DriveLock helps US Defense suppliers to fulfill standards mandated by the Federal Government
U.S. companies seeking contracts from the U.S. Department of Defense (DoD) and other federal agencies are required to demonstrate strict IT security controls. The DoD imposes strict requirements on the data shared between it and contractors and their subcontractors. To protect this data from cyberattacks, the DoD has developed a comprehensive framework that contractors must demonstrate compliance certification. DriveLock’s cybersecurity modular platform enables manufacturing companies to meet the mandated NIST and new CMMC 2.0 requirements.
What certifications are involved?
NIST 800 Certification
NIST 800 frameworks are the overlying requirements for controls that are aligned with and mapped to CMMC 2.0.
The data exchanged by the Department of Defense with companies is called CUI (Controlled unclassified data) and they are specified in the NIST 800 document series. They cover the following:
- Critical Infrastructure Information
- Defense Information
- NATO restricted information
The NIST 800 document series describes in detail how these CUI data can be effectively protected. To meet NIST compliance, the requirements from the NIST 800-171 CUI Controls, 800-171B and NIST 800-53 documents must be met.
The DriveLock cybersecurity platform will assist your organization to meet these requirements.
CMMC 2.0 Model Certification
Cybersecurity Maturity Model Certification (CMMC) requires that companies entrusted with national security information to adhere to advanced cybersecurity standards and security controls which help protect data and information flow through to subcontractors. DriveLock can help lock down a vast majority of the controls despite recent changes in the CMMC standards, going from 5 to 3 levels despite the increasing amounts of controls.
Legacy operating systems in industry hinder successful certification
Many industrial PCs used as human-machine interfaces to industrial robots and equipment still have legacy versions of operating systems in use, which are vulnerable to many different security risks due to their age. These are “air gapped” meaning the devices are disconnected from the Internet, which hinders their full functionality of controlling machines requiring a secure connection to the Internet to reach their full functionality. In many situations manufacturing companies cannot fulfill NIST 800-171 or CMMC 2.0 cyber security requirements.
Cybersecurity Controls - This is where DriveLock comes in
DriveLock can help implement controls on these legacy assets while maintaining the old operating system versions so that their full functionality can be used when they are connected to the internet and office IT. DriveLock supports most major Linux distributions and extends back to Windows XP Service Pack 3. This allows companies to become NIST 800-x compliant.
DriveLock products support in the so-called NIST 800-171 Control Families such as "Awareness and Training", "Access Control", "Media Protection" - to name a few. The DriveLock Zero Trust platform solutions Application Control, Device Control and Security Awareness fulfill these requirements, and helps you maximize your machine environment to achieve the highest RoI.
DriveLock’s Device Control and Application Control includes Encyption-2-GO which hardens your organization’s devices against known and future malware and cyberattacks.
Use Case: Data flow from Controlled Unclassified Data (CUI) on removable media
In the case of removable media, such as USB devices, DriveLock can effectively whitelist each USB device to a user and an endpoint device such as a computer or manufacturing device. This can greatly reduce the chances of an insider threat and other forms of internally proliferated attacks. DriveLock can help establish formal processes and controls for handling USB and other removable media exceptions to protect CUI.
In the case of USB devices, the below list demonstrates how controls some of these can be met, yet this list is not exhaustive:
- Enforces users to only be able to use the USB on specific devices within the company
- Allows the user to access data on the USB on only company issued assets
- Allows logging and shadowing of files and file types going onto the USB device for better control, and the ability to build the chain of custody
- Encrypts all data on the USB device with FIPS compliant encryption to prevent CUI from being lost in the case of the device being lost
- Secure deletion allows CUI data to be sanitized after exception periods expire for the USB device, making CUI arduously more difficult to restore
- Exceptions can be granted for users for set periods of time which is automatically enforced by the DriveLock agent
Download our free whitepaper "Cyber Security in Operational Technology / IIoT".
For more information on DriveLock's support of CMMC and NIST certification, please see our flyer.