The operational standards included in SAM-Protect have been developed to meet the requirements of the NIST SP 800-171 Standard - Protecting Controlled Unclassified Information (CUI) in Non-federal Information Systems and Organizations.
While NIST SP 800-171 specifically applies to organizations using government information, it is equally applicable to organizations that have a desire to mitigate information security risk by implementing comprehensive measures and mechanisms to ensure that information and information systems are utilized and managed in accordance with the best practice security principles of confidentiality, integrity and availability.
In the Dashboard overview of the system we have used Functions derived from the NIST Cybersecurity Framework. However, we have added a Manage Function and, because NIST SP 800-171 makes no reference to the Recover Function, omitted it from our system. The Categories represent the major headings in NIST SP 800-171 with the addition of Governance and Remediation Response.
The individual controls within SAM-Protect are derived from the sources quoted within NIST SP 800-171 (e.g., relevant security controls) and include NIST SP 800-53 r5 and ISO/IEC 27002:2013 Standards. Where practicable, references to the CIS Controls v6.1 are also included, as these complement the other sources and provide a pragmatic and practical approach to enhancing information system security.
Where important security controls could not be correlated with the NIST SP 800-171 Security Requirements, we have taken the liberty of adding these in separate work plans.
SAM-Protect Management Methodology
SAM-Protect tracks compliance against five major functional requirements for the protection of information.
At the base level of SAM-Protect are the Workplans with targets derived from the Relevant Security Requirements documented within NIST SP 800-171. Establishing the level of completeness within these Workplans allows you to develop an overall picture of how effective your NIST SP 800-171 related controls are, and quickly identify areas that need extra activity.
The requirements documented within each work plan are cross-referenced to the source where applicable.
In common with all of the SAM for Compliance systems, integrated Action and Task Managers help you through the remediation and improvement process, while the built-in Reports give you the ability to easily communicate your compliance status to the Executive or compliance bodies.