Signing up for CISA alerts can jump start your NIST compliance efforts
Implementing NIST SP 800–171 as a small business can feel like standing at the foot of Mount Everest with no climbing gear and no map. After all, with 110 security controls and 320 individual assessment criteria, many may feel quite unprepared!
Sometimes the first step is the hardest, but it doesn’t have to be. Let me join you on your walk through Namche Bazaar to find the equipment you need to begin your ascent.
Compliance with NIST SP 800–171, 3.14.3
As you begin your NIST expedition, let’s take a look at one control you can put in place today.
3.14.3 Monitor system security alerts and advisories and take action in response.
-NIST SP 800–171 Rev. 2
Step 1: Sign up for security alerts
Determine if: 3.14.3[b] system security alerts and advisories are monitored.
-NIST SP 800–171A
Agencies like Cybersecurity & Infrastructure Security Agency (CISA) provide security advisories and alerts.
Consider signing up for one of the following and reviewing it on a regular schedule. But be careful not to sign up for too many or you’ll get paralyzed by information overload.
CISA and US-CERT: https://us-cert.cisa.gov/mailing-lists-and-feeds (scroll to the bottom of the page and enter your email address to customize the alerts you receive)
Microsoft: https://msrc.microsoft.com/update-guide
NIST National Vulnerability Database: https://nvd.nist.gov/
Step 2: Have a plan of action
Many companies will complete Step 1 but have no plan in place for what to do if an alert affects them.
Determine if: 3.14.3[a] response actions to system security alerts and advisories are identified.
-NIST SP 800–171A
Create a simple document outlining:
the alerts you signed up for.
the frequency you will review these alerts (e.g., immediately upon receiving, weekly, monthly, etc.).
the stakeholders you will notify of a relevant alert.
the actions you will take when an alert affects any of your systems or software.
Step 3: Implement your plan of action
Now that you’re monitoring security alerts and have a plan, it’s time to put that plan into action.
Determine if: 3.14.3[c] actions in response to system security alerts and advisories are taken.
-NIST SP 800–171A
Make sure your team knows what to do and who to contact when a security alert requires a change to your systems or software. Actions may include:
installing patches
making system configuration changes
adjusting system architecture
modifying your processes, among other actions
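The three steps above, as an added worked example that is not from the original post: a small Python script that parses an advisory feed of the shape CISA publishes, keeps only the items that name software in your inventory, and attaches the stakeholder and response action from your Step 2 plan. The feed sample, product names, addresses and actions are constructed placeholders.

```python
import xml.etree.ElementTree as ET
from dataclasses import dataclass

# Constructed RSS sample with the shape of a CISA-style feed; vendor and
# product names are placeholders, not real advisories.
SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
  <item><title>ExampleVendor Releases Security Update for ExampleVPN</title>
        <link>https://example.invalid/advisory/1</link>
        <pubDate>Mon, 01 Jan 2024 09:00:00 GMT</pubDate></item>
  <item><title>OtherCorp Patches OtherRouter Firmware</title>
        <link>https://example.invalid/advisory/2</link>
        <pubDate>Mon, 01 Jan 2024 10:00:00 GMT</pubDate></item>
</channel></rss>"""

# Constructed inventory, i.e. the Step 2 plan expressed as data:
# product keyword -> (stakeholder to notify, planned response action).
INVENTORY = {
    "examplevpn": ("network-team@example.invalid", "install vendor patch within 7 days"),
    "examplecrm": ("app-owner@example.invalid", "apply vendor configuration change"),
}

@dataclass
class TriageRecord:
    title: str
    link: str
    published: str
    product: str
    notify: str
    action: str

def parse_feed(xml_text):
    """Return (title, link, pubDate) for each <item> in an RSS 2.0 feed (3.14.3[b])."""
    root = ET.fromstring(xml_text)
    return [(i.findtext("title", ""), i.findtext("link", ""), i.findtext("pubDate", ""))
            for i in root.iter("item")]

def triage(items, inventory):
    """Keep advisories that name a product we run and attach the stakeholder
    and response action the plan assigns to it (3.14.3[a])."""
    records = []
    for title, link, published in items:
        for product, (notify, action) in inventory.items():
            if product in title.lower():
                records.append(TriageRecord(title, link, published, product, notify, action))
    return records

if __name__ == "__main__":  # 3.14.3[c]: each printed record is an action to carry out
    for r in triage(parse_feed(SAMPLE_FEED), INVENTORY):
        print(f"{r.published}: notify {r.notify}; {r.action} -- {r.title}")
```

Pointing `parse_feed` at a real feed fetched on your chosen review schedule turns the printed records into the evidence an assessor will ask for under 3.14.3.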
Following these steps will not only ensure that you are implementing control 3.14.3, but will also increase your awareness of and preparedness for a potential security incident.