Yes, I am exaggerating. Call it artistic license. But ComplyUp and NIST 800-171 are beginning to rewire my brain.
This afternoon I held two meetings in a row. In the first meeting, we reviewed where one of our customers stood in its NIST 800-171 compliance. In today’s meeting we reviewed NIST requirements for physical security. One challenge we faced: the customer is a startup and does not really have any physical presence yet. They are in the couch surfing, WeWork life stage. Developers work from home or a shared working space.
NIST 800-171 and Office Visitors
Some of the NIST 800-171 requirements talked about the need to keep office visitors from viewing sensitive information on someone’s computer. Or seeing sensitive information sitting on a printer. Here are some of the NIST 800-171 requirements.
- Has the facility/building manager designated building areas as “sensitive” and designed physical security protections (including guards, locks, cameras, card readers, etc.) to limit physical access to the area to only authorized employees?
- Are output devices such as printers placed in areas where their use does not expose data to unauthorized individuals?
- Are lists of personnel with authorized access developed and maintained, and are appropriate authorization credentials issued?
- The requirements do not matter to the startup today. But there will be offices in the future. And we can expect that NIST 800-171 will matter as those offices are planned out.
Fast Forward to Floor Plans
On to my second meeting. We were reviewing floor plans and pictures of an office space. A startup had approached us, asking if we could take care of building out their IT network. Our CTO made a visit to the office space (his recommendation: do not visit a warehouse when the outdoor temperature is a record high) to see how complex the project might be.
As we reviewed the office floor plan, I thought about NIST 800-171. The startup told us they would be hosting visitors (customers and investors) from time to time. As I looked at the plan showing where the engineering workstations were to be located, I had to ask. Would we need to shield the startup’s sensitive information from the eyes of visitors?
It is commonplace to apply NIST 800-171 standards to organizations, systems, and applications that already exist. First, we build it. Then we worry about security. Yes, security people cringe when they hear that sentiment. But try talking to someone developing the next Web3 service (whatever that is) about the need for security. You may as well talk to your dog about security. At least your dog will stare at you, waiting to see if they get a cookie at the end of the conversation.
Balancing Today and Tomorrow
Startup people understand how critical it is to focus. Lose your focus and lose your lead. Do we broach the NIST 800-171 requirements now? Probably not. The startup has many more existential threats than NIST 800-171. Walk before you run.
As an analogy, we talked about the startup’s conference room. They want to have a state-of-the-art conference setup. We told the startup they will need to hire an audio engineer to get the acoustics right. So, when we saw in the floor plan that the conference room would be open to the rest of the space, we thought that would be a problem. It will be hard to control the audio experience in that open-concept conference room. But that is a problem for another day (and a more qualified consultant).
And so it is with NIST 800-171. We will think about how we would handle the NIST requirements down the road. For now, that is where we will leave them.