NIST SP 800-171 Encryption & Compliance: FAQs

Frequently asked questions about NIST SP 800-171 compliance.

In working with federal government contractors every day, we see a lot of questions regarding encryption and NIST SP 800-171 compliance.  Some may seem basic, but we realize not everyone is an expert in information technology, and many people are trying to tackle this government compliance monster on their own, or with limited resources. Let us help you out.

What Is Encryption?

Encryption, for the purpose of NIST SP 800-171, means using hardware or software to cryptographically protect information so that only the intended recipients can access it.  If an unauthorized person obtained an encrypted file, data set, or hard drive without also having the key or password, they could not read the information.  Two types of encryption are of concern under 800-171: data at rest encryption and data in transit encryption.

What Is Data at Rest Encryption?

Data at rest encryption is encryption for data while it is sitting on the device that stores it.  When you unlock your mobile phone after a power off and have to type a PIN in, you are probably using DAR encryption on that device.  If someone didn’t have the PIN, and the phone was off and not logged in, the data would not be accessible.

Do We Need Data at Rest (DAR) Encryption on Our Endpoints?

Whether data at rest encryption is needed under NIST SP 800-171 depends on the device.  DAR encryption is required for all mobile devices (laptops, tablets, mobile phones) that store CUI. NIST SP 800-171 compliance does not require DAR encryption for desktops or servers.

From the perspective of 800-171, desktops and servers are within the secure boundary of your facility, which will have other controls and protections in place.  The primary control that is relevant for this is 3.1.19, “Encrypt CUI on mobile devices.”

Be advised, you may be required to utilize DAR encryption for your servers or desktops under other requirements, like a specific federal contract requirement, or another compliance requirement.  DAR encryption is cheap and easy insurance to prevent data loss if a device is lost or stolen.

What Is Data in Transit Encryption?

Data in transit encryption is encryption for data on the move.  This prevents unauthorized access of sensitive information while it moves across a network or the internet.  This prevents “snooping” of your sensitive material. When you sign on to a website, like your bank, it uses DIT encryption to make sure your transaction stays secure off the untrusted public internet.

Do We Need Data in Transit Encryption for CUI?

Within the boundaries of your 800-171 compliant information system, you don’t have to encrypt data as it moves, but as soon as it is moving across untrusted and insecure networks, like the internet, you need to encrypt the data.  

Most secure websites, government websites, banking websites, and gradually even the regular internet are now enforcing this type of encryption so that your sensitive data can’t be sniffed across the internet.

The relevant control for DIT encryption would primarily be 3.13.8, “Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.”  

What Type of Encryption Products Should We Use?

This question is often the most pressing – the government doesn’t support or endorse any one vendor and leaves the choice up to the contractor – with one restriction.  Data encryption that is used to protect CUI needs to be FIPS validated.

What is FIPS “Compliant” Encryption? Is AES Good Enough?  

FIPS validated means that a product has submitted its cryptographic modules to the government, typically via an approved certifying authority, like a lab, to make sure the product is properly engineered and working as expected.  

From the perspective of federal government compliance, if encryption isn’t FIPS validated, it may as well be plaintext.  In practical terms this is not true, but from a government compliance perspective it is. The entire process of getting a cryptographic module validated is time-consuming and involved, and most vendors don’t go through it unless they are targeting federal customers.

There is only one way to check if a vendor’s product is FIPS validated: through the validation system the government has set up.  The sales team of your favorite vendor will happily tell you they are FIPS compliant, which normally means they are using approved algorithms, like AES, but in most cases the product itself isn’t actually FIPS validated.

The only thing you should have to ask your vendor is their cryptographic module certificate number.  You can then look that certificate number up in the government’s validation list.

After you grab the certificate for your chosen product you can add it to your evidence documentation for your System Security Plan (SSP).  But that’s a whole different blog post.

To tie all of this back together, one super common thing that we’ve seen contractors overlook is FIPS validation for encryption on their mobile devices.  

Are Your Mobile Devices FIPS Validated and Encrypted?  

A few Android phones are FIPS validated, and iPhones are typically validated after some delay, so iOS is often a version behind on its FIPS validation.  If you have a BYOD (bring your own device) setup for mobiles that might contain CUI you should be especially concerned, as you may have no idea what devices your users are using or whether they are FIPS validated.  Neither Outlook Mobile nor Intune is FIPS validated as of the date of this post.

On laptops, if you are using BitLocker encryption, are your systems in FIPS mode?  BitLocker is FIPS validated, but it must be in FIPS mode.
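An added example (not code from the original post) that turns the two questions above into an evidence check: it reads the Windows FIPS policy value under the LSA registry key and lists each BitLocker volume's protection state. It assumes an elevated PowerShell session on the laptop being assessed, with the BitLocker module present for Get-BitLockerVolume.

```powershell
# Added example, not code from the original post. Run in an elevated PowerShell
# on the laptop being assessed; Get-BitLockerVolume comes with the BitLocker module.

function Test-FipsMode {
    # Windows exposes FIPS mode as the 'Enabled' DWORD under this LSA policy key;
    # a value of 1 means "Use FIPS compliant algorithms" is on.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'
    $policy = Get-ItemProperty -Path $key -Name 'Enabled' -ErrorAction SilentlyContinue
    return ($null -ne $policy -and $policy.Enabled -eq 1)
}

function Get-BitLockerEvidence {
    # One row per OS or data volume, suitable for SSP evidence for control 3.1.19.
    $fipsOn = Test-FipsMode
    Get-BitLockerVolume |
        Where-Object { $_.VolumeType.ToString() -in @('OperatingSystem', 'Data') } |
        ForEach-Object {
            [pscustomobject]@{
                Volume           = $_.MountPoint
                VolumeType       = $_.VolumeType.ToString()
                Protection       = $_.ProtectionStatus.ToString()   # On / Off
                EncryptionMethod = $_.EncryptionMethod.ToString()   # e.g. XtsAes256
                EncryptedPercent = $_.EncryptionPercentage
                FipsMode         = $fipsOn
                # Both conditions the post calls out: drive protected, and FIPS mode on.
                MeetsExpectation = ($_.ProtectionStatus.ToString() -eq 'On' -and $fipsOn)
            }
        }
}

Get-BitLockerEvidence | Format-Table -AutoSize
```

This reports the machine's current state only; keep the policy source (GPO or MDM setting) that enforces FIPS mode alongside the output so the evidence shows the setting is managed rather than set by hand.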

What Is NIST 800-171 Compliance?

NIST 800-171 compliance typically means that an organization has made an effort to comply with the NIST SP 800-171 controls, which focus on the protection of controlled unclassified information in non-federal systems.  In other words, it is about protecting sensitive government data out in the commercial space, beyond the reach of federal information system protections.

There are 110 controls in the current version of NIST SP 800-171, in 14 different areas, such as access control, incident response, or personnel security.  Each area has a number of basic and derived security requirements. Organizations looking to complete these requirements often look for an easy NIST 800-171 compliance checklist of items to complete, but the requirements involve significant time and resources. It just isn’t that simple.

If someone says that their organization is NIST 800-171 compliant they could mean several things:

  1. Their organization currently has a system security plan (SSP) in place and at a bare minimum a plan of action and milestones (POAM) to comply with the remaining 109 controls at some point in the future
  2. Their organization currently complies with a number of the 110 controls and has a POAM for the remaining controls they have not implemented yet, which may be proving especially time or resource consuming
  3. Their organization has completed all 110 requirements from within the NIST SP 800-171, and considers themselves “fully compliant”

Up until the end of 2018, we saw a number of federal contractors who considered the first option to be their most cost-effective route.  However, as government agencies begin to consider SSPs and POAMs in their pre and post-award processes, this has been rapidly changing in the small business world of federal contracting.  Primes have also stepped up their enforcement and supply chain investigations – we are no longer seeing a single page checkbox form confirming NIST 800-171 compliance, but instead detailed questionnaires, requests for full SSPs, and in-depth review of POAMs.  

One other important note about NIST 800-171 – you don’t see some of the traditional compliance exceptions like you do in other frameworks for things like excessive costs, or difficulty of implementation.  You must comply – unless you have a written exception from the CIO of the agency that would be contracting with your firm. If you don’t, it needs to be in a POAM, and the agency can (and most likely will) consider the holes in your protection of their controlled information during contract award.  

What Does NIST Stand for?

NIST stands for the National Institute of Standards and Technology.  NIST is a part of the US Department of Commerce and is responsible for creating many of the federal information technology standards.  NIST releases excellent reference materials for almost anything related to information technology, among many other things.

How Do I Get NIST Certified?

You don’t if you are talking about NIST 800-171.  There is no NIST 800-171 certification currently. Anyone who is trying to sell it to you should be given a wide berth.  Some other NIST standards may have related certifications or validations, such as NIST 800-53 and FedRAMP authorization, but as a federal contractor, you should not be worrying about being certified for NIST.  NIST 800-171 is at the moment self-assessed for compliance. There is, however, a definite possibility that a government customer or prime on a government contract will want to verify that you are complying with the requirements around the security of controlled unclassified information they may need to send to you, for example by asking to view your system security plan (SSP) and plan of action and milestones (POAM).

What is phishing?

So, what’s phishing all about? It’s like the con artist of the digital world. Phishers send you emails, pop up on websites, call, or text, all to trick you into sharing your personal data. They’re masters of social engineering – that’s just a fancy way of saying they’re really good at tricking people.

Here’s how it works: these cyber scammers pretend to be someone you trust. They use a false sense of urgency or act official to get you to let your guard down. Before you know it, you might give away things like your login details, credit card info, or bank account numbers. It works by exploiting human psychology. And once they have this info, watch out! They could steal your identity, take your money, or get into your private files.

How does phishing work?

Wondering how a phishing campaign goes down? It’s like a well-planned heist, but in the digital world. Here’s a breakdown of what happens:

  1. Choosing the Target: Phishers pick out who they want to trick. Sometimes they go after specific people or businesses, especially if they think there’s something valuable to grab. Other times, they throw out a big net to see who they can catch.
  2. Crafting the Con: They whip up a message that looks legitimate, like it’s coming from a real company or someone you know. They’re pretty good at using all the right logos and making email addresses look almost right. The whole point is to make you think it’s the real deal.
  3. Sending It Out: This phony message gets sent your way. It could pop up in your email, show up as a text, or even come in as a phone call. How they contact you depends on what kind of phishing they’re doing.
  4. Reeling You In: If you take the bait – like replying to their message or clicking on a hyperlink they sent – that’s when they strike. They can snatch your personal info or even sneak malware onto your computer via malicious links.

It’s sneaky business, but knowing how these phishing attacks work is the first step in making sure you and your business don’t get caught in the net.

How phishing scams trick users.

Phishing scams are like the ultimate tricksters, using a mix of clever tricks and a bit of emotional manipulation. They’re really good at pretending to be someone they’re not, which makes it tough to spot the danger. Here’s the scoop on how these scams hook people:

  • Playing on Emotions: Think fear, curiosity, urgency, or even greed. These scams hit you with messages that make you want to act fast. Maybe they scare you with talk of account suspension, or they dangle an amazing deal right in front of you.
  • Impersonating the Real Deal: Ever get an email that looks exactly like it’s from a big company or someone you know? That’s them, faking email addresses, copying logos, and making webpages that look spot-on. They’re all about making you believe it’s legit to get your login credentials.
  • Always Mixing It Up: Just when you think you’ve got phishing figured out, the scammers change their game. They’re always finding new ways to trick folks, whether it’s switching up how they contact you, cooking up new lures, or jumping on the latest trends to make their phony messages or malicious website seem real.

So, the next time you get an email message that sets off alarm bells, trust your gut. These phishing guys are sneaky, but now you know their tricks.

Forms of phishing.

Think of phishing as a chameleon, always changing its colors. It can pop up in different ways, but the goal’s always the same: tricking you into giving up your private details. Let’s break down the main types of phishing techniques:

  • Email Phishing Scams: The classic move. You get an email that looks like it’s from a legitimate place – maybe a bank or a big-name company. But watch out! Those emails often have links or attachments waiting to steal your info or drop malware onto your computer.
  • Voice Phishing (Vishing): Ever get a fishy phone call pretending to be from your bank or a government agency? That’s vishing. They’re after your details like your credit card number or Social Security number.
  • SMS Phishing (Smishing): This one’s all about text messages. You might get a message asking you to call a phone number or visit a website to “check” your personal info. Spoiler alert: it’s a trap!
  • Social Media Phishing: Yep, even social media isn’t safe. Cyber bad guys create fake profiles or hack real ones to send phishing messages, share links that are up to no good, or spread false info to snatch your sensitive data.
  • Business Email Compromise (BEC): This one’s sneaky. Hackers break into a real business email account and use it to send out phishing emails. Since BEC attacks come from someone you trust, it’s tougher to spot the danger.

Each type has its own tricks, but knowing what to look out for is your first step in staying safe. Remember, if something feels off, it probably is!

Why threat actors like phishing.

Ever wonder why phishing is like candy to cybercriminals? It boils down to a few reasons that make it their go-to trick:

  • Easy-Peasy: Making a phishing email or a fake website is a piece of cake. It doesn’t cost much, and the tools for it are just a click away. That means even the not-so-tech-savvy bad guys can jump on the phishing bandwagon.
  • Throwing a Big Net: By hitting lots of people at once, these phishing folks up their odds. They shoot out tons of emails or messages, and even if just a few people bite, it’s a win for them.
  • Low Risk, Big Payoff: Phishing is kind of a low-risk, high-reward game. The sneaky folks behind it can stay hidden and hard to track, especially if they know what they’re doing. And if they hit the jackpot, they could get their hands on loads of cash or some really secret info.
  • Opening Doors for More Trouble: Phishing is often just the start. Once they’ve got your login stuff or other personal details, they can dive into more serious cybercrimes, like a ransomware attack that locks up your data, or identity theft.
  • No Borders: The scary thing about phishing? It’s got a global reach. Some guy sitting halfway across the world can target anyone, anywhere. This makes it tough to stop them since they’re jumping over all sorts of legal boundaries.

In short, phishing’s a big deal because it’s easy, cheap, and can have a huge payoff for the bad guys, all while staying under the radar.

Who are the targets of phishing?

Short answer: pretty much anyone. It doesn’t matter who you are or what you do; if you’re online, you’re on their radar. From regular Joes and Janes to businesses big and small, government bodies, schools and colleges, banks and financial institutions, hospitals and clinics, and customers of major brands like Microsoft, Walmart, Apple, or Amazon – phishing is like fishing in a big ocean. They’re casting wide nets to catch as many fish as possible.

Types of phishing attacks.

Phishing isn’t just one-size-fits-all; it’s a whole wardrobe of disguises, each tailored to catch a specific target with different tactics and methods. Let’s check out the main styles:

General Phishing

This is the most common type of phishing attack. It’s like throwing a bunch of bait into the water and seeing who bites. These phishing attempts blast out emails, fake websites, or even text messages (smishing), aiming to fool anyone they can. They often dress up as legitimate companies, hoping you’ll hand over personal info, login details, or your credit card information.

Spear Phishing

Here, phishers get personal. Spear phishers do their homework on specific individuals or businesses, using details like your name or job to make their fake messages look real. They often dig up this info from places like social media, making their spear phishing attacks seem super believable.

Whaling

This is spear phishing’s big brother, targeting the top dogs in a company – think CEOs or managers. Whaling attacks are super detailed and carefully crafted. Since they’re aiming high, the stakes are big too, with potentially massive financial or business impacts.

Spoofing

This is like the sidekick to phishing. Spoofing is all about faking things – emails, caller IDs, websites – to make them look like they’re from someone you trust. This trick makes phishing scams seem way more legit, upping their chances of tricking you.

Dangers of phishing for businesses.

Phishing isn’t just a minor headache; it’s a major threat to any business, big or small. Here’s why you should take it seriously:

Financial risks

It’s not just about losing money on the spot. Think credit card fraud, messed-up business deals, and the high costs of cleaning up the mess. Plus, there’s the threat of fines, legal headaches, and even higher insurance premiums.

Regulatory risks

Get hit by successful phishing, and you might leak sensitive information about your team, clients, or partners. That can lead to legal trouble, regulatory watchdogs breathing down your neck, and even problems with your licenses or contracts.

Operational risks

Phishing can throw a wrench into how your business runs. Imagine locked files, disrupted workflows, lost trade secrets, and tech systems taking a hit. It’s a recipe for increased IT costs and strained business relations with external partners.

Reputational risks

A phishing attack can tarnish your good name. It can shake customer trust, stir up negative press, hit employee morale, and even hurt your stock value if you’re publicly traded.

Cybersecurity risks

Phishing opens the door to all sorts of cyber threats – malware, ransomware, broken security protocols, and sneaky threats that can exploit your vulnerabilities and even lead to a data breach. It’s a big deal for the safety of your network and data.

How to identify and prevent phishing attacks.

Phishing’s like a sneaky fisherman trying to reel in your sensitive info. But don’t worry, there are ways to keep your business safe and mitigate the risks. Here’s the lowdown:

Recognize the signs of a phishing attack.

  • Check the sender’s email address for oddities. Weird spelling? Generic greetings? These are red flags.
  • Watch out for links and attachments. Hover over links to peek at the URL. Got an unexpected attachment? Think twice before opening.
  • Bad grammar or urgent demands? Another sign of suspicious emails.
  • Got an email asking for sensitive info like credit card numbers or login stuff? Double-check it’s legit before you share anything.
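As an added example (not code from the original post), here is a PowerShell function that applies the four warning signs listed above to one message: a lookalike sender domain, a generic greeting, link text that names a different host than the link actually goes to, and urgent or credential-seeking wording. The trusted-domain list, the phrase list and the sample message are all made up for the demonstration.

```powershell
# Added example, not code from the original post. Trusted domains, phrases and the sample are constructed.
function Get-EditDistance([string]$a, [string]$b) {
    # Levenshtein distance: enough to catch one- or two-character lookalike domains.
    $d = [int[,]]::new($a.Length + 1, $b.Length + 1)
    for ($i = 0; $i -le $a.Length; $i++) { $d[$i, 0] = $i }
    for ($j = 0; $j -le $b.Length; $j++) { $d[0, $j] = $j }
    for ($i = 1; $i -le $a.Length; $i++) {
        for ($j = 1; $j -le $b.Length; $j++) {
            $cost = if ($a[$i - 1] -eq $b[$j - 1]) { 0 } else { 1 }
            $d[$i, $j] = [math]::Min([math]::Min($d[$i - 1, $j] + 1, $d[$i, $j - 1] + 1),
                                     $d[$i - 1, $j - 1] + $cost)
        }
    }
    return $d[$a.Length, $b.Length]
}

function Get-PhishingIndicators {
    param(
        [string]$FromAddress,       # address from the From: header
        [string]$Greeting,          # first line of the body
        [string]$BodyHtml,          # body as HTML, so links can be inspected
        [string[]]$TrustedDomains   # domains the recipient genuinely deals with
    )
    $findings = @()
    # Sign 1: sender address oddities, here a domain one or two characters off a trusted one.
    $senderDomain = ($FromAddress -split '@')[-1].ToLowerInvariant()
    foreach ($trusted in $TrustedDomains) {
        $t = $trusted.ToLowerInvariant()
        if ($senderDomain -ne $t -and (Get-EditDistance $senderDomain $t) -le 2) {
            $findings += "Sender domain '$senderDomain' is a lookalike of '$t'"
        }
    }
    # Sign 2: generic greeting instead of the recipient's name.
    if ($Greeting -match '^\s*(Dear|Hello|Hi)\s+(Valued\s+)?(Customer|User|Member)\b') {
        $findings += "Generic greeting: '$($Greeting.Trim())'"
    }
    # Sign 3: what hovering reveals, link text naming one host while href goes to another.
    $linkPattern = '<a\s+[^>]*href="(?<href>[^"]+)"[^>]*>(?<text>[^<]+)</a>'
    foreach ($m in [regex]::Matches($BodyHtml, $linkPattern, 'IgnoreCase')) {
        $hrefHost = ([uri]$m.Groups['href'].Value).Host
        $text = $m.Groups['text'].Value.Trim()
        if ($text -match '^(https?://)?(?<host>[a-z0-9.-]+)' -and $Matches['host'] -ne $hrefHost) {
            $findings += "Link text '$text' actually points to $hrefHost"
        }
    }
    # Sign 4: urgent demands or requests for credentials.
    $urgent = '(?i)\b(within \d+ hours|immediately|suspend(ed)?|verify your (account|password|card))\b'
    if ($BodyHtml -match $urgent) {
        $findings += "Urgent demand or credential request: '$($Matches[0])'"
    }
    return $findings
}

# Constructed sample message for the demonstration; not a real email.
$sample = @{
    FromAddress    = 'security@examp1e-bank.com'
    Greeting       = 'Dear Customer,'
    BodyHtml       = 'Your account will be suspended within 24 hours. ' +
                     '<a href="http://login.examp1e-bank.com/verify">https://www.example-bank.com/secure</a>'
    TrustedDomains = @('example-bank.com')
}
Get-PhishingIndicators @sample
```

Each returned line corresponds to one of the bullets above, so a message that trips several of them is a good candidate for the reporting process your awareness training teaches.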

Provide security awareness training to employees.

  • Run fake phishing tests to teach your crew what to watch for and how to report phishing attempts.
  • Keep them in the loop with regular updates on new phishing tricks, like those scary spear phishing or vishing scams.

Conduct regular updates.

  • Keep all your software, especially your security stuff like firewalls and antivirus, up to date.
  • Add extra protection layers with multi-factor authentication, anti-phishing tools, and spam filters.

Partner with a managed services provider.

A managed services provider like Magna5 has your back with top-notch network security that’s tailored to your business. Our solutions are a whole package deal – think antivirus, threat detection, and making sure your data stays safe and sound.

How Magna5 can help you detect and prevent phishing attacks.

Navigating phishing attacks can be a daunting task for any business. It’s a challenge to stay one step ahead of these ever-evolving threats that can disguise themselves in the most unexpected ways. Understanding and responding to these attacks requires not just vigilance but also expertise and a strategic approach.

That’s where Magna5 comes in. We specialize in crafting defensive strategies tailored to the unique needs of your business. Our team of cybersecurity experts doesn’t just wait for threats; we actively seek them out, predict their moves, and stop them in their tracks before they can do harm.

By partnering with Magna5, you’re not just getting a cybersecurity provider; you’re gaining a partner dedicated to your business’s safety and success. Our comprehensive approach means you can focus on growing your business, confident in the knowledge that your digital assets are protected.

Ready to bolster your defenses and take a proactive stance against phishing? Contact Magna5 today to explore how we can fortify your business against these digital threats.

By Mariah Brooks, guest author.