Hi all, I debated putting this in the Network-Wide but figured this might be a better place.
I was just hoping to find out if anyone here falls under NIST 800-171 compliance and are achieving this using the Meraki full stack?
If so, are you having to incorporate any other vendor products to meet specific network requirements?
I've only started diving into this, so take it easy on me 😉
I have nothing to do with 800-171.
Note that only meta-data goes to the Meraki cloud, not actual customer data (or in your case "controlled" data"). You might have to be careful around AMP - but it could only possibly submit something that was sent over an unsecured channel - would hopefully no one wanting 800-171 would be doing.
When I have worked with Government bodies, once I explain the different between meta data and their actual user data they seem to be ok.
You can also look at the general "trust" page:
At this point, I don't think I'm quite as worried about the "cloud-controller" meeting the compliance requirements. Most of the controls around that can be put into place easily enough.
I don't know, however, if the Meraki VPN (both client and site-to-site) holds up to the standards required. FIPS 140-2 Validated encryption, I believe. Hoping to hear some more input around that.
Sorry @SunshineJulie but I really haven't. I went through an assessment as best as I could at the time. We've tabled this for the time being as we're not currently under this requirement.
Did you happen to find any further details on this? I know that you can't find any Meraki gear listed here: https://csrc.nist.gov/projects/cryptographic-module-validation-program/validated-modules/search
My inquiry to Cisco didn't yield a good response either as I think they didn't really understand the question. I've read rumors that this is in the works and supposed to be completed in May but I think "rumor" is the key word there.
Hi @Propho, unfortunately I didn't find any further details at the time.