The Federal Information Security Modernization Act (FISMA) requires federal agencies to identify and provide information security protections commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of an agency or a designated third party such as a contractor or research organization. Under Executive Order 13556, Controlled Unclassified Information, dated November 4, 2010, federal agencies and their designated third parties are required to adhere to regulations, policies and guidelines established by NIST and OMB in order to protect Controlled Unclassified Information (CUI) at the moderate confidentiality impact level.
The US National Archives and Records Administration (NARA) together with the US National Institute of Standards and Technology (NIST) have established a guideline, Special Publication SP 800-171, titled "Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations". NIST SP 800-171 provides federal agencies and designated third parties with recommended requirements for protecting the confidentiality of CUI when such information resides on non-federal information systems and organizations.
Beginning at the end of 2017, non-federal organizations which receive, process or store CUI (also known as "Authorized Holders") must comply with the requirements of NIST SP 800-171 under the Code of Federal Regulations (CFR) at 32 CFR Part 2002. Such requirements pertain to safeguarding, accessing and disseminating, decontrolling and marking of CUI. Compliance involves establishing security controls (NIST 800-171 has 109 controls grouped into 14 control families) that impose requirements at the environmental, system, access, user, and logging/auditing levels, among other areas. Examples of these requirements are:
The hosting environment (physical space) in which the system is housed must:
- Be secured (locks, cameras, card readers, guards) to ensure access only by authorized personnel.
- House project components (hardware, software) in separate racks from other systems. Racks must be secured with locking mechanisms.
The system (hardware, software, data) must be logically or physically separated from other information systems and:
- Include only required applications and keep unnecessary processes and ports disabled.
- Be isolated from other information flows by firewalls and network segmentation.
- Encrypt all data in transit and at rest using FIPS 140-1 and FIPS 140-2 encryption standards.
- Include a test environment for analyzing impacts of changes; maintain regular patching timeframes.
- Incorporate processes for documentation, inventory, change management, personnel authorization.
- Collect log information documenting all user actions and user installed applications.
- Integrate with log analysis and security information and event management (SIEM) tools to provide alerts and reports and to report security incidents. Log data must be stored outside of the specific CUI system, and a designated individual must review and audit the logs.
- Include processes for incident reporting and remediation of vulnerabilities.
- Provide processes for maintenance, including authorization, escort and tool validation of third-party personnel, and prioritize local maintenance processes over remote ones.
Access to the network or system storing or processing CUI requires:
- Connection via virtualized sessions or other authorized devices configured to lock out after a certain number of unsuccessful login attempts and to time out after a certain period of inactivity.
- Encryption of devices/storage media in accordance with FIPS 140-2 encryption standards.
- Remote and wireless connections to be provided through a VPN.
Users of a CUI-carrying system:
- Must be authorized by the system owner or their designee and must have a need to access the system.
- Must have their accounts promptly disabled once they no longer need access to the system.
- Must be provided accounts with the least privileges necessary to conduct their work.
- Must use authorized computers/devices to access the system.
- Should not download CUI to portable storage devices or their own computers.
- Must complete annual security training regarding the specific restrictions applicable to the CUI system(s).
SeNet International Corporation has been assisting federal and non-federal organizations for close to 20 years in achieving and maintaining their IT security objectives. Our staff of IT security analysts and engineers possess a wealth of knowledge regarding NIST, FISMA and other regulatory compliance requirements. We can assist your organization in determining its exposure to the mandates imposed by the CUI regulations, developing an appropriate compliance plan, testing the implementation of your CUI systems' security controls against the requirements, and recommending and implementing any remediation measures necessary to achieve full compliance.