NIST 800-171 Compliance

National Institue of Standards and technology (NIST) Special Publication 800-171 or NIST-SP800-171, specifies requirements for non-Federal computer systems that store, process, or transmit Controlled Unclassified Information (CUI), or provide security protection for such systems. You may be required to comply with these requirements for certain government contracts, especially defense related contracts.

To help you meet the 800-171 requirements specified in the NIST-800-171 Rev 1 publication (updated June 2018), Encyro follows the following cyber-security safeguards.

1. Access to information in your Encyro account is controlled using strong passwords*, that must contain characters from all four of uppercase letters, lowercase letters, numbers, and special characters.
2. Each account owner is only allowed to perform authorized transactions. For organization level accounts, fine grained permission controls are offered.
3. Access control is verified on each device a user may access the secured data from.
4. Unsuccessful login attempts are counted and thwarted.
5. You are automatically logged out of your Encyro account if left unattended for more than 15 minutes* (NIST 800-171 requirements for session locks and termination).
6. Cryptographic mechanisms are employed to protect information in transit. Separate encryption keys are used for connection to each device, to limit data leaks in case of key compromises or malicious user logins.
7. All data at rest is protected using FIPS-140-2 validated cryptography.
8. End-to-end encryption from Encyro’s servers to your browser is employed to protect against eves-dropping on any wired or wireless networks (cellular, WiFi, public or shared Wifi in locations such as hotels, in-flight, at hot-spots) used for connecting your devices.
9. Encyro provides you with account level audit logs to review your account activity. For organizational accounts, designated administrators are also granted access to account audit logs for other users within your organization. Audit logs are timestamped with network synchronized clock time and are stored on encrypted and secured storage with remote backup.
10. Technology vulnerabilities such as SQL injection attacks, denial of service attacks, and rainbow attacks are addressed using industry standard protection methods.
11. Multiple layers of firewalls are used to prevent unauthorized access to Encyro’s systems.
12. All external or third party systems that Encyro uses to store encrypted data have been reviewed for security safeguards and standards compliance.
13. Encyro does not store any of your data on portable or mobile devices. All data is stored only in highly secure data centers with both physical and digital security safeguards.
14. All application software, platform software, and configuration changes are reviewed for security, recorded in timestamped systems, and tested in sand-boxed environments before deployment in production.
15. Incident handling procedures to preserve stored data, restore access to it, and recover losses are in place.
16. Triple redundancy encrypted backups within each data center and encrypted replication at two or more distant data centers is employed.
17. Organizational security measures including personnel screening and training are in place.
18. Risk assessments and vulnerability scans are performed as required. Threat models are maintained and updated to provide an accurate analysis of system boundaries, threats, and corresponding safeguards. All security concerns are noted immediately upon discovery and prioritized for implementation as needed.
19. Our systems are constantly monitored and automated alerts are sent to Encyro’s senior management in case of any unexpected system level issues.

*You must activate your compliance settings to meet these requirements. When logged in to Encyro, go to Settings and click on Compliance in the left panel to review your current settings. Here you may enable strong passwords and automatic log-off upon inactivity, among other options.

Additional security safeguards in use at Encyro are described here.

Note that the NIST 800-171 requirements apply to all your data storage and processing, and not just for the data stored or transmitted using Encyro. To enhance the security of your computers at your office as well as laptops or mobile devices used in field operations or at other sites, you may wish to consult our security blog, for articles on enforcing screen locks for all users (when they leave their computer unattended), whole disk encryption, enforcing strong passwords, encrypting your WiFi network, and physical device security.

For additional assistance, do not hesitate to contact us.