Meeting NIST Requirements while using SaaS Software.
December 31, 2017, Organizations who process, store, and transmit Controlled Unclassified Information (CUI) need to comply with NIST Special Publication 800-171. The question organizations need to consider is what does it mean for their SaaS Applications? How do you do it in the “bring your own cloud,” (BYOC) world we live in? I am going to walk you through critical things you need to think of for SaaS applications about as you go through this.
Figure out your scope.
If you are already ISO 27001 certified, you probably already have this knowledge and should move quickly through the following steps. Who in the business deals with CUI? Moreover, do they even know it? Starting the education campaign will not only narrow the scope but count towards awareness training. What processes deal with CUI and the form it takes such as Email or PDFs, and where do they process CUI and where do you store CUI Endpoints, Sharepoint, Email, Google Docs? When CUI is sent or received how does it there? Email, Fax, Pastebin? Why do they need CUI? Contact Specialist Program manager or just because?
Now that you know the 5 Ws, start working through the list and figure out the gaps based on scope. However, if you do not have a security program, you need to put the framework in place first. The technical controls are the easy part. The hard part is implementing in the written order and maintaining it.
800-171 focuses on applications externally hosted that have CUI Data and how to address the compliance. If you are wondering why did it, take three paragraphs to get here. Its because 2/3 of your security is People and Process, and without this implemented any technical controls will be difficult and most impacting. If you can meet the control with a process, you save time/money and narrow down what may require a cost.
Things to Consider for SaaS
A. ADFS SSO will be your friend as you will only have one password policy to enforce and you can mitigate risk of trying to ensure all your cloud apps can and do meet your password policy
B. If the SaaS provider can IP Whitelist use it. If not SAML might be your friend
C. Validate that they have there owned certifications/attestations
i. 0365 E and G will cover you from the backend, and 0365Gov/DOD will cover ITAR data if that something you put in the cloud
ii. REMEMBER: THEY ARE COVERING THERE SIDE BUT….YOU STILL HAVE TO IMPLEMENT IT CORRECTLY
D. Some providers will offer you the Escalade when the suburban covers your requirements. Mircosoft’s E-3 Licence and G-3 both meet Nist 171 and GovD would only really help if you are planning to store ITAR Data in 0365.
For more information about Red Lion 800-171, you can contact Rob at: firstname.lastname@example.org
For the full NIST Publication: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf