How to Use OSSEC to Comply With NIST 800-171, A Real-World Use Case
Written By Paul Veeneman, CISSP, CISM, CRISC, CMMC-RP
During the Atomicorp OSSEC Conference 2021, Paul Veeneman, CISSP, CISM, CRISC, CMMC-RP, described how he solves audit and accountability (AU) control and other compliance challenges in NIST 800-171.
Complying With NIST-800-171
NIST 800-171 provides guidance to federal agencies to safeguard controlled unclassified information (CUI), and seeks to establish a unified policy for all agencies to follow for data sharing and transparency.
NIST 800-171 is a subset of the NIST 800-53 federal government and critical infrastructure requirements. It also serves as the regulatory and security framework for the 2019 Defense Acquisition Regulations Supplement (DFARS), which covers the safeguarding of defense information as well as cyber incident reporting. NIST requires Department of Defense contractors and sub-contractors of federal agencies to adhere to 14 practice domains and 110 objectives.
These practice domains include:
- Access control
- Awareness and training
- Audit and accountability
- Configuration management
- Identification and authorization
- Incident response
- Maintenance
- Media protection
- Personnel security
- Physical protection
- Risk management
- Security assessment
- Systems and communications
- Systems integrity
There are also CMMC (Cybersecurity Maturity Model Certification) cyber hygiene levels to achieve and maintain, with Level 3 requiring that all NIST 800-171 controls be met. If you’re a defense contractor or sub-contractor, you’re going to want to know what these CMMC levels entail and how to attain them. DFARS 7019 and 7020 call for additional controls, and with Atomic OSSEC, we’ve gone a little bit beyond CMMC Level 3 and NIST 800-171 to support (and provide evidentiary information toward) an additional 20 practices in good cyber hygiene, including:
- Audit and accountability – 9 control requirements:
  - Audit process and tools
  - Non-repudiation of users
  - Review and update of events
  - Audit process failure alert
  - Audit information correlation
  - Audit record reduction/ad hoc
  - Audit information integrity
  - Audit information protection
  - Audit management access
Solving AU Controls With Atomic OSSEC: Audit process and tools
To address NIST and other security and compliance requirements, you need an audit and processing-rules platform in place, typically called a SIEM (security information and event management) tool. Atomic OSSEC is outfitted with a selectable NIST 800-171 compliance management feature. It provides the audit logging, tracking, traceability, reporting, monitoring, and management needed to meet NIST 800-171 requirements:
- Host-based intrusion detection (HIDS)
- File integrity monitoring (FIM)
- Active response alerting
- Integrated threat intelligence
- Compliance audit and reporting
- More than 5,000 preconfigured rules
- GUI-based management
- Intuitive dashboards
Solving AU Controls With Atomic OSSEC: Non-repudiation (3.3.2)
Organizations need non-repudiation of accounts within the information system or contractor information system to address NIST 800-171. Non-repudiation [NIST Control Spec No. 3.3.2] consists of an assurance of a valid, authorized sender. Basically, it entails proof of delivery and proof of sender identity. Together with information protection [3.3.8] and management access [3.3.9], it represents a key capability needed in meeting NIST 800-171.
Audit logging and audit information are vital components of threat identification, mitigation, and resolution. The integrity of that information, and the security of access control to the audit logging system, are paramount, and need to be taken all the way down to the account identifier level. As I like to tell clients and contractors, the ability to put Professor Plum in the library with the wrench is key and that’s what non-repudiation all comes down to. Atomic OSSEC addresses these risks to the central audit authority by providing granular management access roles and responsibilities, with integration of 2-Factor Authentication with industry leaders, YubiKey and Google.
Solving AU Controls With Atomic OSSEC: Audit review and update [3.3.3]
Atomic OSSEC ingests, parses, and monitors security log event data for threats, suspicious activity, and risks to the enterprise information systems that are critical to business processes and production operation.
As mentioned earlier, NIST SP 800-171 compliance reporting is a selectable option within the configuration of Atomic OSSEC. Active alerting and automated report generation ensure the SP 800-171 compliance information is in the hands of administrators, practitioners, stakeholders, and decision makers when it’s needed most. Atomic OSSEC also provides vulnerability threat dashboards and compliance reporting dashboards that we use.
You can also use Atomic OSSEC to automate SCAR and vulnerability reporting. SCAR, in this case, stands for STIG Compliance Automation Repository, where a STIG is a security technical implementation guide for meeting a standard or regulation. Atomic OSSEC provides automation and other functionality here, enabling the organization to give stakeholders the rollup of information they need when they need it.
Solving AU Controls With Atomic OSSEC: Fast data correlation
You also want to be able to meet NIST 800-171 requirements for correlation [3.3.6], ad-hoc reduction [3.3.6], and Network Time Protocol (NTP) internal/external sources [3.3.7].
Audit logging can accumulate vast amounts of data. When volumes can reach 10 TB or more a day, you need automation to analyze this data across all platforms and systems, reduce noise (including false positives), and do so in a timely fashion.
Atomic OSSEC enables an enterprise to triage and conduct response reporting, allowing administrators to demonstrate agile compliance capabilities.
Audit Process Failure Alerting: Murphy’s Law
Murphy’s Law… When you need that audit and logging data most, there’s the potential for a service, application, or system failure. Atomic OSSEC has multiple functions and features to mitigate that risk. Critical systems, such as the central audit authority, demand redundancy and high availability. Atomic OSSEC provides this defense-in-depth capability, meeting and exceeding the audit process failure compliance requirements.
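One way to turn the audit process failure requirement into a concrete OSSEC alert, as an added example that is not Atomicorp's shipped ruleset: a local_rules.xml fragment that escalates OSSEC's built-in agent-disconnect rule (504) and adds a rule for auditd shutting down on a monitored host. The local rule id 100100, the alert levels and the group names are my choices; the auditd message text is what auditd writes to syslog when it exits.

```xml
<!-- local_rules.xml fragment (added example, not from the original page).
     Goal: when an audit source stops reporting, raise a high-level alert
     instead of the default informational one. -->
<group name="local,audit_failure,nist_800_171_3.3.4,">

  <!-- OSSEC's built-in rule 504 fires at level 3 when an agent stops
       reporting. overwrite="yes" keeps the id and match condition but raises
       the level so loss of an audit source is treated as a serious event. -->
  <rule id="504" level="12" overwrite="yes">
    <if_sid>500</if_sid>
    <match>Agent disconnected</match>
    <description>Audit source lost: OSSEC agent disconnected (NIST 800-171 3.3.4).</description>
    <group>audit_failure,</group>
  </rule>

  <!-- Local rule (ids 100000-119999 are reserved for local rules).
       auditd logs "The audit daemon is exiting." on shutdown; alert_by_email
       forces a mail notification regardless of the global email threshold. -->
  <rule id="100100" level="12">
    <program_name>auditd</program_name>
    <match>The audit daemon is exiting</match>
    <description>Audit source lost: auditd stopped on host (NIST 800-171 3.3.4).</description>
    <options>alert_by_email</options>
    <group>audit_failure,</group>
  </rule>

</group>
```

Because local_rules.xml is loaded after the stock rules, the overwrite of 504 takes effect without editing ossec_rules.xml; the audit_failure group tag makes these alerts easy to filter into a compliance report.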
Atomic OSSEC Benefits Beyond AU Controls
Beyond Audit and Accountability (AU), there are 13 practice domains, and 101 controls within the NIST 800-171 compliance and security framework. Atomic OSSEC provides the audit logging and reporting capabilities to supply the evidence for most NIST SP 800-171 requirements, including the implementation of required security controls, policies, and processes used in protecting CUI. Meanwhile, the robust audit functionality has reduced overall compliance costs and time…