Vulnerability scans: an essential tool for multilayer security in NIST 800-171

Sound cyber security takes diligence across all fronts, especially when the focus is on protecting Controlled Unclassified Information (CUI). NIST published special guidance in NIST SP 800-171 to protect confidentiality and establish standards for protecting sensitive federal data used in non-federal information systems. Defense contractors with access to CUI in the performance of their federal contract must comply with the controls in NIST SP 800-171 selected by their federal customer and demonstrate adequate security.

Vulnerability scanning is essential to a contractor’s compliance efforts. How often you conduct vulnerability scans depends on many factors. Any major system, organization, or infrastructure change is a prime trigger, along with compliance requirements and your overall security goals. Here’s how to build the right NIST vulnerability scanning cadence into your information security program.

What is a vulnerability scan, and why does it matter?

We went to the source for cyber standards. According to NIST, a vulnerability scan is just what it sounds like: a technique to identify hosts/host attributes and associated vulnerabilities. Vulnerability scanning is a valuable tactic for any organization to identify and remediate system gaps and misconfigurations before attacks happen.

Often, vulnerability scans are confused with penetration tests. However, they’re different tools, each with its own value. With a vulnerability scan, you have an automated process to find issues in your systems – like a missing patch or risky software – at the pace you set. Penetration testing, on the other hand, involves manual and automated simulations in which a fictitious bad actor, the penetration tester, tries to breach your network and gain access to sensitive accounts and data.


How do you perform a vulnerability scan?

Vulnerability scanning software automates the process of scanning everything from network devices, servers, and workstations to applications and databases. Typically, scanning reports will list the identified vulnerabilities, rank their criticality, and suggest the associated remediation.

Vulnerability scans are conducted with a variety of tools to search systems for various security vulnerabilities.

Vulnerability scanning and penetration testing with NIST 800-171

NIST SP 800-171 establishes crucial standards for organizations striving for stronger security across systems. Here are the essential requirements to meet:

Requirement 3.11.2: In addition to specifying periodic vulnerability scans, NIST calls for scans as soon as new vulnerabilities affecting the system are identified. Organizations should also recognize that custom software applications may require more extensive approaches, including static analysis, binary analysis, and dynamic analysis.

By NIST definition, a vulnerability scan shall include:

  • Scanning for ports, protocols, functions, and services that must not be accessible to users/devices
  • Scanning for improper configuration
  • Scanning for incorrectly operating information flow control mechanisms

As interoperability is often an essential requirement, organizations should use products based on the Security Content Automation Protocol (SCAP), Common Vulnerabilities and Exposures (CVE), Open Vulnerability Assessment Language (OVAL), and Common Vulnerability Scoring System (CVSS). Security assessments such as red team exercises also provide additional sources of potential vulnerabilities to scan for.
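The first bullet above (services that must not be reachable) and the CVSS reference are the two parts of a scan report a reviewer checks first. The script below is an added example for this article, not code from the article, from DTS, or from NIST: it compares the services a scan observed on each host against a constructed approved baseline, flags every unapproved service and every approved service the scan failed to see, and maps a CVSS v3.x base score to its qualitative rating. The hosts, ports, and baseline are constructed sample data.

```python
"""Compare scan-observed services against an approved baseline and rate CVSS scores.

Added example; not code from the article, from DTS, or from NIST.
The baseline, scan results, and hosts below are constructed sample data.
"""

# Constructed approved baseline: for each host, the (port, protocol) pairs that are
# permitted to be reachable. Anything else a scan observes is a finding.
APPROVED_SERVICES = {
    "10.0.1.10": {(22, "tcp"), (443, "tcp")},
    "10.0.1.20": {(22, "tcp"), (443, "tcp")},
}

# Constructed scan output in the shape scanners commonly export (host -> observed services).
SCAN_RESULTS = {
    "10.0.1.10": [
        {"port": 22, "proto": "tcp", "service": "ssh"},
        {"port": 443, "proto": "tcp", "service": "https"},
        {"port": 3389, "proto": "tcp", "service": "ms-wbt-server"},
    ],
    "10.0.1.20": [
        {"port": 443, "proto": "tcp", "service": "https"},
        {"port": 161, "proto": "udp", "service": "snmp"},
    ],
    # A host that appears in the scan but has no approved baseline entry at all.
    "10.0.1.30": [
        {"port": 80, "proto": "tcp", "service": "http"},
    ],
}


def cvss_severity(score: float) -> str:
    """Map a CVSS v3.x base score to its qualitative rating.

    Ranges follow the CVSS v3.1 specification: None 0.0, Low 0.1-3.9,
    Medium 4.0-6.9, High 7.0-8.9, Critical 9.0-10.0.
    """
    if not 0.0 <= score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {score}")
    if score == 0.0:
        return "None"
    if score < 4.0:
        return "Low"
    if score < 7.0:
        return "Medium"
    if score < 9.0:
        return "High"
    return "Critical"


def unapproved_services(scan: dict, baseline: dict) -> list:
    """Return one finding per observed service that the baseline does not permit."""
    findings = []
    for host, services in sorted(scan.items()):
        allowed = baseline.get(host)
        for svc in services:
            key = (svc["port"], svc["proto"])
            if allowed is None:
                reason = "host has no approved baseline"
            elif key not in allowed:
                reason = "service not approved for this host"
            else:
                continue  # observed service matches the baseline
            findings.append({
                "host": host,
                "port": svc["port"],
                "proto": svc["proto"],
                "service": svc["service"],
                "reason": reason,
            })
    return findings


def missing_services(scan: dict, baseline: dict) -> list:
    """Return (host, port, proto) triples the baseline expects but the scan did not see.

    A missing approved service is not a vulnerability, but it is a sign the scan
    was incomplete (blocked by a firewall, wrong credentials, host down) and should
    be investigated before the report is trusted.
    """
    missing = []
    for host, allowed in sorted(baseline.items()):
        seen = {(s["port"], s["proto"]) for s in scan.get(host, [])}
        for port, proto in sorted(allowed - seen):
            missing.append((host, port, proto))
    return missing


if __name__ == "__main__":
    for f in unapproved_services(SCAN_RESULTS, APPROVED_SERVICES):
        print(f"{f['host']}:{f['port']}/{f['proto']} ({f['service']}): {f['reason']}")
    print("missing approved services:", missing_services(SCAN_RESULTS, APPROVED_SERVICES))
    print("CVSS 9.8 ->", cvss_severity(9.8))
```

Keeping the approved baseline as data the scanner does not own is the point: the scan tells you what is reachable, and only a separately maintained baseline can say whether that was intended.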

Requirement 3.12.1: Periodically assess security controls to determine effectiveness and satisfy security requirements. Once security controls are implemented, further assessment helps ensure safeguards and countermeasures are providing effective control across targets. Documentation through formal reports will provide the right level of technical information. Taking the concept further, Requirement 3.12.2 mandates the development and implementation of an action plan to mitigate vulnerabilities and meet security requirements.

Requirement 3.12.3: The continuous monitoring of security controls is fundamental to ensuring continued effectiveness. Develop a continuous monitoring program to facilitate awareness of vulnerabilities and threats and drive informed risk management decisions. Automated tools make it much easier and faster to push updates to firmware, hardware, software, and other systems.

Requirement 3.14.1: With this requirement, the focus is on timely identification, reporting, and correction of system flaws. Take advantage of state-of-the-art tools, security assessments, vulnerability scans, continuous monitoring, incident response activities, and error handling across your software and systems.


How often should vulnerability scans be run according to NIST SP 800-171?

NIST SP 800-171 suggests “periodic” vulnerability scanning in organizational systems and applications. While that’s vague, industry best practices suggest performing them every 72 hours at a minimum and more often if the tools used are capable of doing so and the scope of your network and support resources allow for it.

Every time you discover new vulnerabilities affecting your systems and applications, it’s time for another vulnerability scan to detect and deter any threats or attacks.

It’s smart practice to record any vulnerabilities you identify in a plan of action and milestones (POA&M) document. This allows you to assign responsibility and a schedule for remediation. And, in cases where you have a critical application that uses outdated code, you may have to accept the associated vulnerability until the application can be replaced. It’s all a matter of balancing risk and opportunity ahead.
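The three points above (a scan at least every 72 hours, a POA&M with an owner and a schedule per finding, and a documented risk acceptance for the application you cannot patch yet) can be checked mechanically. The script below is an added example for this article, not code from the article, from DTS, or from NIST: it turns scanner-ranked findings into POA&M entries with due dates, records accepted risks with their justification, and reports which hosts are overdue for a scan and which entries are past their deadline. NIST SP 800-171 prescribes no remediation deadlines, so the per-severity table is an assumed organizational policy; the findings, hosts, timestamps and CVE placeholders are constructed sample data.

```python
"""Build POA&M entries from scan findings and check scan and remediation deadlines.

Added example; not code from the article, from DTS, or from NIST. The SLA table
is an assumed policy, and all findings, hosts and timestamps are constructed.
"""
from datetime import datetime, timedelta, timezone

# Assumed organizational policy: days allowed to remediate a finding of each severity.
REMEDIATION_SLA_DAYS = {"Critical": 7, "High": 30, "Medium": 90, "Low": 180}

# Scan cadence from the article: at least once every 72 hours.
SCAN_INTERVAL = timedelta(hours=72)

# Constructed findings as a scanner report ranks them. CVE ids are placeholders.
SCAN_FINDINGS = [
    {"id": "F-001", "host": "10.0.1.10", "cve": "CVE-PLACEHOLDER-1", "severity": "Critical",
     "title": "unpatched web server", "owner": "platform-team"},
    {"id": "F-002", "host": "10.0.1.10", "cve": "CVE-PLACEHOLDER-2", "severity": "High",
     "title": "outdated TLS library", "owner": "platform-team"},
    {"id": "F-003", "host": "10.0.1.20", "cve": "CVE-PLACEHOLDER-3", "severity": "Medium",
     "title": "legacy billing application runtime", "owner": "finance-it"},
    {"id": "F-004", "host": "10.0.1.30", "cve": None, "severity": "Low",
     "title": "verbose server banner", "owner": "platform-team"},
]

# Constructed risk acceptances: finding id -> documented justification. This is the
# "critical application that uses outdated code" case from the article.
ACCEPTED_RISKS = {
    "F-003": "billing app cannot be patched; replacement scheduled, network isolation in place",
}

# Constructed scan timestamps per host and a fixed reference time for the checks.
OPENED_ON = datetime(2024, 1, 1, tzinfo=timezone.utc)
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)
LAST_SCAN = {
    "10.0.1.10": datetime(2024, 1, 9, 12, tzinfo=timezone.utc),  # 12 h ago
    "10.0.1.20": datetime(2024, 1, 6, tzinfo=timezone.utc),      # 96 h ago: overdue
    "10.0.1.30": datetime(2024, 1, 7, tzinfo=timezone.utc),      # exactly 72 h: still in window
}


def build_poam(findings: list, accepted_risks: dict, opened_on: datetime) -> list:
    """Create one POA&M entry per finding: open with a due date, or risk accepted."""
    entries = []
    for f in findings:
        entry = {"finding": f["id"], "host": f["host"], "cve": f["cve"],
                 "severity": f["severity"], "owner": f["owner"], "opened": opened_on}
        if f["id"] in accepted_risks:
            # Accepted risk still lives in the POA&M, with the justification on record.
            entry.update(status="risk accepted", due=None,
                         justification=accepted_risks[f["id"]])
        else:
            days = REMEDIATION_SLA_DAYS[f["severity"]]
            entry.update(status="open", due=opened_on + timedelta(days=days),
                         justification=None)
        entries.append(entry)
    return entries


def overdue_scans(last_scan: dict, now: datetime, interval: timedelta = SCAN_INTERVAL) -> list:
    """Hosts whose most recent scan is older than the required interval."""
    return sorted(host for host, ts in last_scan.items() if now - ts > interval)


def overdue_remediations(entries: list, now: datetime) -> list:
    """Finding ids of open POA&M entries whose due date has passed."""
    return [e["finding"] for e in entries if e["status"] == "open" and e["due"] < now]


if __name__ == "__main__":
    poam = build_poam(SCAN_FINDINGS, ACCEPTED_RISKS, OPENED_ON)
    for e in poam:
        due = e["due"].date() if e["due"] else "n/a"
        print(f"{e['finding']} {e['severity']:<8} {e['owner']:<14} {e['status']:<13} due {due}")
    print("hosts overdue for a scan:", overdue_scans(LAST_SCAN, NOW))
    print("findings past due:", overdue_remediations(poam, NOW))
```

Two details matter for an assessor: the accepted-risk finding stays in the POA&M rather than disappearing from the report, and the cadence check compares against the host's last completed scan, so a host that silently dropped out of the scan scope shows up as overdue instead of as clean.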

At DTS, we work closely with our government and industry clients to strike the right balance to achieve the right level of cyber security. We bring years of experience and superior knowledge to help organizations stay ahead of cyber threats and protect their privacy. Connect with us today for your free Cybersecurity Assessment.
