protecting controlled unclassified information in nonfederal information … › ... ›...
TRANSCRIPT
MEP Overview
Special Publication 800-171 Protecting Controlled Unclassified Information
in Nonfederal Information Systems and Organizations
Patricia Toth NIST MEP
MEP Overview
What is Information Security?
2
Cyber-security
Privacy
Physical Security
Contingency Planning &
Disaster Recovery
Operational Security
Personnel Security
MEP Overview
Ourappe)teforadvancedtechnologyisrapidlyexceedingourabilitytoprotectit.
MEP Overview
We are vulnerable because our information technology is fragile and susceptible to a wide range of threats including:
§ natural disasters. § structural failures. § cyber attacks. § human errors.
MEP Overview
NIST Cybersecurity Guidance
FIPS Special Publications
NISTIR
MEP Overview
NISTSpecialPublica)on800-171Rev1
Protec)ngControlledUnclassifiedInforma)oninNonfederalInforma)onSystemsandOrganiza)ons
December2016
h-p://nvlpubs.nist.gov/nistpubs/SpecialPublica>ons/NIST.SP.800-171r1.pdf
MEP Overview
Controlled Unclassified Information
Supports federal missions and business functions…
…that affect the economic and national security interests of the United States.
MEP Overview
NonfederalOrganiza)onsSomeExamples
§ Federal contractors, and subcontractors. § State, local, and tribal governments. § Colleges and universities.
MEP Overview 9
Why is this all necessary? • Over 100 different ways of characterizing SBU
information. • No common definition or protocols. • Information inconsistently marked. • Common definition and standardize processes and
procedures.
MEP Overview
TheCUIRegistrywww.archives.gov/cui/registry/category-list.html
§ Online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI Executive Agent.
§ Identifies approved CUI categories and subcategories (with descriptions of each) and the basis for controls.
§ Sets out procedures for the use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, re-using, and disposing of the information.
MEP Overview
CUI Registry • Manufacturing
11
Category-Subcategory: Proprietary Business Information-Manufacturer Category Description: Material and information relating to, or associated with, a company's
products, business, or activities, including but not limited to financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications.
Subcategory Description: Relating to the production of a consumer product to include that of a private labeler.
Marking: MFC
MEP Overview
TheBigPicturePlanfortheprotec=onofCUI
§ Federal CUI rule (32 CFR Part 2002) to establish the required controls and markings for CUI governmentwide.
§ NIST Special Publication 800-171 to define security requirements for protecting CUI in nonfederal information systems and organizations.
§ Federal Acquisition Regulation (FAR) clause to apply the requirements of the federal CUI rule and NIST Special Publication 800-171 to contractors.
§ DFAR clause 252.204.7008 requires compliance to NIST Special Publication 800-171
MEP Overview
Nonfederal Organizations — § Have information technology infrastructures in place.
§ Not developing or acquiring systems specifically for the purpose of processing, storing, or transmitting CUI.
§ Have safeguarding measures in place to protect their information. § May also be sufficient to satisfy the CUI requirements.
§ May not have the necessary organizational structure or resources to satisfy every CUI security requirement. § Can implement alternative, but equally effective, security measures.
§ Can implement a variety of potential security solutions. § Directly or through the use of managed services.
Assump)ons
MEP Overview
§ Access Control. § Audit and Accountability.
§ Awareness and Training. § Configuration Management.
§ Identification and Authentication. § Incident Response.
§ Maintenance. § Media Protection.
§ Physical Protection. § Personnel Security.
§ Risk Assessment. § Security Assessment.
§ System and Communications Protection § System and Information Integrity.
Obtained from FIPS 200 and NIST Special Publication 800-53.
SecurityRequirements14Families
MEP Overview
StructureofSecurityRequirements
Security requirements have a well-defined structure that consists of the following components:
§ Basic security requirements section. § Derived security requirements section.
MEP Overview
SecurityRequirementAwarenessandTrainingExample
BasicSecurityRequirements: 3.2.1 Ensurethatmanagers,systemsadministrators,andusersof
organiza)onalinforma)onsystemsaremadeawareofthesecurityrisksassociatedwith theirac)vi)esandoftheapplicablepolicies,standards,andprocedures relatedtothesecurityofthoseorganiza)onalinforma)onsystems.
3.2.2 Ensurethatorganiza)onalpersonnelareadequatelytrainedtocarryouttheirassignedinforma)onsecurity-relateddu)esandresponsibili)es.
DerivedSecurityRequirements:3.2.3 Providesecurityawarenesstrainingonrecognizingandrepor)ng
poten)alindicatorsofinsiderthreat.
MEP Overview
SecurityRequirementAwarenessandTrainingExample3.2.2
BasicSecurityRequirements:3.2.2 Ensurethatorganiza)onalpersonnelareadequatelytrainedtocarryout
theirassignedinforma)onsecurity-relateddu)esandresponsibili)es.Mee:ngtheRequirement:• Basicsecurityawarenesstrainingtonewemployees.• Securityawarenesstrainingtouserswheninforma)onsystemchanges.• Annualsecurityawarenessrefreshertraining.
MEP Overview
SecurityRequirementAwarenessandTrainingExample3.2.2
BasicSecurityRequirements:3.2.2 Ensurethatorganiza)onalpersonnelareadequatelytrainedtocarryout
theirassignedinforma)onsecurity-relateddu)esandresponsibili)es.Mee:ngtheRequirement:• Securityawarenessandtrainingpolicy.• Securityawarenesstrainingmaterials.• Securityplan;trainingrecords;otherrelevantdocumentsorrecords.• Personnelwithresponsibili)esforsecurityawarenesstraining.
MEP Overview
SecurityRequirementConfigura>onManagementExample
BasicSecurityRequirements: 3.4.1 Establishandmaintainbaselineconfigura)onsandinventoriesof
organiza)onalinforma)onsystems(includinghardware,soSware,firmware,anddocumenta)on)throughouttherespec)vesystemdevelopmentlifecycles.
3.4.2 Establishandenforcesecurityconfigura)onseUngsforinforma)ontechnologyproductsemployedinorganiza)onalinforma)onsystems.
DerivedSecurityRequirements:3.4.3 Track,review,approve/disapprove,andauditchangestoinforma)on
systems.3.4.4 Analyzethesecurityimpactofchangespriortoimplementa)on.3.4.5 Define,document,approve,andenforcephysicalandlogicalaccess
restric)onsassociatedwithchangestotheinforma)onsystem.3.4.5 ……………
MEP Overview
SecurityRequirementConfigura>onManagementExample3.4.1
BasicSecurityRequirements: 3.4.1 Establishandmaintainbaselineconfigura)onsandinventoriesof
organiza)onalinforma)onsystems(includinghardware,soSware,firmware,anddocumenta)on)throughouttherespec)vesystemdevelopmentlifecycles.
Mee:ngtheRequirements: • Develops,documentsandmaintainsacurrentbaselineconfigura)onofthe
informa)onsystem• Configura)oncontrolinplace.
MEP Overview
SecurityRequirementConfigura>onManagementExample3.4.1
BasicSecurityRequirements: 3.4.1 Establishandmaintainbaselineconfigura)onsandinventoriesof
organiza)onalinforma)onsystems(includinghardware,soSware,firmware,anddocumenta)on)throughouttherespec)vesystemdevelopmentlifecycles.
Mee:ngtheRequirements: • Configura)onmanagementpolicy;proceduresandplan.• Documenta)onforEnterprisearchitectureorinforma)onsystemdesign.• Informa)onsystemconfigura)onseUngsandassociateddocumenta)on.• Changecontrolrecords.• Personnelwithconfigura)onmanagementresponsibili)es.• System/networkadministrator.
MEP Overview
SecurityRequirementAccessControlExample
BasicSecurityRequirements:3.1.1 Limitsystemaccesstoauthorizedusers,processesac)ngonbehalfof
authorizedusers,ordevices(includingothersystems).3.1.2 Limitsystemaccesstothetypesoftransac)onsandfunc)onsthat
authorizedusersarepermi]edtoexecute.DerivedSecurityRequirements:3.1.3ControltheflowofCUIinaccordancewithapprovedauthoriza)ons.
3.1.4Separatethedu)esofindividualstoreducetheriskofmalevolentac)vitywithoutcollusion.
3.1.5Employtheprincipleofleastprivilege,includingforspecificsecurityfunc)onsandprivilegedaccounts.
3.1.6 Usenon-privilegedaccountsorroleswhenaccessingnon-securityfunc)ons.
3.1.7Preventnon-privilegedusersfromexecu)ngprivilegedfunc)onsandaudittheexecu)onofsuchfunc)ons.
3.1.8Limitunsuccessfullogona]empts.
MEP Overview
SecurityRequirementAccessControlExample3.1.8
DerivedSecurityRequirements: 3.1.8 Limitunsuccessfullogona]empts.Mee:ngtheRequirements:• Limitnumberofconsecu)veinvalidlogona]emptsallowedduringa)me
period.• Accountlockout)meperiodautoma)callyenforcedbytheinforma)onsystem
whenmaxnumberofunsuccessfullogona]emptsisexceeded.• Lockstheaccount/nodeun)lreleasedbyanadministrator.• Delaysnextlogonpromptaccordingtotheorganiza)on-defineddelay
algorithm.• Accesscontrolpolicyandproceduresaddressingunsuccessfullogona]empts.• Personnelwithinforma)onsecurityresponsibili)es;systemdevelopers;system/
networkadministrators
MEP Overview
SecurityRequirementAccessControlExample3.1.8
DerivedSecurityRequirements: 3.1.8 Limitunsuccessfullogona]empts.Mee:ngtheRequirements:• Accesscontrolpolicyandproceduresaddressingunsuccessfullogona]empts.• Personnelwithinforma)onsecurityresponsibili)es;systemdevelopers;system/
networkadministrators
MEP Overview
DFARS 252.204.7008
25
“IftheOfferorproposestovaryfromanyofthesecurityrequirementsspecifiedbyNISTSP800-171thatareineffectatthe>methesolicita>onisissuedorasauthorizedbytheContrac>ngOfficer,theOfferorshallsubmittotheContrac>ngOfficer,forconsidera>onbytheDoDChiefInforma>onOfficer(CIO),awri-enexplana>onof—(A) Whyapar>cularsecurityrequirementisnotapplicable;or(B) Howanalterna>vebutequallyeffec>ve,securitymeasureisusedtocompensateforthe
inabilitytosa>sfyapar>cularrequirementandachieveequivalentprotec>on.”
MEP Overview
Meeting SP 800-171
• Some security controls may not be applicable to your environment. • Build off you are currently doing. • Other ways to meet the requirements.
26
MEP Overview
Meeting SP 800-171
• More cost effective approach – Isolate CUI into its own security domain by applying architectural design
concepts – Security domains may employ physical separation, logical separation, or a
combination of both. – Use the same CUI infrastructure for multiple government contracts or
agreements.
27
MEP Overview
NIST MEP Activities • Help MEP Centers assist small manufacturers meet 800-171
– Training – FAQs – Guidance – Tools
• Work with NIST to develop 800-171A • Develop criteria for selecting cybersecurity assessors • Closely monitor DFAR developments
28