Anyone have experience with NIST 800-171 in a SaaS environment?

mnorton
Badge

anyone have experience with NIST 800-171 in a saas environment? Especially interested in vulnerability scans

This topic has been closed for comments

23 replies

bert.smith
Userlevel 2
Badge +2

As far as doing a self gap assessment, yes. In terms of official review, no.



Sent via Slack Thread
cdubs
Rank
Userlevel 3
Badge +4

As a former customer, yes! Something we went through. The big call out that we needed to map from a framework compliance standpoint was the following:

• CUI (Controlled Unclassified Information) - File Audit (scan data at rest), File Grid, User Grid, Shared With, Groups, App Permissions, Real Time Reports)
• Access Controls (Role Based Privileges)
• Security Controls (Least Privilege & Time Based Access Controls)
• Centralized Detection (Files Grid, Dashboard, Alerts Triggered)
• DLP (Content Scanning)
• Retention (Audit Logs in BCX)
• DLP Policies (Alerts + Workflows)
• Trusted Applications (Flash panel on 3rd party apps, but now we have Discover!)



Sent via Slack Thread
while(!(succeed = try()));
cdubs
Rank
Userlevel 3
Badge +4

Hopefully that helps @mnorton



Sent via Slack Thread
while(!(succeed = try()));
cdubs
Rank
Userlevel 3
Badge +4

Since BetterCloud is leveraging GCP, all Google Cloud services are in scope for NIST 800-171



Sent via Slack Thread
while(!(succeed = try()));
mnorton
Badge

Thanks @cdubs, thats a great outline. We’ve mapped a lot of that in our SSP, but any idea on SCAP compliant scans for SaaS? That’s the biggest question mark for us now, not sure how to run a vulnerability scan on our GSuite instance.



Sent via Slack Thread
cdubs
Rank
Userlevel 3
Badge +4

@mnorton ah I see. I have heard of SCAP and tools that can be used to benchmark compliance on local OS or even Google Chrome. As it pertains to SaaS, this might lean more towards how Google's GCP performs a vulnerability scan.

Tagging @mike-bc to see if he has heard of this or knows someone's shoulder we can tap on.



Sent via Slack Thread
while(!(succeed = try()));
cdubs
Rank
Userlevel 3
Badge +4

For added context: https://cloud.google.com/container-registry/docs/vulnerability-scanning



Sent via Slack Thread
while(!(succeed = try()));
cdubs
Rank
Userlevel 3
Badge +4

Also this: https://cloud.google.com/security/compliance/nist800-171



Sent via Slack Thread
while(!(succeed = try()));
bert.smith
Userlevel 2
Badge +2

Not familiar with GCP's side but I know there are others with a shared-responsibility model for cloud providers.



Sent via Slack Thread
cdubs
Rank
Userlevel 3
Badge +4

Got it, makes sense. Going to see if we can dig something up on our end!



Sent via Slack Thread
while(!(succeed = try()));
mnorton
Badge

thank you both!



Sent via Slack Thread
cmathis

What's the specific control you're trying to meet with SCAP for SaaS?



Sent via Slack Thread
cmathis

What's the specific control you're trying to meet with SCAP for SaaS?



Sent via Slack Thread
mnorton
Badge

@cmathis We are being required to perform monthly vulnerability scans on all of our systems, but most of our systems are SaaS. My understanding based on shared responsibility models is that there needs to be a way to check/report on what controls we have enabled in the SaaS tool that are actually in our realm to control. The entire 800-171 framework does not seem to work super well with SaaS (a lot of controls don’t apply/don’t make sense) so I’m trying to figure how other folks have implemented this.



Sent via Slack Thread
mnorton
Badge

@cmathis We are being required to perform monthly vulnerability scans on all of our systems, but most of our systems are SaaS. My understanding based on shared responsibility models is that there needs to be a way to check/report on what controls we have enabled in the SaaS tool that are actually in our realm to control. The entire 800-171 framework does not seem to work super well with SaaS (a lot of controls don’t apply/don’t make sense) so I’m trying to figure how other folks have implemented this.



Sent via Slack Thread
cmathis

My understanding is that we can rely on FedRAMP certifications for actual SaaS, and do monitoring on cloud hosted services that we run using something like Nessus.



Sent via Slack Thread
cmathis

No SaaS partner will let you scan their environment.



Sent via Slack Thread
bert.smith
Userlevel 2
Badge +2

That’s where I see CMMC making improvements on outdated framework controls.



Sent via Slack Thread
cmathis

There are ways to map CMMC to NIST 800-171 and show that you're doing what you need to be doing.



Sent via Slack Thread
mnorton
Badge

I was afraid of having to migrate to FedRAMP tools, that would definitely be the more compliant option and check off boxes more clearly (but $$$). CMMC is definitely the more updated framework and probably where we will look towards next



Sent via Slack Thread
cmathis

It' depends on your contract. My last federal contract was 5+ years ago, and we had few SaaS tools. Today I don't have a requirement, but I'm focusing on FedRAMP compliant or GovCloud tools, when I can. Within reason. Google is now FedRAMP moderate across Workspace, and High in some places. But Slack...I'm never going to get Slack certified. There we just have to use policy to say that things related to the contract can't be on Slack.



Sent via Slack Thread
cmathis

It's also why these companies just stick with Microsoft across the board.



Sent via Slack Thread
mnorton
Badge

Slack was actually just FedRAMP moderate authorized earlier this year
https://marketplace.fedramp.gov/#!/product/slack?sort=productName&productNameSearch=Slack



Sent via Slack Thread
Terms & ConditionsCookie settings