic security requirements and derived security requirements.
DFARS NIST 800-171 is an extensive framework to implement and follow. Each family of requirements will take significant time and resources to deploy. However, it will protect your systems, data, and information.
MAPI and Deloitte recently conducted a study on cyber risk in advanced manufacturing, which outlines the need to be secure, vigilant, and resilient. This study found that manufacturers are concerned about their business systems as well as their industrial control systems and their connected products. DFARS NIST 800-171 can be applied to all systems of concern and will help your organization build the plans and processes it needs to protect your information and organization.