- Simplifies NIST 800-171 compliance with customized reporting
- Protects CUI by monitoring all communications and traffic for malicious activity
- Supports incident response and risk-assessment exercises
- Enables compliance with DFARS cybersecurity requirements
Today, federal departments and agencies are increasingly digitized and subcontracted. This has led to an explosion of government data held in the information systems of subcontractors who work with sensitive or confidential data related to agriculture, finance, military and other areas that fall under federal regulations.
To keep this information secure, Executive Order 13556 established the Controlled Unclassified Information (CUI) program to standardize the way federal contractors handle unclassified information that requires protection, such as personally identifiable information, or sensitive government assets.
This program has issued final guidelines for protecting this data, “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” known as the NIST 800-171 standard. The US Department of Defense has issued the Defense Federal Acquisition Regulation Supplement (DFARS) cybersecurity requirement, which requires defense contractors to meet the NIST 800-171 standard or risk losing their contracts.
Controlled Unclassified Information (CUI) can be stored in a variety of repositories, such as file servers, databases, access logs and other types of unstructured and structured data repositories. Safeguarding access to CUI and defending it from outside attack requires diligent administration and close cooperation between the IT teams and the many business units that need access to the data.
In addition, NIST 800-171 requires each defense contractor to institute a continuous monitoring program that monitors, filters, logs and alerts on any suspicious activity on the contractor’s network. Contractors need the assistance of MSPs to review all logged activity in order to meet the incident reporting requirements of DIBNet. A Security Operations Center provides active monitoring and alerting to stay ahead of threats and report them in real time.
Techni-Core’s partner, Arctic Wolf, provides a 24×7 security operations center (SOC)-as-a-service that enables defense and federal contractors to meet the NIST 800-171 security and incident response compliance requirements using the industry-leading, cloud-based AWN CyberSOC. Arctic Wolf simplifies DFARS 7012 incident reporting by working directly with your Techni-Core ISSO: every incident is alerted on, ticketed in Techni-Core’s ConnectWise system, assessed and escalated, and if a cyber threat is confirmed, your Techni-Core ISSO provides formal reporting to DIBNet.
| NIST 800-171 section | Requirement | How the Arctic Wolf service supports it |
|---|---|---|
| 3.1 Access Control | 3.1.20: Verify and control/limit connections to and use of external information systems. | The AWN CyberSOC service receives firewall logs, which can be used to demonstrate compliance with this requirement. |
| 3.3 Audit and Accountability | 3.3.5: Use automated mechanisms to integrate and correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious or unusual activity. | AWN CyberSOC delivers this via automated tools and adds a Concierge Security Engineer (CSE) to reduce false positives and provide additional context and actionable intelligence. |
| 3.3 Audit and Accountability | 3.3.6: Provide audit reduction and report generation to support on-demand analysis and reporting. | Arctic Wolf has many standard reports and can create custom reports on an ad-hoc or weekly schedule. We also support our customers in the event of an audit or external investigation, including exporting event/log data or real-time discovery via screen sharing with your assigned CSE. |
| 3.3 Audit and Accountability | 3.3.8: Protect audit information and audit tools from unauthorized access, modification and deletion. | Arctic Wolf has strict security policies in place to prevent unauthorized access to SOC tools. Log data is encrypted in transit and at rest. |
| 3.5 Identification and Authentication | 3.5.3: Use multifactor authentication (MFA) for local and network access to privileged accounts and for network access to non-privileged accounts. | Arctic Wolf can provide log data from the MFA systems in use, such as Okta or Duo, to demonstrate compliance with this requirement. |
| 3.6 Incident Response | 3.6.1: Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user-response activities. | Arctic Wolf can provide closed, ticketed incidents as evidence of an operational incident-handling capability. |
| 3.6 Incident Response | 3.6.3: Test the organizational incident response capability. | Arctic Wolf can help validate your incident response plan by running a tabletop IR exercise. |
| 3.11 Risk Assessment | 3.11.2: Periodically scan for vulnerabilities in information systems and applications, as well as when new vulnerabilities affecting the system are identified. | This is a core function of the Arctic Wolf service for externally exposed systems. |
| 3.13 System and Communications Protection | 3.13.1: Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. | The Arctic Wolf sensor generates net flow data at egress points to the public internet, can also work off span/mirror ports for key internal subnets/VLANs, and provides monitoring and alerting based on that flow data. |
| 3.13 System and Communications Protection | 3.13.5: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | Arctic Wolf can provide firewall log data from servers or systems installed in the separated zones. |
| 3.13 System and Communications Protection | 3.13.14: Control and monitor the use of voice over Internet protocol (VoIP) technologies. | VoIP traffic can be monitored by an Arctic Wolf sensor using an internal tap or span/mirror configuration. If the central server (call manager, etc.) provides logs via syslog, these can be used for additional context and alerting. |
| 3.14 System and Information Integrity | 3.14.6: Monitor information systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | This is a core function of the AWN CyberSOC service, conducted through a sensor appliance that acts as a managed intrusion detection system. |