What is the NIST SP 800-46 framework?
The National Institute of Standards and Technology (NIST) is a non-regulatory agency of the US Department of Commerce. It develops measurement standards and technical guidelines, including the Special Publication (SP) 800 series on computer security, which federal agencies are required to follow under the Federal Information Security Modernization Act (FISMA).
NIST SP 800-46 (Revision 2), the Guide to Enterprise Telework, Remote Access, and Bring Your Own Device (BYOD) Security, helps organizations of all sizes and sectors protect their IT systems and data from the security threats that come with telework and remote access, including the use of employee-owned (BYOD) devices.
Outside the federal government, following NIST SP 800-46 is not mandatory, but it is widely considered good practice, because telework and remote access technologies are exposed to external threats that systems reachable only from inside the enterprise network do not face.
The guide recommends deploying some or all of the following security measures:
- Planning and implementing telework security policies, including tiered levels of remote access based on the type and trust level of the client device
- Requiring multi-factor authentication for enterprise remote access
- Securing client-side data and communications by ensuring the devices use validated (for example, FIPS 140-validated) encryption
- Keeping remote access servers securely configured and patched
- Securing all types of telework client devices, including desktop and laptop computers, tablets and smartphones, against common threats
What are the requirements for NIST 800-46?
NIST SP 800-46 is a collection of guidelines and recommendations for improving the security of an organization's IT systems and data against the threats that come with telework and remote access technologies.
A few examples are as follows:
- Develop telework-related security policies and procedures on the assumption that the external environment contains hostile threats
- Assume that communications over external networks, which the organization does not control, are susceptible to eavesdropping, interception and modification
- Assume that telework client devices will be exposed to malware and may become infected
- Create a telework security policy that defines the requirements for remote access, telework and BYOD
- Make risk-based decisions about which types of telework client devices are allowed which levels of remote access
- Ensure that remote access servers are properly secured and configured to enforce the telework security policy
- Evaluate the security and network placement of remote access servers
- Protect organization-controlled telework client devices against common threats and maintain their security on an ongoing basis
- Ensure that all telework client devices, including desktop and laptop computers, smartphones and tablets, are secured
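The tiered remote access and risk-based device decisions listed above can be made concrete as a small policy engine. The following is an added example, not text or code from NIST SP 800-46 or from any vendor product; the tier names, the posture attributes a remote access server is assumed to know about the client, and the specific rules are all assumptions chosen for illustration. The design point it shows is deny-by-default with caps: no attribute ever raises the tier above the ceiling for the device class, and failing a prerequisite (MFA, validated encryption) yields no access at all rather than a reduced tier.

```python
"""Added example (not from NIST SP 800-46): tiered remote access decision.

Tier names, posture attributes and rules are assumptions for illustration.
The engine is deny-by-default: a posture must satisfy every prerequisite
of a tier, and attributes can only cap the tier, never raise it above the
ceiling set by the device class.
"""
from dataclasses import dataclass
from enum import IntEnum


class Tier(IntEnum):
    """Assumed access tiers, ordered from least to most privileged."""
    DENY = 0         # no remote access
    WEB_ONLY = 1     # browser-based access to email and collaboration tools only
    APP_ACCESS = 2   # named internal applications through a remote access server
    FULL_VPN = 3     # network-layer access to internal resources


@dataclass(frozen=True)
class ClientPosture:
    """Attributes the remote access server is assumed to obtain about the client."""
    device_class: str        # "org_controlled", "byod" or "third_party"
    mfa_passed: bool         # user completed multi-factor authentication
    validated_crypto: bool   # tunnel and stored data use validated encryption
    patched: bool            # OS and security agent current per policy
    disk_encrypted: bool     # full-disk encryption enabled (loss/theft mitigation)


KNOWN_CLASSES = {"org_controlled", "byod", "third_party"}


def decide_tier(p: ClientPosture) -> tuple[Tier, list[str]]:
    """Return the highest tier this posture may receive and the reasons that capped it."""
    # Prerequisite 1: MFA for any remote access. Failing it is a hard deny,
    # not a reduced tier, so a stolen password alone never yields access.
    if not p.mfa_passed:
        return Tier.DENY, ["multi-factor authentication not completed"]
    # Prerequisite 2: external networks are assumed hostile, so a session
    # without validated encryption is treated as eavesdroppable and refused.
    if not p.validated_crypto:
        return Tier.DENY, ["no validated encryption on the client or tunnel"]
    if p.device_class not in KNOWN_CLASSES:
        return Tier.DENY, [f"unknown device class {p.device_class!r}"]

    # Ceiling per device class: the organization can vouch for its own
    # devices, less for BYOD, and not at all for third-party hardware.
    if p.device_class == "third_party":
        return Tier.WEB_ONLY, ["third-party device limited to web-only access"]
    reasons: list[str] = []
    tier = Tier.FULL_VPN
    if p.device_class == "byod":
        tier = Tier.APP_ACCESS
        reasons.append("BYOD device capped at application access")

    # Hygiene attributes only ever lower the tier (min), never raise it.
    if not p.patched:
        tier = min(tier, Tier.WEB_ONLY)
        reasons.append("client not patched: capped at web-only access")
    if not p.disk_encrypted:
        tier = min(tier, Tier.WEB_ONLY)
        reasons.append("no disk encryption: capped at web-only access")
    return tier, reasons


def evaluate_all(postures: list[ClientPosture]) -> list[tuple[Tier, list[str]]]:
    """Decide a tier for each posture in a batch (for audit or policy review)."""
    return [decide_tier(p) for p in postures]


if __name__ == "__main__":
    # Constructed sample postures, not real telemetry.
    samples = [
        ClientPosture("org_controlled", True, True, True, True),
        ClientPosture("byod", True, True, True, True),
        ClientPosture("org_controlled", True, True, False, True),
        ClientPosture("byod", False, True, True, True),
        ClientPosture("third_party", True, True, True, False),
    ]
    for posture, (tier, reasons) in zip(samples, evaluate_all(samples)):
        print(f"{posture.device_class:15} -> {tier.name:10} {'; '.join(reasons)}")
```

A useful property to verify when adapting this: swapping the order of the cap checks must not change the result, which holds here because every cap is a `min` against a fixed tier rather than an assignment.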
Why should you be NIST 800-46 compliant?
Following NIST SP 800-46 is strongly advised but, for private organizations, not required. It matters because telework and remote access technologies often need additional security: unlike systems that can only be reached from inside the enterprise, they are directly exposed to external threats. The main security concerns associated with telework and remote access include the following:
- Lack of physical security controls. Telework client devices are used in many locations outside the organization's control, such as employees' homes, cafes and other businesses. Because they are mobile, they are more likely to be lost or stolen, putting the data stored on them at risk
- Use of unsecured networks. Almost all remote access occurs over the internet, so the organization typically has no control over the security of the external networks its telework clients use
- Exposure of internal-only resources. Allowing external access to resources that were previously reachable only from inside, such as sensitive servers, exposes them to new threats and increases the likelihood of compromise. Every additional remote access path to an internal resource raises the risk that the resource is compromised
Furthermore, the COVID-19 crisis has presented businesses with innumerable challenges. With remote working becoming part of everyday reality, the cyber security challenge has grown significantly. In order to continue functioning, companies must facilitate working from home. At the same time, they must ensure that unsecured hardware, networks and devices do not become a cyber security 'Achilles heel'.
Once again, NIST SP 800-46 is not legally binding, and there is no obligation to adopt it. Nonetheless, there are plenty of good reasons to consider doing so. First and foremost, for your own security: if you are not sure where to start in assessing the cyber risk of remote working and adapting accordingly, NIST SP 800-46 is a key tool. In addition, with customer and investor confidence having taken a dip, businesses that follow the guide are better placed to win their trust.
For many businesses, cyber security may have taken something of a back seat until now. However, working conditions are unrecognizable from just a few short months ago and the business landscape is shifting. The time to consider, assess and act upon cyber risk is now. NIST SP 800-46 is a good starting point.
How to achieve compliance?
Companies are moving towards software solutions that provide both guidance on and execution of security policies. These solutions are designed to protect IT systems and data from the security threats associated with telework and remote access technologies, as security and threat risk management remain a top concern for organizations.
Centraleyes's risk management and compliance platform provides simplified, automated data collection and analysis, prioritized remediation guidance and real-time customized scoring to help companies meet the NIST SP 800-46 recommendations for protecting their IT systems and data. Centraleyes has mapped NIST SP 800-46 to its control inventory, so data collected for one framework can be reused across others on the platform, which saves time and money and supports more accurate data.
Using the Centraleyes integrated risk management platform for the NIST SP 800-46 requirements streamlines your remote access, network and system security management in a timely and cost-effective manner.