When a firm begins thinking about transitioning from a premises-based architecture to the cloud, it should recognize two significant factors: its DoD contractual requirements, and the creation of a well-architected and long-term solution to protect CUI. On the surface the challenges seem trivial from an IT perspective, just the basics. This is far from the truth. If you are making this significant an architectural change, you are in it for the long run.
The first question you should address is whether your specific contract with the DoD has identified the anticipated use of cloud computing services by the contractor or subcontractor during the performance period. This simple question ensures awareness of and compliance with DFARS provision 252.239-7009. It also allows your security and technical engineers to focus on the task at hand: securely integrating cloud services as a part of your enterprise.
With all of the solutions being created by cloud service providers, your firm will need to decide which of the well-architected and secure solutions fulfill your needs. Please continue to recognize that there are DFARS representations, provisions, and clauses describing cloud computing services, data storage locations, and processing locations for CUI. The bottom line is that storing, creating, or processing CUI data or information using cloud services requires government approval. Subpart 204.73 of the DFARS provides high-level information and links on how to protect CUI for DoD. If your firm decides to use cloud computing services, there may be specific compliance-based safeguards and controls documented in DISA’s Cloud Computing Security Requirements Guide (SRG), as described by DFARS clause 252.239-7010, Cloud Computing Services. As a security engineer you will need to keep these and many other requirements in mind during the design process.
From a non-technical and technical conformity perspective, your firm may be following a process to ensure transparency with internal and DoD contractual management teams.
Your non-technical response may include information such as:
• Have you evaluated or assessed your current enterprise architecture to create a System Security Plan? (NIST 800-171 r1, 3.12.4)
• Have you developed a Plan of Actions and Milestones (POA&M) to communicate NIST 800-171 security requirement priorities to your company’s leadership and DoD contracting officers? (NIST 800-171 r1, 3.12.2)
• Have you developed and exercised an incident response plan?
From a technical perspective, your internal planning process could include:
• How your organization could isolate CUI into its own security domains by applying architectural design concepts to both premises-based and cloud-based solutions?
• Your functional and security requirements for transitioning into the cloud?
• The use of encryption and modern key management techniques to maintain confidentiality?
• Establishing identification and access control methods which control access to CUI, based upon two-factor authentication?
• Automated monitoring of and reaction to events on your enterprise, to include outsourced, premises-based, and cloud-based architectures?
With the appropriate approvals, the ability to identify the CUI your firm is responsible for, a well-planned architecture, properly implemented automation, appropriate monitoring, and incident response, your firm should be successful in protecting CUI in your hybrid architecture.