COMPLIANCE

Simple Solutions for New Regulatory Challenges


New regulatory requirements for supply chain security and firmware integrity have created a security gap: most organizations lack in-house expertise in these areas, and their existing cybersecurity tools do not meet the detailed regulatory requirements for their industry.

Eclypsium is purpose-built to solve these problems, providing organizations with a simple, highly automated platform for ensuring the security of their technology supply chains and the integrity of their devices and underlying firmware.


NIST Guidance on Supply Chain Security and Firmware Integrity

Many industry cybersecurity regulatory standards adopt supply chain security and firmware integrity guidance from NIST, including the FBI Criminal Justice Information Services (CJIS) Security Policy and the Centers for Medicare & Medicaid Services (CMS) Acceptable Risk Safeguards (ARS).

High-level Security Goals

  • Executive Order 14028: Improving the Nation’s Cybersecurity

Technical Controls to Implement Those Goals

  • NIST SP 800-53: Security and Privacy Controls for Information Systems and Organizations

Detailed Guidance on Key Topics

  • Supply Chain: NIST SP 800-161, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations
  • Integrity: NIST SP 1800-34, Validating the Integrity of Computing Devices
  • Firmware: NIST SP 800-193, Platform Firmware Resiliency Guidelines

High-Level Direction

At the highest level, Executive Order 14028, Improving the Nation’s Cybersecurity, defined a set of security priorities and directed NIST and other agencies to deliver on them. The Executive Order placed particular emphasis on supply chain security, firmware, and device integrity. You can read more on this topic here (PDF).

Security Controls to Execute the Vision

At the technical level, NIST SP 800-53 defines the actual security controls that should be used to protect systems and assets. EO 14028 provides the direction; SP 800-53 defines how to carry it out. SP 800-53 is an enormously influential document and is the parent document on which many industry-specific regulations are based. Supply chain, integrity, and firmware are again key points in the latest revision (Rev. 5) of SP 800-53. These topics are addressed across many controls and control families, with notable examples including SI-7 Software, Firmware, and Information Integrity and an entirely new control family, SR (Supply Chain Risk Management). Learn more in our blog post.

Detailed Technical Guidance

Security practice is more than just a set of technical controls, so in addition to SP 800-53, NIST also produced detailed guidance on key topics. Not surprisingly, supply chain, integrity, and firmware each received their own special publication. These special publications are listed above, along with more information on how organizations can use Eclypsium to implement each of them.

Industry and Agency Regulations

Federal agencies and regulatory bodies have used these sources to craft detailed policies and requirements that are tuned to their unique needs and risk profiles. Often, regulations begin at a federal agency and then spread to state and local governments as well as the private sector. This is because several regulations focus on the protection of federal data that is shared with non-federal organizations. For example, CJIS regulations define how the FBI’s data must be protected when used by outside agencies. Here are a few key examples:

Defense Industrial Base

NIST SP 800-171 sets detailed requirements for how non-federal organizations must protect Controlled Unclassified Information (CUI). The Defense Industrial Base (DIB) includes every organization that contracts with the DoD, as well as the manufacturers that supply products and services to those contractors and to federal agencies. Broadly speaking, then, SP 800-171 applies to the extended DoD supply chain.

SP 800-171 largely follows the controls defined in SP 800-53 described earlier. As such, supply chain security, system integrity, and firmware are all heavily represented. This includes specific requirements in the areas of Access Control, Configuration Management, Incident Response, Maintenance, Risk Assessment, Security Assessment, System and Communications Protection, and System and Information Integrity.

Eclypsium provides an automated and vendor-agnostic approach to meeting these many requirements. The platform provides scanning and assessment of assets and components to proactively validate their integrity, find and remediate vulnerabilities, and detect and respond to implants and threats.

  • Read our white paper to learn more about how Eclypsium can help address NIST SP 800-171 requirements.

Law Enforcement

The FBI’s Criminal Justice Information Services division (CJIS) shares critical data such as fingerprints and criminal histories with a wide range of state and local law enforcement agencies. The CJIS Security Policy defines auditable cybersecurity requirements for how those agencies must protect the FBI’s information.

The CJIS Security Policy relies heavily on the security controls defined in NIST SP 800-53. As a result, device and firmware integrity have become hard requirements in the latest round of CJIS audits.

Eclypsium provides a simple way for law enforcement agencies to meet these new firmware and integrity requirements without the need for specialized skills or time-consuming analysis. Scans can quickly verify the integrity of critical code and assets and provide guidance to remediate any problems that are found. 

  • Read our blog for more information on how Eclypsium can help address CJIS Security Policy Requirements.
  • Read our case study to learn more about how Eclypsium helped Florida Law Enforcement agencies achieve CJIS compliance.

Healthcare and Insurance

CMS Acceptable Risk Safeguards (ARS) define how Medicare and Medicaid data must be protected both within the CMS and also when shared with outside organizations such as healthcare and insurance providers.  

The technical requirements are based on NIST’s SP 800-53 security controls and other federal regulations such as FedRAMP. The CMS ARS puts a strong focus on firmware and supply chain security. This includes requirements tied to SI-07 – Software, Firmware, and Information Integrity as well as SR – Supply Chain Risk Management. 

Once again, Eclypsium provides a straightforward way to address these new requirements. Automated scans can verify the integrity of all critical code and components within a wide range of asset types. These scans can also validate the authenticity of newly acquired assets and verify that they match the specifications defined in vendor software bills of materials (SBOMs).

  • Read our blog for more information on how Eclypsium can help address CMS ARS Requirements.

Financial Services

As the most heavily regulated industry in the private sector, financial services organizations are unsurprisingly facing increased pressure to improve firmware and supply chain security. Often these changes are the result of updates to the security frameworks that are already in use. For example, NIST’s Cybersecurity Framework (CSF) is one of the most heavily used security frameworks in financial services. The CSF in turn directly references SP 800-53 and its focus on firmware and supply chain security described above.

Additionally, industry-specific best practices such as the FFIEC IT Examination Handbook have been updated with an increased focus on supply chain and firmware security. Section II.C.14 is dedicated to safeguarding against risks and attacks in the technology supply chain including:

  • Only making purchases through reputable sellers who demonstrate an ability to control their own supply chains.
  • Purchasing hardware and software through third parties to shield the institution’s identity.
  • Reviewing hardware for anomalies.
  • Using automated software testing and code reviews for software.
  • Regularly reviewing the reliability of software and hardware items purchased through activity monitoring and evaluations by user groups.

Likewise, the document calls out the need to closely monitor firmware and low-level code, particularly in the context of vulnerability and configuration management.

  • Read our case study to learn more about how First Financial achieved FFIEC compliance by securing their firmware.

IT Equipment Manufacturing

The U.S. Office of Management and Budget (OMB) has established enhanced requirements to ensure technology providers are following NIST’s Secure Software Development Framework (SSDF) guidelines. This supply chain security attestation requires technology vendors to be accountable for the security of their whole product—even open source and third-party components that they did not build themselves. The burden falls on the “producer of the end product,” meaning the vendor or manufacturer that packages the components together, not the upstream suppliers or the downstream resellers. 

And like other industry requirements, the government specifically calls out that these requirements extend to firmware by specifically defining ‘software’ as “…firmware, operating systems, applications, and application services (e.g., cloud-based software), as well as products containing software.” 

Eclypsium vastly simplifies the security attestation process by providing verification and assurance for the software, firmware, and hardware components within IT infrastructure.

  • Read our blog for more information on how Eclypsium can help address attestation requirements established by EO 14028 and associated SSDF practices and tasks.

Utilities

NERC Reliability Standard CIP-010-3, Requirement R1 Part 1.6, specifically targets software integrity and authenticity (the North American Transmission Forum, NATF, has published implementation guidance for it). The requirement is notable for framing the issue in terms of supply chain risk management: it stems from the FERC directive that NERC develop “security controls for supply chain management for industrial control system hardware, software, and services associated with bulk electric system operations”. Before software is installed on a BES (Bulk Electric System) Cyber System, Part 1.6 requires organizations to:

  • Verify software authenticity to ensure that the software being installed in the BES Cyber System is from a legitimate source.

  • Verify software integrity to ensure that the software being installed in the BES Cyber System has not been modified from its original obtained source.

Eclypsium provides an automated method to verify software authenticity and integrity as defined by CIP-010-3 R1 Part 1.6. The platform maintains an up-to-date library of valid industry firmware and software and performs cryptographic checks to ensure that the firmware has not been altered or tampered with. The platform can provide ongoing monitoring to identify any unexpected changes after the code or asset has been deployed. Eclypsium likewise can automatically identify vulnerabilities in critical code including code that is not properly signed by the vendor.
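As an added illustration of the two Part 1.6 checks (this is example code written for this page, not Eclypsium's code and not part of the original text), the Go program below verifies a constructed firmware release in the order a practitioner should: it first checks the vendor release manifest's Ed25519 signature against a vendor public key pinned out of band (authenticity, 1.6.1), and only then compares the image's SHA-256 against the digest the signed manifest lists for that file (integrity, 1.6.2). The manifest format, file names, image bytes and key handling are all assumptions made for the example; the vendor and attacker key pairs are generated in-process solely so the program runs stand-alone, whereas an operator would hold only the vendor's public key.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Manifest is a hypothetical vendor release manifest (an assumption for this
// example): one expected SHA-256 digest per file in the release. The vendor
// signs the JSON encoding of this struct with its Ed25519 release key.
type Manifest struct {
	Product string            `json:"product"`
	Version string            `json:"version"`
	Files   map[string]string `json:"files"` // filename -> hex SHA-256
}

var (
	ErrAuthenticity = errors.New("authenticity check failed: manifest signature does not verify under the pinned vendor key")
	ErrIntegrity    = errors.New("integrity check failed: image digest does not match the signed manifest")
	ErrNotListed    = errors.New("integrity check failed: file is not listed in the signed manifest")
)

// SignManifest is the vendor-side step at release time. It is included only so
// the example runs stand-alone; an operator never holds the vendor private key.
func SignManifest(priv ed25519.PrivateKey, m Manifest) (raw, sig []byte, err error) {
	raw, err = json.Marshal(m) // map keys are sorted, so the encoding is stable
	if err != nil {
		return nil, nil, err
	}
	return raw, ed25519.Sign(priv, raw), nil
}

// VerifyRelease performs the CIP-010-3 R1 Part 1.6 checks in order:
//  1. authenticity: the manifest must verify under the vendor public key that
//     was pinned out of band (never fetched from the same download location);
//  2. integrity: the SHA-256 of the image must equal the digest the signed
//     manifest lists for that filename.
// The manifest is parsed only after its signature verifies, so untrusted JSON
// never reaches the parser. Only when both checks pass should the image be
// allowed to reach the BES Cyber System.
func VerifyRelease(vendorPub ed25519.PublicKey, rawManifest, sig []byte, filename string, image []byte) error {
	if !ed25519.Verify(vendorPub, rawManifest, sig) {
		return ErrAuthenticity
	}
	var m Manifest
	if err := json.Unmarshal(rawManifest, &m); err != nil {
		return fmt.Errorf("manifest parse: %w", err)
	}
	wantHex, ok := m.Files[filename]
	if !ok {
		return ErrNotListed
	}
	want, err := hex.DecodeString(wantHex)
	if err != nil {
		return fmt.Errorf("manifest digest for %s is not hex: %w", filename, err)
	}
	sum := sha256.Sum256(image)
	if !bytes.Equal(sum[:], want) {
		return ErrIntegrity
	}
	return nil
}

// Scenario builds a constructed release (not a real vendor image) and runs the
// verifier against a clean image, a tampered image, and a manifest re-signed by
// an attacker's key. It returns the three verdicts so they can be inspected.
func Scenario() (clean, tampered, forgedManifest error) {
	vendorPub, vendorPriv, _ := ed25519.GenerateKey(rand.Reader)
	const name = "relay-fw-2.1.0.bin"
	image := []byte("CONSTRUCTED-FIRMWARE-IMAGE relay-fw 2.1.0")
	sum := sha256.Sum256(image)
	m := Manifest{Product: "relay-fw", Version: "2.1.0",
		Files: map[string]string{name: hex.EncodeToString(sum[:])}}
	raw, sig, _ := SignManifest(vendorPriv, m)

	clean = VerifyRelease(vendorPub, raw, sig, name, image)

	bad := append([]byte{}, image...)
	bad[len(bad)-1] ^= 0x01 // a single flipped bit, e.g. a trojaned download
	tampered = VerifyRelease(vendorPub, raw, sig, name, bad)

	// An attacker who controls the download site can publish a manifest whose
	// digest matches the modified image, but cannot sign it with the vendor key.
	_, attackerPriv, _ := ed25519.GenerateKey(rand.Reader)
	badSum := sha256.Sum256(bad)
	m2 := m
	m2.Files = map[string]string{name: hex.EncodeToString(badSum[:])}
	raw2, sig2, _ := SignManifest(attackerPriv, m2)
	forgedManifest = VerifyRelease(vendorPub, raw2, sig2, name, bad)
	return clean, tampered, forgedManifest
}

func main() {
	clean, tampered, forged := Scenario()
	fmt.Println("clean image:     ", clean)
	fmt.Println("tampered image:  ", tampered)
	fmt.Println("forged manifest: ", forged)
}
```

The third scenario is the one that a hash-only check misses: a digest published next to the download proves integrity relative to that download site, not that the release came from the legitimate source. Authenticity only holds if the verification key is obtained and pinned independently of the download channel, which is why the signature check runs first and the manifest is not parsed until it passes.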

Other Regulated Industries

NIST publications such as SP 800-53 and the Cybersecurity Framework are used by organizations of all sizes and industries as a way to ensure a comprehensive approach to security. Likewise, many industry-specific regulations are heavily modeled on or reference these core NIST documents. 

This means that heavily regulated industries will increasingly need to include supply chain security, asset integrity, and firmware security as part of their security practices. Eclypsium provides the simplest, most comprehensive way to address these emerging needs with a bare minimum of new effort.