DFARS 252.204-7012 Security Requirement 3.12.4 requires contractors of the Department of Defense to create and regularly update a system security plan. This plan should describe the boundaries of your systems and the relationships between these systems.
What are system boundaries?
Cybersecurity was arguably a lot simpler before the age of cloud and mobile computing. Nearly all business data would be stored on-site on local servers and. workstations. This also meant that the only things that needed to be protected was the network, as well as any systems that would be used to transfer data off-site, such as email. As such, an organization’s cybersecurity systems would be defined by a perimeter, behind which everything would be protected using multiple layers of security.
Today, it is common to have most systems hosted in the cloud. Workstations in the office are no longer the main access points, since employees regularly use laptops and mobile devices to work from home or on the move. Often, these devices belong to employees as well, which presents additional challenges when it comes to establishing or maintaining security controls. Due to these highly distributed computing environments, businesses must rethink perimeter security as individual nodes, such as end user devices, all of which have their own boundaries.
How to map out your network
The NIST 800-171 framework, upon which DFARS 252.204-7012 is based, requires you to identify and prioritize critical systems and services, including all those that store, process, or transmit controlled unclassified information (CUI).
This process begins with building a complete inventory of your data-bearing assets, including both physical and virtual resources. You will then need to assign a risk score to each one, as this will help you prioritize key security processes and systems.
|
Related article: What are the best ways to protect media and CUI? |
Today, most computing systems are software-defined, existing in the form of virtual machines hosted in remote data centers. These systems themselves must be protected behind multiple levels of security, such as strict access controls and encryption. However, easily the greatest challenge is securing the multitude of devices used to access these systems, such as mobile devices, laptops, workstations, and other endpoints. Many of these systems lie outside of what would normally be defined as the network perimeter. Moreover, many established businesses still have legacy systems as well, which also need protection.
The most efficient methodology for reviewing systems architectures according to NIST 800-171 is to focus on high-value services, ideally taking an outside-in approach. It is important to correctly determine how these high-value systems interact with others. For example, you need to know which users, devices, and applications have access to those systems. If a system or user account does not need access to certain data, then it should not have. Determining these relationships can help you uncover many opportunities to bolster your security.
How to identify your system boundaries
The highly diverse nature of today’s computing environments can make it difficult to determine where boundaries actually lie. Regulatory requirements play a major role in correctly defining a system boundary, although most, including NIST 800-171, are fairly vague in their approach. For example, NIST describes a system boundary as ‘a set of information resources allocated to an information system’. Other compliance regimes have a much more rigid definition.
You will likely need to define multiple system boundaries. In theory, the largest boundaries are the entire operating environment, including directory services, email, and shared devices. The problem here is that these boundaries are simply too large and complex to protect as one. On the other hand, defining boundaries that are too small might exclude critical dependencies that together might have a direct impact on the availability, integrity, and security of your data.
Correctly identifying system boundaries is essential for figuring out which controls are needed and how they are to be implemented. This will also help you eliminate single points of failure such as, for example, a device that has unlimited access to critical resources when it does not need to.
The most effective way to strengthen your boundaries is to establish perimeters for individual systems and those that are deeply interconnected. For example, a cloud-hosted system that stores data on its own servers exists as a completely separate physical and logical entity from another application that is hosted in another cloud environment or locally. However, there may also be situations where these two disparate systems still need to share data, in which case your will also want to establish a wider boundary around them, as well as the security controls necessary to protect these assets.
Charles IT helps you achieve the highest standards of information security through adherence to the NIST 800-171 framework. Get in touch today to schedule your first gap assessment!