Remote Work and Data Security: Adhering to NIST SP 800-171

Remote work is becoming popular and remains convenient. However, it also poses challenges to information security, especially for organizations that handle Controlled Unclassified Information (CUI). This post explores the guidelines outlined by the U.S. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 for protecting CUI in nonfederal information systems and organizations, with a focus on remote work. We will also delve into the importance of digitalization and electronic archiving for secure data management.

The NIST SP 800-171 was published in response to Executive Order 13556 on managing CUI. It offers guidelines on how CUI should be securely accessed, transmitted, and stored in nonfederal information systems and organizations. The publication has been updated several times since its original release in June 2015 to address evolving cyber threats. It outlines requirements in four main categories:

1. Controls and processes for managing and protecting.

2. Monitoring and management of IT systems.

3. Clear practices and procedures for end users.

4. Implementation of technological and physical security measures

NIST SP 800-171 permits remote work, but it necessitates implementing safeguarding measures for CUI at alternate work sites. It provides several controls specifically for remote access of CUI:

1. Control 3.10.6: Enforce safeguarding measures for CUI at alternate work sites.

2. Control 3.1.12: Monitor and control remote access sessions.

3. Control 3.1.13: Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.

4. Control 3.1.14: Route remote access via managed access control points.

5. Control 3.5.3: Use multi-factor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.

6. Control 3.13.7: Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling).

Personal Technology Best Practices for Remote Work

Given the ubiquitous use of personal smart devices, here are some steps remote employees should take to further protect access:

1. Change the default username and passwords for all internet-connected devices.

2. Regularly update the firmware on routers, modems, and all connected devices. Many of these updates are designed to address known security vulnerabilities.

3. Turn off and unplug unused devices, and consider disabling or covering cameras when not in use.

4. Keep security software or firewalls updated to the latest version.

Adhering to NIST SP 800-171 guidelines and practicing digital archiving can go a long way in safeguarding sensitive data, promoting efficient data management, and maintaining organizational integrity for CMMC compliance. As technology continues to evolve, so too must our practices for protecting and managing information.