TRANSCRIPT
Moderator: Steve Warzala
NIST SP800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
Today’s Presenter: Wade Kastorff
SRC, Commercial Cyber Security Services
January 27, 2016
https://www.csiac.org/
© 2015 SRC, Inc.
NIST Special Publication 800-171: Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
Answers to:
• What are the initial impacts to contractors?
• What is NIST SP 800-171?
• What is Controlled Unclassified Information?
• Implementing NIST SP 800-171?
• References and Links
What is NIST SP 800-171?
• In place to protect “Controlled Unclassified Information” (CUI)
• Tailored NIST SP 800-53 security controls
• Standardizes “derived” requirements
• 14 Security requirement families
• “Makes it easier”
Implementation of NIST SP 800-171
Does NIST SP 800-171 replace SP 800-53?
NIST SP 800-171:
• Provides nonfederal organizations with the top-level requirements
• References NIST SP 800-53
NIST SP 800-53:
• Security and Privacy Controls for Federal Information Systems and Organizations
As a DOD contractor there is a difference
A DOD contractor operates two types of information systems:
• Federal Information System
− An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency.
• Non-federal Information System
− An information system that does not meet the criteria for a federal information system.
Contractor information system:
• An information system belonging to, or operated by or for, the Contractor.
This roadmap provides direction on the implementation of a NIST information assurance framework for a Non-federal information system.
Controlled Unclassified Information
What is Controlled Unclassified Information?
Controlled Unclassified Information (CUI) is unclassified information that requires additional protections.
There are 107 unique markings of Unclassified information that require additional protection, for example:
• For Official Use Only
• Personally Identifying Information
• Export-Controlled Information
• Proprietary Information and Trade Secrets
• Source Selection Data
• Sensitive Security Information
• Protected Critical Infrastructure Information
• Operations Security (OPSEC)
• Law Enforcement Sensitive
• Sensitive But Unclassified
• Unclassified NOFORN
CUI Impacts to Contractors
There are a few new DOD designators for Unclassified Information that require protection. They are under the umbrella of Covered Defense Information and known as:
• Controlled Technical Information (CTI)
• Critical Information (Operations Security)
• Export Control
• Any other information, marked or otherwise identified in the contract, that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies (e.g., privacy, proprietary business information).
Contact your security officer, classification specialist, and contracting officer for contract-specific guidance on CUI.
What is Controlled Technical Information?
Technical information with military or space application:
• Subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
• Information, if disseminated, for distribution statements B through F, using the criteria set forth in DoD Instruction 5230.24, Distribution Statements on Technical Documents.
• Does not include information that is lawfully publicly available without restrictions.
What is Critical Information (OPSEC)?
Critical Information (operations security) is specific facts identified through the Operations Security process about:
• Friendly intentions
• Capabilities
• Activities vitally needed by adversaries for them to plan and act effectively so as to guarantee failure or unacceptable consequences for friendly mission accomplishment
What is Export Control Information?
Export control information is unclassified information concerning certain:
• Items
• Commodities
• Technology
• Software
• Other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives
• Includes dual-use items; items identified in export administration regulations, international traffic in arms regulations (ITAR), and munitions lists; license applications; and sensitive nuclear technology information
Additional Definitions
Contractor attributional/proprietary information:
• Information that identifies the contractor(s), whether directly or indirectly, by the grouping of information that can be traced back to the contractor(s) (e.g., program description, facility locations), personally identifiable information, as well as trade secrets, commercial or financial information, or other commercially sensitive information that is not customarily shared outside of the company.
Contractor information system:
• An information system belonging to, or operated by or for, the Contractor.
A Challenge with CUI
It is the Executive Agencies' responsibility to furnish information on the control of CUI within the guidelines published by NARA.
• The Department of Defense has been fairly proactive.
• The others, not so much.
Be prepared for change.
Consult with your security officer, classification specialist and contracting officer for specific contractual guidance.
Implementing NIST SP 800-171
Where to begin?
Need to Know!
• Implement NIST 800-171 requirements prior to December 31, 2017
• Notify the DOD CIO of any non-implemented ‘171 security requirements within 30 days of contract award
• Be aware of sub-contractor flow-down requirements
Roadmap to Implementing a NIST IA Program
• Work closely with your Contracting Officer!
• Establish your cyber security baseline
• Develop a formal project plan for an enterprise IA program
• Obtain buy-in from the Executive Leadership Teams and/or Board of Directors
• Implement the multi-phase IA program plan
• Conduct various self-assessment activities during and at the end of identified milestones
• Validate your cyber security posture at each significant milestone
References and Links
• NIST SP 800-171: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171.pdf
• Federal Register – DOD implementation: http://www.gpo.gov/fdsys/pkg/FR-2015-08-26/pdf/2015-20870.pdf
• Federal Register – DOD implementation (Amended): https://www.gpo.gov/fdsys/pkg/FR-2015-12-30/pdf/2015-32869.pdf
• Controlled Unclassified Information: https://www.archives.gov/cui/
• DOD – Safeguarding Covered Defense Information and Cyber Incident Reporting: http://www.acq.osd.mil/dpap/policy/policyvault/USA005505-15-DPAP.pdf
Questions?
14685 Avion Parkway
Chantilly, VA 20151
Phone: 703-961-5500
Wade Kastorff
571.299.8372