TAR rules, just like other federal rules make it very difficult for small business to function. The rules are written specifically without specifics. They tell you what must be done, but not the how to do it. The rules are written that way to leave it up to businesses to come up with the solutions for compliance that fit their business needs. Where most small businesses want, “Just tell me what I need to do and how to do it and I will figure a way to get it done.”
——–Non used wall data ports to be “inactive”.
You can either disable the ports at the switch for unused jacks, or install a NAC/NAP software. The idea is to keep unknown devices from plugging into your network and capturing regulated data.
——–Workstation chassis intrusion detection.
This is to know if someone opened the case on a computer and either removed the hard drive or cloned the hard disk, copying off any regulated data. WFIW, most Dell business class desktops have this intrusion detection switch already installed.
——–BIOS passwords
You apply a bios password to keep bad guys from changing your boot settings so they can boot from a usb flash drive getting around any system locks on the OS. FWIW, you should have the workstation set to only boot from the hard drive and all other boot devices must be disabled.
——–Active Directory auditing and changes
This is required to show that no one made changes to AD permissions without proper authorization. Both Netwrix and a few others in the community have AD auditing tools that can help here.
——–Data inventory and security tiering.
This is just about know where your regulated data is and who has access to it. It is much easier to wall off regulated data onto its own file server or network share where access can be restricted to ONLY those people who need access to their bits of the regulated data to do their specific job.
——–Enable HDD encryption on all mobile devices.
Here it is a given, you need some type of full hard drive encryption with pre-boot authorization. Its been a while since I looked at the regulations, but your FDE may need to support fips 140-2. For your mobile devices you can provide a company owned sandbox for regulated files and emails. If you use something like good for enterprise application you can grant user’s access to company mail and services within the sandbox. And you have the ability to turn off sandbox access remotely. But the last thing you need is to mix regulated data (emails) with the user’s personal emails on their mobile device. That is a regulatory quagmire.
——–Dedicated LUN for ITAR files and activity
Again this is about putting all regulated data into one bucket, and knowing who has access to that bucket. Consider using the principle of least privileges here.
——–Attachment tagging per domain
Again this is intended to protect sensitive data from going places it shouldn’t You may be able to comply with this, with end user training. I.E don’t send regulated data via email, unless it is encrypted. And know who you are sending it to.
——–Cell phones
Its not so much about cell phones as a phone, its more about a cell phone as a portable storage device. Unless you have usb port control (and certain circumstances even if you do), don’t allow users to plug cell phones or portable storage devices into computers where regulated data exists, even for charging purposes. I do remember something about a key logger being installed on a suspect computer and that key logger was introduced because of a suspicious cell phone was plugged into a computer for “charging only” reasons. Was not a fun time in that office trying to explain that.
——–VPN audit
VPN access must only be granted to those individuals who need it to perform the function of their job. Again, this is intended to control who has access to regulated data. Its best to have your regulated data in a location that can’t be access (walled off) remotely. What you have now is a big hole, and an auditor will dig a bigger one for you. I suggest that you get control of this resource quickly. You should also look into two factor authentication (i.e. something you have and something you know)
——–EOL and compliance
Regulated data must be protected at all times. Running out of date or unpatched software is a regulatory no-no. Consider how many vulnerabilities have come out since Exchange 2003 went EOS. Everything should be current, patched and supported (not meaning you have a support contract).
You will find out if you want to sell to the government you will need to spend some money. But also look at it as if you didn’t have these regulations, you’d still be running exchange 2003 in 2023. Us this as an opportunity to get your environment current.