CUI compliance: The proxy approach
- By Andrew Hosch
- Apr 02, 2018
The Dec. 31 deadline for federal agencies' compliance with the National Institute of Standards and Technology's SP 800-171 Rev. 1 guidelines has come and gone, but implementing NIST requirements for controlled unclassified information (CUI) in a widespread manner -- without taking on extra complexity and cost -- can still be accomplished.
Instead of taking a scattershot approach, in many cases user and administrative access can be funneled through a single proxy, so that all the NIST controls are centralized in one place. Logging, multifactor authentication, session timeout -- along with all other controls -- can be located at the proxy. In addition to being easier to set up and maintain, this approach can be less expensive than applying controls throughout the site.
The proxy approach can also be used to protect legacy systems that would otherwise be expensive to upgrade and protect.
Some types of proxies include Windows Remote Desktop, virtual desktop technologies like Citrix, virtual private networks and reverse proxies such as Squid. The most effective proxy depends on what kinds of systems are being protected.
The approaches below are meant to illustrate how implementing single-point interfaces can help protect CUI. A single-point solution is created by isolating the CUI onto a segmented network and then putting a proxy-like technology in front of it that handles both access and management.
Scenario 1: A single Windows system running a web-based application that doesn’t support session timeout, encrypted connections or other CUI mandates.
Approach: Place a Remote Desktop server in front of the system to provide encryption and session timeout and to act as a central location for logging. This single point can also have multifactor authentication applied to it.
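As an added illustration (not code from the article or from Base2 Solutions) of the controls that end up at the single point in this scenario, the following is a reverse-proxy variant of the same idea: the legacy application never gains session timeout, MFA or audit logging, so the proxy enforces them on every request before forwarding. The timeout values, cookie name and function names are assumptions chosen for the example.

```python
"""Session gate for a single-point proxy in front of a legacy CUI web app.
Added example, not from the original article; constants are assumed values."""
import secrets
import time
from http.cookies import SimpleCookie

IDLE_TIMEOUT = 15 * 60      # end the session after this much inactivity (assumed)
MAX_LIFETIME = 8 * 60 * 60  # absolute cap on a session, active or not (assumed)


class SessionGate:
    def __init__(self):
        self._sessions = {}  # token -> {"user", "created", "last_seen"}
        self.audit = []      # central audit trail: one record per decision

    def _log(self, now, event, user, **extra):
        self.audit.append({"ts": now, "event": event, "user": user, **extra})

    def login(self, user, password_ok, mfa_ok, now=None):
        """Issue a session only after both factors were verified at the proxy."""
        now = time.time() if now is None else now
        if not (password_ok and mfa_ok):
            self._log(now, "login_denied", user, mfa=mfa_ok)
            return None
        token = secrets.token_urlsafe(32)  # 256-bit random, unguessable token
        self._sessions[token] = {"user": user, "created": now, "last_seen": now}
        self._log(now, "login", user)
        return token

    def authorize(self, token, path, now=None):
        """Run on every proxied request; returns the user name or None."""
        now = time.time() if now is None else now
        sess = self._sessions.get(token)
        if sess is None:
            self._log(now, "denied_no_session", None, path=path)
            return None
        idle, age = now - sess["last_seen"], now - sess["created"]
        if idle > IDLE_TIMEOUT or age > MAX_LIFETIME:
            del self._sessions[token]  # terminate at the proxy; app never knows
            self._log(now, "session_terminated", sess["user"], path=path,
                      reason="idle" if idle > IDLE_TIMEOUT else "lifetime")
            return None
        sess["last_seen"] = now
        self._log(now, "request", sess["user"], path=path)
        return sess["user"]


def proxy_decision(gate, headers, path, now=None):
    """Pre-forward check: 200 means relay to the legacy app, 401 means refuse."""
    cookie = SimpleCookie(headers.get("Cookie", ""))
    token = cookie["cui_session"].value if "cui_session" in cookie else ""
    user = gate.authorize(token, path, now)
    return (200, user) if user else (401, None)
```

In a real deployment the proxy would also terminate TLS in front of the application, so that the encryption mandate is met at the same single point as the timeout and logging.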
Scenario 2: A long-standing suite of applications and systems with multiple technologies contains an entire CUI workflow.
Approach: Consolidate the systems onto a single network. Place a VPN system in front to provide encryption and session timeout and to act as a central location for logging and monitoring. This single point can also have MFA applied to it.
Scenario 3: Multiple projects come into and out of existence based on different contracts. Different people need access to different projects. Data ingress and egress are especially important.
Approach: Establish enclaves on a secure cloud -- one for each project. In each enclave, set up a transition zone between the outside and the inside systems where data ingress and egress will be examined. Place a multifactor VPN in front of the enclave, and control access to each at the enclave point.
Applying NIST controls can seem overwhelming. But if the CUI can be consolidated onto a protected network where it can be physically isolated, applying a single-point proxy can accelerate and simplify compliance.
Andrew Hosch runs the security and development groups at Base2 Solutions.