skip to Main Content

You Need Ransomware Protection for Your CUI

Today we ask the question every DIB company should have asked and answered for itself:

“Do NIST SP 800-171, and therefore CMMC Levels 1, 2, and 3,[1] require complete and unconditional protection of CUI from ransomware?”

The answer of course is yes.

You probably knew that, but does your CUI storage and collaboration vendor also know? Unless it is RegDOX, it does not seem that they do.

Here is What They Should Know:

NIST SP 800-171 is a set of cybersecurity requirements developed by the National Institute of Standards and Technology (NIST). It is for non-federal organizations that handle Controlled Unclassified Information (CUI) such as ITAR technical data and national security information. These NIST requirements include specific security controls that organizations must implement to protect the confidentiality, integrity, and availability of CUI.

Various security controls required by NIST SP 800-171 are intended as a group, and designed specifically, to protect CUI against ransomware. NIST groups them together with “destructive malware, insider threats, and even honest user mistakes.”[2] These security controls specifically require the implementation of processes that not just detect and but also prevent exposing CUI to the execution of malicious code and activities.

Thus, for example:

NIST SP 800-171 Control 3.8.1 requires system media containing CUI to be physically controlled and securely stored. Control 3.8.9 has a correspondingly unequivocal and absolute security requirement that CUI is backed up at storage locations that are kept confidential.  Likewise absolute are the requirements of Controls 3.9.2 and 3.13.16, respectively. Which state that a company “ensure” organizational systems containing CUI be protected and that CUI itself be protected at rest.

Therefore, to comply with NIST SP 800-171, a company must implement ransomware protection as part of its cybersecurity program. Without ransomware protection, the company could not fully comply with the unconditional security controls required by NIST SP 800-171. This failure would leave a company vulnerable to ransomware attacks that could compromise the confidentiality, integrity, and availability of CUI. Further, it would be a pre-ransom-attack violation of NIST SP 800-171 and the CMMC.

Merely encrypting backups is not sufficient protection against ransomware. That protection and the security of multi-factor authentication, biometrics, certificates, and the like do not protect against entire accounts. Therefore, complete access being blocked.

By The Numbers:

As reported by Veeams in its Ransomware Trends Report, 97% of these attacks target backup repositories, but only 54% of data subject to ransomware attacks was encrypted. Ransom was paid by 88% of companies, but even at that, 34% of the companies making ransom payments did not recover their data.

And the threat is only increasing. One source of ransomware known as “Royal” is boasting 19 victims just this February. Its activities are eclipsed by those of the “LockBit”, “BlackCat”, and “Vice Society” groups of cyber-ransom criminals.

The only reasonable protection – and the only CMMC-complaint protection – comes with adopting an absolute ransom protection program and protocol. Despite what most online data storage services may believe, it does not come from mere content encryption or backups.

Such a ransomware protection program for CUI is commercially offered, it seems, uniquely by RegDOX for its ITAR/CMMC Secure Data Room Service customers.

Let us tell you how it is done and make sure your company is protected:
LockBox Recovery Solution | RegDOX Solutions

 

[1] The CMMC 2.0 program which will cover Foundational Level 1 (15 practices), Advanced Level 2  (110 NIST SP 800-171 practices), and Expert Level 3 (110+ practices based on NIST SPs 800-171 and 800-172), was announced and made effective November 30, 2022.  Implementation is pending CMMC 2.0 Rulemaking.  See the statement of the DoD’s Chief information Officer here.

[2] See NIST SP 1800-25 (Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events) and NIST SP 1800-26 (Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events), both published December 2020, and NIST SP 1800-11 (Data Integrity: Recovering from Ransomware and Other Destructive Events), published September 2020).  All online references accessed on March 6, 2023.

 

To Try Out Our Solution For Free: Click Here

To Get in Contact with Us: Click Here or Reach us by:

Phone: (800) 517-3171

Email: sales@regdox.com

Click to rate this post!
[Total: 0 Average: 0]

This Post Has 0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

Back To Top