ISOO CUI Overview for ACSAC

Similar documents
Why is the CUI Program necessary?

NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015

Outline. Why protect CUI? Current Practices. Information Security Reform. Implementation. Understanding the CUI Program. Impacts to National Security

Executive Order 13556

Federal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats

SAC PA Security Frameworks - FISMA and NIST

2018 SRAI Annual Meeting October Dana Rewoldt, CRA, Associate Director of OIPTT, Iowa State University, Ames, IA, USA

NIST Special Publication

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

Outline. Other Considerations Q & A. Physical Electronic

Click to edit Master title style

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

DFARS Defense Industrial Base Compliance Information

AB1-3 Keeping People Safe and Secure in Federal Facilities

New Process and Regulations for Controlled Unclassified Information

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Cybersecurity Risk Management

National Policy and Guiding Principles

Section One of the Order: The Cybersecurity of Federal Networks.

PilieroMazza Webinar Preparing for NIST SP December 14, 2017

National Science and Technology Council. Interagency Working Group on Digital Data

THE WHITE HOUSE. Office of the Press Secretary EXECUTIVE ORDER

National Strategy for CBRNE Standards

UCOP ITS Systemwide CISO Office Systemwide IT Policy

THE WHITE HOUSE Office of the Press Secretary EXECUTIVE ORDER

Mitigation Framework Leadership Group (MitFLG) Charter DRAFT

ESTABLISHMENT OF AN OFFICE OF FORENSIC SCIENCES AND A FORENSIC SCIENCE BOARD WITHIN THE DEPARTMENT OF JUSTICE

DFARS Cyber Rule Considerations For Contractors In 2018

Presidential Executive Order on Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Cybersecurity & Privacy Enhancements

THE WHITE HOUSE. Office of the Press Secretary. EMBARGOED UNTIL DELIVERY OF THE PRESIDENT'S February 12, 2013 STATE OF THE UNION ADDRESS

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC

ROADMAP TO DFARS COMPLIANCE

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Special Publication

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

Introduction brief to the ISCe Satellite and Communications Conference

Safeguarding Controlled Unclassified Information and Cyber Incident Reporting. Kevin R. Gamache, Ph.D., ISP Facility Security Officer

Get Compliant with the New DFARS Cybersecurity Requirements

Controlled Unclassified Information (CUI) and FISMA: an update. May 12, 2017 Mark Sweet, Nancy Lewis, Grace Park Stephanie Gray, Alicia Turner

Preparing for NIST SP January 23, 2018 For the American Council of Engineering Companies

B. To ensure compliance with federal and state laws, rules, and regulations, including, but not limited to:

Security and Privacy Governance Program Guidelines

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

FISMA Cybersecurity Performance Metrics and Scoring

The U.S. National Spatial Data Infrastructure

DOD s New Cyber Requirements: Impacts on DOD Contractors and Subcontractors

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT

Information Systems Security Requirements for Federal GIS Initiatives

INFORMATION ASSURANCE DIRECTORATE

Statement of Organization, Functions, and Delegations of Authority: Office of the

INFORMATION ASSURANCE DIRECTORATE

INTRODUCTION TO DFARS

PD 7: Homeland Security Presidential Directive 7: Critical Infrastructure Identification, Prioritization, and Protection

David Missouri VP- Governance ISACA

We are releasing 7 pages of responsive documents. Pursuant to FOIA, certain information has been redacted as it is exempt from release.

MNsure Privacy Program Strategic Plan FY

Legal, Ethical, and Professional Issues in Information Security

Exploring the Maturity of Risk Management Process in Government: An Integrated ERM Model at the U.S. Department of Education

Government Privacy. Julie Smith McEwen, CIPP/G, CISSP Principal Information Systems Privacy and Security Engineer

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

Red Flags/Identity Theft Prevention Policy: Purpose

The President s Spectrum Policy Initiative

The Office of Infrastructure Protection

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

Streamlined FISMA Compliance For Hosted Information Systems

Safeguarding unclassified controlled technical information (UCTI)

NASA Policy Directive

Information Security Issues in Research

-Eight types of cyber data, (Sec. 708(7))

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

INFORMATION ASSURANCE DIRECTORATE

Tinker & The Primes 2017 Innovating Together

ICGI Recommendations for Federal Public Websites

Investigating Insider Threats

Policies and Procedures Date: February 28, 2012

GAO. HOMELAND SECURITY OMB s Temporary Cessation of Information Technology Funding for New Investments

Information Collection Request: The Department of Homeland. Security, Stakeholder Engagement and Cyber Infrastructure

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)

NATIONAL INFORMATION SHARING STRATEGY

DHS Cybersecurity: Services for State and Local Officials. February 2017

Cybersecurity Challenges

Industry Perspectives on Active and Expected Regulatory Actions

Standard for Security of Information Technology Resources

The FAR Basic Safeguarding Rule

Actions to Improve Chemical Facility Safety and Security A Shared Commitment Report of the Federal Working Group on Executive Order 13650

Cybersecurity and Data Privacy

INFORMATION ASSURANCE DIRECTORATE

Technical Conference on Critical Infrastructure Protection Supply Chain Risk Management

National Counterterrorism Center

Privacy Act; System of Records; Amendment of the EPA Personnel Emergency

S To require certain agencies to conduct assessments of data centers and develop data center consolidation and optimization

Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP Revision 1)

Smart Cards & Credentialing in the Federal Government

Department of Homeland Security Updates

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

High Confidence Transportation Cyber-Physical Systems: Automotive, Aviation, and Rail

Transcription:

ISOO CUI Overview for ACSAC

Briefing Outline ISOO Overview Overview of the CUI Program CUI and IT Implementation CUI and NIST Standards and Guidelines NIST SP 800-171 CUI Approach for the Contractor Environment FAR Rule 2

What is the Information Security and Oversight Office? Oversee the Executive Branch s system for classifying, safeguarding, and declassifying classified information Located at the National Archives, but receive policy guidance from the National Security Advisor Director appointed by the Archivist of the United States with the approval of the President Primary responsibilities. We administer: E.O. 13526, Classified National Security Information E.O. 12829, National Security Industrial Program E.O. 13556, Controlled Unclassified Information E.O. 13549, Classified National Security Information Program for State, Local, Tribal and Private Sector Entities E.O. 13587 Senior Info Sharing/Safeguarding Steering Committee 3

Overview of the CUI Program 4

Why is the CUI Program necessary? Executive departments and agencies apply their own ad-hoc policies and markings to unclassified information that requires safeguarding or dissemination controls, resulting in: An inefficient patchwork system with more than 100 different policies and markings across the executive branch Inconsistent marking and safeguarding of documents Unclear or unnecessarily restrictive dissemination policies Impediments to authorized information sharing 5

What are the benefits of the CUI Program? One uniform, shared, and transparent system for safeguarding and disseminating CUI that: Establishes common understanding of CUI control Promotes information sharing Reinforces existing legislation and regulations Clarifies difference between CUI controls and FOIA exemptions 6

Executive Order 13556 Established CUI Program Executive Agent (EA) to implement the E.O. and oversee department and agency actions to ensure compliance An open and uniform program to manage all unclassified information within the executive branch that requires safeguarding and dissemination controls as required by law, regulation, and Government-wide policy 7

Approved CUI Categories 23 Categories 82 Subcategories Agriculture Controlled Technical Information Critical Infrastructure Emergency Management Export Control Financial Foreign Government Information Geodetic Product Information Immigration Information Systems Vulnerability Information Intelligence Law Enforcement Legal North Atlantic Treaty Organization (NATO) Nuclear Patent Privacy Procurement and Acquisition Proprietary Business Information SAFETY Act Information Statistical Tax Transportation Information related to proceedings in judicial or quasi-judicial settings. Subcategories: Administrative Proceedings Collective Bargaining Federal Grand Jury Privilege Witness Protection Refers to personal information, or, in some cases, personally identifiable information, as defined in OMB-M-07-16, or means of identification as defined in 18 USC 1028(d)(7). Subcategories: Contract Use Death Records Genetic Information Health Information Inspector General Military Personnel Student Records 8

Online Registry http://www.archives.gov/cui 23 Categories 82 Subcategories 315 unique Control citations 106 unique Sanction citations 9

Handling CUI One uniform and consistent policy applied to a defined and organized body of information 10

Key EA Activities Phases Key D/A Activities Phased Implementation Day 0 Day 180 Year 1 Year 3-4 Planning Readiness Initiation Final Identify and initiate planning activities for CUI implementation Publish 32 CFR Part 2002 Rule & Supplemental Guidance (Day 0) Augment Registry Provide Awareness Materials & Products Consult with OMB & Provide Budget Guidance Review Agency Policies Develop & Publish Policy* Develop Training/Awareness Develop IT Transition Plan Continue Internal Budget Planning Develop Self-Inspection Plan Develop Process to Manage CUI Status Challenges Prepare environment and workforce for the CUI transition Publish CUI Training (Day 180) Provide Additional Guidance as needed Establish Schedule for On-site Reviews Provide Training Support & Consultation Begin implementation of CUI practices Begin Phase Out of obsolete practices Oversee Executive Branch Implementation Resolve Disputes & Complaints Initiate On-site Reviews Monitor & Report on Phased Implementation Assert Physical Safeguarding* Conduct Training* Initiate Awareness Prepare IT Transition Continue Internal Budget Planning Initiate CUI Implementation Handle Recognize Receive Initiate IT Transition Permit Creation of CUI Initiate Self-Inspection Program Full Implementation of the CUI program Oversee Executive Branch Implementation Collect Reporting Data Eliminate Old Markings Assure use of only New Markings Complete IT Transition Meet Refresher Training Requirements As of 3/17/15 IOC FOC *Required for IOC 11

What is needed to implement a CUI Program? E.O. 13556 Sec. 5. Implementation (b): After a review of agency plans, and in consultation with affected agencies and the Office of Management and Budget, the Executive Agent shall establish deadlines for phased implementation by agencies. 180 Days Year 1 Year 3-4 Policy Roles and Responsibilities Identify CUI handled Specialized implementation Suitable physical environment Training (of all affected personnel) Basic Specified Implementers Program Leads Suitable electronic environment Moderate Confidentiality 12

CUI and IT Implementation This order shall be implemented in a manner consistent with applicable Government-wide standards and guidelines issued by the National Institute of Standards and Technology, and applicable policies established by the Office of Management and Budget, Section 6(a)3, Executive Order 13556. Future CUI guidance where it addresses IT issues, must be aligned to Federal policies. 13

CUI and NIST Standards In accordance with FIPS Publication 199, CUI Basic is categorized at the moderate confidentiality impact level. Agencies must also apply the appropriate requirements and controls from FIPS Publication 200 and NIST SP 800-53 to CUI consistently with any riskbased tailoring decisions that they make. (proposed CUI regulation). 14

NIST Special Publication 800-171. ISOO collaborated with NIST and DoD on developing NIST Special Publication 800-171, Protecting Controlled Unclassified Information (CUI) in Non-Federal Systems and Organizations, June 2015, to represent the technical standards and guidelines for Moderate Confidentiality in the contractor environment. 15

NIST Special Publication 800-171 Appropriately tailored security control baseline for Moderate Confidentiality based on applicability to the contractor environment of operations. Requirement descriptions based on FIPS Publication 200 with specified understandings of the Moderate Confidentiality Impact level for protection of CUI for the contractor environment. Descriptions will allow for the use of compensating security controls, namely those providing equivalent or comparable protection. Document development followed standard NIST processes involving comment from public to include industry. 16

CUI and NIST Guidelines CUI categories and subcategories will be incorporated as information types into the next revision of the NIST Special Publication 800-60, where the work of the CUI Executive Agent will be integrated. The NIST SP 800-60 will reflect Moderate Confidentiality for all CUI categories and subcategories. The assignment of Integrity and Availability security impact levels will follow standard NIST processes. 17

CUI Approach for Contractor Environment Government E.O. 13556 Registry 32 CFR 2002 NIST SP 800-171 FAR Industry Until the formal process of establishing a single FAR clause takes place, the CUI requirements in NIST SP 800-171 may be referenced in federal contracts consistent with federal law and regulatory requirements. 1 Year The Department of Defense revised its DFARS to reference the new publication. 18

FAR Approach Goal the development of a FAR rule to protect CUI in the contractor community, by its reference to: EO 13556 CUI EA issuances Agency CUI implementation policies (e.g., identifying the CUI categories and subcategories to be handled) NIST SP 800-171 Include reporting of security incidents involving compromise 19

FAR Approach Additional Points Additional Features Completion of representations and certifications relevant to CUI in the System for Award Management (SAM) database Requirement to keep current based on any changed status pertaining to CUI representations (e.g., safeguarding capabilities) Future use of SAM database for oversight activities being explored with GSA for possible inclusion in FAR rule 20

CUI Executive Agent Current Efforts Maintain Registry Approve additional CUI categories and subcategories based on agency submissions Provide guidance on provisional approval process for new CUI categories Finalize CUI Policy Undergoing formal OMB process for incorporation in CFR National Implementation Plan (NIP) Work with agencies and OMB to create and execute implementation planning framework, including deadlines for phased implementation CUI Marking Handbook 21

Questions? Emergency Management Agriculture Patent Laws, Regulations, Govt-wide Policies Financial Immigration Law Enforcement Legal CUI Program Privacy Tax Transportation 22

Contact Information Information Security Oversight Office National Archives and Records Administration 700 Pennsylvania Avenue, N.W., Room 100 Washington, DC 20408-0001 (202) 357-5250 (voice) (202) 357-5907 (fax) isoo@nara.gov cui@nara.gov www.archives.gov/isoo or www.archives.gov/cui 23

Back Up Slide The following slide is included for reference. 24

CUI Advisory Council Comprised of Program Managers from the following: Executive Office of the President (elements) General Services Administration (GSA) Social Security Administration (SSA) Environmental Protection Agency (EPA) Department of the Interior (DOI) Nuclear Regulatory Commission (NRC) Department of Transportation (DOT) Department of Labor (DOL) Department of the Treasury Department of Housing and Urban Development (HUD) National Science Foundation (NSF) Department of Homeland Security (DHS) Central Intelligence Agency (CIA) Department of Agriculture (USDA) Department of Commerce (DOC) Department of Justice (DOJ) Federal Bureau of Investigation (FBI) National Aeronautics and Space Administration (NASA) Department of State (DOS) Office of the Director of National Intelligence United States Agency for International Development (USAID) Office of Personnel Management (OPM) Department of Veterans Affairs (VA) Department of Education (ED) Department of Defense (DOD) Department of Health and Human Services (HHS) Department of Energy (DOE) Office of Management and Budget (OMB) President s Cabinet, Chief Financial Officers (CFO) Council member agencies, major stakeholder constituent elements (CIA and FBI), and participants 25

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback