Special Publication

Transcription

1 Special Publication Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Patricia Toth NIST MEP

2 What is Information Security? Personnel Security Cybersecurity Operational Security Privacy Contingency Planning & Disaster Recovery Physical Security 2

3 Our appe)te for advanced technology is rapidly exceeding our ability to protect it.

4 We are vulnerable because our information technology is fragile and susceptible to a wide range of threats including: natural disasters. structural failures. cyber attacks. human errors.

5 NIST Cybersecurity Guidance FIPS Special Publications NISTIR

6 NIST Special Publica)on Rev 1 Protec)ng Controlled Unclassified Informa)on in Nonfederal Informa)on Systems and Organiza)ons December 2016 h-p://nvlpubs.nist.gov/nistpubs/specialpublica>ons/nist.sp r1.pdf

7 Controlled Unclassified Information Supports federal missions and business functions that affect the economic and national security interests of the United States.

8 Nonfederal Organiza)ons Some Examples Federal contractors, and subcontractors. State, local, and tribal governments. Colleges and universities.

9 Why is this all necessary? Over 100 different ways of characterizing SBU information. No common definition or protocols. Information inconsistently marked. Common definition and standardize processes and procedures. 9

10 The CUI Registry Online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI Executive Agent. Identifies approved CUI categories and subcategories (with descriptions of each) and the basis for controls. Sets out procedures for the use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, re-using, and disposing of the information.

11 CUI Registry Manufacturing Category-Subcategory: Category Description: Subcategory Description: Marking: Proprietary Business Information-Manufacturer Material and information relating to, or associated with, a company's products, business, or activities, including but not limited to financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications. Relating to the production of a consumer product to include that of a private labeler. MFC 11

12 The Big Picture Plan for the protec=on of CUI Federal CUI rule (32 CFR Part 2002) to establish the required controls and markings for CUI governmentwide. NIST Special Publication to define security requirements for protecting CUI in nonfederal information systems and organizations. Federal Acquisition Regulation (FAR) clause to apply the requirements of the federal CUI rule and NIST Special Publication to contractors. DFAR clause requires compliance to NIST Special Publication

13 Assump)ons Nonfederal Organizations Have information technology infrastructures in place. Not developing or acquiring systems specifically for the purpose of processing, storing, or transmitting CUI. Have safeguarding measures in place to protect their information. May also be sufficient to satisfy the CUI requirements. May not have the necessary organizational structure or resources to satisfy every CUI security requirement. Can implement alternative, but equally effective, security measures. Can implement a variety of potential security solutions. Directly or through the use of managed services.

14 Access Control. Audit and Accountability. Awareness and Training. Configuration Management. Identification and Authentication. Incident Response. Security Requirements Maintenance. 14 Families Media Protection. Physical Protection. Obtained from FIPS 200 and Personnel Security. NIST Special Publication Risk Assessment. Security Assessment. System and Communications Protection System and Information Integrity.

15 Structure of Security Requirements Security requirements have a well-defined structure that consists of the following components: Basic security requirements section. Derived security requirements section.

16 Security Requirement Awareness and Training Example Basic Security Requirements: Ensure that managers, systems administrators, and users of organiza)onal informa)on systems are made aware of the security risks associated with their ac)vi)es and of the applicable policies, standards, and procedures related to the security of those organiza)onal informa)on systems Ensure that organiza)onal personnel are adequately trained to carry out their assigned informa)on security-related du)es and responsibili)es. Derived Security Requirements: Provide security awareness training on recognizing and repor)ng poten)al indicators of insider threat.

17 Security Requirement Awareness and Training Example Basic Security Requirements: Ensure that organiza)onal personnel are adequately trained to carry out their assigned informa)on security-related du)es and responsibili)es. Mee:ng the Requirement: Basic security awareness training to new employees. Security awareness training to users when informa)on system changes. Annual security awareness refresher training.

18 Security Requirement Awareness and Training Example Basic Security Requirements: Ensure that organiza)onal personnel are adequately trained to carry out their assigned informa)on security-related du)es and responsibili)es. Mee:ng the Requirement: Security awareness and training policy. Security awareness training materials. Security plan; training records; other relevant documents or records. Personnel with responsibili)es for security awareness training.

19 Security Requirement Configura>on Management Example Basic Security Requirements: Establish and maintain baseline configura)ons and inventories of organiza)onal informa)on systems (including hardware, sosware, firmware, and documenta)on) throughout the respec)ve system development life cycles Establish and enforce security configura)on seungs for informa)on technology products employed in organiza)onal informa)on systems. Derived Security Requirements: Track, review, approve/disapprove, and audit changes to informa)on systems Analyze the security impact of changes prior to implementa)on Define, document, approve, and enforce physical and logical access restric)ons associated with changes to the informa)on system

20 Security Requirement Configura>on Management Example Basic Security Requirements: Establish and maintain baseline configura)ons and inventories of organiza)onal informa)on systems (including hardware, sosware, firmware, and documenta)on) throughout the respec)ve system development life cycles. Mee:ng the Requirements: Develops, documents and maintains a current baseline configura)on of the informa)on system Configura)on control in place.

21 Security Requirement Configura>on Management Example Basic Security Requirements: Establish and maintain baseline configura)ons and inventories of organiza)onal informa)on systems (including hardware, sosware, firmware, and documenta)on) throughout the respec)ve system development life cycles. Mee:ng the Requirements: Configura)on management policy; procedures and plan. Documenta)on for Enterprise architecture or informa)on system design. Informa)on system configura)on seungs and associated documenta)on. Change control records. Personnel with configura)on management responsibili)es. System/network administrator.

22 Security Requirement Access Control Example Basic Security Requirements: Limit system access to authorized users, processes ac)ng on behalf of authorized users, or devices (including other systems) Limit system access to the types of transac)ons and func)ons that authorized users are permi]ed to execute. Derived Security Requirements: Control the flow of CUI in accordance with approved authoriza)ons Separate the du)es of individuals to reduce the risk of malevolent ac)vity without collusion Employ the principle of least privilege, including for specific security func)ons and privileged accounts Use non-privileged accounts or roles when accessing non-security func)ons Prevent non-privileged users from execu)ng privileged func)ons and audit the execu)on of such func)ons Limit unsuccessful logon a]empts.

23 Security Requirement Access Control Example Derived Security Requirements: Limit unsuccessful logon a]empts. Mee:ng the Requirements: Limit number of consecu)ve invalid logon a]empts allowed during a )me period. Account lockout )me period automa)cally enforced by the informa)on system when max number of unsuccessful logon a]empts is exceeded. Locks the account/node un)l released by an administrator. Delays next logon prompt according to the organiza)on-defined delay algorithm. Access control policy and procedures addressing unsuccessful logon a]empts. Personnel with informa)on security responsibili)es; system developers; system/ network administrators

24 Security Requirement Access Control Example Derived Security Requirements: Limit unsuccessful logon a]empts. Mee:ng the Requirements: Access control policy and procedures addressing unsuccessful logon a]empts. Personnel with informa)on security responsibili)es; system developers; system/ network administrators

25 DFARS If the Offeror proposes to vary from any of the security requirements specified by NIST SP that are in effect at the >me the solicita>on is issued or as authorized by the Contrac>ng Officer, the Offeror shall submit to the Contrac>ng Officer, for considera>on by the DoD Chief Informa>on Officer (CIO), a wri-en explana>on of (A) (B) Why a par>cular security requirement is not applicable; or How an alterna>ve but equally effec>ve, security measure is used to compensate for the inability to sa>sfy a par>cular requirement and achieve equivalent protec>on. 25

26 Meeting SP Some security controls may not be applicable to your environment. Build off you are currently doing. Other ways to meet the requirements. 26

27 Meeting SP More cost effective approach Isolate CUI into its own security domain by applying architectural design concepts Security domains may employ physical separation, logical separation, or a combination of both. Use the same CUI infrastructure for multiple government contracts or agreements. 27

28 NIST MEP Activities Help MEP Centers assist small manufacturers meet Training FAQs Guidance Tools Work with NIST to develop A Develop criteria for selecting cybersecurity assessors Closely monitor DFAR developments 28

29 Contact Info: Pat Toth NIST MEP