Addressing NIST 800-172A enhanced security requirements for configuration management
By Matt Malarkey | Date published: 11 April 2022
Last month, the National Institute of Standards and Technology (NIST) released Special Publication (SP) 800-172A, which sets out the assessment procedures for the enhanced security requirements in NIST SP 800-172 for protecting controlled unclassified information (CUI).
The publication is aimed at both federal agencies and the non-federal organizations that handle CUI on their behalf. Protecting CUI in non-federal organizations and systems is essential because its loss or compromise can impair the government's ability to carry out important missions and operations.
NIST 800-172A is aimed at individuals with system development or information security assessment and monitoring responsibilities. The publication is also for the attention of those with privacy, risk management and governance oversight responsibilities and those responsible for information security operations.
Assessments against SP 800-172 may be carried out by the organization itself, by an independent third party, or through a government-sponsored assessment. Organizations can use the assessment procedures to identify gaps in their security and risk management programs, prioritize risk mitigation decisions and support continuous monitoring efforts.
Organizations are not expected to use every assessment method and assessment object in every assessment they carry out; instead, they have the flexibility to select the specific assessment methods needed to achieve their objectives.
One essential aspect of protecting CUI outlined in this publication is configuration management (see section 3.4, pages 11 – 12 of the publication).
There are three enhanced security requirements relating to configuration management. For each, the publication outlines potential assessment methods, which include examining plans, policies and records, testing the mechanisms in place and interviewing relevant personnel.
The first requirement (3.4.1e) is to establish and maintain an authoritative source and repository that provides a trusted source of, and accountability for, approved and implemented system components.
The assessment objectives for this requirement are to determine whether approved system components and implemented system components are identified, and whether an authoritative source and repository has been established and is maintained.
The second requirement (3.4.2e) is to employ automated mechanisms that detect misconfigured or unauthorized system components. The requirement also specifies what happens after detection, and the organization selects one or more of the available responses.
The responses are removing the components, or placing them in a quarantine or remediation network. More than one can be selected, the aim being to facilitate patching, re-configuration or some other form of mitigation.
Lastly, the third requirement (3.4.3e) is to employ automated discovery and management tools to maintain an inventory of system components. This inventory must be up to date, accurate, complete and readily available.
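The three requirements fit together as one mechanism: an authoritative repository of approved components and their approved configurations, an automated discovery run that produces an inventory, and a reconciliation step that classifies every discovered component and picks a response. The script below is an added illustration of that reconciliation logic written for this article; it is not code from the publication, from NIST, or from any product. All device names, configurations, owners and dates are constructed, and the choice to represent an "approved configuration" as a SHA-256 hash of the running configuration text is an assumption made for the example.

```python
"""Reconcile an automated discovery inventory against an authoritative
repository of approved components (NIST SP 800-172 3.4.1e / 3.4.2e / 3.4.3e).

All identifiers, configurations and records below are constructed for
illustration; none come from the publication or from a real network.
"""
import hashlib
import json
from dataclasses import dataclass, asdict


def cfg_hash(text: str) -> str:
    """Hash of a configuration file; the authoritative repository stores this
    for every approved component (assumed representation, not from NIST)."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed approved configurations, as held in the authoritative source.
APPROVED_CONFIG = {
    "core-rtr-01": "hostname core-rtr-01\nservice password-encryption\nno ip http server\n",
    "edge-fw-01": "hostname edge-fw-01\nlogging host 10.0.0.5\n",
    "access-sw-07": "hostname access-sw-07\nno cdp run\n",
}

# The authoritative repository: who owns each approved component and the
# hash of the configuration that was approved for it (3.4.1e).
AUTHORITATIVE = {
    name: {"owner": "netops", "config_sha256": cfg_hash(cfg), "approved_on": "2022-03-01"}
    for name, cfg in APPROVED_CONFIG.items()
}

# Constructed output of an automated discovery run (3.4.3e): one record per
# device found on the network, with the configuration actually pulled from it.
DISCOVERED = [
    {"hostname": "core-rtr-01", "mgmt_ip": "10.0.0.1",
     "config": APPROVED_CONFIG["core-rtr-01"]},
    # Drift: the HTTP server has been re-enabled since approval.
    {"hostname": "edge-fw-01", "mgmt_ip": "10.0.0.2",
     "config": "hostname edge-fw-01\nlogging host 10.0.0.5\nip http server\n"},
    # Not present in the authoritative repository at all.
    {"hostname": "lab-sw-99", "mgmt_ip": "10.0.9.9",
     "config": "hostname lab-sw-99\n"},
    # Discovery record lacks a required field, so the inventory is not "complete".
    {"hostname": "access-sw-07", "config": APPROVED_CONFIG["access-sw-07"]},
]

REQUIRED_FIELDS = ("hostname", "mgmt_ip", "config")


@dataclass
class Finding:
    hostname: str
    category: str  # approved | misconfigured | unauthorized | missing | incomplete_record
    action: str    # none | remediate | quarantine | investigate | fix_inventory
    detail: str = ""


def reconcile(authoritative, discovered):
    """Classify every discovered component and every approved component (3.4.2e).

    Unauthorized components are sent to the quarantine network; misconfigured
    ones are routed to remediation; approved components that were not
    discovered are flagged for investigation; incomplete discovery records are
    flagged so the inventory itself can be fixed.
    """
    findings = []
    seen = set()
    for rec in discovered:
        name = rec.get("hostname", "<unknown>")
        missing_fields = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing_fields:
            findings.append(Finding(name, "incomplete_record", "fix_inventory",
                                    "missing fields: " + ", ".join(missing_fields)))
        if name not in authoritative:
            findings.append(Finding(name, "unauthorized", "quarantine",
                                    "not present in authoritative repository"))
            continue
        seen.add(name)
        if "config" in rec and cfg_hash(rec["config"]) != authoritative[name]["config_sha256"]:
            findings.append(Finding(name, "misconfigured", "remediate",
                                    "running configuration differs from approved baseline"))
        else:
            findings.append(Finding(name, "approved", "none"))
    for name in authoritative:
        if name not in seen:
            findings.append(Finding(name, "missing", "investigate",
                                    "approved component was not discovered"))
    return findings


def actions(findings):
    """Map (hostname, category) -> action, convenient for reports and tests."""
    return {(f.hostname, f.category): f.action for f in findings}


def summarize(findings):
    """Count findings per category for the assessment record."""
    counts = {}
    for f in findings:
        counts[f.category] = counts.get(f.category, 0) + 1
    return counts


if __name__ == "__main__":
    # Machine-consumable output: one JSON object per finding.
    for finding in reconcile(AUTHORITATIVE, DISCOVERED):
        print(json.dumps(asdict(finding)))
```

Two caveats when applying this for real: comparing a whole-file hash only tells you that the running configuration differs from what was approved, not which setting changed or whether the approved baseline was itself secure, so a production tool must diff normalized configurations (stripping timestamps, comment lines and ordering differences) and evaluate the result against a benchmark; and the "missing" category matters as much as "unauthorized", because an approved device that has dropped out of discovery may have been replaced or may simply be unreachable to the collector, and either way the inventory is no longer accurate.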
Using Nipper to meet NIST 800-172A requirements
Carrying out the network configuration assessments needed to meet the requirements outlined in NIST 800-172A requires the right tools. Using software such as Nipper, organizations can analyze the configurations of their network infrastructure devices and the interactions between them. Nipper addresses the requirement to detect misconfigurations and, by building a virtual model of the device before evaluating it, reduces false positives.
By cutting the number of false positives, Nipper lets organizations spend less time investigating findings and more resource on fixing genuine misconfigurations. The software prioritizes findings by risk, provides exact technical fixes, and produces machine-consumable output that can feed automated mitigation.
For organizations operating on a larger scale, Nipper Enterprise provides continuous misconfiguration detection and response. This solution can either connect directly to network devices for continuous monitoring of configuration files or, in snapshot mode, it can ingest previously extracted configs.
Organizations with NIST 800-172 requirements are also likely to need to comply with CMMC and NIST 800-171. The software has dedicated modules that, according to the vendor, can automate the assessment of 89% of the network controls related to these requirements.