Outline. Why protect CUI? Current Practices. Information Security Reform. Implementation. Understanding the CUI Program. Impacts to National Security

Similar documents
Executive Order 13556

Outline. Other Considerations Q & A. Physical Electronic

Why is the CUI Program necessary?

NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015

ISOO CUI Overview for ACSAC

SAC PA Security Frameworks - FISMA and NIST

NIST Special Publication

Controlled Unclassified Information (CUI) and FISMA: an update. May 12, 2017 Mark Sweet, Nancy Lewis, Grace Park Stephanie Gray, Alicia Turner

2018 SRAI Annual Meeting October Dana Rewoldt, CRA, Associate Director of OIPTT, Iowa State University, Ames, IA, USA

Federal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats

Safeguarding Controlled Unclassified Information and Cyber Incident Reporting. Kevin R. Gamache, Ph.D., ISP Facility Security Officer

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP Revision 1)

New Process and Regulations for Controlled Unclassified Information

DFARS Defense Industrial Base Compliance Information

DFARS Cyber Rule Considerations For Contractors In 2018

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

Managed Trusted Internet Protocol Service (MTIPS) Enterprise Infrastructure Solutions (EIS) Risk Management Framework Plan (RMFP)

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

Agency Guide for FedRAMP Authorizations

Cybersecurity Risk Management

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Does a SAS 70 Audit Leave you at Risk of a Security Exposure or Failure to Comply with FISMA?

Special Publication

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC

David Missouri VP- Governance ISACA

NIST Security Certification and Accreditation Project

SYSTEMS ASSET MANAGEMENT POLICY

INFORMATION ASSURANCE DIRECTORATE

Tinker & The Primes 2017 Innovating Together

PilieroMazza Webinar Preparing for NIST SP December 14, 2017

SECURITY & PRIVACY DOCUMENTATION

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

Security and Privacy Governance Program Guidelines

Information Systems Security Requirements for Federal GIS Initiatives

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

ROADMAP TO DFARS COMPLIANCE

Inspector General. Report on the Peace Corps Information Security Program. Peace Corps Office of. Background FISCAL YEAR 2017

Cybersecurity Challenges

OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE INTELLIGENCE COMMUNITY POLICY MEMORANDUM NUMBER

NEW YORK CYBERSECURITY REGULATION COMPLIANCE GUIDE

Cybersecurity: Incident Response Short

Post-Secondary Institution Data-Security Overview and Requirements

Data Processing Agreement

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

EV^CLMH} MEMORANDUM OF UNDERSTANDING BETWEEN THE FEDERAL BUREAU OF INVESTIGATION AND

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)

Employee Security Awareness Training Program

GAO INFORMATION SHARING ENVIRONMENT

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

DEFINITIONS AND REFERENCES

Rev.1 Solution Brief

TREASURY INSPECTOR GENERAL FOR TAX ADMINISTRATION

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

INFORMATION ASSURANCE DIRECTORATE

Overview Bank IT examination perspective Background information Elements of a sound plan Customer notifications

NYS DFS Cybersecurity Requirements. Stephen Head Senior Manager Risk Advisory Services

We are releasing 7 pages of responsive documents. Pursuant to FOIA, certain information has been redacted as it is exempt from release.

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Reviewed by ADM(RS) in accordance with the Access to Information Act. Information UNCLASSIFIED.

Cellular Site Simulator Usage and Privacy

National Policy and Guiding Principles

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

Red Flags/Identity Theft Prevention Policy: Purpose

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

June 1, 2006 FEA Security and Privacy Profile, Version 2.0 Page i

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

Preparing for NIST SP January 23, 2018 For the American Council of Engineering Companies

INFORMATION ASSURANCE DIRECTORATE

Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy. August 10, 2017 version

Get Compliant with the New DFARS Cybersecurity Requirements

Cybersecurity & Privacy Enhancements

B. To ensure compliance with federal and state laws, rules, and regulations, including, but not limited to:

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

Webinar will start soon

Privacy Policy on the Responsibilities of Third Party Service Providers

EVALUATION REPORT. Independent Evaluation of NRC s Implementation of the Federal Information Security Management Act (FISMA) for Fiscal Year 2011

Information Security Program

Virginia Commonwealth University School of Medicine Information Security Standard

Greg Pannoni, Associate Director

Handbook Webinar

Cybersecurity for Government Contractors: Preparing for Cyber Incidents in 2017

Appendix 12 Risk Assessment Plan

MNsure Privacy Program Strategic Plan FY

Number: USF System Emergency Management Responsible Office: Administrative Services

FedRAMP Security Assessment Framework. Version 2.1

INFORMATION ASSURANCE DIRECTORATE

TEL2813/IS2820 Security Management

UCOP ITS Systemwide CISO Office Systemwide IT Policy

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

Security Management Models And Practices Feb 5, 2008

INFORMATION TECHNOLOGY DATA MANAGEMENT PROCEDURES AND GOVERNANCE STRUCTURE BALL STATE UNIVERSITY OFFICE OF INFORMATION SECURITY SERVICES

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

STAFF REPORT. January 26, Audit Committee. Information Security Framework. Purpose:

Framework for Improving Critical Infrastructure Cybersecurity

Appendix 12 Risk Assessment Plan

Checklist: Credit Union Information Security and Privacy Policies

Transcription:

Outline Why protect CUI? Impacts to National Security Current Practices CUI Program & Existing Agency Practices Information Security Reform CUI Registry 32CFR2002 NIST SP 800-171 (Rev 1) Federal Acquisition Regulation Implementation Leveraging Existing Resources Costs and Budget for FY18 Implementation Reporting Understanding the CUI Program 2

Why protect CUI? The loss or improper safeguarding of CUI could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; significant damage to organizational assets; significant financial loss; or significant harm to individuals that does not involve loss of life or serious life threatening injuries The loss or improper safeguarding of CUI has a direct impact on national security 3

Impacts to National Security The OPM Data breach is a significant CUI incident - Personnel files of 4.2 million former and current government employees. - Security clearance background investigation information on 21.5 million individuals. OPM failed to implement a longstanding requirement to use multi-factor authentication for network access. The intelligence and counterintelligence value of the stolen background investigation information for a foreign nation cannot be overstated, nor will it ever be fully known. The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation September 7, 2016. Government expense (to notify and protect those impacted) = $350 Million 4

Current Practices Executive departments and agencies apply their own ad-hoc policies and markings to unclassified information that requires safeguarding or dissemination controls, resulting in: Inefficient patchwork system with more than 100 different policies and markings across the executive branch Inconsistent marking and safeguarding of documents Unnecessarily restrictive dissemination policies Impediments to authorized information sharing 5

CUI Program & Existing Agency Practices The CUI Program is based on existing information safeguarding practices Built in consultation with affected agencies (Data calls, CUI Advisory Council, working groups, etc) Agencies are currently protecting sensitive information CUI Program is a refinement and standardization of: What the Executive branch protects; and How information is protected. 6

Information Security Reform Clarifies and limits what to protect Defines safeguarding Promotes authorized information sharing Reinforces existing legislation and regulations 7

CUI Registry The CUI Registry is the repository for all information, guidance, policy, and requirements on handling CUI. www.archives.gov/cui The CUI Registry is a catalogue of what the Executive branch should be protecting. The CUI Registry identifies all approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures. Categories and Subcategories Limited Dissemination Controls Marking Guidance CUI Notices Training and awareness Annual Reports to the President 8

32 CFR 2002 Implements the CUI Program Establishes policy for designating, handling, and decontrolling information that qualifies as CUI Effective : November 14, 2016 Describes, defines, and provides guidance on the minimum protections (derived from existing agency practices) for CUI Physical and Electronic Environments Marking Sharing Destruction Decontrol Emphasizes unique protections described in law, regulation, and/or Government-wide policies (authorities) 9

NIST Special Publication 800-171 (Revision 1) Agencies must use NIST SP 800-171 when establishing security requirements to protect CUI s confidentiality on non-federal information systems. The NIST 800-171 is intended for use by federal agencies in appropriate contractual vehicles or other agreements established between those agencies and nonfederal organizations. Establishes requirements for protecting CUI at the Moderate Confidentiality Impact Value. Non-tailorable requirements Flexibility in how to meet requirements 10

Federal Acquisition Regulation (FY18) Contracts To promote standardization, the CUI Executive Agent plans to sponsor a Federal Acquisition Regulation (FAR) clause that uniformly apply the requirements contained in the 32 CFR Part 2002 and NIST SP 800-171 to industry. 11

Oversight to Industry System for Award Management Three tiers: Agency risk management decision based on CUI type, quantity, and purpose Certification Documentation Validation https://www.sam.gov Certification Documentation Validation 12

Implementation CUI Notice 2016-01, Implementation Guidance for the Controlled Unclassified Information Program Allows for flexibility in meeting established milestones. Implementation activities began on November 14, 2016 (effective date of 32 CFR 2002) Implementation includes: Program Management Policy Training Physical Safeguarding Incidents Systems Self Inspection Contracts and agreements Executive Branch Implementation = 3-5 years 13

Leveraging Existing Resources Most agencies have existing SBU policies, training, and programs Agencies should leverage existing resources throughout implementation Reallocate existing resources (personnel, funding, and time) to focus on CUI Implementation Implementation activities in FY17 are administrative in nature. Existing resources can be used to: Identify and modify policy Develop training Assess systems 14

Costs and Budget for FY 18 OMB A-11 Circular (July 2016), Section 31.15, requires that agency budget estimates consider the implementation of the CUI Program. Agency estimates should reflect: Development of internal policies to phase-in and transition to the CUI program; Development and implementation of training programs to inform affected employees of their responsibilities when handling CUI; Assessment and any transition of information systems which handle or are used to process CUI; Implementation of physical safeguarding as required for CUI; and Development of an internal agency CUI self-inspection program. 15

Implementation Reporting ISOO, as the CUI Executive Agent, will monitor agency implementation actions Agencies must assert and demonstrate implementation progress Agencies must report annually to ISOO November 1 st Agencies convey projected implementation dates based on established implementation plans 16

Understanding the CUI Program CUI Basic versus CUI Specified Limitations of Agency Policy Controlled Environments Systems Requirements: Moderate NIST SP 800-171 (Rev 1) Marking CUI Banner, Designator, Specified, Portion, Limited Dissemination Control Markings Bulk & Systems (splash screens) Legacy Information, derivative use. Handbook & Coversheets Destruction 17

Two types of CUI: Basic and Specified CUI Basic = LRGWP identifies an information type and says protect it. Examples include: Agriculture, Ammonium Nitrate, Water Assessments, Emergency Management, Bank Secrecy, Budget, Comptroller General, Geodetic Product Information, Asylee, Visas, Information Systems Vulnerabilities, Terrorist Screening, Informant, Privilege, Victim, Death Records CUI Specified = LRGWP identifies an information type and says to protect it, and also includes one or more specific handling standards for that information. Examples include: Sensitive Security Information, Student Records, Personnel, Source Selection, Nuclear, Safeguards Information, NATO Restricted, NATO Unclassified, Federal Grand Jury, Witness Protection, DNA, Criminal History Records, Financial Records, Export Control, Protected Critical Infrastructure Information, Controlled Technical Information 18

Limitations on applicability Limitations on applicability of agency CUI policies Agency policies pertaining to CUI do not apply to entities outside that agency unless the CUI Executive Agent approves their application and publishes them in the CUI Registry. Agencies may not levy any requirements in addition to those contained in the Order, this Part, or the CUI Registry when entering into contracts, treaties, or other agreements about handling CUI by entities outside of that agency. 19

General Safeguarding Policy Agencies must safeguard CUI at all times in a manner that minimizes the risk of unauthorized disclosure while allowing for access by authorized holders. For categories designated as CUI Specified, personnel must also follow the procedures in the underlying law, regulation, or Government-wide policy that established the specific category or subcategory involved. Safeguarding measures that are authorized or accredited for classified information are sufficient for safeguarding CUI. 20

Controlled Environments Controlled environment is any area or space an authorized holder deems to have adequate physical or procedural controls (e.g., barriers and managed access controls) for protecting CUI from unauthorized access or disclosure. When outside a controlled environment, you must keep the CUI under your direct control or protect it with at least one physical barrier. You or the physical barrier must reasonably protect the CUI from unauthorized access or observation. Reception Area used to control access to workspace. 21

System Requirements: Moderate Systems that store or process CUI must be protected at the Moderate Confidentiality Impact Value. FIPS PUB 199 & 200 NIST SP-800-53 (Risk Based Tailoring) Government Systems Security Controls 22

NIST Special Publication 800-171 (Revision 1) Agencies must use NIST SP 800-171 when establishing security requirements to protect CUI s confidentiality on non-federal information systems. The NIST 800-171 is intended for use by federal agencies in appropriate contractual vehicles or other agreements established between those agencies and nonfederal organizations. Establishes requirements for protecting CUI at the Moderate Confidentiality Impact Value. Non-tailorable requirements Flexibility in how to meet requirements 23

When to use the NIST SP 800-171 Use the NIST SP 800-171 when a non-federal entity: Receives CUI incidental to providing a service or product to the Government outside or processing services. Examples: producing a study, conducting research, creating a training program, building an aircraft or ship, etc. In these instances, the Government is only concerned with the confidentiality of the information and the CUI is regarded as the asset requiring protection. Do NOT use the NIST SP 800-171 when a non-federal entity: Collects or maintains CUI as part of a Government function (e.g., census takers or records storage). Builds an information system or operates an information system for the Government (an email provider, or payroll system). Provides processing services for the Government (a cloud service provider) In these instances, the Government has a concern in the confidentiality, integrity, and availability of the information system and the system is the asset requiring protection. Agencies may require these systems to meet additional requirements the agency sets for its own internal systems. 24

Marking CUI Agencies must uniformly and conspicuously apply CUI markings to all CUI prior to disseminating it unless otherwise specifically permitted by the CUI Executive Agent. The CUI banner marking must appear, at a minimum, at the top center of each page containing CUI June 27, 2013 Department of Good Works Washington, D.C. 20006 MEMORANDUM FOR THE DIRECTOR From: John E. Doe, Chief Division 5 Subject: (U) Examples CONTROLLED (U) We support the President by ensuring that the Government protects and provides proper access to information to advance the national and public interest. (CUI) We lead efforts to standardize and assess the management of classified and controlled unclassified information through oversight, policy development, guidance, education, and reporting. 25 CONTROLLED Portion Marking = Best Practice 18

Marking CUI: Banner Marking The CUI Banner Marking may include up to three elements: The CUI Control Marking (mandatory) may consist of either the word CONTROLLED or the acronym CUI. CUI Category or Subcategory Markings (mandatory for CUI Specified). CUI Control Markings and Category Markings are separated by two forward slashes (//). When including multiple categories or subcategories in a Banner Marking they are separated by a single forward slash (/). Limited Dissemination Control Markings. CUI Control Markings and Category Markings are separated from Limited Dissemination Controls Markings by a double forward slash (//). 26

CUI Specified In the CUI Registry, if the authority that relates to the information is indicated to be specified, documents must be marked to indicate that CUI Specified is present in the document. Add SP- before any category/subcategory markings where the authority is followed by an asterisk. 27

Bulk & System Markings Agencies may authorize or require the use of alternate CUI indicators on IT systems, websites, browsers, or databases through agency CUI policy. These may be used to alert users of the presence of CUI where use of markings has been waived by the agency head. 28

Marking Handbook & Cover Sheets 29

Legacy Information and Markings Legacy Information is unclassified information that an agency marked as restricted from access or dissemination in some way, or otherwise controlled, prior to the CUI Program. All legacy information is not automatically CUI. Agencies must examine and determine what legacy information qualifies as CUI Discontinue all use of legacy markings 30

Destruction Unreadable, Indecipherable, and Irrecoverable NIST SP 800-88, Guidelines for Media Sanitization Destroy paper using cross cut shredders that produce particles that are 1mm by 5 mm. NOT APPROVED APPROVED 31

Questions? 32

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback