Presentation is loading. Please wait.

Presentation is loading. Please wait.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication 800-171 Protecting Controlled.

Published byBennett Wagstaff Modified over 9 years ago

Similar presentations

Presentation on theme: "NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication 800-171 Protecting Controlled."— Presentation transcript:

1 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

2 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2 First, some definitions.

3 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 3 Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, excluding information that is classified under Executive Order 13526 of December 29, 2009, or the Atomic Energy Act, as amended. -- E.O. 13556 Controlled Unclassified Information

4 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4 Controlled Unclassified Information Supports federal missions and business functions… … that affect the economic and national security interests of the United States.

5 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5 An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. -- Federal Information Security Management Act 40 U.S.C., Sec. 11331 Federal Information System

6 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 6 An information system that does not meet the criteria for a federal information system. -- NIST SP 800-171 Nonfederal Information System

7 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 7 An entity that owns, operates, or maintains a nonfederal information system. -- NIST SP 800-171 Nonfederal Organization

8 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 8 Nonfederal Organizations Some Examples  Federal contractors.  State, local, and tribal governments.  Colleges and universities.

9 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 9 The protection of sensitive, unclassified federal information while residing in nonfederal information systems and environments of operation is of paramount importance to federal agencies—and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. -- NIST SP 800-171 An urgent need… A national imperative.

10 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 10 Executive Order 13556 Controlled Unclassified Information November 10, 2010 The Order —  Designated the National Archives and Records Administration (NARA) as the Executive Agent for Controlled Unclassified Information (CUI).  Directed NARA to implement a governmentwide CUI Program to standardize the way the Executive branch handles unclassified information that requires protection.  Established an open and uniform program to manage unclassified information within the executive branch that requires safeguarding and dissemination controls as required by law, regulation, and Government-wide policy.

11 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 11 CUI Registry www.archives.gov/cui/registry/category-list.html  Identifies the exclusive categories and subcategories of unclassified information that require safeguarding and dissemination controls consistent with law, federal regulation, and Government-wide policies.  Serves as the central repository for the posting of and access to the categories and subcategories, associated markings, and applicable safeguarding, dissemination, and decontrol procedures.

12 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 12 The Big Picture A three-part plan for the protection of CUI  Development of 32 CFR Part 2002.  Development of NIST SP 800-171.  Development of single Federal Acquisition Regulation (FAR) Clause.

13 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 13 NIST Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Initial Public Draft November 2014

14 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 14 Purpose and Applicability  To provide federal agencies with recommended requirements for protecting the confidentiality of CUI when such information resides in nonfederal information systems and organizations.  The security requirements apply only to components of nonfederal information systems that process, store, or transmit CUI.

15 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 15 Basic and derived security requirements are obtained from FIPS 200 and NIST SP 800-53 initially — and then tailored appropriately to eliminate requirements that are:  Primarily the responsibility of the federal government (i.e., uniquely federal requirements).  Related primarily to availability.  Assumed to be routinely satisfied by nonfederal organizations without any further specification. Security Requirements

16 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 16  Individuals with system development life cycle responsibilities.  Program managers, information owners, mission/business owners, system owners, acquisition officials.  Individuals with information system, security, or risk management and oversight responsibilities.  Authorizing officials, chief information officers, chief information security officers, information system/security managers.  Individuals with security assessment and monitoring responsibilities.  Auditors, system evaluators, assessors, independent verifiers and validators, analysts. Target Audience

17 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 17 Assumption #1  Statutory and regulatory requirements for the protection of CUI are consistent, whether such information resides in federal or nonfederal information systems.

18 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 18 Assumption #2  Safeguards or countermeasures implemented to protect CUI are consistent in both federal and nonfederal environments.

19 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 19 Assumption #3  The confidentiality impact value for CUI is no lower than moderate in accordance with Federal Information Processing Standards (FIPS) Publication 199.

20 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 20  Access Control.  Audit and Accountability.  Awareness and Training.  Configuration Management.  Identification and Authentication.  Incident Response.  Maintenance.  Media Protection.  Physical Protection.  Personnel Security.  Risk Assessment.  Security Assessment.  System and Communications Protection  System and Information Integrity. Obtained from FIPS 200 and NIST Special Publication 800-53. Security Requirements 14 Families

21 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 21 Structure of Security Requirements  Security requirements have a well-defined structure that consists of the following components:  Basic security requirement section.  Derived security requirements section.  References section.

22 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 22 Security Requirement Configuration Management Example Basic Security Requirement: Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and establish and enforce security configuration settings for information technology products employed in organizational information systems. Derived Security Requirements: a.Analyze the security impact of changes prior to implementation; b.Employ the principle of least functionality by configuring the information system to provide only essential capabilities; c.Restrict, disable, and prevent the use of nonessential functions, ports, protocols, and services; and d.Apply deny by exception (blacklist) policy to prevent the use of unauthorized software. References: NIST Special Publication 800-53. Configuration Management | CM-2; CM-4; CM-5; CM-6; CM-7; CM-7(1); CM-7(2); CM-7(4); CM-8.

23 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 23 The road ahead.

24 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 24 On the Horizon… Proposed 32 CFR Part 2002, Controlled Unclassified Information  NARA is issuing a Federal regulation, or directive (currently in coordination with OMB), to establish the required CUI security controls and markings governmentwide.  Requirements for the protection of CUI at the moderate confidentiality impact value in the proposed rule are based on applicable governmentwide standards and guidelines issued by NIST, and applicable policies established by OMB.

25 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 25 On the Horizon… Standard Federal Acquisition Regulation (FAR) Clause  The CUI Executive Agent also anticipates establishing a single Federal Acquisition Regulation (FAR) clause that will apply the requirements of the proposed CUI rule and NIST SP 800-171 to contractor environments.  This will further promote standardization to help nonfederal organizations meet the current range and types of contract clauses, where differing requirements and conflicting guidance from federal agencies gives rise to confusion and inefficiencies.

26 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 26 In the Interim… Using NIST Special Publication 800-171 on a voluntary basis  Until the formal process of establishing a single FAR clause takes place, and where necessitated by exigent circumstances, NIST SP 800-171 may be referenced in contract specific requirements on a limited basis— consistent with acquisition and regulatory requirements.

27 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 27 NIST Special Publication 800-171 Public Comment Period November 18, 2014 – January 16, 2015 National Institute of Standards and Technology Attn: Computer Security Division, Information Technology Laboratory 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899-8930 Copies available at: csrc.nist.gov Send comments to: sec-cert@nist.gov

28 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 28

29 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 29 Contact Information 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930 NISTNARA/ISOO Dr. Ron RossDr. Pat Viscuso (301) 975-5390(202) 357-5313 ron.ross@nist.gov patrick.viscuso@nara.gov NISTNARA/ISOO Kelley Dempsey Mark Riddle (301) 975-2827 (202) 357-6864 kelley.dempsey@nist.gov mark.riddle@nara.gov Comments: sec-cert@nist.govWeb: csrc.nist.gov

Download ppt "NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication 800-171 Protecting Controlled."

Similar presentations

PRESENTATION ON MONDAY 7 TH AUGUST, 2006 BY SUDHIR VARMA FCA; CIA(USA) FOR THE INSTITUTE OF INTERNAL AUDITORS – INDIA, DELHI CHAPTER.

PRESENTATION ON MONDAY 7 TH AUGUST, 2006 BY SUDHIR VARMA FCA; CIA(USA) FOR THE INSTITUTE OF INTERNAL AUDITORS – INDIA, DELHI CHAPTER.
USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
Www.eia.gov U.S. Energy Information Administration Independent Statistics & Analysis Controlled Unclassified Information FCSM Conference Jacob Bournazian,

U.S. Energy Information Administration Independent Statistics & Analysis Controlled Unclassified Information FCSM Conference Jacob Bournazian,
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 4: Effective Integration.

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 4: Effective Integration.
Briefing Outline  Overview of the CUI Program  Establishment of the Program  Elements of the CUI Executive Order  Requirements and Timelines  Categories.

Briefing Outline  Overview of the CUI Program  Establishment of the Program  Elements of the CUI Executive Order  Requirements and Timelines  Categories.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.

FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Data Ownership Responsibilities & Procedures

Data Ownership Responsibilities & Procedures
Conversation on the Chemical Facility Anti-Terrorism Standards (CFATS) and Critical Infrastructure Protection Chemical-Terrorism Vulnerability Information.

Conversation on the Chemical Facility Anti-Terrorism Standards (CFATS) and Critical Infrastructure Protection Chemical-Terrorism Vulnerability Information.
Congress and Contractor Personal Conflicts of Interest May 21, 2008 Jon Etherton Etherton and Associates, Inc.

Congress and Contractor Personal Conflicts of Interest May 21, 2008 Jon Etherton Etherton and Associates, Inc.
Coping with Electronic Records Setting Standards for Private Sector E-records Retention.

Coping with Electronic Records Setting Standards for Private Sector E-records Retention.
The Islamic University of Gaza

The Islamic University of Gaza
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.

National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Security Controls – What Works

Security Controls – What Works
Information Security Policies and Standards

Information Security Policies and Standards
Data Management Awareness January 23, 2008 1 University of Michigan Administrative Information Services Data Management Awareness Unit Liaisons January.

Data Management Awareness January 23, University of Michigan Administrative Information Services Data Management Awareness Unit Liaisons January.
Session 3 – Information Security Policies

Session 3 – Information Security Policies
Dr. Ron Ross Computer Security Division

Dr. Ron Ross Computer Security Division
Complying With The Federal Information Security Act (FISMA)

Complying With The Federal Information Security Act (FISMA)
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.
CUI Statistical: Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics.

CUI Statistical: Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics.

Similar presentations

Ads by Google