Compliance Discussion: NIST 800-171 capable with Meraki Full Stack?

WadeAlsup
A model citizen

Hi all, I debated putting this in the Network-Wide but figured this might be a better place. 

 

I was just hoping to find out if anyone here falls under NIST 800-171 compliance and are achieving this using the Meraki full stack? 

 

If so, are you having to incorporate any other vendor products to meet specific network requirements? 

 

I've only started diving into this, so take it easy on me 😉


Found this helpful? Give me some Kudos! (click on the little up-arrow below) and If my reply solved your issue, please mark it as a solution 🙂
10 Replies
PhilipDAth
Kind of a big deal

I have nothing to do with 800-171.

 

Note that only metadata goes to the Meraki cloud, not actual customer data (or in your case "controlled" data). You might have to be careful around AMP - but it could only possibly submit something that was sent over an unsecured channel, which hopefully no one wanting 800-171 would be doing.

 

When I have worked with Government bodies, once I explain the difference between metadata and their actual user data they seem to be ok.

 

You can also look at the general "trust" page:

https://meraki.cisco.com/trust

At this point, I don't think I'm quite as worried about the "cloud-controller" meeting the compliance requirements. Most of the controls around that can be put into place easily enough. 

 

I don't know, however, if the Meraki VPN (both client and site-to-site) holds up to the standards required. FIPS 140-2 Validated encryption, I believe. Hoping to hear some more input around that. 



Have you discovered any more offline?

Sorry @SunshineJulie but I really haven't. I went through an assessment as best as I could at the time. We've tabled this for the time being as we're not currently under this requirement. 


Propho
Conversationalist

Hi Wade,

Did you happen to find any further details on this?  I know that you can't find any Meraki gear listed here: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search

 

My inquiry to Cisco didn't yield a good response either as I think they didn't really understand the question.  I've read rumors that this is in the works and supposed to be completed in May but I think "rumor" is the key word there.
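The two questions raised above (does the Meraki VPN use FIPS 140-2 validated encryption, and why no Meraki gear appears in the CMVP validated-modules search) hinge on a distinction worth making concrete: using FIPS-approved algorithms is necessary but not sufficient. FIPS 140-2 validation is a property of a specific cryptographic module (hardware plus firmware version) holding a CMVP certificate, and no configuration review can establish it. The script below is an added example, not code from this thread, from Meraki or from Cisco. It checks a constructed IKE/IPsec proposal (cipher, integrity algorithm, DH group) against the FIPS 140-2 Annex A and SP 800-131A algorithm lists as summarised in its comments, and keeps module validation as a separate input that has to come from the CMVP search. The `Proposal` and `fips_posture` names, the proposal values and the strength table are the author's own assumptions; verify them against the current NIST text before relying on them in an assessment.

```python
"""Check an IKE/IPsec proposal against FIPS-approved algorithm lists.

Added example for this thread; not Meraki code or a Meraki document. The
proposals are constructed. The tables below summarise FIPS 140-2 Annex A
and SP 800-131A as the author understands them; verify against the
current NIST text before relying on them for an assessment.
"""
from dataclasses import dataclass, field
from typing import Optional

# Symmetric ciphers: AES approved; Triple-DES is legacy (encryption
# disallowed after 2023 under SP 800-131A); DES and null never approved.
CIPHER_STATUS = {
    "aes128": "approved", "aes192": "approved", "aes256": "approved",
    "3des": "legacy", "des": "disallowed", "null": "disallowed",
}
# Integrity: SHA-2 family approved; HMAC-SHA-1 still approved as a MAC;
# MD5 is not an approved algorithm at all.
HASH_STATUS = {
    "sha256": "approved", "sha384": "approved", "sha512": "approved",
    "sha1": "approved", "md5": "disallowed",
}
# IKE DH groups -> security strength in bits (SP 800-57 Part 1 Table 2).
# SP 800-131A requires at least 112 bits: MODP-2048 (group 14) or the
# NIST ECC groups 19/20; groups 1, 2 and 5 fall short.
DH_STRENGTH_BITS = {1: 56, 2: 80, 5: 90, 14: 112, 15: 128, 16: 152, 19: 128, 20: 192}
MIN_STRENGTH_BITS = 112


@dataclass
class Proposal:
    cipher: str
    integrity: str
    dh_group: Optional[int]  # None in phase 2 means PFS disabled


@dataclass
class Verdict:
    approved: bool = True
    findings: list = field(default_factory=list)

    def fail(self, msg: str) -> None:
        self.approved = False
        self.findings.append(msg)


def assess(p: Proposal, phase: int) -> Verdict:
    """Flag every component of one proposal that is not FIPS-approved."""
    v = Verdict()
    status = CIPHER_STATUS.get(p.cipher.lower(), "unknown")
    if status != "approved":
        v.fail(f"phase {phase}: cipher {p.cipher} is {status}")
    status = HASH_STATUS.get(p.integrity.lower(), "unknown")
    if status != "approved":
        v.fail(f"phase {phase}: integrity {p.integrity} is {status}")
    if p.dh_group is None:
        if phase == 1:
            v.fail("phase 1: no DH group; IKE key exchange must use approved DH")
        else:
            # PFS off is a design weakness, not a FIPS algorithm violation,
            # so it is recorded without failing the proposal.
            v.findings.append("phase 2: PFS disabled; SA keys derive from phase 1 secret only")
    else:
        bits = DH_STRENGTH_BITS.get(p.dh_group)
        if bits is None:
            v.fail(f"phase {phase}: DH group {p.dh_group} not in approved table")
        elif bits < MIN_STRENGTH_BITS:
            v.fail(f"phase {phase}: DH group {p.dh_group} gives {bits}-bit strength, need {MIN_STRENGTH_BITS}")
    return v


def fips_posture(phase1: Proposal, phase2: Proposal, module_validated: bool) -> dict:
    """Combine algorithm checks with the module's CMVP status.

    module_validated must be sourced from the CMVP validated-modules search
    for the exact hardware and firmware in use; a config review cannot
    establish it, which is why it is an explicit input here."""
    v1, v2 = assess(phase1, 1), assess(phase2, 2)
    algs_ok = v1.approved and v2.approved
    return {
        "algorithms_approved": algs_ok,
        "module_validated": module_validated,
        "fips_claim_supportable": algs_ok and module_validated,
        "findings": v1.findings + v2.findings,
    }


if __name__ == "__main__":
    # Constructed proposals, not taken from any real dashboard.
    strong = Proposal("aes256", "sha256", 14)
    weak = Proposal("3des", "md5", 2)
    print(fips_posture(strong, strong, module_validated=False))
    print(fips_posture(weak, Proposal("aes128", "sha1", None), module_validated=False))
```

The point the verdict makes is the one this thread keeps circling: a tunnel negotiated with AES-256/SHA-256/group 14 has `algorithms_approved` true but `fips_claim_supportable` false until the specific module shows up on the CMVP list, so an assessor will ask for the certificate number, not the cipher list.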

Hi @Propho, unfortunately I didn't find any further details at the time.



Have you had any luck in finding out if the Meraki stack is NIST 800-171 compliant?

I see this thread is a couple of years old. I am hoping there has been an update to the Meraki line of products and NIST. Has anyone found out any more regarding whether the Meraki MX and full stack are NIST 800-171 compliant?

PhilipDAth
Kind of a big deal

I don't know anything about NIST 800-171, but reading about it, these seem to be the key points required:

 

https://www.kelsercorp.com/blog/everything-you-need-to-know-about-nist-800-171 

 

  1. Access Control: Who is authorized to view this data?
  2. Awareness and Training: Are people properly instructed in how to treat this info?
  3. Audit and Accountability: Are records kept of authorized and unauthorized access? Can violators be identified?
  4. Configuration Management: How are your networks and safety protocols built and documented?
  5. Identification and Authentication: What users are approved to access CUI and how are they verified prior to granting them access?
  6. Incident Response: What’s the process if a breach or security threat occurs, including proper notification.
  7. Maintenance: What timeline exists for routine maintenance, and who is responsible?
  8. Media Protection: How are electronic and hard copy records and backups safely stored? Who has access?
  9. Physical Protection: Who has access to systems, equipment and storage environments?
  10. Personnel Security: How are employees screened prior to granting them access to CUI?
  11. Risk Assessment: Are defenses tested in simulations? Are operations or individuals verified regularly?
  12. Security Assessment: Are processes and procedures still effective? Are improvements needed?
  13. System and Communications Protection: Is information regularly monitored and controlled at key internal and external transmission points?
  14. System and Information Integrity: How quickly are possible threats detected, identified and corrected?

 

It doesn't seem like there is anything Meraki can do to be "compliant".  It seems like these are things you need to do. 

@PhilipDAth I get what you're saying; however, there are requirements for those working on DoD contracts. More specifically, I am trying to determine or get Meraki to provide a document that may speak to FAR 52.204-25 (Prohibition on Contracting for Certain Telecommunications and Video Surveillance Services or Equipment) and GSAR 552.204-70. Thanks for the comments... great argument. Any additional contribution would be helpful, Community!
