THE TOP 5 CHALLENGES TO MEETING NIST 800-171 COMPLIANCE
In a recent presentation, Darren King, Director of the Defense Industrial Base Cybersecurity Assessment Center under the DCMA, identified the top five areas of the DFARS 252.294.7012 regulations where the Defense Industrial Base is struggling the most to meet the requirements:
Testing Incident Response Plans
FIPS – validated encryption
Recognizing that many of the 200,000-plus companies required to meet this standard do not have large IT departments and budgets, it is no surprise that they face these challenges. Over the coming weeks we'll take a look at each of these and explore them in more detail to understand the challenges and, hopefully, help organizations tackle the issues.
Multi-Factor Authentication (MFA)
The Council of Economic Advisers estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016. The majority of this malicious activity exploits access to network resources of Defense Industrial Base businesses that are protected only by passwords.
MFA plays a significant role in protecting FCI and CUI from being exfiltrated from organizations: it adds an extra layer of authentication by requiring an additional piece of information beyond something the user knows, such as a password, which mitigates the risk of a password being compromised.
Types of MFA
There are generally three recognized types of authentication factors:
Something You Know – includes passwords, PINs, combinations, code words, or secret handshakes. Anything that you can remember and then type, say, do, perform, or otherwise recall when needed falls into this category.
Something You Have – includes all items that are physical objects, such as keys, smartphones, smart cards, USB drives, and token devices. (A token device produces a time-based PIN or can compute a response from a challenge number issued by the server.)
Something You Are – includes any part of the human body that can be offered for verification, such as fingerprints, palm scanning, facial recognition, retina scans, iris scans, and voice verification.
The most common second factor is something you have, typically a PIN sent to an email address or a smartphone. For added security, a physical token device, such as a USB key, can be issued to the user.
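As an added illustration of the two token-device behaviours described above (a time-based PIN and a response computed from a server challenge), and not code from the original post: a minimal RFC 6238 TOTP generator, a server-side verifier that tolerates one step of clock drift but refuses a code that has already been accepted, and a hypothetical challenge-response computation. The shared secret is the RFC 6238 test seed; the challenge-response scheme and the eight-digit width are assumptions, not part of any standard.

```python
import hashlib
import hmac
import struct

# Constructed shared secret: the 20-byte ASCII seed RFC 6238 Appendix B uses for its SHA-1 test vectors.
SHARED_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 8


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31-bit window chosen by the low nibble of the last byte."""
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def totp(secret: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: the time-step index serves as the HOTP counter."""
    return hotp(secret, unix_time // step)


class TotpVerifier:
    """Server-side check: tolerates drift_steps of clock skew, refuses any code already spent."""

    def __init__(self, secret: bytes, drift_steps: int = 1):
        self.secret = secret
        self.drift_steps = drift_steps
        self.last_accepted_step = -1  # highest step index already used, so a captured code cannot be replayed

    def verify(self, submitted: str, unix_time: int) -> bool:
        current = unix_time // STEP_SECONDS
        for step in range(current - self.drift_steps, current + self.drift_steps + 1):
            if step <= self.last_accepted_step:
                continue  # this step's code (or an older one) has already been used
            if hmac.compare_digest(hotp(self.secret, step), submitted):
                self.last_accepted_step = step
                return True
        return False


def challenge_response(secret: bytes, challenge: bytes, digits: int = DIGITS) -> str:
    """Hypothetical challenge-response token (an assumption, not a standard): HMAC-SHA256 over the server nonce."""
    return _truncate(hmac.new(secret, challenge, hashlib.sha256).digest(), digits)
```

The replay guard is the part most often missing from home-grown verifiers: without it, a code intercepted from email or SMS remains valid for the whole acceptance window.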