Page | 1
Information System Security Plan (ISSP) For Moderate Impact
Control on Non-Federal Information Systems
Insert Version
Approved By: _____________________________________________ Approval Date: __________
Insert Approver Title
Approved By: _____________________________________________ Approval Date: __________
Insert Approver Title
Approved By: _____________________________________________ Approval Date: __________
Insert Approver Title
This is an INSERT NAME OF ORGANISATION internal document. It shall be used and disclosed
externally for evaluation purposes only. Disclosure of this document outside the Government
for any purpose is strictly forbidden.
Table of Contents
Purpose:
Instructions:
Additional Resources:
List of Exhibits and Addendums:
Revision History:
Executive Summary
System Inventory:
Security Categorization:
Scope Evaluation for NIST 800-171:
    Segmentation Considerations
    Compliance Lifecycle
    Scoping Categories
General System Description:
System Environment:
System interconnections/information sharing:
NIST 800-171 Minimum Controls:
Global/SFC Valve Compliance App:
    The instructions for using the app are the following:
    Troubleshooting and Frequently Asked Questions:
Applicable Laws and Regulations:
Acronyms and Definitions:
Terms Defined:
Purpose:
The purpose of an information system security plan is to outline the management, operational, and technical safeguards and countermeasures needed for an information system. This guide aids in the creation of an organization's security plan for NIST 800-171 and helps outline its implementation processes.
Instructions:
The organization shall complete this NIST 800-171 information system security plan before December 31, 2017 in order to retain all contracts involving CUI. The ISSP describes the processes and procedures that the contractor will need in order to ensure the appropriate security of IT resources that are developed, processed, or used under this contract.
This guide can be used as a template for an organization's information system security plan. Each section describes the methods that should be used to identify or implement the NIST 800-171 security controls. The first 7 sections of this guide are used to help identify, track, understand, and collect information on the organization's information system. The sections are: System Identification, General System Description, Security Categorization, System Inventory, Scope Evaluation, System Environment, and Interconnections/Information Sharing.
Contractors should be aware of any other IT certifications, such as Sarbanes-Oxley (SOX) or HIPAA. Controls from those documents may also apply to NIST 800-171. If so, those controls can be used as a reference for completing the information system security plan.
Please note: The Purpose, Instructions, and Additional Resources sections should not be included in the actual ISSP form. They are references to aid the contractor in completing its information system security contract requirements.
Any text underlined in the ISSP should either be removed or replaced, and all tables and templates should be completed.
Additional Resources:
• Protecting Controlled Unclassified Information on Non-federal Information Systems and Organizations, NIST Special Publication 800-171r1
• Assessing Security and Privacy Controls in Federal Information Systems and Organizations, NIST Special Publication 800-53r4
• Guide for Developing Security Plans for Federal Information Systems, NIST Special Publication 800-18
List of Exhibits and Addendums:
A list of exhibits and addendums is a helpful way to organize files that are not in the plan itself, such as the company's inventory of devices.
Examples of Exhibits and Addendums:
List of Exhibits
Form | Revision | Title
Cl-001 | ----- | Yearly Audit Plan
Cl-002 | ----- | Vendor Letter
Cl-003 | ----- | Employee Computer Operation and Security Policy
List of Addendums
Addendum | Revision | Title
A | ----- | System Inventory List
B | ----- | System Identification
C | ----- | Controls and Common Control Methods
D | ----- | Prioritization Chart
Revision History:
A revision history helps determine whether the plan is up to date with new additions.
Example of a Revision History Table:
Date | Author | Version | Change Reference
DD/MM/YYYY | Company name here | 1.0 | Drafted Document
DD/MM/YYYY | Company name here | |
DD/MM/YYYY | Company name here | |
Executive Summary
The objective of system security planning is to improve protection of information
system resources. All federal systems have some level of sensitivity and require protection as
part of good management practice. The protection of a system must be documented in a
system security plan. The completion of system security plans is a requirement of the Office of
Management and Budget (OMB) Circular A-130, “Management of Federal Information
Resources,” Appendix III, “Security of Federal Automated Information Resources,” and Title III
of the E-Government Act, entitled the Federal Information Security Management Act (FISMA).
The purpose of the system security plan is to provide an overview of the security
requirements of the system and describe the controls in place or planned for meeting those
requirements. The system security plan also delineates responsibilities and expected behavior
of all individuals who access the system. The system security plan should be viewed as
documentation of the structured process of planning adequate, cost-effective security
protection for a system. It should reflect input from various managers with responsibilities
concerning the system, including information owners, the system owner, and the senior agency
information security officer (SAISO). Additional information may be included in the basic plan
and the structure and format organized according to agency needs, so long as the major
sections described in this document are adequately covered and readily identifiable.
In order for the plans to adequately reflect the protection of the resources, a senior
management official must authorize a system to operate. The authorization of a system to
process information, granted by a management official, provides an important quality control.
By authorizing processing in a system, the manager accepts its associated risk.
Management authorization should be based on an assessment of management,
operational, and technical controls. Since the system security plan establishes and documents
the security controls, it should form the basis for the authorization, supplemented by the
assessment report and the plan of actions and milestones. In addition, a periodic review of
controls should also contribute to future authorizations. Re-authorization should occur
whenever there is a significant change in processing, but at least every three years.
System Inventory:
This section is for identifying all the different systems and devices located within the contractor's/organization's information system. To aid in this, create a system inventory addendum and a system identification addendum.
The reason for creating a system inventory is that it will aid in the later process of identifying where CUI is located and which devices have access to it. This will help in the later section, Scope Evaluation. There are different ways to create the inventory list; Addendum A is a template that was created to show the information that should be identified in the list.
After creating the system inventory, look at the different systems and identify the following: (1) the name of the system, (2) whether it is a major application or a general support system, and (3) the system information type: Management and Support or Mission-Based. This can be recorded in different ways; there is a template located in Addendum B.
Security Categorization:
In this section, conduct a FIPS 199 security categorization of the system as it relates to the impact levels for Confidentiality, Integrity, and Availability. Below is the general potential impact chart for Confidentiality, Integrity, and Availability.
POTENTIAL IMPACT
Security Objective | LOW | MODERATE | HIGH
Confidentiality: Preserve authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. | The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational assets, or individuals. | The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational assets, or individuals.
Integrity: Guarding against improper information modification or destruction, and includes ensuring information nonrepudiation and authenticity. | The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Availability: Ensuring timely and reliable access to and use of information. | The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. | The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
Scope Evaluation for NIST 800-171:
NIST 800-171 is focused on protecting the CUI environment, which is where sensitive data (in regard to US national security) is stored, processed, or transmitted.
Segmentation Considerations
Network segmentation should be viewed as a process to isolate system components that store, process, or transmit CUI from systems that do not. Adequate network segmentation may reduce the scope of the CUI environment and, overall, reduce the scope of a NIST 800-171 audit.
To eliminate ambiguity surrounding the term “segmentation” in terms of NIST 800-171 scoping, this document will use one of the two following terms:
• Isolation – this is achieved when network traffic between two system components is not permitted.
• Controlled Access – this is achieved when access between system components is restricted to defined parameters.
o Controlled access is more common than isolation.
o Restrictions may include logical access control, traffic type (e.g., port, protocol or service), the direction from which the connection is initiated (e.g., inbound, outbound), etc.
Mechanisms providing the isolation or controlled access functionality may be either logical or physical. Examples of mechanisms include network and host-based firewalls, virtual routing and switching appliances, and access control lists.
Compliance Lifecycle
The table below outlines the key milestones in achieving and maintaining compliance with NIST 800-171 requirements.
Milestone | Activities
Confirm the Accuracy of the Assessment Scope | Document the company’s business processes and data workflows for known and potential instances where CUI is stored, processed, or transmitted. After gaining a complete understanding of all people, process, and technology-related interactions with CUI, identify and document all locations and flows of CUI across the organization.
Evaluate the Business Need for Each Location and Flow of CUI | For each instance identified above, evaluate the business need to handle CUI: (1) If CUI is not needed, stop collecting it and securely delete what has been collected. (2) If CUI is required, consider migrating or consolidating it elsewhere in the CUI environment to reduce scope, improve control, and mitigate risk.
Use the Decision Tree to Categorize Systems | Use the Summary of Categories chart to determine whether each system component is in the scope of assessment, and assign it a specific scoping sub-category. Note: The result of categorizing each system component helps identify the relevant risks to the CUI environment. Completing this step can be used in support of NIST 800-171 requirement 3.11 (e.g., periodically assess the risk to organizational operations).
Evaluate Scoping Conclusions and Consider Further Reducing the Scope of Assessment | Consider the risk implications of the scoping conclusions and identify potential opportunities to further reduce assessment scope (e.g., re-architecting business processes, data flows, and/or the control environment).
 | Evaluate each in-scope system component against all NIST 800-171 requirements for applicability and necessity, based on the risk to CUI and the overall control environment. Architect, design, implement and document the controls required to adequately mitigate the identified risk to CUI. Assess the controls for design and operating effectiveness, at the level of both the system components and the environment.
Scoping Categories
When it comes down to it, the CUI environment encompasses the people, processes and technology that store, process or transmit CUI.
• Store – When CUI is inactive or at rest (e.g., located on electronic media, system component memory, paper).
• Process – When CUI is actively being used by a system component (e.g., entered, edited, manipulated, printed, viewed).
• Transmit – When CUI is being transferred from one location to another (e.g., data in motion).
NIST categorizes system components as being either in or out of the scope for NIST 800-171, so there is no official guidance at a more granular level. This document defines three categories of system components and highlights the different types of risks associated with each category. This approach makes it more evident which system components are the most important to protect, based on the types of risk posed to CUI.
Every system component within the company's computing environment can be categorized into one and only one of the following:
• Category 1 (High) – System components that process, store or transmit CUI, or that are not isolated or restricted through controlled access from other Category 1 system components.
• Category 2 (Medium) – System components that have controlled access to a Category 1 system component.
• Category 3 (Low) – System components that are isolated from all Category 1 system components.
Categorizing each system component into one of these categories achieves several key results:
• Identifies all system components that are within the scope of NIST 800-171 compliance;
• Aids in documenting risks to CUI as each system component within the environment is analyzed;
• As Category 2 system components are further sub-categorized, helps clarify risks to CUI; and
• Enables the objective evaluation of CUI controls for applicability and necessity.
Summary of Categories
Category | Description | Method of Segmentation | CUI? | Vector of Attack? | In scope for NIST 800-171?
1a | Devices that store, process or transmit CUI. | N/A | YES | YES | YES
1b | Devices that do not store, process or transmit CUI, but are “infected by” Category 1a devices due to the absence of controlled access or isolation. | N/A | NO | YES | YES
2a | System components which, through controlled access, provide security services (e.g., authentication) to a Category 1 device. | Controlled Access | NO | YES | YES
2b | System components which, through controlled access, can initiate an inbound connection to a Category 1 device. | Controlled Access | NO | YES | YES
2c | System components which, through controlled access, can only receive a connection from a Category 1 device (i.e., cannot initiate a connection). | Controlled Access | NO | YES | YES
2d | System components which, through indirect and controlled access, have the ability to administer Category 1 devices. | Controlled Access | NO | YES | YES
3 | Systems that do not store, process or transmit CUI. All network traffic between Category 3 and Category 1 devices is restricted (isolation). | Isolated | NO | NO | NO
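The Summary of Categories is a decision tree, and the step that is easiest to get wrong by hand is Category 1b: one unrestricted path from a CUI device pulls a non-CUI device into Category 1, and that device in turn pulls in anything it talks to without controlled access. The following Python script is an added example, not part of this guide or its tracking app. It applies the table's rules to a constructed inventory (the component names and flows are hypothetical) and reports each component's category together with the table's CUI, attack-vector and in-scope answers. Assumptions beyond the table: each documented flow is tagged as controlled or unrestricted and carries a purpose of data, security-service or admin; when a component matches more than one Category 2 sub-category the script prefers 2a, then 2d, 2b, 2c, so that each component lands in exactly one category; and indirect administration chains (for example through a jump host) are not expanded.

```python
"""Scoping-category decision tree for NIST 800-171 (added example, not from the guide).

The inventory and flow list at the bottom are constructed for illustration; the
component names are hypothetical.  Category rules follow the Summary of Categories.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Flow:
    """One documented network path between two components."""
    src: str              # component that initiates the connection
    dst: str              # component that receives it
    controlled: bool      # True: restricted by firewall/ACL (controlled access); False: unrestricted
    purpose: str = "data"  # "data", "security-service" (e.g. authentication) or "admin"


# Answers to the table's CUI? / Vector of Attack? / In scope? columns, per category.
CATEGORY_FACTS: Dict[str, Tuple[bool, bool, bool]] = {
    "1a": (True, True, True),
    "1b": (False, True, True),
    "2a": (False, True, True),
    "2b": (False, True, True),
    "2c": (False, True, True),
    "2d": (False, True, True),
    "3": (False, False, False),
}


def categorize(components: Set[str], handles_cui: Set[str], flows: List[Flow]) -> Dict[str, str]:
    """Assign exactly one scoping category to every component."""
    cats: Dict[str, str] = {c: "1a" for c in handles_cui}

    # 1b: anything with UNRESTRICTED traffic to a Category 1 device is "infected";
    # the rule is applied transitively, so a flat VLAN pulls in everything on it.
    changed = True
    while changed:
        changed = False
        for f in flows:
            if f.controlled:
                continue
            for near, far in ((f.src, f.dst), (f.dst, f.src)):
                if near in cats and far not in cats:
                    cats[far] = "1b"
                    changed = True

    cat1 = set(cats)  # everything assigned so far is 1a or 1b
    for c in sorted(components - cat1):
        # Controlled flows that connect this component to a Category 1 device.
        touching = [f for f in flows if f.controlled and
                    ((f.src == c and f.dst in cat1) or (f.dst == c and f.src in cat1))]
        if not touching:
            cats[c] = "3"   # isolated from all Category 1 devices
        elif any(f.purpose == "security-service" for f in touching):
            cats[c] = "2a"  # provides security services (e.g. authentication)
        elif any(f.purpose == "admin" and f.src == c for f in touching):
            cats[c] = "2d"  # can administer Category 1 devices (assumed precedence over 2b)
        elif any(f.src == c for f in touching):
            cats[c] = "2b"  # can initiate an inbound connection to Category 1
        else:
            cats[c] = "2c"  # can only receive connections from Category 1
    return cats


def scope_summary(cats: Dict[str, str]) -> Dict[str, Tuple[str, bool, bool, bool]]:
    """Map each component to (category, handles CUI?, attack vector?, in scope?)."""
    return {c: (k,) + CATEGORY_FACTS[k] for c, k in cats.items()}


def in_scope(cats: Dict[str, str]) -> List[str]:
    """Components that must be assessed against NIST 800-171."""
    return sorted(c for c, k in cats.items() if CATEGORY_FACTS[k][2])


# Constructed sample inventory (hypothetical component names).
COMPONENTS = {"erp-db", "erp-app", "print-server", "hr-wiki", "ad-dc",
              "jump-host", "reporting", "syslog", "guest-wifi"}
HANDLES_CUI = {"erp-db", "erp-app"}
FLOWS = [
    Flow("erp-app", "erp-db", controlled=True),
    Flow("erp-app", "print-server", controlled=False),  # same flat VLAN, no ACL
    Flow("print-server", "hr-wiki", controlled=False),  # also flat: hr-wiki gets pulled in
    Flow("erp-app", "ad-dc", controlled=True, purpose="security-service"),
    Flow("jump-host", "erp-db", controlled=True, purpose="admin"),
    Flow("reporting", "erp-db", controlled=True),
    Flow("erp-app", "syslog", controlled=True),
]

if __name__ == "__main__":
    summary = scope_summary(categorize(COMPONENTS, HANDLES_CUI, FLOWS))
    for name, (cat, cui, vector, scoped) in sorted(summary.items()):
        print(f"{name:13} category {cat:3} CUI={cui!s:5} attack-vector={vector!s:5} in-scope={scoped}")
```

Re-running the script with the erp-app to print-server path tagged as controlled instead of unrestricted drops the print server to 2c and moves hr-wiki out of scope entirely, which is the scope-reduction effect the Segmentation Considerations section describes.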
General System Description:
In this section, provide a general description of the system the CUI is on. Make sure to outline what role the system plays in conducting work for the overall contract and detail the major functions of the information system. In the next section, provide an overview of the system architecture including hardware and software. Also provide an outline of what types of data are collected and stored on the system components and identify which organizational entity controls the data.
System Environment:
This is where you would include a system architecture diagram portraying all major functions within the system. Provide a detailed description of each major function.
For example, the description could include:
• Physical location
• Vendors for commercial software
• Groups/entities who have access to major functions
• Operating systems
• Make and Model
• Licensed software for major functions
• Anti-viruses
• Firewalls
• DMZ
• Elements such as:
o Web, database and application servers
o Email services such as Microsoft exchange servers
o Web-based applications and major application components such as web services or
infrastructure products such as software frameworks
o User workstations and workstation software and specialized configurations
o Scientific instruments and medical devices
o Laboratory information systems
Be sure to identify the organization that hosts and manages each major function.
System interconnections/information sharing:
This is where you will outline the major connections to the system, how information is shared, stored and backed up, and what types of information are transmitted.
For example, detail any connections that occur through public-facing web applications, internal intranet connections and remote connections to the system. Outline the security measures that are in place to protect information, such as a remote VPN, HTTPS and user agreements.
NIST 800-171 Minimum Controls:
This section explains NIST 800-171 and the required controls for contractors. This is the most important part of this guide because this is what the contractor/organization is required by the DoD to have implemented. Please read through NIST 800-171r1 for more information. This guide works with the NIST 800-171 Tracking program that we have developed. This program provides an easy and simple way to track and show the contract's status in meeting these NIST 800-171 control requirements.
There are a total of 109 basic and derived controls; these controls were developed from NIST 800-53. These controls only need to be implemented on the systems and devices where CUI is stored, transferred, collected, or processed, as was stated above in the Scope Evaluation section.
There are two other addendums that are important to this section: Controls and Common Control Methods, and the prioritization sheet. Addendum C, Controls and Common Control Methods, lists the control description, supplementary guidance from NIST 800-53, and common control information. The supplementary guidance is meant to aid in understanding what can be implemented to ensure that the controls are in place.
Please note: The tracker program focuses on providing the important information about each control and giving a common control method to become compliant with NIST 800-171. There are sections that link to both NIST 800-171 and the supplementary guidance from NIST 800-53. There is a section for comments so the contractor can specify how they meet that control, and they can add any supporting documentation showing that they meet the control, such as policies, audit reports, etc. The contractor can indicate their status on each control: compliant, partially compliant, or not compliant. If the contractor is non-compliant, there is a section for the contractor to indicate what revision is going to be made to meet compliance.
The second addendum is for creating a prioritization chart. After using our tracking program and identifying where the contractor is compliant and not compliant on their system, the chart is used to map out their next steps in implementing the controls that are not in place.
NIST Special Publication
800-171
CONTROL NAME CONTROL DESCRIPTION CONTROL NUMBER
3.1 ACCESS CONTROL
Basic Requirements
Account Management Limit information system access to
authorized users, processes acting on
behalf of authorized users, or devices
(including other information systems).
AC 3.1.1
Access Enforcement Limit information system access to the
types of transactions and functions
that authorized users are permitted to
execute.
AC 3.1.2
Derived Requirements
Information Flow Enforcement Control the flow of CUI in accordance
with approved authorizations. AC 3.1.3
Separation of Duties Separate the duties of individuals to
reduce the risk of malevolent activity
without collusion.
AC 3.1.4
Least Privilege Employ the principle of least privilege,
including for specific security functions
and privileged accounts.
AC 3.1.5
Minimizing Admin Usage Use non-privileged accounts or roles
when accessing non-security functions. AC 3.1.6
Non-Privileged User Auditing Prevent non-privileged users from
executing privileged functions and
audit the execution of such functions.
AC 3.1.7
Page | 15
Unsuccessful Logon Attempts Limit unsuccessful logon attempts. AC 3.1.8
System Use Notification Provide privacy and security notices
consistent with applicable CUI rules. AC 3.1.9
Session Lock Use session lock with pattern-hiding
displays to prevent access/viewing of
data after period of inactivity.
AC 3.1.10
Session Termination Terminate (automatically) a user
session after a defined condition. AC 3.1.11
Remote Access Sessions Monitor and control remote access
sessions. AC 3.1.12
Remote Access Cryptography Employ cryptographic mechanisms to
protect the confidentiality of remote
access sessions.
AC 3.1.13
Remote Access Control Points Route remote access via managed
access control points. AC 3.1.14
Remote Access Permissions Authorize remote execution of
privileged commands and remote
access to security-relevant
information.
AC 3.1.15
Wireless Access Authorize wireless access prior to
allowing such connections. AC 3.1.16
Wireless Cryptography Protect wireless access using
authentication and encryption. AC 3.1.17
Access Control for Mobile
Devices
Control connection of mobile devices. AC 3.1.18
Mobile Devices Cryptography Encrypt CUI on mobile devices. AC 3.1.19
Page | 16
Use of External Information
Systems
Verify and control/limit connections to
and use of external information
systems.
AC 3.1.20
Use of External Storage Devices Limit use of organizational portable
storage devices on external
information systems.
AC 3.1.21
Publically Accessible Content Control information posted or
processed on publicly accessible
information systems.
AC 3.1.22
3.2 AWARENESS AND TRAINING
Basic Requirements
Security Awareness Training Ensure that managers, systems
administrators, and users of
organizational information systems are
made aware of the security risks
associated with their activities and of
the applicable policies, standards, and
procedures related to the security of
organizational information systems.
AT 3.2.1
Role-Based Security Training Ensure that organizational personnel
are adequately trained to carry out
their assigned information security-
related duties and responsibilities.
AT 3.2.2
Derived Requirements
Insider Threat Training Provide security awareness training on
recognizing and reporting potential
indicators of insider threat.
AT 3.2.3
3.3 AUDIT AND ACCOUNTABILITY
Basic Requirements
Page | 17
Audit Events Create, protect, and retain information
system audit records to the extent
needed to enable the monitoring,
analysis, investigation, and reporting of
unlawful, unauthorized, or
inappropriate information system
activity.
AU 3.3.1
Audit Generation Ensure that the actions of individual
information system users can be
uniquely traced to those users so they
can be held accountable for their
actions.
AU 3.3.2
Derived Requirements
Audit Accountability Review and update audited events. AU 3.3.3
Response to Audit Processing
Failure
Alert in the event of an audit process
failure. AU 3.3.4
Audit Review, Analysis, and
Reporting
Use automated mechanisms to
integrate and correlate audit review,
analysis, and reporting processes for
investigation and response to
indications of inappropriate,
suspicious, or unusual activity.
AU 3.3.5
Audit Redaction and Report
Generation
Provide audit reduction and report
generation to support on-demand
analysis and reporting.
AU 3.3.6
Time Stamps Provide an information system
capability that compares and
synchronizes internal system clocks
with an authoritative source to
generate time stamps for audit
records.
AU 3.3.7
Protection of Audit Information Protect audit information and audit
tools from unauthorized access,
modification, and deletion.
AU 3.3.8
Page | 18
Audit Information Access Limit management of audit
functionality to a subset of privileged
users.
AU 3.3.9
3.4 CONFIGURATION MANAGMENT
Basic Requirements
Baseline Configuration Establish and maintain baseline
configurations and inventories of
organizational information systems
(including hardware, software,
firmware, and documentation)
throughout the respective system
development life cycles.
CM 3.4.1
Configuration Settings Establish and enforce security
configuration settings for information
technology products employed in
organizational information systems.
CM 3.4.2
Derived Requirements
Configuration Change Control Establish and enforce security
configuration settings for information
technology products employed in
organizational information systems.
CM 3.4.3
Security Impact Analysis Analyze the security impact of changes
prior to implementation. CM 3.4.4
Access Restrictions for Change Define, document, approve, and
enforce physical and logical access
restrictions associated with changes to
the information system.
CM 3.4.5
Least Functionality Employ the principle of least
functionality by configuring the
information system to provide only
essential capabilities.
CM 3.4.6
Page | 19
Use of Non-essential items Restrict, disable, and prevent the use
of nonessential programs, functions,
ports, protocols, and services.
CM 3.4.7
Blacklist Apply deny-by-exception (blacklist)
policy to prevent the use of
unauthorized software or deny-all,
permit-by-exception (whitelisting)
policy to allow the execution of
authorized software.
CM 3.4.8
User-Installed Software Control and monitor user-installed
software. CM 3.4.9
3.5 IDENTIFICATION AND AUTHENTICATION
Basic Requirements
Identification and
Authentication
Identify information system users,
processes acting on behalf of users, or
devices.
IA 3.5.1
Authenticator Management Authenticate (or verify) the identities
of those users, processes, or devices,
as a prerequisite to allowing access to
organizational information systems.
IA 3.5.2
Derived Requirements
Multifactor Authentication
Access
Use multifactor authentication for local
and network access to privileged
accounts and for network access to
non-privileged accounts.
IA 3.5.3
Identifier Management Employ replay-resistant authentication
mechanisms for network access to
privileged and non-privileged accounts.
IA 3.5.4
Reuse of Identifiers Prevent reuse of identifiers for a
defined period. IA 3.5.5
Page | 20
Disable Identifiers Disable identifiers after a defined
period of inactivity. IA 3.5.6
Password Complexity Enforce a minimum password
complexity and change of characters
when new passwords are created.
IA 3.5.7
Password Reuse Prohibit password reuse for a specified
number of generations. IA 3.5.8
Temporary Passwords Allow temporary password use for
system logons with an immediate
change to a permanent password.
IA 3.5.9
Password Protection Store and transmit only encrypted
representation of passwords. IA 3.5.10
Authenticator Feedback Obscure feedback of authentication
information. IA 3.5.11
3.6 INCIDENT RESPONSE
Basic Requirements
Incident Response Training Establish an operational incident-
handling capability for organizational
information systems that includes
adequate preparation, detection,
analysis, containment, recovery, and
user response activities.
IR 3.6.1
Incident Handling Track, document, and report incidents
to appropriate officials and/or
authorities both internal and external
to the organization.
IR 3.6.2
Derived Requirements
Incident Response Testing Test the organizational incident
response capability. IR 3.6.3
3.7 MAINTENANCE
Basic Requirements
Controlled Maintenance: Perform maintenance on organizational information systems. (MA 3.7.1)
Maintenance Tools: Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. (MA 3.7.2)
Derived Requirements
Off-site Maintenance: Ensure equipment removed for off-site maintenance is sanitized of any CUI. (MA 3.7.3)
Maintenance Media Testing: Check media containing diagnostic and test programs for malicious code before the media are used in the information system. (MA 3.7.4)
Nonlocal Maintenance: Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. (MA 3.7.5)
Maintenance Personnel: Supervise the maintenance activities of maintenance personnel without required access authorization. (MA 3.7.6)
3.8 MEDIA PROTECTION
Basic Requirements
Media Access: Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital. (MP 3.8.1)
Media Storage: Limit access to CUI on information system media to authorized users. (MP 3.8.2)
Media Sanitization: Sanitize or destroy information system media containing CUI before disposal or release for reuse. (MP 3.8.3)
Derived Requirements
Media Marking: Mark media with necessary CUI markings and distribution limitations. (MP 3.8.4)
Media Transport: Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. (MP 3.8.5)
Media Transport Cryptography: Implement cryptographic mechanisms to protect the confidentiality of information stored on digital media during transport outside of controlled areas unless otherwise protected by alternative physical safeguards. (MP 3.8.6)
Media Use: Control the use of removable media on information system components. (MP 3.8.7)
Portable Storage Use: Prohibit the use of portable storage devices when such devices have no identifiable owner. (MP 3.8.8)
Information System Backup: Protect the confidentiality of backup CUI at storage locations. (MP 3.8.9)
3.9 PERSONNEL SECURITY
Basic Requirements
Personnel Screening: Screen individuals prior to authorizing access to information systems containing CUI. (PS 3.9.1)
Personnel Termination/Transfer: Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers. (PS 3.9.2)
3.10 PHYSICAL SECURITY
Basic Requirements
Physical Access Authorizations: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. (PE 3.10.1)
Monitoring Physical Access: Protect and monitor the physical facility and support infrastructure for those information systems. (PE 3.10.2)
Derived Requirements
Physical Access Control: Escort visitors and monitor visitor activity. (PE 3.10.3)
Physical Access Logs: Maintain audit logs of physical access. (PE 3.10.4)
Physical Access Devices: Control and manage physical access devices. (PE 3.10.5)
Alternate Work Site: Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites). (PE 3.10.6)
3.11 RISK ASSESSMENT
Basic Requirements
Risk Assessment: Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI. (RA 3.11.1)
Derived Requirements
Vulnerability Scanning: Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified. (RA 3.11.2)
Vulnerability Remediation Plan: Remediate vulnerabilities in accordance with assessments of risk. (RA 3.11.3)
3.12 SECURITY ASSESSMENT
Basic Requirements
Security Assessments: Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application. (CA 3.12.1)
Plan of Action and Milestones: Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems. (CA 3.12.2)
Continuous Monitoring: Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls. (CA 3.12.3)
3.13 SYSTEMS AND COMMUNICATION PROTECTION
Basic Requirements
Boundary Protection: Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. (SC 3.13.1)
Security Engineering Principles: Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems. (SC 3.13.2)
Derived Requirements
Functionality Separation: Separate user functionality from information system management functionality (e.g., privileged user functions). (SC 3.13.3)
Information in Shared Resources: Prevent unauthorized and unintended information transfer via shared system resources. (SC 3.13.4)
Public Access Network Separation: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. (SC 3.13.5)
Deny-by-Exception: Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). (SC 3.13.6)
Disable Split Tunneling: Prevent remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks. (SC 3.13.7)
Transmission Confidentiality and Integrity: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. (SC 3.13.8)
Network Disconnect: Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. (SC 3.13.9)
Cryptographic Key Establishment and Management: Establish and manage cryptographic keys for cryptography employed in the information system. (SC 3.13.10)
Cryptographic Protection: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. (SC 3.13.11)
Collaborative Computing Devices: Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. (SC 3.13.12)
Mobile Code: Control and monitor the use of mobile code. (SC 3.13.13)
Voice over Internet Protocol: Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. (SC 3.13.14)
Session Authenticity: Protect the authenticity of communications sessions. (SC 3.13.15)
Protection of Information at Rest: Protect the confidentiality of CUI at rest. (SC 3.13.16)
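SC 3.13.5 and SC 3.13.6 together describe a rule set rather than a product: a separate subnetwork for the publicly reachable components, and a policy that denies everything not on an explicit exception list. The Python below is an added example written for this page, not part of the plan; the subnets (an RFC 5737 documentation range for the DMZ, a private range for the internal network), the rules and the sample flows are all constructed for illustration. It evaluates flows against the exception list and, for the 3.13.5 separation requirement, flags any exception that would let an untrusted source reach the internal network directly.

```python
"""
Deny-by-exception policy evaluator for SC 3.13.5 and SC 3.13.6.
Added example, not part of this plan: the subnets, rules and sample flows are
constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network

ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("10.10.0.0/16")      # assumed internal network (SC 3.13.5 "internal networks")
DMZ = ip_network("192.0.2.0/24")           # assumed subnetwork for publicly accessible components


@dataclass(frozen=True)
class Rule:
    src: IPv4Network
    dst: IPv4Network
    proto: str
    dport: int
    comment: str


# The exception list. Anything not matched here is denied (SC 3.13.6: deny all, permit by exception).
RULES = [
    Rule(ANY, ip_network("192.0.2.10/32"), "tcp", 443, "public web front end in the DMZ"),
    Rule(ip_network("192.0.2.10/32"), ip_network("10.10.5.20/32"), "tcp", 5432, "DMZ web tier to internal database"),
    Rule(INTERNAL, ANY, "tcp", 443, "outbound HTTPS from internal hosts"),
]


def evaluate(src: str, dst: str, proto: str, dport: int, rules=RULES) -> tuple[str, str]:
    """Return ('permit', reason) for the first matching exception, else ('deny', reason)."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if s in r.src and d in r.dst and proto == r.proto and dport == r.dport:
            return "permit", r.comment
    return "deny", "default deny: no matching exception"


def public_paths_into_internal(rules=RULES) -> list[str]:
    """SC 3.13.5 check: exceptions that let a non-internal, non-DMZ source reach the internal network."""
    findings = []
    for r in rules:
        source_is_trusted = r.src.subnet_of(INTERNAL) or r.src.subnet_of(DMZ)
        if not source_is_trusted and r.dst.overlaps(INTERNAL):
            findings.append(r.comment)
    return findings


def simulate(flows, rules=RULES) -> list[tuple[str, str, int, str]]:
    """Evaluate a batch of constructed flows; useful when reviewing a rule set before deployment."""
    return [(src, dst, dport, evaluate(src, dst, proto, dport, rules)[0]) for src, dst, proto, dport in flows]


if __name__ == "__main__":
    sample_flows = [   # constructed sample traffic
        ("198.51.100.7", "192.0.2.10", "tcp", 443),    # Internet -> DMZ web: permit
        ("198.51.100.7", "10.10.5.20", "tcp", 5432),   # Internet -> internal DB: deny
        ("192.0.2.10", "10.10.5.20", "tcp", 5432),     # DMZ web -> DB: permit
        ("192.0.2.10", "10.10.5.20", "tcp", 22),       # DMZ web -> DB ssh: deny
    ]
    for row in simulate(sample_flows):
        print(row)
    print("separation findings:", public_paths_into_internal())
```

Running the block prints the decision for each constructed flow and then the separation findings, which are empty for the rule set above. public_paths_into_internal is the review an assessor would ask for under 3.13.5: a single broad exception into the internal range, such as a remote-desktop rule from any source, shows up there even though 3.13.6 is still formally satisfied.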
3.14 SYSTEM AND INFORMATION INTEGRITY
Basic Requirements
Flaw Remediation Plan: Identify, report, and correct information and information system flaws in a timely manner. (SI 3.14.1)
Flaw Remediation Protection: Provide protection from malicious code at appropriate locations within organizational information systems. (SI 3.14.2)
Security Alerts, Advisories, and Directives: Monitor information system security alerts and advisories and take appropriate actions in response. (SI 3.14.3)
Derived Requirements
Malicious Code Protection: Update malicious code protection mechanisms when new releases are available. (SI 3.14.4)
Malicious Code Scanning: Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. (SI 3.14.5)
Information System Monitoring: Monitor the information system, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. (SI 3.14.6)
Information System Monitoring: Identify unauthorized use of the information system. (SI 3.14.7)
Global/SFC Valve Compliance Application:
All of the information above can be confusing, and NIST 800-171 can be vague about what each control actually requires. To aid in meeting these requirements, Global/SFC Valve has created a NIST Compliance Application. For each control the application provides the control description, a control recommendation with a possible suggested-action link, and guidance from NIST 800-53.
The instructions for using the application are as follows:
When the application opens, the user sees the Dashboard window, which has two sections. The first, Total Control Status, contains a table giving the user's total number of Compliant, Partially Compliant, Non-Compliant, and Unknown controls. The second displays progress bars for each of the 14 control families plus a total control progress bar showing the overall percentage of controls with which the user is compliant.
After examining the Dashboard, the user should look at the index on the left, which lists all of the control families. Clicking on any family reveals the list of controls in that family. Each control window contains the following sections: Control Recommendation, Supplementary Guidance NIST 800-53, NIST 800-53 Mapping, Status, Compliance, Remedial Action, and Supporting Documents.
The first three sections are meant to provide the user with information on how to meet the control. The Control Recommendation contains information on what the user should do in order to meet the control. The Supplementary Guidance section contains information from the NIST 800-53 document that NIST 800-171 was developed from; it provides additional information that helps explain what the control is or should be, and it contains references to other related controls. The NIST 800-53 Mapping gives the user links to the document; instead of having the user navigate the long document, the links take the user to the page the supplementary guidance was taken from.
The last four sections are meant for the user to track their compliance status, explain how they meet the control or, if non-compliant, what they will do to meet it, and identify and store any supporting documents that prove compliance. In the Status section the user chooses one of the following options: Compliant, Partially Compliant, Non-Compliant, or Does Not Apply. The Does Not Apply option is for when the subcontractor does not need to meet the control because some other protection in place protects as the control requires. An example would be the control for Voice over Internet Protocol: another way to satisfy this control would be not to use Voice over Internet Protocol in the subcontractor's network. The flags shown next to the Status section and the flags next to each control name in the index are connected, which helps the user track their compliance status for each control without having to open every control window. The Compliance section is for identifying and describing how the control has been met. The Remedial Action section is for describing the remedial plan to become compliant. The final Supporting Documents section is for uploading and storing any documents that can be used to prove the subcontractor is compliant with that control.
Application Disclaimer:
This is a freeware application that was created using the open source tool Electron. We at Global will do our best to fix any issues that occur as more people begin to use the application. With this in mind, understand that there could be bugs or issues while using our application. You should always keep backup files in case we update the application and send out a revised version, or in case you need to download the application again.
If you have any questions or feedback, please send them to either [email protected] or [email protected]. We will do our best to get back to you as soon as possible.
Troubleshooting and Frequently Asked Questions:
• Question: Is there a save button that I have to click to save my text in the two text box sections?
o Answer: No, your text is saved automatically every 3 seconds after you finish typing.
• Question: I uploaded a file to the Supporting Documents section and I cannot see whether it was uploaded?
o Answer: This can happen from time to time. Before you try to upload the file again, click the View tab in the top left corner and click Refresh (or press Ctrl+R) to refresh the application. Navigate back to that control window and check the Supporting Documents section; the file should be there.
• Question: How can we create a backup of the information that we entered into the application?
o Answer: To find your information, open File Explorer and navigate to the folder where you saved the app.
1. Open the Global SFC NIST Compliance Application folder.
2. Open the resources folder, then the app folder.
3. Open the assets folder and look for the data and documents folders.
4. When you find them, highlight both, right-click, and click Copy.
5. Save those two folders somewhere secure; you now have a backup.
• Note: You will need to create a new backup after you change anything in the app.
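The manual copy in the answer above works, but it is easy to skip and gives no way to tell later whether the copied files are intact. The Python below is an added example, not part of the Global/SFC application: it copies the same two folders the FAQ names (data and documents under resources/app/assets inside the application folder) into a timestamped backup folder that is never overwritten, and writes a SHA-256 manifest so a restore can be checked. The destination layout, the manifest format and the sample files in the usage are assumptions.

```python
"""
Backup helper for the procedure in the FAQ above.
Added example, not part of the Global/SFC application. It copies the data and
documents folders named in the FAQ (resources/app/assets inside the application
folder) into a timestamped backup folder and writes a SHA-256 manifest so a
restore can be verified. Destination layout and manifest format are assumptions.
"""
import hashlib
import shutil
from datetime import datetime
from pathlib import Path

ASSET_FOLDERS = ("data", "documents")     # the two folders the FAQ says to copy


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_app_data(app_folder: Path, backup_root: Path, now: datetime) -> Path:
    """Copy assets/data and assets/documents to backup_root/backup-<timestamp>/ and write manifest.txt."""
    assets = app_folder / "resources" / "app" / "assets"
    missing = [name for name in ASSET_FOLDERS if not (assets / name).is_dir()]
    if missing:
        raise FileNotFoundError(f"expected folder(s) not found under {assets}: {missing}")
    dest = backup_root / now.strftime("backup-%Y%m%d-%H%M%S")
    dest.mkdir(parents=True, exist_ok=False)   # never overwrite an earlier backup
    lines = []
    for name in ASSET_FOLDERS:
        shutil.copytree(assets / name, dest / name)
        for f in sorted((dest / name).rglob("*")):
            if f.is_file():
                lines.append(f"{sha256_of(f)}  {f.relative_to(dest).as_posix()}")
    (dest / "manifest.txt").write_text("\n".join(lines) + "\n", encoding="utf-8")
    return dest


def verify_backup(dest: Path) -> list[str]:
    """Re-hash every file listed in manifest.txt; return the paths that are missing or changed."""
    problems = []
    for line in (dest / "manifest.txt").read_text(encoding="utf-8").splitlines():
        if not line.strip():
            continue
        digest, rel = line.split("  ", 1)
        f = dest / rel
        if not f.is_file() or sha256_of(f) != digest:
            problems.append(rel)
    return problems


if __name__ == "__main__":
    # Constructed usage: point app_folder at the application folder and backup_root at a secure location.
    app = Path("Global SFC NIST Compliance Application")   # placeholder path
    made = backup_app_data(app, Path("backups"), datetime.now())
    print("backup written to", made, "problems:", verify_backup(made))
```

The note in the FAQ still applies: run it again after every change in the app, and keep the backup root outside the application folder so a reinstall cannot remove it.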
Applicable Laws and Regulations:
This is where you would put all the laws and regulations used to make your security plan. Here are examples:
• Organization Security Policies
• Organization Governances
• Federal Information Security Management Act (FISMA) of 2002
• OMB Circular No. A-130, Appendix III
• Federal Information Processing Standard Publication (FIPS) 199
• Federal Information Processing Standard Publication (FIPS) 200
• NIST Special Publication 800-171 – Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
• NIST Special Publication 800-18 Rev. 1 – Guide for Developing Security Plans for Federal Information Security Systems
• NIST Special Publication 800-30 Rev. 1 – Risk Management Guide for Information Systems
• NIST Special Publication 800-34 Rev. 1 – Contingency Planning Guide for Information Technology Systems
• NIST Special Publication 800-37 Rev. 1 – Guide for Applying Framework for Federal Information Systems
• NIST Special Publication 800-53 Rev. 3 – Recommended Security Controls for Federal Information Systems
• NIST Special Publication 800-60 Rev. 1 Volume I and II – Guide for Mapping Types of Information and Information Systems to Security Categories
Acronyms and Definitions:
ATO: Authority to operate
C&A: Certification and accreditation
CA: Certification authority
CAST: Certification and accreditation support tool
CD: Compact disk
CNSI: Chief of Naval Operations
CNO (N00N): Director, Naval Nuclear Propulsion Program
CO: Commanding officer
CO/OIC: Commanding officer/officer in charge
CRD: Confidential restricted data
DAA: Designated accrediting authority
DCS: Director of cybersecurity
DIACAP: DoD information assurance certification and accreditation process
DoD: Department of Defense
DOE: Department of Energy
DOE-UCNI: Department of Energy unclassified controlled nuclear information
DON: Department of the Navy
DVD: Digital video disk
EO: Executive order
FIPS: Federal information processing standard
IA: Information assurance
IAM: Information assurance manager
IATS: Information assurance tracking system
IT: Information technology
ITAR: International traffic in arms regulations
NAVICP: Naval inventory control point
NAVSEASYSCOM: Naval sea systems command
NIST: National institute of standards and technology
NNPI: Naval nuclear propulsion information
NNPICO: Naval nuclear propulsion information control officer
NNPP: Naval nuclear propulsion program
NAVNETWARCOM: Naval network warfare command
NOFORN: Not releasable to foreign nationals
NOTAL: Not to all
NSA: National security agency
NSI: National security information
NTK: Need-to-know
ODAA: Operational designated accrediting authority
OSH: Occupational safety and health
PIT: Platform information technology
PM: Project manager
PROM: Programmable read-only memory
RD: Restricted data
RDT&E: Research, development, test, and evaluation
SECNAV: Secretary of the Navy
SM: System manager
SMIC: Special material identification code
SNSI: SECRET national security information
SPAWARSYSCOM: Space and naval warfare systems command
SRD: SECRET restricted data
SUPSHIP: Supervisor of shipbuilding
UCNI: UNCLASSIFIED controlled nuclear information
U-NNPI: UNCLASSIFIED naval nuclear propulsion information
USB: Universal serial bus
VTC: Video telephone conference
Terms Defined:
Accreditation: The formal declaration by the DAA that an information system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.
Authorizing Official: A senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations.
Certification: The comprehensive evaluation of the technical and non-technical security features of an information system, determining the degree to which the information system meets its specified security requirements.
DOE unclassified controlled nuclear information (DOE-UCNI): DOE-UCNI involves information protected under section 148 of the Atomic Energy Act. One part of DOE-UCNI includes information pertaining to the reactor plants of naval nuclear propulsion plants. Documents containing unclassified DOE reactor plant information may be marked with a DOE-UCNI warning statement when they are sent to Navy activities. The protection requirements are the same as those for U-NNPI. Therefore, documents marked as DOE-UCNI will be protected as U-NNPI.
Dual citizens: Individuals who are dual citizens (hold both U.S. citizenship and the citizenship of some other country). Such individuals are subject to special restrictions.
Foreign interest: Any foreign government, agency of a foreign government, or representative of a foreign government; any form of business enterprise or entity organized under the laws of any country other than the United States or its possessions; and any foreign national. Firms organized under U.S. laws, regardless of potential foreign ownership, can receive contracts requiring access to U-NNPI if the firm formally agrees to protect the information.
Foreign national: For the purposes of this instruction, a foreign national is any person not a U.S. citizen. Non-U.S. citizens permanently residing in the United States are considered foreign nationals.
General Support Systems: An interconnected set of information resources under the same direct management control that shares common functionality.
Information system: A discrete set of information resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information.
Information System Owner: The senior official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.
Information technology (IT): Any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. This includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.
Information Owner: The agency official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.
Mission-based: Information systems that are employed directly to provide services to citizens and clients.
Naval nuclear propulsion information (NNPI): All classified or unclassified information concerning the design, arrangement, development, manufacture, testing, operation, administration, training, maintenance, and repair of the propulsion plants of naval nuclear-powered ships and prototypes, including the associated shipboard and shore-based nuclear support facilities.
Need-to-know (NTK): An official determination that a proposed recipient's access to information is necessary in the performance of official or contractual duties of employment.
NNPI control officer (NNPICO): The individual who is both familiar with NNPI and its protection requirements and designated by an activity that routinely deals with NNPI. Each activity shall ensure that the NNPICO is technically qualified, or that a technically qualified person shall be available for consultation. The NNPICO's primary responsibility shall be to ensure that only site personnel with an NTK are granted and allowed to retain access to NNPI.
NNPI workspace: An area designated by the Government where NNPI may be processed.
NNPP activity: Organizations that have an officially assigned or contracted function that involves the research, design, construction, testing, operation, maintenance, or disposal of naval nuclear propulsion plants.
Representative of foreign interest: For the purposes of this instruction, a representative of a foreign interest is any person, regardless of citizenship, functioning (in an individual capacity or on behalf of any corporation, person, or government entity) as an official, representative, agent, or employee of a foreign interest. One exception is that U.S. citizens appointed by their U.S. employer to act as a representative in the management of a foreign subsidiary of a U.S. corporation will not be considered representatives of a foreign interest.
Restricted data (RD): A special type of classified information as defined in section 11(w) of Public Law 83-703 (The Atomic Energy Act of 1954, as amended), as ". . . all data concerning (1) design, manufacture, or utilization of atomic weapons; (2) the production of special nuclear material; or (3) the use of special nuclear material in the production of energy, but shall not include data declassified or removed from the Restricted Data category pursuant to Section 142."