FileCloud NIST 800-171 Compliance Guide · Regulation Supplement (DFARS) minimum security standards...

NIST800-171ComplianceGuide

Note:Thiswhitepaperisintendedtoprovideanoverviewandisnotintendedtoprovidelegaladvice.Formorecomprehensiveinformationonregulationsandtheirimplications,pleaseconsultyourlegalcounsel.

WWW.GETFILECLOUD.COM

FileCloud

Introduction

TheU.S.governmentrequiresfederalcontractorstocomplywiththeNIST800-171securitystandardtoensurethesecurityofControlledUnclassified

Information(CUI)innon-federalsystemsandorganizations.

InadditiontogeneralrequirementsforcontractorstocomplywithNIST800-

171,theU.S.DepartmentofDefense (DoD)mandatesthatallDODcontractorsthatprocess,storeortransmitCUI“meettheDefense FederalAcquisition

RegulationSupplement(DFARS)minimumsecuritystandardsbyDecember31,

2017orrisklosingtheirDoDcontracts.”CompliancewithNIST800-171enablescontractorstomeetthoseminimumDFARSsecuritystandards.This

documentexplainshowCodeLathe’s product,FileCloud Server,canbeusedtomanagetheCUIinnon-federalsystemsandorganizations.

CUIisdefinedasacategoricaldesignationthatreferstounclassifiedinformationthatdoesnotmeetthestandardsforNationalSecurity

ClassificationunderExecutiveOrder12958,asamended,butis(i)pertinenttothenationalinterestsoftheUnitedStatesortotheimportantinterestsof

entitiesoutsidethefederalgovernment,and(ii)underlaworpolicyrequires

protectionfromunauthorizeddisclosure,specialhandlingsafeguards,orprescribedlimitsonexchangeordissemination.

FileCloud Serverisahighlyscalable,self-hostedEnterpriseFileSharingand

Syncsolution(EFSS).TheUniquesellingpropositionofFileCloud are:total

controlofanorganization’sdata,completesecurity,unparalleledbrandingoptions,andexcellentuserexperience.Security,privacy,anddataownership

isfundamentaltoFileCloud’s securityarchitecture.FileCloud securitystartswith256-bitAdvancedEncryptionStandard(AES)SecureSocketsLayer(SSL)

encryptionatrest,two-factorauthentication,SSO(singlesign-on),granular

userandfilesharingpermissions,clientapplicationsecuritypolicies,automaticanti-virusscanningoffileswhenuploading,unlimitedfileversioning,file

locking,endpointdeviceprotection,andcomprehensiveHIPAAcompliantaudittrail.FileCloud alsousesFIPS140-2validatedcryptomoduleforallits

cryptooperations(encryptingdataatrestandintransit).WithFileCloud,you

canberestassuredthatCUIdataiswellprotectedonyourservers.FileCloudprovidesavarietyofdeploymentoptions:PrivateCloud(behindfirewalland

proxy)andPublicCloud(AWSorAzureGov Cloud).

FeaturesofFileCloud Server

• Accessandsyncallyourfilesonallyourdevices

• Sharefilestointernalandexternalusers

• MountyourremotefilesasalocaldriveonWindowsandMacOS

• Integratemobileapps,Outlook,andOfficeAdd-ons

• SetupTeamFoldersaroundprojectsordepartmentalneedsandallowbothemployeesandpartnerstosecurelyaccesstheirfilesfromanywhere

• WhiteLabelSolution- Canbebrandedforyourorganization

• Unlimitedfileversioningandrecyclebinsupport

• Versatile,granularfolderpermissionstomimicanykindoffileshareandpermissionshierarchy

• Ensureappropriatelevelofaccessforeveryuserbyassigningindividualfolderlevelpermissions

• AdministratorscanmanagealldevicesaccessingFileCloud dataandmonitorsuspiciousactivitiesinrealtime

• Incaseofanysuspiciousactivity,administratorscanselectivelyblockdevicesorpermanentlyremoveusersfromaccessingthedata

• Completedatasecurity,ownership,andtotalprivacy

• DetailedAuditTrail(What,When,Who,Where,andHow)

• DLP- FileCloud’s uniquecapabilitiestomonitor,prevent,andfixdataleakageassurescorporatedataisprotectedacrossallyourdevices(Laptops,Desktops,SmartphonesandTablets).

• Governance:FileCloud’s detailedactivitylogs,connecteddevicesinventory,andaccesslogsprovidealltherighttoolstosatisfyanydatacomplianceneeds.

• Ransomwareprotection,workflowautomation,federatedsearch,adminreports,metadatasystem,policymanagementcapabilitiesandmore….

ThefollowingtablemapstheNIST800-171requirementstoFileCloudServerthatishostedbyyouinyourprivatecloudorpubliccloudinfrastructurelikeAWSorAzureGovCloud.

NIST800-171Requirement Details HowFileCloud ServerSupportsNIST800-171Compliance

Limitinformationsystemaccesstoauthorizedusers,processesactingonbehalfofauthorizedusers,anddevices(includingothersystems).

TheFileCloud platformprovidescomprehensiveaccesscontrolsanddevicemanagementcapabilitiestomanageandaccesstheCUI.

Limitinformationsystemaccesstothetypesoftransactionsandfunctionsthatauthorizedusersarepermittedtoexecute

FileCloud’s granularaccesspermissions(viewonly,download,upload,share,sync,anddelete)allowSystemadminstolimitauthorizeduseraccesstoCUI.

3.1.3ControltheflowofCUIinaccordancewithapprovedauthorizations.

FileCloud’s powerfulworkflowcapabilitiesprovidecontrolmechanisms(copy,move,delete,verifyintegrityandnotifyowners)tomanagetheflowofCUI.

3.1.4Separatethedutiesofindividualstoreducetheriskofmalevolentactivitywithoutcollusion.

TheFileCloud platformoffersRBAC,groups,andpowerfulpolicymanagementcapabilitiestoseparatethedutiesofindividualswhowillbeusingtheFileCloudsystem.

Employtheprincipleofleastprivilege,includingforspecificsecurityfunctionsandprivilegedaccounts.

FileCloud’s role,group,andpolicy-basedaccessmanagementcapabilitiesallowsystemadministratorstodefineaccesspoliciesthatemploytheprincipleofleastprivilege.

3.1.6 Usenon-privilegedaccountsorroleswhenaccessingnon-securityfunctions.

FileCloud offersrole-basedaccesscontrolsanddifferentusertypestoaccessnon-securityfunctions

3.1.7 Preventnon-privilegedusersfromexecutingprivilegedfunctionsandaudittheexecutionofsuchfunctions.

FileCloud preventsnon-privilegedusersfromperformingadministratorduties.Privilegedadministratoractionsarealsokeptinauditrecords.

3.1.8 Limitunsuccessfullogonattempts. TheFileCloud platformallowstheadministratorstosetthemaximumnumberofunsuccessfullogonattempts.

3.1.9 ProvideprivacyandsecuritynoticesconsistentwithapplicableCUIrules.

FileCloudServerisaself-hostedproduct.Customerscancreatetheirownprivacy,TermsofService(TOS),andsecuritypolicies.

3.1.10 Usesessionlockwithpattern-hidingdisplaystopreventaccessandviewingofdataafterperiodofinactivity.

FileCloudprovidestheabilityforsystemadministratorstosetsessionlocks.Afteradefinedperiodoftime,theusersessionsareterminated.However,FileClouddoesnotusepatternhidingdisplays.

3.1.11 Terminate(automatically)ausersessionafteradefinedcondition.

FileCloudprovidestheabilityforsystemadministratorstosetdefaultloginsessionsusingthe sessiontimeoutparameter.Thiswillkeepusersactivelyloggedintotheiraccountforalimitedtimeonly.Oncetheuserexceedstheinactivityperiodthenthesessionexpires,andtheuser’ssessionsareterminated.Theusermustloginagaintogetaccess.

3.1.12 Monitorandcontrolremoteaccesssessions.

FileCloud’spowerfulauditcapabilitiesmonitors“what,when,who,why,andhow,”attributesofeveryuseraction(preview,download,uploadandotheractions)withinthesystem.Administratorscaneasilymonitortheaudittransactionsandcontroltheuseraccessifneeded.

3.1.13 Employcryptographicmechanismstoprotecttheconfidentialityofremoteaccesssessions.

FileCloud protectstheconfidentialityandintegrityofyourfilesintransitandatrest.• AES256-bitencryptionto

storefilesatrest• SSL/TLSsecuretunnelfor

filestransmission

3.1.14 Routeremoteaccessviamanagedaccesscontrolpoints.

FileCloudallowsadministratorstocontrolwhichnodesorportsareallowedforremoteaccess.SystemadministratorscanalsochoosetodeployFileCloudbehindareverseproxy.

3.1.15 Authorizeremoteexecutionofprivilegedcommandsandremoteaccesstosecurity-relevantinformation.

FileCloudprovidesaseparateadministratorportaltoexecuteprivilegedoperations.ThisportalcanbefurtherprotectedbyIPaccessrestrictionsandtwo-factorauthentication(2FA)mechanisms.

3.1.16 Authorizewirelessaccesspriortoallowingsuchconnections.

FileCloudcanbedeployedbehindacorporatefirewallorreverseproxytoauthorizewirelessaccess.FileCloudcanalsorestrictbasedonclientIPaddressesanddisabletheabilityforclientapplicationstoconnect.

3.1.17 Protectwirelessaccessusingauthenticationandencryption.

AllFileCloudcommunications(OnTransit,AtRest)areprotectedbyNIST-recommendedencryptiontechnologies.

3.1.18 Controlconnectionofmobiledevices

FileCloudpolicymanagementanddevicemanagementcapabilitiesallowdisablingandenablingtheconnectionofmobiledevicestoFileCloud.

3.1.19 EncryptCUIonmobiledevicesandmobilecomputingplatforms.

FileCloud utilizesnativeencryptionprovidedbythepopularmobileplatforms(iOSandAndroid).Administratorscanalsodisabletheabilitytoopencontentfromothermobileapplications.

3.1.20 Verifyandcontrol/limitconnectionstoanduseofexternalsystems.

Allexternalsystems(likeS3compatiblestorage)arecontrolledbyauthenticationkeys.

3.1.21 Limituseoforganizationalportablestoragedevicesonexternalsystems.

NotApplicable.

3.1.22 ControlCUIpostedorprocessedonpubliclyaccessiblesystems

FileCloud offersavarietyofdeploymentoptionstocontrolCUI:Hostiton-premisesservers(privatedeployment),orhostonhybridorsecurepublicclouddeployments(AWS/AzureGovCloud).

3.2AwarenessAndTraining

3.2.1 Ensurethatmanagers,systemsadministrators,andusersoforganizationalinformationsystemsaremadeawareofthesecurityrisksassociatedwiththeiractivitiesandoftheapplicablepolicies,standards,andproceduresrelatedtothesecurityoforganizationalinformationsystems.

FileCloud AlertsareavailableinFileCloud's Adminportalwhichtracksallunhandledexceptions,securityissues,andsystemerrormessagesgeneratedontheserver.ThenumberofalertsisshownontheFileCloud DashboardandtheAlertspagewillshowdetailedinformationaboutthevariouserrorsencountered.

3.2.2 Ensurethatorganizationalpersonnelareadequatelytrainedtocarryouttheirassignedinformationsecurity-relateddutiesandresponsibilities.

FileCloudalertsandnotificationshelptheadministratorsandenduserstofollowthebestpracticeswhenitcomestosecurity.

3.2.3 Providesecurityawarenesstrainingonrecognizingandreportingpotentialindicatorsofinsiderthreat.

FileCloud auditlogs,notifications,andshareanalyticscanbeusedforusertrainingtoidentifypotentialindicatorsofinsiderthreats.

3.3AuditAndAccountability

3.3.1 Create,protect,andretaininformationsystemauditrecordstotheextentneededtoenablethemonitoring,analysis,investigation,andreportingofunlawful,unauthorized,orinappropriateinformationsystemactivity.

FileCloudprovidescomprehensiveauditlogging(what,when,who,whereandhow)details.Administratorscanexportorarchivetheauditlogsforsafekeeping.

3.3.2 Ensurethattheactionsofindividualinformationsystemuserscanbeuniquelytracedtothoseuserssotheycanbeheldaccountablefortheiractions.

ByprovidingoptionstorecordeveryactionwithWhat,When,WhoandHowattributes,FileCloudgivescustomersthebestpossibleauditdatatosatisfyanytypeofcompliance.

3.3.3 Reviewandupdateauditedevents. TheFileCloudplatformhelpssystemadministratorsandpersonnelwithprivilegedaccesstoviewtheauditedevents.

3.3.4 Alertintheeventofanauditprocessfailure.

FileCloudAuditinterfaceclearlyshowstheaudittimeline.Administratorscancheckitperiodicallytomakesureactionsareauditedproperly.FileCloudalsosendsanalerttotheSystemAdministratorifauditarchivalfailsforsomereason.

3.3.5 Correlateauditreview,analysis,andreportingprocessesforinvestigationandresponsetoindicationsofinappropriate,suspicious,orunusualactivity.

FileCloudAuditlogscanbeexportedtoSecurityInformationandEventmanagement(SIEM)systemsandcanalsobeintegratedwithsyslogtoanalyzeandidentifysuspiciousorunusualactivity.

3.3.6 Provideauditreductionandreportgenerationtosupporton-demandanalysisandreporting.

TheFileCloud platformoffersbuilt-inandconfigurablereportsforon-demandanalysisandreporting.

3.3.7 Provideaninformationsystemcapabilitythatcomparesandsynchronizesinternalsystemclockswithanauthoritativesourcetogeneratetimestampsforauditrecords.

FileCloudcanbeintegratedwithNTPserverstoprovideauthoritativetimestamps.

3.3.8 Protectauditinformationandaudittoolsfromunauthorizedaccess,modification,anddeletion.

FileCloud canautoarchivetheauditlogstoasafelocationtopreventunauthorizedaccess,modification,anddeletion.TheFileCloud Adminportalalsooffersrole-basedaccesstorestrictunauthorizedaccesstoaudittransactions.

3.3.9 Limitmanagementofauditfunctionalitytoasubsetofprivilegedusers.

TheFileCloud Adminportaloffersrole-basedaccesstomanageandlimittheaudittransactiontoasubsetofprivilegedusers.

3.4ConfigurationManagement

3.4.1 Establishandmaintainbaselineconfigurationsandinventoriesoforganizationalinformationsystems(includinghardware,software,firmware,anddocumentation)throughouttherespectivesystemdevelopmentlifecycles.

FileCloud providessystemcheckreportsthatgivethebaselineconfigurationoftheFileCloudsoftwareanditscomponents.

3.4.2 Establishandenforcesecurityconfigurationsettingsforinformationtechnologyproductsemployedinorganizationalinformationsystems.

TheFileCloud Adminportalprovidessecuritysettings(Passwordpolicy,Authentication,Access,andSharesettings)fortheplatformthatcanbeeasilyconfiguredbythesystemadministrators.FileCloud DeviceandPolicymanagementalsoofferssecuritysettingsthatcanbeenforcedformobileandclientdeviceaccess.

3.4.3 Track,review,approve/disapprove,andauditchangestoinformationsystems.

TheFileCloudplatformrecordsadministratoractionsintheauditlog.

3.4.4 Analyzethesecurityimpactofchangespriortoimplementation.

FileCloudoffersthebestsecuritypracticesdocumentation.Systemadministratorscanconfigurethesystemasperguidelinestorunthesystemsecurely.

3.4.5 Define,document,approve,andenforcephysicalandlogicalaccessrestrictionsassociatedwithchangestotheinformationsystem.

FileCloudenforceslogicalaccessasdefinedbythesystemadministrators.Further,FileCloudauditlogstrackalllogicalaccessappliedtotheCUIdata.

3.4.6 Employtheprincipleofleastfunctionalitybyconfiguringtheinformationsystemtoprovideonlyessentialcapabilities.

FileCloudcanbeconfiguredtoprovidetheleastandessentialaccesstotheCUIdata.

3.4.7 Restrict,disable,andpreventtheuseofnonessentialfunctions,ports,protocols,andservices.

FileCloudcanbeconfiguredtorunonasecureport.Administratorscanallowonlythenecessaryfunctionsforendusers.

3.4.8 Applydeny-by-exception(blacklist)policytopreventtheuseofunauthorizedsoftwareordeny-all,permit-by-exception(whitelisting)policytoallowtheexecutionofauthorizedsoftware.

FileCloudoffersMDMcapabilitiestoenforceblacklistingofothermobileapplicationstoopenoreditFileClouddata.

3.4.9 Controlandmonitoruserinstalledsoftware.

FileCloud preventsunauthorizedappsfromaccessingtheCUI.OnlyFileCloud mobileappscanaccessthedata.

3.5IdentificationandAuthentication

3.5.1 Identifyinformationsystemusers,processesactingonbehalfofusers,ordevices.

FileCloudassignsuniqueIDstousersanddevicestotrackactivityontheplatformacrossalldevices.

3.5.2 Authenticate(orverify)theidentitiesofthoseusers,processes,ordevices,asaprerequisitetoallowingaccesstoorganizationalinformationsystems.

FileCloud offers advanced policyoptions to enable authenticationfor users as well as devices beforeallowing access to organizationalinformation systems.

3.5.3 Usemultifactorauthenticationforlocalandnetworkaccesstoprivilegedaccountsandfornetworkaccesstonon-privilegedaccounts.

FileCloudsupports2FAforusersandadministratorslocalandnetworkaccess.

3.5.4 Employreplay-resistantauthenticationmechanismsfornetworkaccesstoprivilegedandnonprivilegedaccounts.

FileClouduseraccountswillbelockedoutiftheytryusingthewrongpasswordfor“n”times.The“n”numbercanbeconfiguredtomeetyourorganizationsecurityrequirements.

3.5.5 Preventreuseofidentifiersforadefinedperiod.

FileCloudprohibitsduplicateidentifierswithinthesystemanduseridentifierscanalsobedisabledforadefinedperiod.

3.5.6 Disableidentifiersafteradefinedperiodofinactivity.

FileCloudallowsdisablingofuseraccountsafteraspecifiedtimeperiodofuserinactivity.

3.5.7 Enforceaminimumpasswordcomplexityandchangeofcharacterswhennewpasswordsarecreated.

FileCloud supportsstrongpasswordpolicy.Enablingthisoptionwillrequirethepasswordtocontainatleastoneuppercase,lowercase,number,andaspecialcharacterinthepassword.

3.5.8 Prohibitpasswordreuseforaspecifiednumberofgenerations.

FileCloudprohibitspasswordreuse.Anadministratorcanspecifythenumberofpreviouspasswordsthatcannotbereusedwhenpasswordischanged.

3.5.9 Allowtemporarypassworduseforsystemlogonswithanimmediatechangetoapermanentpassword.

FileCloudprovidesanoptionthatwillforcethenewuser,onlogin,tochangethepassword.

3.5.10 Storeandtransmitonlyencryptedrepresentationofpasswords.

Allpasswordsarestoredandtransmittedonlyinencryptedformat.

3.5.11 Obscurefeedbackofauthenticationinformation.

FileCloud providesobscurefeedbackwhenwrongpasswordisenteredtomakeithardertoguessthepassword.

3.6IncidentResponse

3.6.1 Establishanoperationalincident-handlingcapabilityfororganizationalinformationsystemsthatincludesadequatepreparation,detection,analysis,containment,recovery,anduserresponseactivities.

3.6.2 Track,document,andreportincidentstoappropriateorganizationalofficialsand/orauthorities.

TheFileCloudplatformlogsincidentsandgeneratessystemalertswhenmaliciousincidentsoccur.

3.6.3 Testtheorganizationalincidentresponsecapability.

3.7Maintenance

3.7.1 Performmaintenanceonorganizationalinformationsystems.

3.7.2 Provideeffectivecontrolsonthetools,techniques,mechanisms,andpersonnelusedtoconductsystemmaintenance.

FileCloudoffersaseparateAdminportaltolimitaccesstoconfigurationandmaintenancecontrolstoauthorizeduserssuchassystemadministrators.

3.7.3 Ensureequipmentremovedforoff-sitemaintenanceissanitizedofanyCUI.

FileCloudsupportsremoteerasingofFileClouddatainPCsandmobiledevices.

3.7.4 Checkmediacontainingdiagnosticandtestprogramsformaliciouscodebeforethemediaareusedintheinformationsystem.

FileCloudcanbeconfiguredtoscanformalwareusingananti-virusprogrambeforecontentisuploadedtoFileCloud.

3.7.5 Requiremultifactorauthenticationtoestablishnonlocalmaintenancesessionsviaexternalnetworkconnectionsandterminatesuchconnectionswhennonlocalmaintenanceiscomplete.

TheFileCloudAdminportalcanbeconfiguredtorequire2FAaccess. Itcanalsobeconfiguredtotimeoutthosesessionsafterathresholdofidletimehasbeenreached.

3.7.6 Supervisethemaintenanceactivitiesofmaintenancepersonnelwithoutrequiredaccessauthorization.

TheFileCloud auditfunctionlogsallusertransactionsirrespectiveoftheirprivilegelevels.

3.8MediaProtection

3.8.1 Protect(i.e.,physicallycontrolandsecurelystore)informationsystemmediacontainingCUI,bothpaperanddigital.

3.8.2 LimitaccesstoCUIoninformationsystemmediatoauthorizedusers.

FileCloudprotectsCUIbyencryptingcontentatrestandenforcingproperaccesscontrols.

3.8.3 SanitizeordestroyinformationsystemmediacontainingCUIbeforedisposalorreleaseforreuse.

FileCloudcanremotelyeraseCUIonclientdevices(PCs,MobilePhones).

3.8.4 MarkmediawithnecessaryCUImarkingsanddistributionlimitations.

3.8.5 ControlaccesstomediacontainingCUIandmaintainaccountabilityformediaduringtransportoutsideofcontrolledareas.

FileCloudenforcesaccesscontrolsonmobiledevicesregardlessoftheirlocation.FileCloudcanremotelyblockoreraseFileClouddataonmobiledevicesifneeded.

3.8.6 Implementcryptographicmechanismstoprotecttheconfidentialityofinformationstoredondigitalmediaduringtransportoutsideofcontrolledareasunlessotherwiseprotectedbyalternativephysicalsafeguards.

FileCloudencryptsallCUIatrestwithAESencryption.

3.8.7 Controltheuseofremovablemediaoninformationsystemcomponents.

3.8.8 Prohibittheuseofportablestoragedeviceswhensuchdeviceshavenoidentifiableowner.

3.8.9 ProtecttheconfidentialityofbackupCUIatstoragelocations.

FileCloud encryptsandenforcesaccesscontrolsforallCUIundermanagement,includingCUIonredundantservers.

3.9PersonnelSecurity

NIST800-171Requirement DetailsHowFileCloud ServerSupportsNIST800-171Compliance

3.9.1 ScreenindividualspriortoauthorizingaccesstoinformationsystemscontainingCUI.

TheFileCloudplatformallowsaccesstoCUIonlytoauthorizedusers.

3.9.2 EnsurethatCUIandinformationsystemscontainingCUIareprotectedduringandafterpersonnelactionssuchasterminationsandtransfers.

Whenemployeesandcontractorsareterminated,FileCloud canrevokepermissionsoftheusersandblocktheaccesstoCUI.Further,personneldevicescanberemotelyblockedanderasedbytheFileCloud platform.

3.10PhysicalProtection

3.10.1 Limitphysicalaccesstoorganizationalinformationsystems,equipment,andtherespectiveoperatingenvironmentstoauthorizedindividuals.

3.10.2 Protectandmonitorthephysicalfacilityandsupportinfrastructureforthoseinformationsystems.

3.10.3 Escortvisitorsandmonitorvisitoractivity.

3.10.4 Maintainauditlogsofphysicalaccess.

3.10.5 Controlandmanagephysicalaccessdevices.

3.10.6 EnforcesafeguardingmeasuresforCUIatalternateworksites(e.g.,teleworksites).

RemoteaccesstoCUIisprotectedbystrongauthenticationandaccesscontrols.Thedataisencryptedintransitandatrest.

3.11RiskAssessment

3.11.1 Periodicallyassesstherisktoorganizationaloperations(includingmission,functions,image,orreputation),organizationalassets,andindividuals,resultingfromtheoperationoforganizationalinformationsystemsandtheassociatedprocessing,storage,ortransmissionofCUI.

TheFileCloudplatformoffersanadministrativedashboard(systemsummary,recentaccesslocations,Filetypedistribution),detailedauditlogs,andbuilt-inreportstoperiodicallyassesstherisks.

3.11.2 Scanforvulnerabilitiesintheinformationsystemandapplicationsperiodicallyandwhennewvulnerabilitiesaffectingthesystemareidentified.

FileCloudcanbeintegratedwithClamAVorotheranti-malwaresoftwareviaInternetContentAdaptionProtocol(ICAP) interfacetoblockanyvirusesormalwarefrombeinguploadedtoFileCloud.

3.11.3 Remediatevulnerabilitiesinaccordancewithassessmentsofrisk.

FileCloud alertssystemadministratorsaboutsuspiciousfilesthatfailsignaturechecksaswellasfilesblockedbytheAVsoftware.

3.12SecurityAssessment

3.12.1 Periodicallyassessthesecuritycontrolsinorganizationalinformationsystemstodetermineifthecontrolsareeffectiveintheirapplication.

FileCloudoffersadministrativedashboard,alerts,andreportstoperformsecurityassessmentsquickly.

3.12.2 Developandimplementplansofactiondesignedtocorrectdeficienciesandreduceoreliminatevulnerabilitiesinorganizationalinformationsystems.

FileCloudprovidefunctionalitiestoprotectthesystemfromransomwareandmalwareattacks(RequiresintegrationwithAnt-VirusSoftwarewithICAPcapabilities).

3.12.3 Monitorinformationsystemsecuritycontrolsonanongoingbasistoensurethecontinuedeffectivenessofthecontrols.

3.12.4 Develop,document,andperiodicallyupdatesystemsecurityplansthatdescribesystemboundaries,systemenvironmentsofoperation,howsecurityrequirementsareimplemented,andtherelationshipswithorconnectionstoothersystems.

3.13SystemandCommunicationsProtection

3.13.1 Monitor,control,andprotectorganizationalcommunications(i.e.,informationtransmittedorreceivedbyorganizationalinformationsystems)attheexternalboundariesandkeyinternalboundariesoftheinformationsystems.

FileCloud monitors,controls,andprotectsorganizationalcommunicationintransitandatrestviaencryptionusingFIPS140-2validatedencryptionmodule.

3.13.2 Employarchitecturaldesigns,softwaredevelopmenttechniques,andsystemsengineeringprinciplesthatpromoteeffectiveinformationsecuritywithinorganizationalinformationsystems.

FileCloudprovidesend-to-enddataprotectionwithmultiplelevelsofsecurityateachlayer.Securityisafirst-ordercitizenwithFileCloudandisbuiltfromthegroundup–notasanafterthought.FileCloudisavailableonprivateorhybridcloudorasaprivatehosteddeploymentisanisolatedenvironmentonAWSGovCloud.Thisenablescustomerstoadoptthedeploymentmodelthatbestsuitstheirsecurityneeds.

3.13.3 Separateuserfunctionalityfrominformationsystemmanagementfunctionality(e.g.,privilegeduserfunctions).

FileCloudoffersanAdminportalwhichisseparatefromtheendUserportal.Further,theAdminportalcanbeconfiguredwithrole-basedaccesscontrolforprivilegeduserfunctions.

3.13.4 Preventunauthorizedandunintendedinformationtransferviasharedsystemresources.

FileCloudpreventsunauthorizedaccessorsharingofCUI.OnlyauthorizeduserscanshareinformationviaFileCloud.FileCloudalsohastheoptiontodisablepublicsharinganddisablingnewuserinvitesinsuchawaythattheinformationiskeptonlywithintheorganizationandauthorizedusers.

3.13.5 Implementsubnetworksforpubliclyaccessiblesystemcomponentsthatarephysicallyorlogicallyseparatedfrominternalnetworks.

FileCloud’s3-tierarchitectureallowswebinterfacesandothersystemfunctionstobedeployedoutsidenetworkDMZsforpublicaccess,whileensuringthatapplicationlogicandCUIstorageremainsoninternalnetworks.FileCloudcanbealsodeployedbehindareverseproxyforfurtherprotection.

3.13.6 Denynetworkcommunicationstrafficbydefaultandallownetworkcommunicationstrafficbyexception(i.e.,denyall,permitbyexception).

Byconfiguringtheunderlyingwebserver,youcanwhitelisttheIPaddressesusedtoaccessFileCloud.

3.13.7 Preventremotedevicesfromsimultaneouslyestablishingnon-remoteconnectionswiththeinformationsystemandcommunicatingviasomeotherconnectiontoresourcesinexternalnetworks.

3.13.8 ImplementcryptographicmechanismstopreventunauthorizeddisclosureofCUIduringtransmissionunlessotherwiseprotectedbyalternativephysicalsafeguards.

FileCloudencryptsCUIintransitusingTLS1.2(TransportLayerSecurity).

3.13.9 Terminatenetworkconnectionsassociatedwithcommunicationssessionsattheendofthesessionsorafteradefinedperiodofinactivity.

FileCloudprovidessessiontimeoutforboththeendUserandAdminportalthatcanbeconfiguredbythesystemadministrators.Afteradefinedperiodofinactivity,theuseraswellastheadminsessionexpires.

3.13.10 Establishandmanagecryptographickeysforcryptographyemployedintheinformationsystem.

FileCloudenablessystemadministratorstosetencryptionfordataatrestandintransit.

3.13.11 EmployFIPS-validatedcryptographywhenusedtoprotecttheconfidentialityofCUI.

FileCloudusesFIPS140-2validatedcryptographicmoduleforallcryptographicoperationincludingencryptionofCUIdataatrestandintransit.

3.13.12 Prohibitremoteactivationofcollaborativecomputingdevicesandprovideindicationofdevicesinusetouserspresentatthedevice.

3.13.13 Controlandmonitortheuseofmobilecode.

FileCloud clients(webbrowserordesktopclients)don’tuseanymobilecodesuchasappletsoractivexcontrols.

3.13.14 ControlandmonitortheuseofVoiceoverInternetProtocol(VoIP)technologies.

3.13.15 Protecttheauthenticityofcommunicationssessions.

FileCloudinvalidatesthesessionuponuserlogoutoruponadefinedperiodofinactivity.

3.13.16 ProtecttheconfidentialityofCUIatrest.

FileCloud usesFIPS140-2validatedencryptionmoduletoencrypt(AES256)CUIdataatRest

3.14SystemandInformationIntegrity

3.14.1 Identify,report,andcorrectinformationandinformationsystemflawsinatimelymanner.

CodeLathe monitors vulnerabilitiesinthe FileCloud platform regularlyand resolve these vulnerabilitiesbased onimpact and severity.

3.14.2 Provideprotectionfrommaliciouscodeatappropriatelocationswithinorganizationalinformationsystems.

FileCloudcanbeintegratedwithanti-malwareproductstoscanforviruses,APTsandzero-dayattacks.FileCloudalsoprovidesbuilt-inransomwareprotectionbycomparingthefilesignature.

3.14.3 Monitorinformationsystemsecurityalertsandadvisoriesandtakeappropriateactionsinresponse.

TheFileCloud platformcanbeconfiguredtoexportauditlogsandsystemalertsfromSecurityInformationandEventManagement(SIEM)systemsbeingusedforsecuritymonitoringandalerts.

3.14.4 Updatemaliciouscodeprotectionmechanismswhennewreleasesareavailable.

FileCloud canbeintegratedwithanti-malwareproductsviaanICAPinterface.Theseproductscanbeupdatedperiodicallyasnewdefinitionsarereleasedbythevendor.Bydefault,FileCloud canbeintegratedwiththeopensourceClamAV productwhichcanbeupdatedperiodically.

3.14.5 Performperiodicscansoftheinformationsystemandreal-timescansoffilesfromexternalsourcesasfilesaredownloaded,opened,orexecuted.

WhenyouintegrateFileCloudwithananti-virusproductviaICAP,alluploadedfilesarescannedforvirusesandmalware.

3.14.6 Monitortheinformationsystem,includinginboundandoutboundcommunicationstraffic,todetectattacksandindicatorsofpotentialattacks.

FileCloudmonitorsallthecommunicationsforsignsofransomwareandourauditlogs,dashboardsandgeoIPfeaturescanbeusedtolookfortrafficanomaly.

3.14.7 Identifyunauthorizeduseoftheinformationsystem.

TheFileCloud platformdoesn’tpermitunauthorizedaccessofthesystem.FileCloud’s auditlogsrecordallusertransactions.

FileCloud Architecture

FileCloud softwareistypicallyinstalledonaserver(LinuxorWindows).Afterinstallation,anAdminportalisavailabletoconfigureandmanagethesystem.Onceconfiguredbyanadministrator,userscanaccesstheFileCloud installationusingthewebbrowser,mobileapps,orevenkeeptheirdesktopfoldersinsyncusingtheFileCloud’s desktopsyncclients.

Diagram1.FileCloud Architecture

13785ResearchBlvd,Suite125AustinTX78750

Email:sales@codelathe.com

Website:https://www.getfilecloud.com

Phone:+1(888)571-6480

Fax:+1(866)824-9584

FileCloud HighAvailabilityArchitecture

TheFileCloud solutioncanbeimplementedusingtheclassic3-tierhighavailabilityarchitecture.Thefirsttierconsistsoftheloadbalancerandaccesscontrolservices.Tier1willbeawebtiermadeupofloadbalancers.Tier2willbestatelessapplicationserversandforFileCloud implementation.ThislayerwillconsistofApachenodes.Tier3willbethedatabaselayer.Theadvantageofthisarchitectureisseparationofstatelesscomponentsfromstate-fullcomponentsallowinggreatflexibilityindeployingthesolution.

TolearnmoreabouthowtheFileCloudplatformcanhelpyourorganizationcomplywithNIST800-171regulations,pleasecontactusatsales@codelathe.com.

Diagram2.FileCloud High-AvailabilityArchitecture

FileCloud NIST 800-171 Compliance Guide · Regulation Supplement (DFARS) minimum security standards...

Documents

Transcript of FileCloud NIST 800-171 Compliance Guide · Regulation Supplement (DFARS) minimum security standards...

Security Standards Compliance NIST SP 800-53 Revision 5 … · 2019. 7. 24. · G. Protecting Controlled Unclassified Information in Non-federal Systems and Organizations, NIST SP-800-171,

FISMA Compliance in Higher Education · o NIST SP 800-53 o NIST SP 800-53A ... new list of the key control activities (mapped to NIST) ... • Cloud computing challenges 28. 15

NIST 800-171 Simplifying CUI and DFARS Compliance

for the Federal PKI Management Authority NIST RMF compliance

FileCloud on AWS High Availability Architecture · PDF fileFileCloud on AWS – High Availability Architecture 1. Introduction FileCloud enables organizations to run their own file

Automated Security Compliance and MeasurementAutomated Security Compliance and Measurement Stephen Quinn & Peter Mell Computer Security Division NIST

Compliance Audit Readiness · Track missing patches outside of patch window Compliance Standards Audit security policy against PCI, NIST, HIPPA & more Insider Threat Incident Response

NIST 800-171 & CMMC Compliance Scoping Guideexamples.complianceforge.com/cmmc/guide.pdf · substitute for professional services. If you have compliance questions, you are encouraged

FFIEC and NIST: What You Need to Know About Two Prevalent New IT Security Compliance Frameworks

Compliance Security - Cyber Security Summit...Cyber Security Summit | October 23-25, 2017 | Minneapolis, MN | cybersecuritysummit.org Compliance ≠ Security NIST 800-53 R4 Control

FileCloud Enterprise Edition Value Proposition€¦ · FileCloud Retention Policies -Types • Legal Hold Freezes digital content to aid discovery or legal challenges • Archival

NIST 800-171 & CMMC Compliance Scoping Guideexamples.complianceforge.com/nist-800-171/NIST 800... · This document is intended to help companies comply with NIST 800-171 and prepare

NIST 800-53 Compliance Controls Guide · 2019-06-23 · 2 NIST 800-53 Compliance Controls GUIDE AC Access Control—21 Controls Capabilities Summary Number of controls McAfee Active

Automating Compliance: Architecting for FedRAMPHIGH and … · 2018-10-03 · Automating Compliance: Architecting for FedRAMPHIGH and NIST Workloads Steve Horvath, VP Strategy & Vision.

Vigilant Learn Security and Compliance Memorandum · VIGILANT LEARN SECURITY AND COMPLIANCE MEMORANDUM ... performing as expected. The standards, based upon NIST 800-53 controls,

NIST 800-171 EXPLAINED - · PDF fileapply to any organization. | Rapid7.com Compliance uide NIST 800-171 4 ... controls of NIST 800-171 have become a very important measure for security

NIST - US Furniture Compliance Requirements

Achieving NIST 800-53v5 Compliance with FortiGate: An ...

COMPLIANCE IN THE CLOUD - Wild Apricotsia-web.wildapricot.org/resources/Documents/345-430pm - Compliance... · • NIST SP 800-171 with mapping to NIST 800-53 Relevant ... What is

Microsoft Azure Compliance Offerings · CIS Controls map to many established standards and regulatory frameworks, including the NIST Cybersecurity Framework (CSF), NIST SP 800-53,