Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP Revision 1)

Similar documents
Executive Order 13556

SAC PA Security Frameworks - FISMA and NIST

NIST Special Publication

DFARS Defense Industrial Base Compliance Information

Why is the CUI Program necessary?

Cybersecurity Challenges

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)

Department of Defense Cybersecurity Requirements: What Businesses Need to Know?

Get Compliant with the New DFARS Cybersecurity Requirements

DEFENSE LOGISTICS AGENCY AMERICA S COMBAT LOGISTICS SUPPORT AGENCY. Cyber Security. Safeguarding Covered Defense Information.

2018 SRAI Annual Meeting October Dana Rewoldt, CRA, Associate Director of OIPTT, Iowa State University, Ames, IA, USA

Outline. Why protect CUI? Current Practices. Information Security Reform. Implementation. Understanding the CUI Program. Impacts to National Security

Tinker & The Primes 2017 Innovating Together

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

ROADMAP TO DFARS COMPLIANCE

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC

DFARS Cyber Rule Considerations For Contractors In 2018

NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015

INTRODUCTION TO DFARS

DFARS Safeguarding Covered Defense Information The Interim Rule: Cause for Confusion and Request for Questions

Cybersecurity Risk Management

INFORMATION ASSURANCE DIRECTORATE

Federal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats

Special Publication

Why you should adopt the NIST Cybersecurity Framework

New Process and Regulations for Controlled Unclassified Information

Handbook Webinar

Agency Guide for FedRAMP Authorizations

INFORMATION ASSURANCE DIRECTORATE

FedRAMP Security Assessment Framework. Version 2.0

2017 SAME Small Business Conference

Safeguarding Controlled Unclassified Information and Cyber Incident Reporting. Kevin R. Gamache, Ph.D., ISP Facility Security Officer

Outline. Other Considerations Q & A. Physical Electronic

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

Controlled Unclassified Information (CUI) and FISMA: an update. May 12, 2017 Mark Sweet, Nancy Lewis, Grace Park Stephanie Gray, Alicia Turner

Compliance with NIST

Cybersecurity in Acquisition

Preparing for NIST SP January 23, 2018 For the American Council of Engineering Companies

INFORMATION ASSURANCE DIRECTORATE

DoDD DoDI

Vol. 1 Technical RFP No. QTA0015THA

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

PilieroMazza Webinar Preparing for NIST SP December 14, 2017

DRAFT. NIST MEP CYBERSECURITY Self-Assessment Handbook

INFORMATION ASSURANCE DIRECTORATE

DFARS , NIST , CDI

FedRAMP Security Assessment Framework. Version 2.1

NIST Security Certification and Accreditation Project

Safeguarding Unclassified Controlled Technical Information

The NIST Cybersecurity Framework

Top 10 ICS Cybersecurity Problems Observed in Critical Infrastructure

Cyber Security Challenges

DFARS Requirements for Defense Contractors Must Be Satisfied by DECEMBER 31, 2017

How to implement NIST Cybersecurity Framework using ISO WHITE PAPER. Copyright 2017 Advisera Expert Solutions Ltd. All rights reserved.

SYSTEMS ASSET MANAGEMENT POLICY

Cybersecurity Presidential Policy Directive Frequently Asked Questions. kpmg.com

Cyber Security Challenges

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

Information Technology Security Plan Policies, Controls, and Procedures Protect: Identity Management and Access Control PR.AC

ISOO CUI Overview for ACSAC

BUILDING CYBERSECURITY CAPABILITY, MATURITY, RESILIENCE

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

A company built on security

Security Management Models And Practices Feb 5, 2008

Information Security Policy

Checklist: Credit Union Information Security and Privacy Policies

TEL2813/IS2820 Security Management

STRENGTHENING THE CYBERSECURITY OF FEDERAL NETWORKS AND CRITICAL INFRASTRUCTURE

Quick Start Strategy to Compliance DFARS Rob Gillen

fips185 U.S. DEPARTMENT OF COMMERCE/National Institute of Standards and Technology

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Another Cook in the Kitchen: The New FAR Rule on Cybersecurity

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

The Common Controls Framework BY ADOBE

Cybersecurity for Government Contractors: Preparing for Cyber Incidents in 2017

Streamlined FISMA Compliance For Hosted Information Systems

Implementation Plan for the UW-Madison Cybersecurity Risk Management Policy. August 10, 2017 version

EXCERPT. NIST Special Publication R1. Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

Cyber Attacks & Breaches It s not if, it s When

New Guidance on Privacy Controls for the Federal Government

Advanced Cyber Risk Management Threat Modeling & Cyber Wargaming April 23, 2018

INFORMATION ASSURANCE DIRECTORATE

NIST SP , Revision 1 CNSS Instruction 1253

Rev.1 Solution Brief

SECURITY & PRIVACY DOCUMENTATION

UW-Madison Cybersecurity Risk Management Policy

Information Security Controls Policy

INFORMATION ASSURANCE DIRECTORATE

UCOP ITS Systemwide CISO Office Systemwide IT Policy

The FAR Basic Safeguarding Rule

Safeguarding unclassified controlled technical information (UCTI)

ManTech Advanced Systems International 2018 Security Training Schedule

Information Security Issues in Research

INFORMATION ASSURANCE DIRECTORATE

Protecting the Nation s Critical Assets in the 21st Century

INFORMATION ASSURANCE DIRECTORATE

Annex 3 to NIST Special Publication Recommended Security Controls for Federal Information Systems

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Transcription:

https://www.csiac.org/ Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP800-171 Revision 1) Today s Presenter: Wade Kastorff SRC, Commercial Cyber Security Services February 21, 2017 Moderator: Steve Warzala swarzala@quanterion.com

NIST Special Publication 800-171 Revision 1 Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations An Evolutionary Process 2017 SRC, Inc.

We are here to discuss What is the government attempting to protect? Changes to NIST SP 800-171 Revision 1 Discoveries and Experiences Implementing NIST SP 800-171 Revision 1 3

What is the government attempting to protect? Controlled Unclassified Information 4

Controlled Unclassified Information Controlled Unclassified Information (CUI) is unclassified information that requires additional protections. CUI Registry Categories and Subcategories Agriculture Controlled Technical Information Critical Infrastructure Subcategories: Ammonium Nitrate Chemical-terrorism Vulnerability Information Critical Energy Infrastructure Information DoD Critical Infrastructure Security Information Physical Security Protected Critical Infrastructure Information Water Assessments Emergency Management Export Control Subcategories: Research CUI Registry Category-Subcategory Markings Category - Subcategory Agriculture Controlled Technical Information Critical Infrastructure Critical Infrastructure-Ammonium Nitrate Critical Infrastructure-Chemical-terrorism Vulnerability Information Critical Infrastructure-Critical Energy Infrastructure Information Critical Infrastructure-DoD Critical Infrastructure Security Information Marking AG CTI CRIT CRITAN CVI CEII DCRIT These are examples of the 129 Registry Categories and Subcategories and 103 Registry Markings. Full list is available at: https://www.archives.gov/cui/registry Contact your security officer, classification specialist, and contracting officer for contract specific guidance on CUI. 5

Covered Defense Information Controlled Technical Information Technical information with military or space application Subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Information, if disseminated, for distribution statements B through F, using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents. Does not include information that is lawfully publicly available without restrictions. Critical Information (OPSEC) Critical Information (operations security) is specific facts identified through the Operations Security process about: Friendly intentions Capabilities Activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment Export Control Information Export control Information is unclassified information concerning certain: Items Commodities Technology Software Other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives Includes dual use items; items identified in export administration regulations, international traffic in arms (ITAR) regulations, and munitions list; license applications; and sensitive nuclear technology information Additional Definitions Contractor attributional/proprietary information: Information that identifies the contractor(s), whether directly or indirectly, by the grouping of information that can be traced back to the contractor(s) (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company. Contractor information system: An information system belonging to, or operated by or for, the Contractor. Contact your security officer, classification specialist, and contracting officer for contract specific guidance on CUI. 6

Challenges with CUI Many government organizations provide differing CUI definitions For specific contractual guidance consult with your contracting officer or security officer Be prepared for change Contact your security officer, classification specialist, and contracting officer for contract specific guidance on CUI. 7

Changes to NIST 800-171 Revision 1 8

An indicator of things to come 9

Where did Information go? information system [44 U.S.C., Sec. 3502] system A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. See Information System. 10

The Requirements Security requirements for protecting the confidentiality of CUI Chapter three is the heart of the publication and specifies the requirements for compliance, and states in part: Nonfederal organizations should describe in a system security plan, how the specified security requirements are met or how organizations plan to meet the requirements. When requested, the system security plan and any associated plans of action for any planned implementations or mitigations should be submitted to the responsible federal agency/contracting officer to demonstrate the nonfederal organization s implementation or planned implementation of the security requirements. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to an overall risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether or not it is advisable to pursue an agreement or contract with the nonfederal organization. 11

System Security Plan 3.12.4: Develop, document, and periodically update system security plans that describe system boundaries, system environments of operation, how security requirements are implemented, and the relationships with or connections to other systems. 26 Footnote 26: There is no prescribed format or specified level of detail for system security plans. However, organizations must ensure that the required information in 3.12.4 is appropriately conveyed in those plans. 12

Encryption Changes 3.1.19: Encrypt CUI on mobile devices and mobile computing platforms. 21 Footnote 21: Mobile devices and mobile computing platforms include, for example, smartphones, tablets, E- readers, and notebook computers. 3.5.10 Store and transmit only cryptographically-protected passwords. 13

VTC Footnote 3.13.12: Prohibit remote activation 27 of collaborative computing devices and provide indication of devices in use to users present at the device. Footnote 27: Dedicated video conferencing systems, which rely on one of the participants calling or connecting to the other party to activate the video conference, are excluded. 14

Verification and Compliance Finally, NARA, in its capacity as the CUI Executive Agent, also plans to sponsor in 2017, a single Federal Acquisition Regulation (FAR) clause Last paragraph, buried in the middle: The CUI FAR clause will also address verification and compliance requirements for the security requirements in NIST Special Publication 800-171. Reference, NIST SP 800-171r1, Page v 15

Discoveries and Experiences It has been an interesting year 16

Discoveries Large contractors were quick to notify their sub-contractors of NIST SP 800-171 and FAR/DFAR responsibilities Cybersecurity/IT professionals collaborated with various other organizational offices, e.g.: Contracting, Legal, Finance, Compliance, Program Management, and Security Companies identified a need for Cybersecurity professionals Inconsistent guidance -- is consistent Requirements prove to be more difficult to engineer and expensive to deploy Funding must be planned in advance Cybersecurity Training 17

Experiences Government initially unprepared to provide key indicators or guides for data types CUI data was not segregated from other forms of data Workstations with access to CUI in public spaces were left unattended with no screen lock Differing technical methods for protecting access to data In place auditing was insufficient to address requirements CUI data is everywhere test equipment, mobile devices, laboratory equipment, test beds, anechoic chambers, thumb drives, email, back-ups, manufacturing equipment, and products with reused code being shipped 18

Implementing NIST SP 800-171 Where should the organization be on this journey? 19

Roadmap to Implementing NIST 800-171 Establish your cyber security baseline Develop a formal project plan for an enterprise IA program Obtain buy-in from the Executive Leadership Teams and/or Board of Directors Implement the multi-phase IA program plan. Conduct various self-assessment activities during and at the end of identified milestones Validate your cyber security posture at each significant milestone 20

Known Near Term Priorities (Dec 2017) Implement multi-factor authentication Something you know (Password) Something you have (Token, Smartcard) Something you are (biometrics) Develop, deploy, exercise Cyber Incident Response Plan/Program Plan of Actions and Milestones (POA&M) and System Security Plan to demonstrate 171 adherence Controlled Unclassified Information Who is responsible for identifying types of CUI data? Where is CUI data on the enterprise? Can we isolate CUI on the enterprise? 21

References and Links Controlled Unclassified Information: https://www.archives.gov/cui/ NIST SP 800-171r1: https://doi.org/10.6028/nist.sp.800-171r1 22

Questions? 14685 Avion Parkway Chantilly, VA 20151 Phone: 703.961.5500 www.srcinc.com Wade Kastorff 571.299.8372 wkastorff@srcinc.com Chris Prentiss 703.961.5534 cprentiss@srcinc.com 23

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback