14 ways to secure controlled info in nonfederal systems
The National Institute of Standards and Technology announced the public release of Draft Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
The guidance covers controlled unclassified information (CUI) that may reside in the systems of contractors, state, local and tribal governments as well as colleges and universities. The parties may be using the federal data for scientific research, background investigations, financial services or developing technology for agencies.
Because the federal data could include personally identifiable information, medical records or financial data, any compromises of this information could, “directly impact the ability of the federal government to successfully carry out its designated missions and business operations,” NIST said.
The requirements in SP 800-171 for protecting the confidentiality of CUI were obtained from the security requirements and controls in FIPS Publication 200 (Minimum Security Requirements for Federal Information and Information Systems) and NIST SP 800-53 (Security and Privacy Controls for Federal Information Systems and Organizations), according to NIST.
This guidance is part of a larger initiative by the National Archives and Records Administration to standardize naming conventions and protection requirements for sensitive data both within the federal government and when such information resides in nonfederal information systems and organizations.
The security requirements are divided into 14 families:
1. Access control: Limit information system access to authorized users or devices (including other information systems) and to functions authorized users are permitted to exercise.
2. Awareness and training: Ensure users know and are trained on the security risks associated with their activities and of the applicable policies, standards, or procedures related to the security of organizational information systems.
3. Audit and accountability: Create, protect and retain audit records for system activity and individual users to support monitoring, analysis, investigation and reporting of inappropriate information system activity.
4. Configuration management: Establish and maintain baseline configurations and inventories of hardware, software, firmware and documentation and enforce security configuration settings for IT products used in organizational information systems.
5. Identification and authentication: Identify and authenticate users, and processes acting on behalf of users or devices, before allowing access to organizational information systems.
6. Incident response: Establish an operational incident-handling capability that includes adequate preparation, detection, analysis, containment, recovery and user response activities.
7. Maintenance: Perform periodic and timely maintenance and control on the tools, techniques, mechanisms and personnel used to conduct system maintenance.
8. Media protection: Protect paper and digital media containing CUI, limit access to authorized users and sanitize or destroy media before disposal.
9. Physical protection: Limit physical access to organizational information systems, equipment and respective operating environments and protect physical plant and support infrastructure.
10. Personnel security: Screen individuals prior to authorizing access and ensure information systems containing CUI are protected during and after personnel actions such as terminations and transfers.
11. Risk assessment: Periodically assess the risk to the organization, its assets and individuals, resulting from the processing, storage or transmission of CUI.
12. Security assessment: Periodically assess the security controls, correct deficiencies and reduce or eliminate vulnerabilities and monitor information system security controls on an ongoing basis.
13. System and communications protection: Monitor, control and protect communications at the boundaries of the information systems and use architectural designs, software development techniques, and systems engineering principles that promote effective information security.
14. System and information integrity: Identify, report and correct flaws in a timely manner, provide protection from malicious code and monitor information system security alerts and advisories.
NIST acknowledged that nonfederal organizations may not always have the resources to satisfy every security requirement, so alternatives may be designed that meet a particular requirement.
Please send comments to firstname.lastname@example.org with "Comments Draft SP 800-171” in the subject line. Comments will be accepted through January 16, 2015.
Connect with the GCN staff on Twitter @GCNtech.