As many manufacturing companies are aware, NIST SP 800-171 and DFARS compliance are top of mind, particularly when working with a cloud-based software vendor. We have prepared the checklist below to walk through each of the 14 control families of NIST SP 800-171 and how we satisfy them. If you have any questions, do not hesitate to reach out!
For starters, all data retrieved from factory equipment is sent to our cloud service over an encrypted connection. Access to that data is gated by cryptographic keys both in flight and at rest in the cloud. Sensitive data such as G-code is not sent to the cloud by default; it is only collected when you request a customer-specific feature that needs it.
Access to your web portal is limited to the United States by default, and can be locked down further to your specific facility on request. Datanomix employs only U.S. citizens and does not use offshore contractors.
- Access Control: Data is accessible only to you, the end customer, and our support team. Access is controlled by IP address, authentication, geo-location, and cryptographic keys.
- Awareness and Training: Our team conducts quarterly reviews of our cybersecurity infrastructure and policies and makes recommendations and adjustments in line with best practices.
- Audit and Accountability: Records of every access to both your web portal and our internal systems are retained indefinitely. Accesses from new or unexpected locations are flagged, and Datanomix Support is notified when one is detected.
- Configuration Management: We worked directly with the Microsoft Azure team to build a secure network architecture in which our own services must present cryptographic keys to access any data within our system.
- Identification and Authentication: Only Datanomix employees and authorized customer users have access to data.
- Incident Response: If a breach occurs, the affected customer will be notified of the timing and nature of the breach within 4 hours. Note that DFARS 252.204-7012 separately requires you, as the contractor, to report cyber incidents involving covered defense information to DoD within 72 hours of discovery, so plan your own reporting process around that window.
- Maintenance: The Datanomix team takes full responsibility for keeping all of its underlying systems current with the latest security patches. Updates are applied automatically as dictated by security notices and bulletins from our providers.
- Media Protection: Backups are stored in Microsoft Azure, accessible only by cryptographic key, and segmented by customer.
- Physical Protection: Datanomix employees and Microsoft Azure employees are the only ones with access to physical devices that contain data.
- Personnel Security: Datanomix has only U.S.-based employees, all of whom are American citizens. Customers authorize their own users for access.
- Risk Assessment: Logs are assessed in real time for potential access threats, and Datanomix Support is notified of any unexpected access attempts.
- Security Assessment: Datanomix continually reviews the latest security practices and recommendations of its vendors, such as Microsoft Azure, and implements such architecture or service changes where appropriate.
- System and Communications Protection: Data is encrypted in transit and at rest, and protected from access using cryptographic keys.
- System and Information Integrity: Possible threats are identified systematically in real time, with a human reviewing them within 6 hours in the worst case.
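The Access Control, Audit and Accountability, and Risk Assessment items above all describe the same kind of check: portal logins are compared against an allowed region (the United States by default, optionally a customer's own facility ranges) and against where each user has been seen before, and anything unexpected is flagged for Support. The script below is an added illustration of that logic, not Datanomix's own detection code. The log format, the IP-to-country table, the customer name "acme" and its facility ranges are all constructed for the example; a real deployment would read its geo data from a GeoIP database and its logs from the portal's audit trail.

```python
import ipaddress

# Constructed stand-in for a GeoIP lookup (prefix -> ISO country code); a real
# deployment would query a GeoIP database or the cloud provider's metadata.
GEO_TABLE = {
    "203.0.113.0/24": "US",
    "198.51.100.0/24": "US",
    "192.0.2.0/24": "DE",
}

# Constructed policy mirroring the page: U.S. only by default, and one customer
# ("acme", hypothetical) has asked to be locked down further to its facility ranges.
ALLOWED_COUNTRIES = {"US"}
FACILITY_CIDRS = {
    "acme": [ipaddress.ip_network("198.51.100.0/24"),
             ipaddress.ip_network("203.0.113.0/25")],
}

# Constructed access-log lines: timestamp customer user source-ip outcome.
SAMPLE_LOG = """\
2024-05-01T08:00:00Z acme alice 198.51.100.10 success
2024-05-01T08:05:00Z acme alice 198.51.100.11 success
2024-05-01T09:10:00Z acme bob 203.0.113.7 success
2024-05-01T22:45:00Z acme alice 192.0.2.5 failure
2024-05-02T03:00:00Z acme bob 203.0.113.7 success
2024-05-02T03:01:00Z acme carol 203.0.113.200 success
"""


def country_of(ip):
    """Map a source IP to a country code. Anything not in the table is 'unknown'
    and therefore fails the allowed-region check rather than passing silently."""
    addr = ipaddress.ip_address(ip)
    for prefix, cc in GEO_TABLE.items():
        if addr in ipaddress.ip_network(prefix):
            return cc
    return "unknown"


def parse_line(line):
    ts, customer, user, ip, outcome = line.split()
    return {"ts": ts, "customer": customer, "user": user, "ip": ip, "outcome": outcome}


def classify(ev, known):
    """Return an alert reason for one event, or None if it is routine.
    `known` maps (customer, user) -> set of countries seen on successful logins."""
    cc = country_of(ev["ip"])
    addr = ipaddress.ip_address(ev["ip"])
    key = (ev["customer"], ev["user"])
    if cc not in ALLOWED_COUNTRIES:
        return f"outside allowed region ({cc})"
    facility = FACILITY_CIDRS.get(ev["customer"])
    if facility and not any(addr in net for net in facility):
        return "outside customer facility range"
    seen = known.setdefault(key, set())
    if cc not in seen:
        # First time this user appears from this country: alert. Only a
        # successful login extends the baseline; a failed attempt never does,
        # so an attacker cannot whitelist a location by guessing passwords.
        if ev["outcome"] == "success":
            seen.add(cc)
        return f"first access from {cc}"
    return None


def evaluate(log_text, known=None):
    """Run every line through classify(); returns [(timestamp, user, reason), ...].
    Pass the same `known` dict across runs so the baseline carries over."""
    known = {} if known is None else known
    alerts = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        reason = classify(ev, known)
        if reason:
            alerts.append((ev["ts"], ev["user"], reason))
    return alerts


if __name__ == "__main__":
    for ts, user, reason in evaluate(SAMPLE_LOG):
        print(f"{ts} {user}: {reason}")
```

On the constructed log this raises four alerts: alice's and bob's first U.S. logins (seeding their baselines), alice's failed attempt from a German address (outside the allowed region, and not added to her baseline because it failed), and carol's login from a U.S. address outside acme's facility ranges. Run a second time with the same `known` dict, only the two policy violations remain, which is the behaviour you want from a "new or unexpected location" rule: noisy on day one, quiet once a user's normal locations are learned, and never quiet about locations the policy forbids.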