NextLabs helps organizations meet the security requirements of the National Institute of Standards and Technology (NIST). In particular, NIST has published several documents, each of which focuses on a different facet of security. NextLabs addresses many of the requirements of these publications as noted below.
This document details a framework to protect an organization and its assets from a range of threats, including cyberattacks, insider threats, application security, supply chain risks, and human error, among others. NextLabs helps organizations meet various access control requirements, including enforcement of least privilege/need-to-know, dynamic privilege management, and usage controls on features such as Edit, Print, Reshare, and Extract.
NIST SP 800-162
This paper defines attribute based access control (ABAC). NextLabs was selected by NIST to help define the core capabilities and benefits of ABAC. ABAC is an access control model in which authorization to perform a set of operations is determined by evaluating attributes associated with the subject, the object, the requested operations and, in some cases, environment conditions against the policy, rules, or relationships that describe the allowable operations for a given set of attributes.
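To make the ABAC model concrete, here is a small policy evaluator written for this page as an added illustration; it is not NextLabs or NIST code. It assumes a constructed attribute vocabulary (project, clearance, classification, network), two hypothetical rules, and a deny-overrides combining algorithm: any applicable deny wins, an applicable permit otherwise wins, and a request no rule covers is denied by default. The operations include the usage controls named above (Edit, Print, Reshare, Extract) so that an environment attribute can restrict export-style operations while still permitting viewing.

```python
"""Minimal ABAC evaluator: decisions from subject, object, action and environment attributes.
Added example, not vendor code; attribute names and rules are constructed for illustration."""
from dataclasses import dataclass
from typing import Any, Callable, Mapping, Sequence

# Constructed sensitivity ordering: a subject's clearance must be at least the object's level.
LEVELS = {"public": 0, "internal": 1, "cui": 2}

Attrs = Mapping[str, Any]
Condition = Callable[[Attrs, Attrs, Attrs], bool]  # (subject, object, environment) -> applicable?


@dataclass(frozen=True)
class Rule:
    name: str
    effect: str          # "permit" or "deny"
    actions: frozenset   # operations this rule governs
    condition: Condition  # predicate over the attributes


def same_project_and_cleared(sub: Attrs, obj: Attrs, env: Attrs) -> bool:
    """Need-to-know: same project and clearance >= object classification."""
    return (sub.get("project") == obj.get("project")
            and LEVELS.get(sub.get("clearance"), -1) >= LEVELS.get(obj.get("classification"), 99))


def cui_off_network(sub: Attrs, obj: Attrs, env: Attrs) -> bool:
    """Environment condition: CUI must not leave the corporate network."""
    return obj.get("classification") == "cui" and env.get("network") != "corporate"


# Hypothetical policy: a broad permit plus a narrower deny on export-style operations.
RULES = (
    Rule("project-need-to-know", "permit",
         frozenset({"view", "edit", "print", "reshare", "extract"}), same_project_and_cleared),
    Rule("no-cui-export-off-network", "deny",
         frozenset({"print", "reshare", "extract"}), cui_off_network),
)


def evaluate(rules: Sequence[Rule], subject: Attrs, obj: Attrs, action: str, env: Attrs) -> str:
    """Deny-overrides combining: any applicable deny wins, else a permit, else default deny."""
    decision = "deny"
    for rule in rules:
        if action not in rule.actions or not rule.condition(subject, obj, env):
            continue  # rule not applicable to this request
        if rule.effect == "deny":
            return "deny"
        decision = "permit"
    return decision


def decide(subject: Attrs, obj: Attrs, action: str, env: Attrs) -> str:
    """Evaluate a request against the constructed RULES policy."""
    return evaluate(RULES, subject, obj, action, env)


# Constructed sample attributes.
ALICE = {"id": "alice", "project": "falcon", "clearance": "cui"}
BOB = {"id": "bob", "project": "eagle", "clearance": "cui"}
DOC = {"id": "doc-42", "project": "falcon", "classification": "cui"}
CORP = {"network": "corporate"}
HOME = {"network": "home"}

if __name__ == "__main__":
    for sub, act, env in [(ALICE, "edit", CORP), (ALICE, "print", HOME),
                          (ALICE, "view", HOME), (BOB, "view", CORP)]:
        print(f"{sub['id']:6} {act:6} from {env['network']:9} -> {decide(sub, DOC, act, env)}")
```

The point to notice is that no identity is ever hard-coded into a rule: alice is permitted to edit on the corporate network and to view from home, but printing the same document from home is denied because the environment attribute makes the deny rule applicable; bob is denied everything because the project attribute does not match. Changing an attribute changes the decision without touching the policy, which is the dynamic privilege management the section describes.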
NIST SP 800-171 sets forth the minimum security standards for all Department of Defense contractors that process, store, or transmit Controlled Unclassified Information (CUI). NextLabs helps organizations safeguard the information that resides in or transits through covered contractor information systems and the reporting of cyber incidents.
NIST SP 800-178
In this document, titled “A Comparison of Attribute Based Access Control (ABAC) Standards for Data Services: Extensible Access Control Markup Language (XACML) and Next Generation Access Control (NGAC),” NIST describes how these are very different attribute based access control standards with similar goals and objectives. The goal of both models is to provide a standardized way of expressing and enforcing a multitude of access control policies on various types of data services. The two standards differ in the manner in which access control policies are specified, managed, and enforced.
NIST SP 1800-2
NIST SP 1800-2 covers how energy companies need to control physical and logical access to their resources, including buildings, equipment, information technology (IT), and operational technology (OT), to protect power generation, transmission, and distribution. They must implement technology that authenticates, with a high degree of certainty, the individuals to whom the companies grant access rights to those devices and facilities.
NIST SP 1800-3
Like SP 800-162, this document focuses on ABAC; however, it also covers the involvement of the National Cybersecurity Center of Excellence (NCCoE) and its example of an advanced access control system. The NCCoE practice guide in this paper details a collaborative effort between the NCCoE and technology providers to demonstrate a standards-based approach to attribute based access control. The guide also discusses potential security risks facing organizations, the benefits that may result from implementing an ABAC system, and the approach the NCCoE took in developing a reference architecture and build.
NIST SP 1800-9
This paper discusses access rights management for the financial services sector. Financial services firms are complex organizations with several internal systems managing sensitive financial and customer data. These internal systems are typically independent of each other, which makes centralized management and oversight challenging. In collaboration with the financial services community and technology collaborators, the National Cybersecurity Center of Excellence (NCCoE) developed SP 1800-9, which uses standards-based, commercially available technologies and industry best practices to help financial services companies manage access to data and systems in a more secure and efficient way.
NIST SP 800-207
This special publication discusses the core logical components that make up a zero trust architecture (ZTA) network strategy. Zero trust refers to an evolving set of network security paradigms that narrow defenses from wide network perimeters to individuals or small groups of resources. Its focus on protecting resources rather than network segments is a response to enterprise trends that include remote users and cloud-based assets that are not located within an enterprise-owned network boundary.
Cybersecurity Capability Maturity Model (CMMC) certification is the US Government’s solution to fix the low rates of compliance associated with NIST SP 800-171. CMMC is not optional: it is designed to allow only businesses with a valid CMMC certification to bid on and win contracts with the US Government. The US Department of Defense (DoD) recognizes that not all contractors are alike and that subcontractors are used in different ways. CMMC is therefore a tiered model that addresses every business in the Defense Industrial Base (DIB), from the largest contractors down to small subcontractors (e.g., IT service providers, bookkeepers, janitorial services, etc.) that could affect CUI.
One common misconception is that CMMC compliance is the same thing as NIST SP 800-171. That is not entirely true, especially in the higher levels of CMMC that include requirements from frameworks other than NIST SP 800-171.
CMMC Level 1: This level essentially addresses the FAR 52.204-21 cybersecurity principles.
CMMC Level 2: This level builds on CMMC Level 1 and addresses a little over half of the NIST SP 800-171 controls.
CMMC Level 3: This level builds on CMMC Level 2 and addresses all of the NIST SP 800-171 controls plus a few extras.
CMMC Levels 4 & 5: These levels build on CMMC Level 3 and include controls from a range of frameworks:
- CERT RMM v1.2
- NIST SP 800-53
- NIST SP 800-172
- ISO 27002
- CIS CSC 7.1