Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Dr. Ron Ross Computer Security.

Slides:



Advertisements
Similar presentations
U.S. Energy Information Administration Independent Statistics & Analysis Controlled Unclassified Information FCSM Conference Jacob Bournazian,
Advertisements

Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 4: Effective Integration.
TCSEC: The Orange Book. TCSEC Trusted Computer System Evaluation Criteria.
Briefing Outline  Overview of the CUI Program  Establishment of the Program  Elements of the CUI Executive Order  Requirements and Timelines  Categories.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication Protecting Controlled.
Health Insurance Portability and Accountability Act (HIPAA)HIPAA.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Security Controls – What Works
Information Systems Security Officer
CJIS Security Policy.
First Practice - Information Security Management System Implementation and ISO Certification.
Session 3 – Information Security Policies
Dr. Ron Ross Computer Security Division
Complying With The Federal Information Security Act (FISMA)
Information Security Compliance System Owner Training Richard Gadsden Information Security Office Office of the CIO – Information Services Sharon Knowles.
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.
Panel: Moderator: Michele Iversen Guest Experts: Dr. Ron Ross, Rod Beckstrom, Bob Wandell.
CUI Statistical: Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics.
Information Security Framework & Standards
1 Preparing a System Security Plan. 2 Overview Define a Security Plan Pitfalls to avoid Required Documents Contents of the SSP The profile Certification.
DFARS & What is Unclassified Controlled Technical Information (UCTI)?
Briefing Outline CUI Program Phased Implementation
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Security Standards Promoting Trust, Transparency, and Due Diligence E-Gov Washington Workshop.
1 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Federal Government Perspectives on Secure Information Sharing Technology Leadership Series August 14,
Other Laws (Primarily for E-Government) COEN 351.
Applied Technology Services, Inc. Your Partner in Technology Applied Technology Services, Inc. Your Partner in Technology.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
UNCLASSIFIED DITSCAP Primer. UNCLASSIFIED 1/18/01DITSCAP Primer.PPT 2 DITSCAP* Authority ASD/C3I Memo, 19 Aug 92 –Develop Standardized C&A Process DODI.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Integrated Enterprise-wide Risk Management Protecting Critical Information Assets and Records FIRM Forum.
National Institute of Standards and Technology 1 The Federal Information Security Management Act Reinforcing the Requirements for Security Awareness Training.
The Value of Common Criteria Evaluations Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology 100 Bureau Drive;
Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Managing Risk in New Computing Paradigms Applying FISMA Standards and Guidelines to Cloud Computing Workshop.
1 © Material United States Department of the Interior Federal Information Security Management Act (FISMA) April 2008 Larry Ruffin & Joe Seger.
Federal Information Security Management Act (FISMA) By K. Brenner OCIO Internship Summer 2013.
Working with HIT Systems
Approved for Public Release. Distribution Unlimited. 1 Government Privacy Rick Newbold, JD, MBA, CIPP/G Futures Branch 28.
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #1-1 Risk Management Process Frame = context, strategies Assess = determine.
Policy, Standards and Guidelines Breakout Co-Chairs Victor Hazlewood OCIO Cyber Security, ORNL Kim Milford ISO, University of Rochester.
Special Meeting on Procedures for Information Exchange November 7, 2007 Geneva Session 1 Anne Meininger United States USA WTO TBT Enquiry Point.
For Official Use Only (FOUO) and Similar Designations NPS Security Office
HHS Security and Improvement Recommendations Insert Name CSIA 412 Final Project Final Project.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Dr. Ir. Yeffry Handoko Putra
Special Publication Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Patricia Toth NIST MEP.
Safeguarding CDI - compliance with DFARS
Introduction for the Implementation of Software Configuration Management I thought I knew it all !
Got DoD Contracts in Your Supply Chain
Presenter: Mohammed Jalaluddin
Computer Security Division Information Technology Laboratory
Safeguarding Covered Defense Information
Software Configuration Management
Introduction to the Federal Defense Acquisition Regulation
Risk Management and Compliance
Safeguarding Covered Defense Information
Briefing Outline Executive Order 13556
Security Awareness Training: System Owners
Supplier Information Session Safeguarding Covered Defense Information and Cyber Incident Reporting, DFARS August 16, 2016 Christian Ortego.
UConn NIST Compliance Project
Final HIPAA Security Rule
An Urgent National Imperative
IT Best Practices for Community Colleges Part 3: Configuration Management Donald Hester March 30, 2010 For audio call Toll Free and use.
County HIPAA Review All Rights Reserved 2002.
MBUG 2018 Session Title: NIST in Higher Education
EDUCAUSE Security Professionals Conference 2018 Jason Pufahl, CISO
Internal Control Internal control is the process designed and affected by owners, management, and other personnel. It is implemented to address business.
IT Management Services Infrastructure Services
Part 1: Controlled Unclassified Information (CUI)
Presentation transcript:

Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Dr. Ron Ross Computer Security Division Information Technology Laboratory

Controlled Unclassified Information Information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. -- Executive Order 13556

Executive Order 13556 Controlled Unclassified Information November 4, 2010 The Order — Established a governmentwide Controlled Unclassified Information (CUI) Program to standardize the way the Executive branch handles unclassified information that requires protection. Designated the National Archives and Records Administration (NARA) as the Executive Agent to implement the CUI program. Only information that requires safeguarding or dissemination controls pursuant to federal law, regulation, or governmentwide policy may be designated as CUI.

Nonfederal Organizations Some Examples Federal contractors. State, local, and tribal governments. Colleges and universities. Make statement about ALL controls being monitoring – it is only the frequency that varies

The CUI Registry www.archives.gov/cui/registry/category-list.html Online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI Executive Agent. Identifies approved CUI categories and subcategories (with descriptions of each) and the basis for controls. Sets out procedures for the use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, re-using, and disposing of the information.

A three-part plan for the protection of CUI The Big Picture A three-part plan for the protection of CUI Federal CUI rule (32 CFR Part 2002) to establish the required controls and markings for CUI governmentwide. NIST Special Publication 800-171 to define security requirements for protecting CUI in nonfederal information systems and organizations. Federal Acquisition Regulation (FAR) clause to apply the requirements of the federal CUI rule and NIST Special Publication 800-171 to contractors.

Purpose To provide federal agencies with recommended requirements for protecting the confidentiality of CUI — When the CUI is resident in nonfederal information systems and organizations. Where the CUI does not have specific safeguarding requirements prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry. When the information systems where the CUI resides are not operated by organizations on behalf of the federal government.

Applicability CUI requirements apply only to components of nonfederal information systems that process, store, or transmit CUI, or provide security protection for such components. The requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.

CUI Security Requirements Basic and derived security requirements are obtained from FIPS 200 and NIST SP 800-53 initially — and then tailored appropriately to eliminate requirements that are: Uniquely federal (i.e., primarily the responsibility of the federal government). Not directly related to protecting the confidentiality of CUI. Expected to be routinely satisfied by nonfederal organizations without specification.

Security Requirements 14 Families Access Control. Audit and Accountability. Awareness and Training. Configuration Management. Identification and Authentication. Incident Response. Maintenance. Media Protection. Physical Protection. Personnel Security. Risk Assessment. Security Assessment. System and Communications Protection System and Information Integrity. Security Requirements 14 Families Obtained from FIPS 200 and NIST Special Publication 800-53.

Structure of Security Requirements Security requirements have a well-defined structure that consists of the following components: Basic security requirements section. Derived security requirements section.

Configuration Management Example Security Requirement Configuration Management Example Basic Security Requirements: 3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. 3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational information systems. Derived Security Requirements: 3.4.3 Track, review, approve/disapprove, and audit changes to information systems. 3.4.4 Analyze the security impact of changes prior to implementation. 3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.

Two important appendices. Mapping Tables. Mapping CUI Requirements to ISO 27001 and SP 800-53 Security Controls Two important appendices. Tailoring Criteria. Tailoring actions applied to moderate security control baseline.

CUI Find. Isolate. Protect. MANAGE RISK… Make statement about ALL controls being monitoring – it is only the frequency that varies

TRANSPARENCY, TRACEABILITY, TRUST… CUI The 110th Requirement. TRANSPARENCY, TRACEABILITY, TRUST… Make statement about ALL controls being monitoring – it is only the frequency that varies

FEDRAMP MODERATE SATISFIES CUI REQUIREMENTS… Move to the Cloud. FEDRAMP MODERATE SATISFIES CUI REQUIREMENTS… Make statement about ALL controls being monitoring – it is only the frequency that varies

Contact Information 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899-8930 NIST NARA/ISOO Dr. Ron Ross Dr. Pat Viscuso (301) 975-5390 (202) 357-5313 ron.ross@nist.gov patrick.viscuso@nara.gov Kelley Dempsey Mark Riddle (301) 975-2827 (202) 357-6864 kelley.dempsey@nist.gov mark.riddle@nara.gov Comments: sec-cert@nist.gov Web: csrc.nist.gov

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.