NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015

Similar documents
Why is the CUI Program necessary?

ISOO CUI Overview for ACSAC

Executive Order 13556

Federal Initiatives to Protect Controlled Unclassified Information in Nonfederal Information Systems Against Cyber Threats

SAC PA Security Frameworks - FISMA and NIST

Outline. Why protect CUI? Current Practices. Information Security Reform. Implementation. Understanding the CUI Program. Impacts to National Security

NIST Special Publication

Protecting Controlled Unclassified Information(CUI) in Nonfederal Information Systems and Organizations

2018 SRAI Annual Meeting October Dana Rewoldt, CRA, Associate Director of OIPTT, Iowa State University, Ames, IA, USA

DFARS Defense Industrial Base Compliance Information

Outline. Other Considerations Q & A. Physical Electronic

Cybersecurity Risk Management

New Process and Regulations for Controlled Unclassified Information

Greg Pannoni, Associate Director

OFFICE OF THE UNDER SECRETARY OF DEFENSE 3000DEFENSEPENTAGON WASHINGTON, DC

Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations (NIST SP Revision 1)

Tinker & The Primes 2017 Innovating Together

Special Publication

CYBER SECURITY BRIEF. Presented By: Curt Parkinson DCMA

Rocky Mountain Cyberspace Symposium 2018 DoD Cyber Resiliency

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

Cyber Security Challenges

DFARS Cyber Rule Considerations For Contractors In 2018

Updates to the NIST Cybersecurity Framework

PilieroMazza Webinar Preparing for NIST SP December 14, 2017

DOD s New Cyber Requirements: Impacts on DOD Contractors and Subcontractors

National Policy and Guiding Principles

Smart Grid Standards and Certification

Cybersecurity & Privacy Enhancements

Industry Perspectives on Active and Expected Regulatory Actions

MANUAL OF UNIVERSITY POLICIES PROCEDURES AND GUIDELINES. Applies to: faculty staff students student employees visitors contractors

INFORMATION ASSURANCE DIRECTORATE

NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

FedRAMP: Understanding Agency and Cloud Provider Responsibilities

UNCLASSIFIED. FY 2016 Base FY 2016 OCO

Information Technology Security Plan Policies, Controls, and Procedures Identify Governance ID.GV

Get Compliant with the New DFARS Cybersecurity Requirements

Cybersecurity for Government Contractors: Preparing for Cyber Incidents in 2017

fips185 U.S. DEPARTMENT OF COMMERCE/National Institute of Standards and Technology

Preparing for NIST SP January 23, 2018 For the American Council of Engineering Companies

Assessing Security Requirements for Controlled Unclassified Information

IMPROVING CYBERSECURITY AND RESILIENCE THROUGH ACQUISITION

Department of Veterans Affairs VA DIRECTIVE April 17, 2006 WEB PAGE PRIVACY POLICY

Controlled Unclassified Information (CUI) and FISMA: an update. May 12, 2017 Mark Sweet, Nancy Lewis, Grace Park Stephanie Gray, Alicia Turner

ISAO SO Product Outline

STUDENT GUIDE Risk Management Framework Step 1: Categorization of the Information System

Cybersecurity Challenges

Safeguarding Controlled Unclassified Information and Cyber Incident Reporting. Kevin R. Gamache, Ph.D., ISP Facility Security Officer

Strengthening the Cybersecurity of Federal Networks and Critical Infrastructure

Information Collection Request: The Department of Homeland. Security, Stakeholder Engagement and Cyber Infrastructure

Compliance with NIST

Rev.1 Solution Brief

FedRAMP Security Assessment Framework. Version 2.0

UCOP ITS Systemwide CISO Office Systemwide IT Policy

Guide to Understanding FedRAMP. Version 2.0

HIPAA Security and Privacy Policies & Procedures

The NIST Cybersecurity Framework

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

THE WHITE HOUSE. Office of the Press Secretary. EMBARGOED UNTIL DELIVERY OF THE PRESIDENT'S February 12, 2013 STATE OF THE UNION ADDRESS

FedRAMP Digital Identity Requirements. Version 1.0

INTRODUCTION TO DFARS

Cybersecurity and Data Privacy

existing customer base (commercial and guidance and directives and all Federal regulations as federal)

DHS Cybersecurity: Services for State and Local Officials. February 2017

CLE Alabama. Banking Law Update. Embassy Suites Hoover Hotel Birmingham, Alabama Friday, February 19, 2016

GAO INFORMATION SHARING ENVIRONMENT

MYTH vs. REALITY The Revised Cybersecurity Act of 2012, S. 3414

DEFENSE LOGISTICS AGENCY AMERICA S COMBAT LOGISTICS SUPPORT AGENCY. Cyber Security. Safeguarding Covered Defense Information.

Mitigation Framework Leadership Group (MitFLG) Charter DRAFT

The HITRUST CSF. A Revolutionary Way to Protect Electronic Health Information

Framework for Improving Critical Infrastructure Cybersecurity

Views on the Framework for Improving Critical Infrastructure Cybersecurity

79th OREGON LEGISLATIVE ASSEMBLY Regular Session. Senate Bill 90

COMMENTARY. Federal Banking Agencies Propose Enhanced Cyber Risk Management Standards

Guide for Assessing the Security Controls in Federal Information Systems

New Cyber Rules. Are You Ready? Bob Metzger, RJO Dave Drabkin, DHG Tom Tollerton, DHG. Issues in Focus Webinar Series. government contracting

300 Riverview Plaza Odysseus Marcopolus, Chief Operating Officer Trenton, NJ POLICY NO: SUPERSEDES: N/A VERSION: 1.0

Information Systems Security Requirements for Federal GIS Initiatives

Section One of the Order: The Cybersecurity of Federal Networks.

Interagency Advisory Board HSPD-12 Insights: Past, Present and Future. Carol Bales Office of Management and Budget December 2, 2008

2017 SAME Small Business Conference

ROADMAP TO DFARS COMPLIANCE

DFARS Compliance. SLAIT Consulting SECURITY SERVICES. Mike D Arezzo Director of Security Services. SLAITCONSULTING.com

COMPLIANCE SCOPING GUIDE

Dr. Emadeldin Helmy Cyber Risk & Resilience Bus. Continuity Exec. Director, NTRA. The African Internet Governance Forum - AfIGF Dec 2017, Egypt

Safeguarding of Unclassified Controlled Technical Information. SAFEGUARDING OF UNCLASSIFIED CONTROLLED TECHNICAL INFORMATION (NOV 2013)

UNITED STATES OFFICE OF PERSONNEL MANAGEMENT

Agency Guide for FedRAMP Authorizations

MNsure Privacy Program Strategic Plan FY

Privacy and Proxy Service Provider Accreditation. ICANN58 Working Meeting 11 March 2017

Cybersecurity Planning Lunch and Learn

Why you should adopt the NIST Cybersecurity Framework

The National Medical Device Information Sharing & Analysis Organization (MD-ISAO) Initiative Session 2, February 19, 2017 Moderator: Suzanne

NY DFS Cybersecurity Regulations August 8, 2017

The NIS Directive and Cybersecurity in

Cloud Computing Standard 1.1 INTRODUCTION 2.1 PURPOSE. Effective Date: July 28, 2015

INFORMATION ASSURANCE DIRECTORATE

For Official Use Only

CyberUSA Government Cyber Opportunities for your Region: The Federal Agenda - Federal, Grants & Resources Available to Support Community Cyber

ACR 2 Solutions Compliance Tools

Transcription:

NISP Update NDIA/AIA John P. Fitzpatrick, Director May 19, 2015

Agenda Cybersecurity Information Sharing and the NISP NISP Working Group Update CUI Program Update 2

Executive Order 13691 Promoting Private Sector Cybersecurity Information Sharing Secretary of DHS has the lead encourage the development and formation of Information Sharing and Analysis Organizations (ISAOs) common set of voluntary standards [to] further the goal of creating robust information sharing related to cybersecurity risks and incidents..standards shall address contractual agreements, business processes, operating procedures, technical means, and privacy protections 3

Executive Order 13691 Promote Sharing = Private sector to private sector, as well as with the government In some instances, with some ISAOs, DHS may seek to share classified national security information EO13681 amends EO 12829 National Industrial Security Program Names DHS as having responsibility for CIPP policy within the NISP DHS joins other CSAs DoD, DNI, DoE and NRC Facility clearances when storing/processing CNSI DHS hybrid for entities new to NISP 4

SAP Working Group Overview Industry requested re-establishment of the SAP working group through NISPPAC to address industry issues/concerns which included: - Joint SAP Implementation Guide (JSIG) requirements. Status on publication of the four DoD volumes Timeframe for release to coincide with Conforming Change 2 Transition from JAFAN and NISPOM supplement to JSIG - Implementation of Risk Management Framework (RMF) - Two person integrity (TPI) and System access and approval process - Program Security Offices mandating requirements inconsistently across programs. ISOO held meetings with Agencies authorized to create SAPs and NISP Industry and Contractor Special Security Working Group (CSSWG) Reps - Concern over replacement for NISPOM SAP Supplement - Replaced by Appendix D of Conforming Change 2 Meetings - Held on March 10,2014 and May, 5, 2015 With ISOO, SAP Agencies, and Industry Next meeting week of July 6, 2015 at National Archives. 5

Policy Integration Working Group Established to enhance the integration between NISP guidance and other authoritative guidance in the government NISPPAC Industry expressed concern over the fracturing of the NISP Establish a coordination process for policy impacting NISP industry and agencies Critical infrastructure programs Cyber security Controlled unclassified information Insider threat programs First meeting Jan 2015. Next meeting June 2015 PIWG Representation includes NISP CSAs, CSOs & NISPPAC Reps

CUI Approach for Contractor Environment Government E.O. 13556 Registry 32 CFR 2002 NIST SP 800-171 FAR Industry Until the formal process of establishing a single FAR clause takes place, the CUI requirements in NIST SP 800-171 may be referenced in federal contracts consistent with federal law and regulatory requirements. 7

Three-part Plan for CUI Protection Federal CUI rule (32 CFR Part 2002) to establish the required controls and markings for CUI governmentwide. NIST Special Publication 800-171 to define security requirements for protecting CUI in nonfederal information systems and organizations. Federal Acquisition Regulation (FAR) clause to apply the requirements of the federal CUI rule and NIST Special Publication 800-171 to contractors. 8

Draft CUI Regulation Out for Comment Proposed Rule 32 CFR 2002 Controlled Unclassified Information is in the Federal Register Comments Due 7 July Open Meeting 28 May 0930 hrs at National Archives on Pennsylvania Ave Offer: separate meeting with your group Link here: http://tinyurl.com/ne5o5qd 9

CUI Policy Status Proposed Rule to Final Projected CUI Policy Timeline as of 5 May 2015 2015 2016 OMB Mar Apr May Jun Jul Aug Sep Oct Nov Dec Jan Feb Mar Apr May OIRA Review Proposed Stage Interagency Comment & Adjudication OIRA Review Final Stage * EA Archivist Review Public Comment EA Adjudication Publish Prepare Final Rule Proposed Rule Archivist Review CFR Published CFR Effective * Unlikely to require full 90 days 10

CUI Phased Implementation - FAR & NIST Day 0 6 Months Year 1 Year 3-4 Development Planning Readiness Initiation Final Phases Develop CUI Program Elements and Timeline Collaborate with NIST on Development of Standards for Industry Conduct Planning Activities for Implementation Collaborate with the FAR Council on Development of the FAR Prepare Environment and Workforce for the CUI Transition Begin Implementation of CUI Practices Begin Phase Out of Obsolete Practices Full Implementation of the CUI Program NIST FAR NIST Standards and Guidelines for Industry June 2015 NIST SP 800-171 can be used provisionally Federal Acquisition Regulation (FAR) Development Initial Operating Capability (IOC) Full Operating Capability (FOC) 11

Online Registry http://www.archives.gov/cui 23 Categories 82 Sub-categories 315 unique Control citations 106 unique Sanction citations 12

Handling CUI One uniform and consistent policy applied to a defined and organized body of information 13

Two types: Basic and Specified CUI Basic versus CUI Specified CUI Basic = LRGWP identifies an information type and says protect it. CUI Specified = LRGWP identifies an information type and says protect it but specifies exactly how to should be protected or handled. 14

Contracts Contractors handling CUI on behalf of an agency Executive branch agencies must include a requirement to comply with Executive Order 13556, Controlled Unclassified Information and 32 CFR Part 2002 in all contracts that require a contractor to handle CUI for the agency. The contractual requirement must be consistent with standards prescribed by the CUI Executive Agent. DRAFT 32 CFR 2002 15

NIST Special Publication 800-171 Final Public Comment Period Endsed May 12, 2015 16

Purpose To provide federal agencies with recommended requirements for protecting the confidentiality of CUI When the CUI is resident in nonfederal information systems and organizations. Where the CUI does not have specific safeguarding requirements prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry. When the information systems where the CUI resides are not operated by organizations on behalf of the federal government. 17

Applicability CUI requirements apply only to components of nonfederal information systems that process, store, or transmit CUI, or provide security protection for such components. The requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations. 18

Definitions Federal Information System An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. -- Federal Information Security Management Act (40 U.S.C., Sec. 11331) Nonfederal Information System An information system that does not meet the criteria for a federal information system. -- NIST Special Publication 800-171 Nonfederal Organizations An entity that owns, operates, or maintains a nonfederal information system (contractors, SLT, academia). -- NIST Special Publication 800-171 19

Assumptions Statutory and regulatory requirements for the protection of CUI are consistent, whether such information resides in federal information systems or nonfederal information systems. Safeguards implemented to protect CUI are consistent in both federal and nonfederal information systems and organizations. CUI is categorized at the moderate confidentiality impact level in accordance with FIPS Publication 199. 20

Additional Assumptions Nonfederal Organizations Have information technology infrastructures in place. Are not developing or acquiring systems specifically for the purpose of processing, storing, or transmitting CUI. Have safeguarding measures in place to protect their information. May also be sufficient to satisfy the CUI requirements. May not have the necessary organizational structure or resources to satisfy every CUI security requirement. Can implement alternative, but equally effective, security measures. Can implement a variety of potential security solutions. Directly or through the use of managed services. 21

Security Control Requirements The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53. The FIPS Publication 200 security requirements and the security controls in the moderate baseline, the requirements and controls are tailored to eliminate requirements that are: Allows for compensation measures to meet FIPS 200 targets 1. Uniquely federal (i.e., primarily the responsibility of the federal government); 2. Not directly related to protecting the confidentiality of CUI; or 3. Expected to be routinely satisfied by nonfederal organizations without specification. 22

Marking Handbook 23

DRAFT Banner Marking The banner marking consists of the CUI control marking, category markings (if required), and dissemination control markings. CUI Control Marking Category Marking (if required) Dissemination Control Marking CONTROLLED//Categories or Subcategories//Dissemination Top center of each page containing CUI The CUI control marking (the word CONTROLLED or the acronym CUI ) is mandatory for all CUI banners. Category markings are mandatory in the case of CUI Specified, and for CUI Basic when required by agency policy. Either complete category names or abbreviations may be used in banners to designate the categories of CUI contained within the document. All dissemination control markings must be approved by the CUI EA and published in the CUI Registry. Access to and dissemination of CUI must be allowed as extensively as necessary, consistent with or in furtherance of a Lawful Government Purpose. 24

Coversheet Consolidation

New Coversheets: Optional Forms Optional Form 901. Basic CUI Coversheet. Acceptable for all forms of CUI. Optional Form 902. Category/Subcategory CUI Coversheet. Acceptable for all forms of CUI. Categories or Subcategories can be identified in the spaces provided. Optional Form 903. Detailed CUI Coversheet. Acceptable for all forms of CUI. The space indicated can be used to convey specific categories or subcategories used, special instructions, or relevant points of contact. 26

Questions? 27

Overview of the CUI Program 28

Executive Order 13556 Established CUI Program Executive Agent (EA) to implement the E.O. and oversee department and agency actions to ensure compliance An open and uniform program to manage all unclassified information within the executive branch that requires safeguarding and dissemination controls as required by law, regulation, and Government-wide policy 29

Approved CUI Categories 23 Categories 82 Subcategories Agriculture 1. Agriculture Controlled Technical Information 2. Copyright Copyright 3. Critical Infrastructure Critical Infrastructure Export 4. Emergency Control Management Emergency 5. Export Control Management Financial 6. Financial Foreign Government 7. Foreign Government Geodetic Product Information 8. Geodetic Product Information Immigration 9. Immigration Information Systems Vulnerability 10. Information Information Systems Vulnerability Information Intelligence 11. Intelligence 12. Law Law Enforcement Enforcement Legal 13. Legal NATO 14. NATO Nuclear 15. Patent Nuclear 16. Privacy Patent Proprietary Business 17. Privacy Safety Act Information 18. Proprietary Business Statistical 19. Safety Act Information Tax 20. Statistical Transportation 21. Tax 22. Transportation Bank Secrecy DNA Investigation Financial Health Information Personnel Census Investment Survey 30

Contact Information Information Security Oversight Office Attn: CUI Program National Archives and Records Administration 700 Pennsylvania Avenue, N.W., Room 100 Washington, DC 20408-0001 (202) 357-6870 (voice) (202) 357-6871/6872 (fax) cui@nara.gov www.archives.gov/cui 31

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback