NIST 800-171 | SYSTEM AND INFORMATION INTEGRITY
System integrity and information integrity controls and requirements are designed to ensure that federal systems and information are accurate and can be validated.
The integrity of information is critical. It is managed primarily by controlling the traffic entering the system and the applications and software installed on it, and by frequently checking the entire system to ensure nothing unapproved has changed. Examples of these controls are checksums, hash comparisons of downloaded files, file integrity monitoring (FIM) and virus scanning. These are the basic provisions.
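As an added illustration of the hash-comparison and file integrity monitoring controls named above (example code written for this page, not part of the NIST publication), the following baselines a directory tree with SHA-256, re-scans it after changes to report added, removed and modified files, and verifies a downloaded file against a published digest with a constant-time compare. The sample tree, file names and the "vendor" digest are constructed for the demonstration.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path

def hash_file(path, algorithm="sha256"):
    """Return the hex digest of one file, streamed in 64 KiB chunks so size does not matter."""
    digest = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(root):
    """Record the digest of every regular file under root, keyed by POSIX-style relative path."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hash_file(p)
            for p in sorted(root.rglob("*"))
            if p.is_file() and not p.is_symlink()}  # hash real files, not link pointers

def compare_to_baseline(root, baseline):
    """Report files that appeared, vanished or changed since the baseline was recorded."""
    current = build_baseline(root)
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(p for p in current.keys() & baseline.keys()
                               if current[p] != baseline[p])}

def verify_download(path, published_digest, algorithm="sha256"):
    """Check a downloaded file against its vendor-published digest (constant-time compare)."""
    return hmac.compare_digest(hash_file(path, algorithm), published_digest.strip().lower())

def demo():
    """Constructed sample tree: baseline it, make unapproved changes, return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "bin").mkdir()
        (root / "etc" / "app.conf").write_bytes(b"debug=false\n")
        (root / "bin" / "service").write_bytes(b"\x7fELF placeholder")
        baseline = build_baseline(root)
        (root / "etc" / "app.conf").write_bytes(b"debug=true\n")  # modified config
        (root / "bin" / "service").unlink()                       # removed binary
        (root / "bin" / "helper").write_bytes(b"dropped file")    # unexpected new file
        report = compare_to_baseline(root, baseline)
        published = hashlib.sha256(b"debug=true\n").hexdigest()   # constructed "vendor" digest
        return (report, verify_download(root / "etc" / "app.conf", published),
                verify_download(root / "etc" / "app.conf", baseline["etc/app.conf"]))
```

In practice the baseline itself must be stored where the monitored host cannot rewrite it, or an attacker who changes a file can simply re-baseline.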
Family Name: System and Information Integrity
3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
Organizations identify systems that are affected by announced software and firmware flaws, including potential vulnerabilities resulting from those flaws, and report this information to designated personnel with information security responsibilities.
Security-relevant updates include:
Organizations also address flaws discovered during
Incident response activities
System error handling
Organizations can take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational systems.
NIST Special Publication 800-40 provides guidance on patch management technologies.
3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
Appropriate locations include system entry and exit points
Electronic mail servers
Malicious code includes:
A variety of technologies and methods exist to limit or eliminate the effects of malicious code:
Secure coding practices
Configuration management and control
Trusted procurement processes
Monitoring practices to help ensure that software performs only its intended function and nothing more
NIST Special Publication 800-83 provides guidance on malware incident prevention.
3.14.3 Monitor information system security alerts and advisories and take appropriate actions in response.
The United States Computer Emergency Readiness Team (US-CERT) generates security alerts and advisories to maintain situational awareness across the federal government and in nonfederal organizations.
Software vendors, subscription services, and relevant industry information sharing and analysis centers (ISACs) may also provide security alerts and advisories.
Security directives are issued by designated organizations with the responsibility and authority to issue such directives.
3.14.4 Update malicious code protection mechanisms when new releases are available.
Even updated malicious code protection mechanisms cannot always detect such code.
3.14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
See discussion for 3.14.2
3.14.6 Monitor the information system, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
External monitoring includes the observation of events occurring at the system boundary, as part of perimeter defense.
Internal monitoring includes the observation of events occurring within the system.
Organizations can monitor systems by observing audit record activities in real time or by observing other system aspects.
System monitoring capability is achieved through a variety of tools and techniques:
Intrusion detection systems
Intrusion prevention systems
Malicious code protection software
Audit record monitoring software
Network monitoring software
System monitoring is an integral part of continuous monitoring and incident response programs.
Unusual or unauthorized activities or conditions related to inbound and outbound communications traffic include:
Internal traffic that indicates the presence of malicious code in systems
Unauthorized exporting of information
Signaling to external systems
Evidence of malicious code is used to identify potentially compromised systems or system components.
NIST Special Publication 800-94 provides guidance on intrusion detection and prevention systems.
3.14.7 Identify unauthorized use of the information system.
See discussion for 3.14.6
NIST 800-171 Mappings:
FAR Clause 52.204-21 b.1.xii
NIST SP 800-171 Rev 1 3.14.1
NIST CSF v1.1 RS.CO-2, RS.MI-3
CERT RMM v1.2 VAR:SG2.SP2
NIST SP 800-53 Rev 4 SI-2
UK NCSC Cyber Essentials
AU ACSC Essential Eight