Case Study 1: Federal Contractor

In 2017, RIS engaged with a contractor providing services to the federal government. The work performed by the contractor included handling of controlled-unclassified information, or "CUI". The government, in turn, was tightening requirements on the handling of CUI in non-federal systems. As such, NIST Special Publication 800-171 was promulgated. This SP provides for security controls selected from NIST Special Publication 800-53.

RIS performed an initial assessment of the existing information security and privacy controls in place. An initial request for "provided by customer" documents demonstrated opportunities to formalize and mature existing practices. One key source of information for both RIS and the customer was the creation of data flow diagrams. Building the data flow diagrams began with a process discussion with the customer.

The resulting information was used to identify the information systems in scope for the NIST 800-171 assessment. Perhaps equally important was the identification of out-of-scope information systems: a reduced scope lowers the expense and complexity of the assessment effort. A secondary product of the data flow diagram creation was business process documentation. While BPMN diagrams proved too much of an ask, narrative-style documentation was produced.

In this assessment, RIS identified several key areas where improvements were urgently needed. RIS collaborated with the customer on 17 distinct control families, targeting vulnerabilities often overlooked by small organizations. One such vulnerability is in the area of access and authorization. Small teams, especially those with low turnover, may not perceive the need for rigorous access controls because everyone knows each other. Similarly, RIS noted gaps in the customer's business continuity and disaster recovery plans; the absence of past disruptions may have led to a failure to recognize these risks. RIS also introduced the concept of ongoing risk management, a new approach for the business. Given the constraints of time and resources common to all businesses, the control recommendations were tailored to be practical and actionable.

In summary, RIS successfully brought the customer into compliance by implementing a blend of administrative controls and third-party services. This involved using a managed-services provider for end-user device management, conducting vulnerability scans, and activating endpoint detection and response services. Additionally, RIS updated the organization's existing policies and procedures. These guidelines are drawn from respected government and industry standards providers such as NIST, CSRC, ISACA, and (ISC)2. RIS continues to maintain an ongoing relationship with the customer, ensuring they adhere to the newly implemented processes and offering ongoing security training.


Copyright 2024 RIS