Security policy is the basis of organization’s information security. Many organizations have information security policy in place to ensure that their information is always secure. However, having a security policy document in itself is not enough. It is very important to ensure that the contents must be implemented to be effective. 9DSS will provide recommendations on the systematic approach for policy enforcement and compliance.

If your company does business with the Federal Government or DoD, you should be complaint with NIST guidelines and Federal Acquisition Regulation (FAR) subpart (4.19) and contract clause (52.204-21) that deal exclusively with Cybersecurity.  The Regulation broadly applies to “covered contractor information systems” that process, store, or transmit “Federal contract information.” These terms are interpreted expansively to cover any information provided by or transmitted to the Federal government in connection with contract performance. 

9DSS NIST Assessment Approach
We begin our assessment by working closely with you to understand your business processes in order to understand the NIST special publication that best pertains to your organization . We will work with and interview key individuals within the business and information technology services responsible for compliance with the NIST special publication. We will evaluate your compliance with all control requirements through review of documentation supporting the operating effectiveness of controls. When our evaluation is complete, we will provide your organization with a detailed compliance assessment report outlining corrective action plans with a detailed roadmap for achieving NIST compliance.

NIST Compliance Assesment

The National Institute of Standards and Technology (NIST) is a non-regulatory federal agency within the U.S. Department of Commerce. NIST’s mission is to promote U.S. innovation and industrial competitiveness by advancing measurement science, standards, and technology in ways that enhance economic security and improve our quality of life. NIST promotes their mission by developing special publications that are devoted to specific information security topic.

At 9DSS we have experience advising our clients using NIST guidance and frameworks such as:

NIST Cybersecurity Framework: Created through voluntary collaboration between industry and government, the Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure. The prioritized, flexible, repeatable, and cost-effective approach of the Framework helps owners and operators of critical infrastructure to manage cybersecurity-related risk.

NIST 800-53: This publication provides a set of procedures for conducting assessments of security controls and privacy controls employed within federal information systems and organizations.

NIST 800-61: This publication assists organizations in establishing computer security incident response capabilities and handling incidents efficiently and effectively.

NIST 800-30: This document provides guidance for carrying out each of the three steps in the risk assessment process (i.e., prepare for the assessment, conduct the assessment, and maintain the assessment) and how risk assessments and other organizational risk management processes complement and inform each other.

NIST 800-171: This publication provides federal agencies with recommended requirements for protecting the confidentiality of Controlled Unclassified Information (CUI): (i) when the CUI is resident in nonfederal information systems and organizations; (ii) when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and (iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government wide policy for the CUI category or subcategory listed in the CUI Registry.

NIST 800-82: This document provides guidance on how to secure Industrial Control Systems (ICS), including Supervisory Control and Data Acquisition (SCADA) systems, Distributed Control Systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC), while addressing their unique performance, reliability, and safety requirements.

Federal Acquisition Regulation (FAR) 52.204-21

Federal Acquisition Regulation (FAR) 52.204-21, it is a contract clause (52.204-21) to the FAR “for the basic safeguarding of contractor information systems that process, store, or transmit Federal contract information.” FAR 52.204-21 imposes a set of fifteen (15) “basic” cybersecurity controls for contractor information systems upon which “Federal contract information” is stored, processed or transmitted. Federal contract information is defined as information provided by or generated for the Government under a contract to develop or deliver a product or service for the US Government.  Compliance with FAR clause 52.204-21 should be viewed by contractors as a baseline Cybersecurity requirement – but it does not take the place of other, more complex requirements.

DFARS 252.204-7012

(Safeguarding Covered Defense Information & Cyber Incident Reporting)

All Department of Defense (DoD) contractors that process, store or transmit Controlled Unclassified Information (CUI) must meet the Defense Federal Acquisition Regulation Supplement (DFARS) minimum security standards by December 31, 2017 or risk losing their DoD contracts.

DFARS Safeguarding riles and clauses, for the basic safeguarding of contractor information systems that process, store or transmit Federal contract information. DFARS provides a set of “basic” security controls for contractor information systems upon which this information resides. These security controls must be implemented at both the contractor and subcontractor levels based on the information security guidance in NIST Special Publication 800-171 “Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations.”

Company

Who We Are
Social Responsibility
Careers
Executive Team

© 9 Dot Security Solutions, All Rights Reserved. Privacy Policy | Sitemap

Services

Managed Services
Security Consulting
PCI Compliance
Professional Services
Forensic Services

Links

Resources
Industry News

Contact Us

2250 Riverwood Pkwy, Suite 1900
Atlanta, GA 30339
404-919-4774
info@ninedss.com

Facebook Twitter Google-plus