Why is the CUI Program necessary?

Similar documents
ISOO CUI Overview for ACSAC

Executive Order 13556

NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015

Outline. Why protect CUI? Current Practices. Information Security Reform. Implementation. Understanding the CUI Program. Impacts to National Security

NIST Special Publication

Outline. Other Considerations Q & A. Physical Electronic

SAC PA Security Frameworks - FISMA and NIST

Federal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats

2018 SRAI Annual Meeting October Dana Rewoldt, CRA, Associate Director of OIPTT, Iowa State University, Ames, IA, USA

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

DFARS Defense Industrial Base Compliance Information

Controlled Unclassified Information (CUI) and FISMA: an update. May 12, 2017 Mark Sweet, Nancy Lewis, Grace Park Stephanie Gray, Alicia Turner

New Process and Regulations for Controlled Unclassified Information

Special Publication

Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP Revision 1)

Cybersecurity Risk Management

PilieroMazza Webinar Preparing for NIST SP December 14, 2017

Tinker & The Primes 2017 Innovating Together

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

Compliance with NIST

UCOP ITS Systemwide CISO Office Systemwide IT Policy

ROADMAP TO DFARS COMPLIANCE

Get Compliant with the New DFARS Cybersecurity Requirements

Cybersecurity Challenges

INTRODUCTION TO DFARS

Safeguarding Controlled Unclassified Information and Cyber Incident Reporting. Kevin R. Gamache, Ph.D., ISP Facility Security Officer

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)

Assessing Security Requirements for Controlled Unclassified Information

Rev.1 Solution Brief

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

DFARS Cyber Rule Considerations For Contractors In 2018

DOD s New Cyber Requirements: Impacts on DOD Contractors and Subcontractors

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

HIPAA Security and Privacy Policies & Procedures

Information Security Issues in Research

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

Preparing for NIST SP January 23, 2018 For the American Council of Engineering Companies

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Interagency Advisory Board Meeting Agenda, December 7, 2009

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

Industry Perspectives on Active and Expected Regulatory Actions

DEFENSE LOGISTICS AGENCY AMERICA S COMBAT LOGISTICS SUPPORT AGENCY. Cyber Security. Safeguarding Covered Defense Information.

INFORMATION ASSURANCE DIRECTORATE

Cyber Security Challenges

2017 SAME Small Business Conference

Business Partner Security Standard

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

David Missouri VP- Governance ISACA

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

Safeguarding unclassified controlled technical information (UCTI)

DRAFT. NIST MEP CYBERSECURITY Self-Assessment Handbook

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

MNsure Privacy Program Strategic Plan FY

COMPLIANCE SCOPING GUIDE

Security and Privacy Governance Program Guidelines

Safeguarding Unclassified Controlled Technical Information

Cybersecurity for Government Contractors: Preparing for Cyber Incidents in 2017

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Open Data Policy City of Irving

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

PRIVACY STATEMENT +41 (0) Rue du Rhone , Martigny, Switzerland.

ACTION: Notice of modification to existing systems of records. General and Customer Privacy Act Systems of Records. These modifications are

Legal, Ethical, and Professional Issues in Information Security

8/28/2017. What Is a Federal Record? What is Records Management?

New Cyber Rules. Are You Ready? Bob Metzger, RJO Dave Drabkin, DHG Tom Tollerton, DHG. Issues in Focus Webinar Series. government contracting

SYSTEMS ASSET MANAGEMENT POLICY

FedRAMP Security Assessment Framework. Version 2.0

Red Flags/Identity Theft Prevention Policy: Purpose

Course No. S-3C-0001 Student Guide Lesson Topic 5.1 LESSON TOPIC 5.1. Control Measures for Classified Information

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

5/6/2013. Creating and preserving records that contain adequate and proper documentation of the organization.

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

NASA Policy Directive

Big Brother is Watching Your Big Data: z/os Actions Buried in the FISMA Security Regulation

Cyber Security Challenges

COMPLIANCE IN THE CLOUD

ICBA Summary of FFIEC Cybersecurity Assessment Tool (May 2017 Update)

B. To ensure compliance with federal and state laws, rules, and regulations, including, but not limited to:

INFORMATION ASSURANCE DIRECTORATE

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

01.0 Policy Responsibilities and Oversight

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Handbook Webinar

DISADVANTAGED BUSINESS ENTERPRISE PROGRAM. Unified Certification Program OKLAHOMA

DEPARTMENT OF HOMELAND SECURITY RECORDS MANAGEMENT HANDBOOK

Inspector General. Report on the Peace Corps Information Security Program. Peace Corps Office of. Background FISCAL YEAR 2017

DATA PROCESSING AGREEMENT

Transatlantic Cybersecurity: The Need for Regulatory Coordination

SANMINA CORPORATION PRIVACY POLICY. Effective date: May 25, 2018

The NIST Cybersecurity Framework

FedRAMP Security Assessment Framework. Version 2.1

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Quick Start Strategy to Compliance DFARS Rob Gillen

GAO. HOMELAND SECURITY OMB s Temporary Cessation of Information Technology Funding for New Investments

Information Technology Security Plan Policies, Controls, and Procedures Identify Risk Assessment ID.RA

Transcription:

Why is the CUI Program necessary? Executive departments and agencies apply their own ad-hoc policies and markings to unclassified information that requires safeguarding or dissemination controls, resulting in: An inefficient patchwork system with more than 100 different policies and markings across the executive branch Inconsistent marking and safeguarding of documents Unclear or unnecessarily restrictive dissemination policies Impediments to authorized information sharing 2

What are the benefits of the CUI Program? One uniform, shared, and transparent system for safeguarding and disseminating CUI that: Establishes common understanding of CUI control Promotes information sharing Reinforces existing legislation and regulations Clarifies difference between CUI controls and FOIA exemptions 3

Executive Order 13556 Established CUI Program Executive Agent (EA) to implement the E.O. and oversee department and agency actions to ensure compliance An open and uniform program to manage all unclassified information within the executive branch that requires safeguarding and dissemination controls as required by law, regulation, and Government-wide policy 4

Where do we begin? Define the world of CUI EO 13556 called for a review of the categories, subcategories, and markings currently used by agencies to control unclassified information. Agencies submitted to the CUI Executive Agent what they were protecting and the basis for that protection Over 2,200 submissions were received Information types were grouped together, legal authorities were examined, and a CUI Registry was published. 5

Approved CUI Categories 23 Categories 84 Subcategories Agriculture Controlled Technical Information Critical Infrastructure Emergency Management Export Control Financial Geodetic Product Information Immigration Information Systems Vulnerability Information International Agreements Intelligence Law Enforcement Legal North Atlantic Treaty Organization (NATO) Nuclear Patent Privacy Procurement and Acquisition Proprietary Business Information SAFETY Act Information Statistical Tax Transportation Information related to proceedings in judicial or quasi-judicial settings. Subcategories: Administrative Proceedings* Collective Bargaining Federal Grand Jury* Privilege Witness Protection* Refers to personal information, or, in some cases, personally identifiable information, as defined in OMB-M-07-16, or means of identification as defined in 18 USC 1028(d)(7). Subcategories: Contract Use Death Records Genetic Information* Health Information* Inspector General* Military Personnel* Student Records* 6

Online Registry http://www.archives.gov/cui 23 Categories 84 Sub-categories 315 Control citations 106 Sanction citations 7

32 CFR 2002 One uniform and consistent policy applied to a defined and organized body of information 8

32 CFR 2002 (June 2016) Implements the CUI Program Establishes policy for designating, handling, and decontrolling information that qualifies as CUI Describes, defines, and provides guidance on the minimum protections for CUI Physical and Electronic Environments Destruction Marking Sharing Emphasizes unique protections described in law, regulation, and/or Government-wide policies (authorities) These protections must continue as described in the underlying authorities. 9

CUI Basic versus CUI Specified CUI Basic = LRGWP identifies an information type and says protect it. CUI Specified = LRGWP identifies an information type and says protect it but specifies exactly how to should be protected or handled. 10

Implementation Activities within Executive Branch Day 0 180 Year 1 180 Year 2 Policy Training Physical Safeguarding Develop and Publish Policy (Planning) (Planning) Develop and Publish Component Policy Develop and Deploy Training Complete CUI Training Implement Physical Safeguarding Systems Self- Inspection Assessment of Systems Develop Systems Transition Strategy Initiate Internal Oversight 11

NIST Special Publication 800-171 This publication provides federal agencies with recommended requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information systems and organizations; (ii) when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and (iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. 12

Development of Requirements The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53. Starting with the FIPS Publication 200 security requirements and the security controls in the moderate baseline (i.e., the minimum level of protection required for CUI in federal information systems and organizations), the requirements and controls are tailored to eliminate requirements, controls, or parts of controls that are: 1. Uniquely federal (i.e., primarily the responsibility of the federal government); 2. Not directly related to protecting the confidentiality of CUI; or 3. Expected to be routinely satisfied by nonfederal organizations without specification. 13

CUI Approach for Contractor Environment Government E.O. 13556 Registry 32 CFR 2002 NIST SP 800-171 FAR Industry Until the formal process of establishing a single FAR clause takes place, the CUI requirements in NIST SP 800-171 may be referenced in federal contracts consistent with federal law and regulatory requirements. 1 Year 14

Questions? 15

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback