NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication 800-171 Protecting Controlled.

Slides:



Advertisements
Similar presentations
PRESENTATION ON MONDAY 7 TH AUGUST, 2006 BY SUDHIR VARMA FCA; CIA(USA) FOR THE INSTITUTE OF INTERNAL AUDITORS – INDIA, DELHI CHAPTER.
Advertisements

USG INFORMATION SECURITY PROGRAM AUDIT: ACHIEVING SUCCESSFUL AUDIT OUTCOMES Cara King Senior IT Auditor, OIAC.
U.S. Energy Information Administration Independent Statistics & Analysis Controlled Unclassified Information FCSM Conference Jacob Bournazian,
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 4: Effective Integration.
Briefing Outline  Overview of the CUI Program  Establishment of the Program  Elements of the CUI Executive Order  Requirements and Timelines  Categories.
FIPS 201 Personal Identity Verification For Federal Employees and Contractors National Institute of Standards and Technology Information Technology Laboratory.
Data Ownership Responsibilities & Procedures
Conversation on the Chemical Facility Anti-Terrorism Standards (CFATS) and Critical Infrastructure Protection Chemical-Terrorism Vulnerability Information.
Congress and Contractor Personal Conflicts of Interest May 21, 2008 Jon Etherton Etherton and Associates, Inc.
Coping with Electronic Records Setting Standards for Private Sector E-records Retention.
The Islamic University of Gaza
National Institute of Standards and Technology 1 NIST Guidance and Standards on System Level Information Security Management Dr. Alicia Clay Deputy Chief.
Security Controls – What Works
Information Security Policies and Standards
Data Management Awareness January 23, University of Michigan Administrative Information Services Data Management Awareness Unit Liaisons January.
Session 3 – Information Security Policies
Dr. Ron Ross Computer Security Division
Complying With The Federal Information Security Act (FISMA)
Effectively Integrating Information Technology (IT) Security into the Acquisition Process Section 5: Security Controls.
CUI Statistical: Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics.
SEC835 Database and Web application security Information Security Architecture.
DFARS & What is Unclassified Controlled Technical Information (UCTI)?
HIPAA PRIVACY AND SECURITY AWARENESS.
Briefing Outline CUI Program Phased Implementation
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information Security Standards Promoting Trust, Transparency, and Due Diligence E-Gov Washington Workshop.
1 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Federal Government Perspectives on Secure Information Sharing Technology Leadership Series August 14,
Other Laws (Primarily for E-Government) COEN 351.
Applied Technology Services, Inc. Your Partner in Technology Applied Technology Services, Inc. Your Partner in Technology.
HQ Expectations of DOE Site IRBs Reporting Unanticipated Problems and Review/Approval of Projects that Use Personally Identifiable Information Libby White.
NIST Special Publication Revision 1
Theme: classification & distribution of government control of FEA.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
Certification and Accreditation CS Phase-1: Definition Atif Sultanuddin Raja Chawat Raja Chawat.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Integrated Enterprise-wide Risk Management Protecting Critical Information Assets and Records FIRM Forum.
National Institute of Standards and Technology 1 The Federal Information Security Management Act Reinforcing the Requirements for Security Awareness Training.
1 Information Sharing Environment (ISE) Privacy Guidelines Jane Horvath Chief Privacy and Civil Liberties Officer.
The Value of Common Criteria Evaluations Stuart Katzke, Ph.D. Senior Research Scientist National Institute of Standards & Technology 100 Bureau Drive;
Disaster Recover Planning & Federal Information Systems Management Act Requirements December 2007 Central Maryland ISACA Chapter.
NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Managing Risk in New Computing Paradigms Applying FISMA Standards and Guidelines to Cloud Computing Workshop.
1 © Material United States Department of the Interior Federal Information Security Management Act (FISMA) April 2008 Larry Ruffin & Joe Seger.
The Culture of Healthcare Privacy, Confidentiality, and Security Lecture d This material (Comp2_Unit9d) was developed by Oregon Health and Science University,
Federal Information Security Management Act (FISMA) By K. Brenner OCIO Internship Summer 2013.
Data Governance 101. Agenda  Purpose  Presentation (Elijah J. Bell) Data Governance Data Policy Security Privacy Contracts  FERPA—The Law  Q & A.
Of XX Data Rights, Intellectual Property, Information Technology and Export Controls in Government Contracting Fernand Lavallee, Partner, Jones Day ©2015.
NIST Computer Security Framework and Grids Original Slides by Irwin Gaines (FNAL) 20-Apr-2006 Freely Adapted by Bob Cowles (SLAC/OSG) for JSPG 13-Mar-2007.
July 1, 2004Computer Security: Art and Science © Matt Bishop Slide #1-1 Risk Management Process Frame = context, strategies Assess = determine.
Configuring Electronic Health Records Privacy and Security in the US Lecture b This material (Comp11_Unit7b) was developed by Oregon Health & Science University.
Presented by Eliot Christian, USGS Accessibility, usability, and preservation of government information (Section 207 of the E-Government Act) April 28,
Internal Audit Section. Authorized in Section , Florida Statutes Section , Florida Statutes (F.S.), authorizes the Inspector General to review.
For Official Use Only (FOUO) and Similar Designations NPS Security Office
HHS Security and Improvement Recommendations Insert Name CSIA 412 Final Project Final Project.
Important acronyms AO = authorizing official ISO = information system owner CA = certification agent.
NIST SP800 53R4 WMISACA Conferance April 2016 By Dean E Brown CISSP, ISSMP, CSSLP, MCSD Owner – ITSecurityAxioms.com 262 Barrington Cir Lansing, MI
Special Publication Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Patricia Toth NIST MEP.
Safeguarding CDI - compliance with DFARS
Introduction for the Implementation of Software Configuration Management I thought I knew it all !
Presenter: Mohammed Jalaluddin
Computer Security Division Information Technology Laboratory
Introduction to the Federal Defense Acquisition Regulation
Risk Management and Compliance
Special Publication Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Dr. Ron Ross Computer Security.
Briefing Outline Executive Order 13556
Matthew Christian Dave Maddox Tim Toennies
Supplier Information Session Safeguarding Covered Defense Information and Cyber Incident Reporting, DFARS August 16, 2016 Christian Ortego.
UConn NIST Compliance Project
MBUG 2018 Session Title: NIST in Higher Education
EDUCAUSE Security Professionals Conference 2018 Jason Pufahl, CISO
HQ Expectations of DOE Site IRBs
Internal Control Internal control is the process designed and affected by owners, management, and other personnel. It is implemented to address business.
Part 1: Controlled Unclassified Information (CUI)
Presentation transcript:

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1 Information System Security Association-Washington D.C. NIST Special Publication Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2 First, some definitions.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 3 Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, excluding information that is classified under Executive Order of December 29, 2009, or the Atomic Energy Act, as amended. -- E.O Controlled Unclassified Information

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4 Controlled Unclassified Information Supports federal missions and business functions… … that affect the economic and national security interests of the United States.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5 An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. -- Federal Information Security Management Act 40 U.S.C., Sec Federal Information System

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 6 An information system that does not meet the criteria for a federal information system. -- NIST SP Nonfederal Information System

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 7 An entity that owns, operates, or maintains a nonfederal information system. -- NIST SP Nonfederal Organization

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 8 Nonfederal Organizations Some Examples  Federal contractors.  State, local, and tribal governments.  Colleges and universities.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 9 The protection of sensitive, unclassified federal information while residing in nonfederal information systems and environments of operation is of paramount importance to federal agencies—and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. -- NIST SP An urgent need… A national imperative.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 10 Executive Order Controlled Unclassified Information November 10, 2010 The Order —  Designated the National Archives and Records Administration (NARA) as the Executive Agent for Controlled Unclassified Information (CUI).  Directed NARA to implement a governmentwide CUI Program to standardize the way the Executive branch handles unclassified information that requires protection.  Established an open and uniform program to manage unclassified information within the executive branch that requires safeguarding and dissemination controls as required by law, regulation, and Government-wide policy.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 11 CUI Registry  Identifies the exclusive categories and subcategories of unclassified information that require safeguarding and dissemination controls consistent with law, federal regulation, and Government-wide policies.  Serves as the central repository for the posting of and access to the categories and subcategories, associated markings, and applicable safeguarding, dissemination, and decontrol procedures.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 12 The Big Picture A three-part plan for the protection of CUI  Development of 32 CFR Part  Development of NIST SP  Development of single Federal Acquisition Regulation (FAR) Clause.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 13 NIST Special Publication Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Initial Public Draft November 2014

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 14 Purpose and Applicability  To provide federal agencies with recommended requirements for protecting the confidentiality of CUI when such information resides in nonfederal information systems and organizations.  The security requirements apply only to components of nonfederal information systems that process, store, or transmit CUI.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 15 Basic and derived security requirements are obtained from FIPS 200 and NIST SP initially — and then tailored appropriately to eliminate requirements that are:  Primarily the responsibility of the federal government (i.e., uniquely federal requirements).  Related primarily to availability.  Assumed to be routinely satisfied by nonfederal organizations without any further specification. Security Requirements

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 16  Individuals with system development life cycle responsibilities.  Program managers, information owners, mission/business owners, system owners, acquisition officials.  Individuals with information system, security, or risk management and oversight responsibilities.  Authorizing officials, chief information officers, chief information security officers, information system/security managers.  Individuals with security assessment and monitoring responsibilities.  Auditors, system evaluators, assessors, independent verifiers and validators, analysts. Target Audience

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 17 Assumption #1  Statutory and regulatory requirements for the protection of CUI are consistent, whether such information resides in federal or nonfederal information systems.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 18 Assumption #2  Safeguards or countermeasures implemented to protect CUI are consistent in both federal and nonfederal environments.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 19 Assumption #3  The confidentiality impact value for CUI is no lower than moderate in accordance with Federal Information Processing Standards (FIPS) Publication 199.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 20  Access Control.  Audit and Accountability.  Awareness and Training.  Configuration Management.  Identification and Authentication.  Incident Response.  Maintenance.  Media Protection.  Physical Protection.  Personnel Security.  Risk Assessment.  Security Assessment.  System and Communications Protection  System and Information Integrity. Obtained from FIPS 200 and NIST Special Publication Security Requirements 14 Families

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 21 Structure of Security Requirements  Security requirements have a well-defined structure that consists of the following components:  Basic security requirement section.  Derived security requirements section.  References section.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 22 Security Requirement Configuration Management Example Basic Security Requirement: Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and establish and enforce security configuration settings for information technology products employed in organizational information systems. Derived Security Requirements: a.Analyze the security impact of changes prior to implementation; b.Employ the principle of least functionality by configuring the information system to provide only essential capabilities; c.Restrict, disable, and prevent the use of nonessential functions, ports, protocols, and services; and d.Apply deny by exception (blacklist) policy to prevent the use of unauthorized software. References: NIST Special Publication Configuration Management | CM-2; CM-4; CM-5; CM-6; CM-7; CM-7(1); CM-7(2); CM-7(4); CM-8.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 23 The road ahead.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 24 On the Horizon… Proposed 32 CFR Part 2002, Controlled Unclassified Information  NARA is issuing a Federal regulation, or directive (currently in coordination with OMB), to establish the required CUI security controls and markings governmentwide.  Requirements for the protection of CUI at the moderate confidentiality impact value in the proposed rule are based on applicable governmentwide standards and guidelines issued by NIST, and applicable policies established by OMB.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 25 On the Horizon… Standard Federal Acquisition Regulation (FAR) Clause  The CUI Executive Agent also anticipates establishing a single Federal Acquisition Regulation (FAR) clause that will apply the requirements of the proposed CUI rule and NIST SP to contractor environments.  This will further promote standardization to help nonfederal organizations meet the current range and types of contract clauses, where differing requirements and conflicting guidance from federal agencies gives rise to confusion and inefficiencies.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 26 In the Interim… Using NIST Special Publication on a voluntary basis  Until the formal process of establishing a single FAR clause takes place, and where necessitated by exigent circumstances, NIST SP may be referenced in contract specific requirements on a limited basis— consistent with acquisition and regulatory requirements.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 27 NIST Special Publication Public Comment Period November 18, 2014 – January 16, 2015 National Institute of Standards and Technology Attn: Computer Security Division, Information Technology Laboratory 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD Copies available at: csrc.nist.gov Send comments to:

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 28

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 29 Contact Information 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA NISTNARA/ISOO Dr. Ron RossDr. Pat Viscuso (301) (202) NISTNARA/ISOO Kelley Dempsey Mark Riddle (301) (202) Comments: csrc.nist.gov

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.