2018 SRAI Annual Meeting October Dana Rewoldt, CRA, Associate Director of OIPTT, Iowa State University, Ames, IA, USA

Transcription

1 2018 SRAI Annual Meeting October Dana Rewoldt, CRA, Associate Director of OIPTT, Iowa State University, Ames, IA, USA

2 Controlled Unclassified Information Regulations: Practical Processes and Negotiations A DFAR Case Study a fairytale study about CUI Governmentlandia, its Gala 7012 Cybersecurity Ball, and Securella How Securella: navigated the cyber choices and the 7012 Ball intrigue acted boldly working with a magic IT wand of glittering Cyber controls hurried to meet midnight timelines slipped into a perfect cyber slipper for her research information foot CELEBRATED in a cyber secured research environment with glittering controls 2

3 What is Controlled Unclassified Information (CUI)? Controlled Unclassified Information (CUI)-32 CFR chap XX (c) - Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls ( 3

4 Controlled Unclassified Information Regulations: CUI Regulations-require management and safeguarding practices for CUI information which impact: federal agencies, state, tribal and local governments academia industry 4

5 Controlled Unclassified Information Regulations: CUI What is the Controlled Unclassified Information (CUI) program? CUI Program s initial goal: standardize procedures develop consistent CUI definitions provide a uniform method of marking and safeguarding CUI eliminate needless restrictions 5

6 CUI REGISTRY CUI Program, provides management tools for marking, safeguarding, sending, disseminating, using, destroying, managing and protecting unclassified information. CUI Registry -lists an index of categories and subcategories -provides descriptions -identifies the basis for CUI controls 6

7 Index of CUI From Registry Critical Infrastructure Defense Export Control Financial Immigration Intelligence International Agreements Law Enforcement Legal Natural and cultural Resources NATO Nuclear Patent Privacy Procurement and Acquisition Proprietary Business Information Provisional Statistical Tax Transportation 7

8 DFAR and Dept. of Defense Thanks to TPAC at Georgia Tech Enterprise Innovation Institute, the Georgia Tech Procurement Assistance Center (TPAC) for producing this short training video for compliance with DFAR

9 Controlled Unclassified Information (CUI) Program How did we get here (DFAR )? /11 Commission Report-recommended across agency data sharing Executive Order established Controlled Unclassified Information (CUI) program with: National Archives and Records Administration (NARA) was Executive Agent (EA) of compliance by agencies NARA formed CUI Office Director for the Information Security Oversight Office (ISOO) is Director of CUI Office CFR Part 2002-Controlled Unclassified Information is effective (NIST SP Revision 1 implementation deadline Dec. 2017) 9

10 Controlled Unclassified Information Regulations: CUI NARA joined with NIST and the Department of Defense to develop Special Publication (SP) , Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. This outlines the Security information Systems and physical environment controls for managing the safeguarding requirements for CUI. 10

11 Defense Federal Acquistion Regulation Supplement DFARS DFARS requires contractors to protect CUI security. To protect CUI in nonfederal information systems, NIST (a non-regulatory agency of the U.S. Department of Commerce) developed a special publication- NIST SP Revision 1 NIST Revision 1 provides 14 families of security controls and 110 security requirements for adequate cybersecurity for information systems. 11

12 National Institute of Standards and Technology (NIST) Special Publication (SP) Revision 1 To comply with regulations to implement safeguards for the security of CUI, contractors had to comply with NIST SP Revision 1 s list of cybersecurity measures for 110 security requirements by Dec. 31,

13 NIST 14 Security Families Access Control Awareness and Training Audit and Accountability Configuration Management Identification and Authentication Incident Response Maintenance Media Protection Personnel Security Physical Protection Risk Assessment Security Assessment System and Communications Protection System and Information Integrity 13

14 NIST Revision 1 Compliance Plans-SSP & POA DOD guidance indicates that compliance with NIST is shown with two plans: System Security Plan (SSP) Plan of Action (POA) (with Milestones) (POAM) System Security Plan (SSP)-describes implemented and not yet implemented security requirements. Plan of Action-lists when and how: unimplemented requirements will be implemented, planned mitigations will be used and deficiencies will be remedied. 14

15 Announcement of the Gala 7012 Cybersecurity Ball 15

16 Controlled Unclassified Information (CUI) related FAR and DFAR clauses. Controlled Unclassified Information (CUI)- Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government- wide policy requires or permits an agency to handle using safeguarding or dissemination controls ( DFARS Clause Safeguarding Covered Defense Information and Cyber Incident Reporting- at ISU triggers need for review by Export Control, and IT DFARS Clause Disclosure of Information- at ISU triggers need for publication waiver, Export control & IT review if not removable DFARS Clause Compliance With Safeguarding Covered Defense Information Controls- Found in Solicitation- If Project is not fundamental research, may want to consider budgeting for any appropriate IT compliance costs in proposal FARS Clause Basic Safeguarding of Contractor Information Systems- may want to consider IT Security

17 Gala 7012 Cybersecurity Ball bring choices 17

18 FAR Clause Basic Safeguarding of Covered Contractor Information Systems- If information cannot be publically released and it is provided by or generated for Federal agency under agreement then the associate University information/computer system must have minimum basic safeguards in place This clause will be flowed down to any subcontractor Applying the NIST SP Revision 1 security requirements, is suggested to comply with the CUI Federal Acquisition Regulation (FAR) clause NIST Self Assessment Handbook T.HB.162

19 The intrigue at the Gala 7012 Cybersecurity Ball! 19

20 DFARS Clause Disclosure of Information- WATCH OUT CLAUSE Under this Clause Information Cannot be Released At Iowa State University, if clause is not removable, this clause triggers Request for Publication Waiver consideration of use of graduate students on project Need for Export Control Review/IT Security Review Exceptions allowing release of information are: if you receive prior written approval to release information; or, If you receive prior written notice that: A) information is not CUI and B) the contracting officer in writing states information is fundamental research

21 The Sisters 21

22 DFARS Clause Safeguarding Covered Defense Information and Cyber Incident Reporting- Government has created a standard for treating CUI - information that needs safeguarding or dissemination controls- CUI can be from Government or created by PI Requires implementing NIST SP Revision 1 security on the relevant information systems - Government will mark covered information with Controlled either in contract or when provided- PI should likewise appropriately mark Need to control access to Information with adequate security including IT security if it is CUI CUI is present - security must be in place - IT will need to understand the Information environment and then put in place the appropriate IT security

23 ISU Process for CUI 23

24 Fairy Godmothers are welcome! 24

25 NIST Revision 1 NIST Revision 1 Checklist List which systems, labs, offices, and personnel will have CUI Minimize information systems and environment of CUI Limit Access to CUI Analyze Existing and Missing Controls under NIST SP Revision 1 Evaluate costs for needed physical and infrastructure controls Use template for System Security Plan, and Plan of Action for remedying missing controls Institute 72-hour Cyber incident reporting Train CUI users on CUI in best practices, security risks Build in continuous monitoring 25

26 Training on CUI security ISU has workshops provided by IT on NIST security controls ISOO provides 7 online videos to help researchers understand CUI Marking CUI Marking commingled CUI Controlled Environments Destruction of CUI Lawful Government Purpose Freedom of Information Act FAQs -about CUI and FOIA. Freedom of Information Act Panel Discussion (updated August 7, 2018): 26

27 Securella 27

28 Is a CUI waiver request appropriate? Is a CUI Waiver request needed? 1) Analyze: Is the research ITAR? Or otherwise export controlled? Get facts on statement of work from PI; Ask PI why this is Fundamental Research; Discuss Fundamental Research position & get export control s decision. Yes, move forward with CUI cybersecurity controls. No, analyze for CUI. 1) Analyze: Will CUI be received or generated? Yes, move forward with CUI cybersecurity controls. No, draft a CUI waiver request.

29 The cybersecurity dance 29

30 CUI Waiver Request Elements of a CUI Waiver request 1) Request Waiver of DFAR CUI and DFAR ) Cite-Fundamental Research memorandum May 24, 2010 from the Under Secretary of Defense 3) Provide Explanation and State Facts - To show why this research work is fundamental research Use factual, detailed explanation concerning deliverables under scope of research If any government information is to be received, show how information is in public knowledge Use any related previous publications on this type of research to show fundamental research Explain why the CUI category does not fit this research (if needed) Clearly establish and state researcher will not receive or generate CUI 4) Request A Written Statement from Contracting Officer Stating Research is fundamental research, not CUI and publication restriction is self deleting.

31 Waiver Request Letter Re: Request for Recognition of Fundamental Research Dear Sponsor: University (name) respectfully requests that Sponsor request the Contract Officer to remove of waiver the DFARS clauses and from the UNIVERSITY subcontract under Sponsor s prime (contract Title) CUSTOMER CONTRACT XXXXXX-XX-X-XXXX. The purpose of DFARS clause is to establish a policy for information that qualifies as controlled unclassified information (CUI). UNIVERSITY is conducting fundamental research under this subcontract. Because UNIVERSITY will not receive or generate CUI, the policy and the clauses implementing protection of such CUI are not applicable to this subcontract and should be removed through waiver or self-deletion. DFARS clause , and DFARS should not be used with fundamental research, when CUI is not involved in the work, according to NARA s comments in 32 CFR and he Undersecretary of Defense Memo of May 24, UNIVERSITY s Work is fundamental research and CUI will not be involved. A. NOTES: Why University s subcontract work is not CUI? Show that University s work is fundamental research. Provide the facts and explanation concerning subcontractor s work that is in the statement of work. Focus on nature of the subcontract work, and fully describe why it is fundamental research. If a lot of work under subcontract uses published techniques, cite publications of these techniques. Example: The University s research is fundamental research, to develop use of generic (not specific to any covered information) techniques to detect certain subclass of XXXX. These are fundamental, well known and published techniques applied at system level. University will only demonstrate these known techniques in a generic setting without the use of any CUI. University will then deliver these techniques and their results which fundamental research results and not CUI to Sponsor. UNIVERSITY will not have access to any sensitive, specific CUI of interest to Government or receive any such CUI from the Government. UNIVERSITY will not have access to any CUI or covered defense information in this work. B. OPTIONAL NOTES: If Contracting officer ask you to prove why this work should not be treated as CUI, then provide the category/ subcategory and an explanation concerning why subcontractor s work in the statement of work does not fit a category/subcategory. Focus on nature of the subcontract work, and fully describe why it is instead fundamental research outside of such category. C. As indicated above, this subcontractor work is fundamental research and as such the University anticipates that its researcher will publish, release and disseminate the work to the public. There is no anticipation that any covered defense information or controlled unclassified information will be needed, used or generated in this work. The University respectfully requests a waiver of thesedfars clauses, for this fundamental research work. Removal of these clauses complies with the comments of the National Archives and Records Administration s (NARA) Comments in 32 CFR which states contracts or solicitations for projects in which CUI will not be involved should not include requirements for handling CUI. and with the statements of the Undersecretary of Defense Memo of May 24, 2010 which states DoD fully supports free and scientific exchanges and dissemination of research results to the maximum extent possible. That letter also indicates that, The DoD will place no other restrictions on the conduct or reporting of unclassified fundamental research, except as otherwise required by applicable federal statutes, regulations, or executive orders II. Summary and Request for Action UNIVERSITY will not receive, access, or generate CUI; therefore, the UNIVERSITY requests the Contracting Officer to please remove the DFARS and the DFARS clauses from UNIVERSITY s subcontract and indicate in writing that University s work is fundamental research. Alternatively, if the Contracting Officer cannot delete or remove theses clauses, then the UNIVERSITY respectfully requests that the Government s Contracting Officer provide a written statement that this subcontract work is fundamental research that does not involve CUI and thus the mandatory flow down clauses associated with CUI handling requirements are waived or are to be considered self-deleting. Please contact me with your written response, or if you need any questions addressed. Thank you. Sincerely, 31

32 UNDER SECRETARY OF DEFENSE MEMO RE: FUNDAMENTAL RESEARCH 32

33 Hurry, Hurry! Time is running out! 33

34 Waiver Request Responses Case 1-Export Controlled status and DFARs and are retained Case 2-DFARs and are not clearly waived by contracting officer; thus are presumed retained Case 3-2-DFARs and are in writing by Contracting Officer waived. 34

35 Securella s slipper fits! 35

36 They contracted for Happily Ever After! 36

37 Resources NIST Handbook 162, NIST MEP Cybersecurity, Self-Assessment Handbook, For Assessing NIST SP Security Requirements in Response to DFARS Cybersecurity Requirements; CUI Registry (see istry/category-list) Under Secretary of Defense May 24, 2010 memo on fundamental Research Policy/2010%20Policy%20Memor anda/fundamentalresearch.pdf Under Secretary of Defense May 24, 2010 memo on fundamental Research Policy/2010%20Policy%20Memor anda/fundamentalresearch.pdf CUI training Videos from ISOO 018/08/06/cui-updated-trainingvideos/ Georgia Tech Enterprise Innovation Institute, the Georgia Tech Procurement Assistance Center (TPAC) 37

38 Thank you! Questions? Dana Rewoldt, CRA, Iowa State University, Ames, Iowa US 38