Data Loss Prevention
for NIST Compliance

Discover how Endpoint Protector can support requirements for NIST SP 800-171, Revision 2 and NIST SP 800-53, Revision 5.

Table of Contents

  1. NIST SP 800-53, Revision 5 vs NIST 800-171, Revision 2
  2. Who has to comply?
  3. Examples of CUI
  4. NIST compliance with Endpoint Protector
  5. Considerations for your organization

NIST SP 800-53, Revision 5 vs NIST 800-171, Revision 2

The NIST Cybersecurity Framework (CSF) provides a common language for expressing and discussing cybersecurity risk. NIST has produced more than 200 special publications covering many aspects of cybersecurity risk management for different industries and use cases. The most widely recognized and used is NIST 800-53 (Revision 5), a set of specific security and privacy controls for federal information systems and organizations.

A subset of controls has also been published for non-federal entities (e.g. a supplier or contractor) that shares, collects, processes, stores or transmits “Controlled Unclassified Information (CUI)” on behalf of a federal government agency. This is called NIST 800-171 (Revision 2).

Who has to comply?

NIST SP 800-53,
Revision 5

Federal agencies and organizations operating under the authority of the United States government. Some contractors or suppliers may also be asked to comply, depending on the data type.

NIST 800-171,
Revision 2

Any organization that handles Controlled Unclassified Information (CUI) on behalf of the U.S. federal government or operates as a contractor, subcontractor, or service provider for the US government

Examples of CUI

CUI refers to sensitive but unclassified information that requires safeguarding and protection, as its unauthorized disclosure could cause damage to national security, economic interests, or personal privacy. Some examples of CUI include:

  1. Export-controlled information, such as technical data related to defense articles, software, and technology.
  2. Financial information, including tax return information, financial account numbers, and credit reports.
  3. Law enforcement information, such as criminal investigations, sensitive security information, and intelligence information.
  4. Personal information, such as social security numbers, medical records, and personally identifiable information (PII).
  5. Controlled technology, including information related to nuclear facilities, biological agents, and chemical weapons.

These are just a few examples of the types of information that may be considered CUI. It's important to note that the specific categories and definitions of CUI may vary depending on the organization, the industry, and the regulatory framework involved.

NIST compliance with Endpoint Protector

Given its breadth, no one solution will fulfill all NIST SP 800-53, Revision 5 or NIST 800-171, Revision 2 requirements. Instead, organizations should look to combine multiple technologies, and processes, to meet their stated goals.

Here are some examples of where Endpoint Protector by CoSoSys can be applied to meet the needs outlined in specific NIST Framework Categories and Sub-Categories. For in-depth documentation, please check out our article on NIST Cybersecurity Framework.

Control the use of removable storage media

Use Endpoint Protector’s Device Control solution to manage the use of USB drives, and other portable storage devices connected to employee endpoints. This includes USB Flash drives, external HDDs, SD Cards, and even storage media connected via Bluetooth (e.g. smartphones). Learn more about Endpoint Protector Device Control.

NIST SP 800-53, Revision 5

Subcategories met with Device Control:

  • PR.DS-1: Data-at-rest is protecte
  • PR.PT-2: Removable media is protected

Controls met with Device Control:

  • MP-7: Media Use

NIST 800-171, Revision 2

Subcategories met with Device Control:

  • PR.PT-2: Removable media is protected
  •  

Controls met with Device Control:

  • 3.8.7: Control the use of removable media

Protect against data leaks

Use Endpoint Protector Device Control and Content Aware Protection to protect data from being exfiltrated at the employee endpoint (interface). This spans potential exfiltration of CUI through hardware devices (e.g. USB drives, external HDDs, Bluetooth connected devices, printers, and more); and also through software applications, e.g. email, Slack, file uploads etc. Learn more about Endpoint Protector Content Aware Protection.

NIST SP 800-53, Revision 5

Subcategories met with Device Control and Content Aware Protection:

  • PR.DS-5: Protections against data leaks are implemented

Controls met with Device Control and Content Aware Protection:

  • SC-7: Boundary Protection
  • SC-7(10) Prevent Exfiltration

NIST 800-171, Revision 2

Subcategories met with Device Control and Content Aware Protection:

  • PR.DS-5: Protections against data leaks are implemented

Controls met with Device Control and Content Aware Protection:

  • 3.13.1: Monitor, control, and protect communications at external boundaries
  • 3.9.2: Ensure that organizational systems containing CUI are protected during and after personnel actions such as terminations and transfers

Encrypt data transported via removable media

For organizations that require the use of portable media for the movement of data (e.g. USB flash drives), Endpoint Protector’s Enforced Encryption functionality removes the need for specialist (and expensive) hardware-based solutions, and instead applies AES 256bit encryption to files sent to any USB storage device approved for use by the organization.

NIST SP 800-53, Revision 5

Subcategories met with Enforced Encryption:

  • PR.DS-2: data in transit is protected

Controls met with Enforced Encryption:

  • SC-8: Protect the confidentiality of transmitted information
  • SC-8(1) Cryptographic Or Alternate Physical Protection

NIST 800-171, Revision 2

Not Applicable to NIST 800-171, Revision 2

Considerations for your organization

Remember, given its breadth, no one solution will fulfill all NIST Cybersecurity Framework requirements. Instead, organizations should look to combine a multiple technologies, and processes, to meet their stated goals.

Organizations should also look to understand the Control Baseline required to cover their systems by determining the criticality and sensitivity of the information to be processed, stored, or transmitted by those systems. Not all of the controls listed here apply to all Control Baseline requirements (low-impact, moderate-impact, and high-impact), as well as the privacy control baseline. Organizations should conduct a thorough evaluation of Endpoint Protector to ensure it meets your own unique compliance needs and organizations are solely responsible for determining the appropriateness of using Endpoint Protector by CoSoSys to achieve their NIST compliance.

Multi-OS

Endpoint Protector can cover your Windows, macOS, and Linux machines through a single admin console.

Deployment

Multiple deployment options to meet your requirements - including on-premise or cloud.

Data Controls

Protect PII, PCI, PHI, source code or other types of IP or CUI.

Request Demo
check mark

Your request for Endpoint Protector was sent!
One of our representatives will contact you shortly to schedule a demo.

* Your privacy is important to us. Check out our Privacy Policy for more information.