Compliance Discussion: NIST 800-171 capable with Meraki Full Stack?

WadeAlsup
A model citizen

Compliance Discussion: NIST 800-171 capable with Meraki Full Stack?

Hi all, I debated putting this in the Network-Wide but figured this might be a better place. 

 

I was just hoping to find out if anyone here falls under NIST 800-171 compliance and are achieving this using the Meraki full stack? 

 

If so, are you having to incorporate any other vendor products to meet specific network requirements? 

 

I've only started diving into this, so take it easy on me 😉


Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂
10 Replies 10
PhilipDAth
Kind of a big deal
Kind of a big deal

I have nothing to do with 800-171.

 

Note that only meta-data goes to the Meraki cloud, not actual customer data (or in your case "controlled" data").  You might have to be careful around AMP - but it could only possibly submit something that was sent over an unsecured channel - would hopefully no one wanting 800-171 would be doing.

 

When I have worked with Government bodies, once I explain the different between meta data and their actual user data they seem to be ok.

 

You can also look at the general "trust" page:

https://meraki.cisco.com/trust

WadeAlsup
A model citizen

At this point, I don't think I'm quite as worried about the "cloud-controller" meeting the compliance requirements. Most of the controls around that can be put into place easily enough. 

 

I don't know, however, if the Meraki VPN (both client and site-to-site) holds up to the standards required. FIPS 140-2 Validated encryption, I believe. Hoping to hear some more input around that. 


Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂
SunshineJulie
New here

Have you discovered anymore offline?
WadeAlsup
A model citizen

Sorry @SunshineJulie but I really haven't. I went through an assessment as best as I could at the time. We've tabled this for the time being as we're not currently under this requirement. 


Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂
Propho
Conversationalist

Hi Wade,

Did you happen to find any further details on this?  I know that you can't find any Meraki gear listed here: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search

 

My inquiry to Cisco didn't yield a good response either as I think they didn't really understand the question.  I've read rumors that this is in the works and supposed to be completed in May but I think "rumor" is the key word there.

WadeAlsup
A model citizen

Hi @Propho, unfortunately I didn't find any further details at the time.


Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂
ptsy
New here

Have you had any luck in finding our if the Meraki Stack are NIST 800-171 compliant?

iQueMeraki
New here

I see this thread is a couple of years old. I am hoping there has been an update to the Meraki Line of products and NIST. Has anyone found out anymore regarding if Meraki MX and Full stack are NIST  800-171 Complaint?

PhilipDAth
Kind of a big deal
Kind of a big deal

I don't know anything about NIST 800-171, but reading about it, this seems to be the key points required:

 

https://www.kelsercorp.com/blog/everything-you-need-to-know-about-nist-800-171 

 

  1. Access Control: Who is authorized to view this data?
  2. Awareness and Training: Are people properly instructed in how to treat this info?
  3. Audit and Accountability: Are records kept of authorized and unauthorized access? Can violators be identified?
  4. Configuration Management: How are your networks and safety protocols built and documented?
  5. Identification and Authentication: What users are approved to access CUI and how are they verified prior to granting them access?
  6. Incident Response: What’s the process if a breach or security threat occurs, including proper notification.
  7. Maintenance: What timeline exists for routine maintenance, and who is responsible?
  8. Media Protection: How are electronic and hard copy records and backups safely stored? Who has access?
  9. Physical Protection: Who has access to systems, equipment and storage environments?
  10. Personnel Security: How are employees screened prior to granting them access to CUI?
  11. Risk Assessment: Are defenses tested in simulations? Are operations or individuals verified regularly?
  12. Security Assessment: Are processes and procedures still effective? Are improvements needed?
  13. System and Communications Protection: Is information regularly monitored and controlled at key internal and external transmission points?
  14. System and Information Integrity: How quickly are possible threats detected, identified and corrected?

 

It doesn't seem like there is anything Meraki can do to be "compliant".  It seems like these are things you need to do. 

iQueMeraki
New here

@PhilipDAth I get what you're saying however there are requirements for those working on DoD contracts. More specifically, I am trying to determine or get Meraki to provide a document that may speak to FAR 52.204-25 (Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment) and GSAR 552.204-70. Thx for the comments...great argument. Any additional  contribution would be helpful Community!

 

 

Get notified when there are additional replies to this discussion.