MEP Overview

Special Publication 800-171 Protecting Controlled Unclassified Information

in Nonfederal Information Systems and Organizations

Patricia Toth NIST MEP

MEP Overview

What is Information Security?

2

Cyber-security

Privacy

Physical Security

Contingency Planning &

Disaster Recovery

Operational Security

Personnel Security

MEP Overview

Ourappe)teforadvancedtechnologyisrapidlyexceedingourabilitytoprotectit.

MEP Overview

We are vulnerable because our information technology is fragile and susceptible to a wide range of threats including:

§  natural disasters. §  structural failures. §  cyber attacks. §  human errors.

MEP Overview

NIST Cybersecurity Guidance

FIPS Special Publications

NISTIR

MEP Overview

NISTSpecialPublica)on800-171Rev1

Protec)ngControlledUnclassifiedInforma)oninNonfederalInforma)onSystemsandOrganiza)ons

December2016

h-p://nvlpubs.nist.gov/nistpubs/SpecialPublica>ons/NIST.SP.800-171r1.pdf

MEP Overview

Controlled Unclassified Information

Supports federal missions and business functions…

…that affect the economic and national security interests of the United States.

MEP Overview

NonfederalOrganiza)onsSomeExamples

§  Federal contractors, and subcontractors. §  State, local, and tribal governments. §  Colleges and universities.

MEP Overview 9

Why is this all necessary? •  Over 100 different ways of characterizing SBU

information. •  No common definition or protocols. •  Information inconsistently marked. •  Common definition and standardize processes and

procedures.

MEP Overview

TheCUIRegistrywww.archives.gov/cui/registry/category-list.html

§  Online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI Executive Agent.

§  Identifies approved CUI categories and subcategories (with descriptions of each) and the basis for controls.

§  Sets out procedures for the use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, re-using, and disposing of the information.

MEP Overview

CUI Registry •  Manufacturing

11

Category-Subcategory: Proprietary Business Information-Manufacturer Category Description: Material and information relating to, or associated with, a company's

products, business, or activities, including but not limited to financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications.

Subcategory Description: Relating to the production of a consumer product to include that of a private labeler.

Marking: MFC

MEP Overview

TheBigPicturePlanfortheprotec=onofCUI

§  Federal CUI rule (32 CFR Part 2002) to establish the required controls and markings for CUI governmentwide.

§  NIST Special Publication 800-171 to define security requirements for protecting CUI in nonfederal information systems and organizations.

§  Federal Acquisition Regulation (FAR) clause to apply the requirements of the federal CUI rule and NIST Special Publication 800-171 to contractors.

§  DFAR clause 252.204.7008 requires compliance to NIST Special Publication 800-171

MEP Overview

Nonfederal Organizations — §  Have information technology infrastructures in place.

§  Not developing or acquiring systems specifically for the purpose of processing, storing, or transmitting CUI.

§  Have safeguarding measures in place to protect their information. §  May also be sufficient to satisfy the CUI requirements.

§  May not have the necessary organizational structure or resources to satisfy every CUI security requirement. §  Can implement alternative, but equally effective, security measures.

§  Can implement a variety of potential security solutions. §  Directly or through the use of managed services.

Assump)ons

MEP Overview

§  Access Control. §  Audit and Accountability.

§  Awareness and Training. §  Configuration Management.

§  Identification and Authentication. §  Incident Response.

§  Maintenance. §  Media Protection.

§  Physical Protection. §  Personnel Security.

§  Risk Assessment. §  Security Assessment.

§  System and Communications Protection §  System and Information Integrity.

Obtained from FIPS 200 and NIST Special Publication 800-53.

SecurityRequirements14Families

MEP Overview

StructureofSecurityRequirements

Security requirements have a well-defined structure that consists of the following components:

§  Basic security requirements section. §  Derived security requirements section.

MEP Overview

SecurityRequirementAwarenessandTrainingExample

BasicSecurityRequirements: 3.2.1 Ensurethatmanagers,systemsadministrators,andusersof

organiza)onalinforma)onsystemsaremadeawareofthesecurityrisksassociatedwith theirac)vi)esandoftheapplicablepolicies,standards,andprocedures relatedtothesecurityofthoseorganiza)onalinforma)onsystems.

3.2.2 Ensurethatorganiza)onalpersonnelareadequatelytrainedtocarryouttheirassignedinforma)onsecurity-relateddu)esandresponsibili)es.

DerivedSecurityRequirements:3.2.3 Providesecurityawarenesstrainingonrecognizingandrepor)ng

poten)alindicatorsofinsiderthreat.

MEP Overview

SecurityRequirementAwarenessandTrainingExample3.2.2

BasicSecurityRequirements:3.2.2 Ensurethatorganiza)onalpersonnelareadequatelytrainedtocarryout

theirassignedinforma)onsecurity-relateddu)esandresponsibili)es.Mee:ngtheRequirement:•  Basicsecurityawarenesstrainingtonewemployees.•  Securityawarenesstrainingtouserswheninforma)onsystemchanges.•  Annualsecurityawarenessrefreshertraining.

MEP Overview

SecurityRequirementAwarenessandTrainingExample3.2.2

BasicSecurityRequirements:3.2.2 Ensurethatorganiza)onalpersonnelareadequatelytrainedtocarryout

theirassignedinforma)onsecurity-relateddu)esandresponsibili)es.Mee:ngtheRequirement:•  Securityawarenessandtrainingpolicy.•  Securityawarenesstrainingmaterials.•  Securityplan;trainingrecords;otherrelevantdocumentsorrecords.•  Personnelwithresponsibili)esforsecurityawarenesstraining.

MEP Overview

SecurityRequirementConfigura>onManagementExample

BasicSecurityRequirements: 3.4.1 Establishandmaintainbaselineconfigura)onsandinventoriesof

organiza)onalinforma)onsystems(includinghardware,soSware,firmware,anddocumenta)on)throughouttherespec)vesystemdevelopmentlifecycles.

3.4.2 Establishandenforcesecurityconfigura)onseUngsforinforma)ontechnologyproductsemployedinorganiza)onalinforma)onsystems.

DerivedSecurityRequirements:3.4.3 Track,review,approve/disapprove,andauditchangestoinforma)on

systems.3.4.4 Analyzethesecurityimpactofchangespriortoimplementa)on.3.4.5 Define,document,approve,andenforcephysicalandlogicalaccess

restric)onsassociatedwithchangestotheinforma)onsystem.3.4.5 ……………

MEP Overview

SecurityRequirementConfigura>onManagementExample3.4.1

BasicSecurityRequirements: 3.4.1 Establishandmaintainbaselineconfigura)onsandinventoriesof

organiza)onalinforma)onsystems(includinghardware,soSware,firmware,anddocumenta)on)throughouttherespec)vesystemdevelopmentlifecycles.

Mee:ngtheRequirements: •  Develops,documentsandmaintainsacurrentbaselineconfigura)onofthe

informa)onsystem•  Configura)oncontrolinplace.

MEP Overview

SecurityRequirementConfigura>onManagementExample3.4.1

BasicSecurityRequirements: 3.4.1 Establishandmaintainbaselineconfigura)onsandinventoriesof

organiza)onalinforma)onsystems(includinghardware,soSware,firmware,anddocumenta)on)throughouttherespec)vesystemdevelopmentlifecycles.

Mee:ngtheRequirements: •  Configura)onmanagementpolicy;proceduresandplan.•  Documenta)onforEnterprisearchitectureorinforma)onsystemdesign.•  Informa)onsystemconfigura)onseUngsandassociateddocumenta)on.•  Changecontrolrecords.•  Personnelwithconfigura)onmanagementresponsibili)es.•  System/networkadministrator.

MEP Overview

SecurityRequirementAccessControlExample

BasicSecurityRequirements:3.1.1 Limitsystemaccesstoauthorizedusers,processesac)ngonbehalfof

authorizedusers,ordevices(includingothersystems).3.1.2 Limitsystemaccesstothetypesoftransac)onsandfunc)onsthat

authorizedusersarepermi]edtoexecute.DerivedSecurityRequirements:3.1.3ControltheflowofCUIinaccordancewithapprovedauthoriza)ons.

3.1.4Separatethedu)esofindividualstoreducetheriskofmalevolentac)vitywithoutcollusion.

3.1.5Employtheprincipleofleastprivilege,includingforspecificsecurityfunc)onsandprivilegedaccounts.

3.1.6 Usenon-privilegedaccountsorroleswhenaccessingnon-securityfunc)ons.

3.1.7Preventnon-privilegedusersfromexecu)ngprivilegedfunc)onsandaudittheexecu)onofsuchfunc)ons.

3.1.8Limitunsuccessfullogona]empts.

MEP Overview

SecurityRequirementAccessControlExample3.1.8

DerivedSecurityRequirements: 3.1.8 Limitunsuccessfullogona]empts.Mee:ngtheRequirements:•  Limitnumberofconsecu)veinvalidlogona]emptsallowedduringa)me

period.•  Accountlockout)meperiodautoma)callyenforcedbytheinforma)onsystem

whenmaxnumberofunsuccessfullogona]emptsisexceeded.•  Lockstheaccount/nodeun)lreleasedbyanadministrator.•  Delaysnextlogonpromptaccordingtotheorganiza)on-defineddelay

algorithm.•  Accesscontrolpolicyandproceduresaddressingunsuccessfullogona]empts.•  Personnelwithinforma)onsecurityresponsibili)es;systemdevelopers;system/

networkadministrators

MEP Overview

SecurityRequirementAccessControlExample3.1.8

DerivedSecurityRequirements: 3.1.8 Limitunsuccessfullogona]empts.Mee:ngtheRequirements:•  Accesscontrolpolicyandproceduresaddressingunsuccessfullogona]empts.•  Personnelwithinforma)onsecurityresponsibili)es;systemdevelopers;system/

networkadministrators

MEP Overview

DFARS 252.204.7008

25

“IftheOfferorproposestovaryfromanyofthesecurityrequirementsspecifiedbyNISTSP800-171thatareineffectatthe>methesolicita>onisissuedorasauthorizedbytheContrac>ngOfficer,theOfferorshallsubmittotheContrac>ngOfficer,forconsidera>onbytheDoDChiefInforma>onOfficer(CIO),awri-enexplana>onof—(A) Whyapar>cularsecurityrequirementisnotapplicable;or(B) Howanalterna>vebutequallyeffec>ve,securitymeasureisusedtocompensateforthe

inabilitytosa>sfyapar>cularrequirementandachieveequivalentprotec>on.”

MEP Overview

Meeting SP 800-171

•  Some security controls may not be applicable to your environment. •  Build off you are currently doing. •  Other ways to meet the requirements.

26

MEP Overview

Meeting SP 800-171

•  More cost effective approach –  Isolate CUI into its own security domain by applying architectural design

concepts – Security domains may employ physical separation, logical separation, or a

combination of both. – Use the same CUI infrastructure for multiple government contracts or

agreements.

27

MEP Overview

NIST MEP Activities •  Help MEP Centers assist small manufacturers meet 800-171

– Training – FAQs – Guidance – Tools

•  Work with NIST to develop 800-171A •  Develop criteria for selecting cybersecurity assessors •  Closely monitor DFAR developments

28

MEP Overview

ContactInfo:PatTothNISTMEP

ptoth@nist.gov301975-5140