01/31/2017 at 12:28 pm #8667
Attention DoD contractors: NIST’s SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, was revised in December 2016. The revision has produced new requirements, added clarifications, and created many discussion points. This webinar will explain in detail the changes contained in SP 800-171 revision 1 and various FAR/DFAR hooks into the document, the impacts it has on your organization, and how you can continue to implement its IA guidelines.
If you have questions or comments about the upcoming webinar or the latest revision of NIST SP 800-171, please leave a reply.
NOTE: you must be logged in and a member of this group to leave a reply.
02/03/2017 at 9:19 am #8684
As a contractor, how do I best identify what type of systems fall under CUI? Or, more importantly, how do I identify the types of systems that do NOT fall under CUI?
02/10/2017 at 2:28 pm #8803
The general answer is: If your information system has CUI at rest or in motion or a user has access to CUI maintained elsewhere, that system should be protected as directed in your government contract/s. We will address your question during the webinar.
02/10/2017 at 2:40 pm #8799
Thank you for your question; it will be discussed during the upcoming webinar. The National Archives’ CUI Registry provides a listing of categories and subcategories that is very useful. https://www.archives.gov/cui/registry/category-list
02/06/2017 at 9:19 am #8735
Do the rules change if my company is acting as a subcontractor?
02/06/2017 at 10:02 am #8736
Do I need to worry about the rules changing between now and the end of the year?
02/10/2017 at 2:21 pm #8801
It would not be surprising if there are changes to the ‘171 or other publications later in the year. We will address your question during the webinar.
02/07/2017 at 10:42 am #8756
Can the webinar speak to Controlled Defense Information, a component of CUI? Our agency is exploring how to best protect FOUO, FGI, export control information, personal information, and industry proprietary information. Thank you!
02/23/2017 at 12:34 pm #8897
Where can we find information pertaining to Machine-Readable Labeling Schema with respect to CUI?
03/07/2017 at 12:38 pm #9040
Thank you for your question. My team and I need further information from you concerning Machine-Readable Labeling Schema and how you anticipate the impacts based upon the FARS/DFARS and NIST 800-171 requirements. Can you please contact us directly to provide us additional insight?
02/23/2017 at 12:42 pm #8899
This question was asked by Vishal Jadhav on Facebook:
Are there any special considerations for securing services in the cloud?
02/23/2017 at 12:47 pm #8902
This question was asked by Vishal Jadhav on Facebook:
How would you balance demands from different stakeholders who have conflicting requirements?
03/07/2017 at 2:10 pm #9042
It is our impression that the National Archives, in coordination with other U.S. Government organizations, is working hard to standardize the methods for protecting Controlled Unclassified Information. The challenge we as contractors face is historical/traditional protection methodologies from a risk-averse perspective. We have to be prepared to carefully communicate to our government colleagues the changes that are taking place from a CUI perspective, and compliance isn’t the only answer.
We have guided both our internal and external customers through demands based upon variable requirements. We have noticed many of the conflicting requirements are not focused on protecting CUI but providing additional data integrity or availability protection methods. Examples of these protections have focused on fiscal, laboratory testing and aviation safety requirements.
It is our recommendation that you work closely with your company’s contracting and leadership organizations when conflicting requirements are discovered. Your security engineers will need to clearly identify the ‘171 requirements in addition to the specific security controls that have been identified to protect your specialized system based upon contractual requirements. You will need to bring this information forward to your management teams in order to create a clear understanding of what is CUI and what isn’t. Your efforts may enable your company’s leadership team to negotiate the specialized protection requirement costs with the government versus absorbing the costs.
As you are aware, each of these situations will need to be handled on a case-by-case basis. In the long run your enterprise architecture may end up evolving to protect CUI and specialized data and information from internal and external threats.
02/23/2017 at 12:48 pm #8904
This question was asked by Wesam Sayed on Facebook:
How can I integrate between cloud computing and security?
02/23/2017 at 12:55 pm #8906
There are controls in NIST 800-53a referring to cloud computing security.
03/20/2017 at 9:03 am #9113
When a firm begins thinking about transitioning from a premises-based architecture to the cloud, they should recognize two significant factors: their DoD contractual requirements, and creating a well-architected and long-term solution to protect CUI. On the surface the challenges seem trivial from an IT perspective, just the basics. This is far from the truth. If you are making this significant of an architectural change, you are in it for the long run.
The first question you should address is whether your specific contract with the DoD has identified the anticipated use of cloud computing services by the contractor or subcontractor during their performance period. This simple question ensures awareness of and compliance with DFARS provision 252.239-7009. It also allows your security and technical engineers to focus on the task at hand: securely integrating cloud services as a part of your enterprise.
With all of the solutions being created by cloud service providers, your firm will need to decide which of the well-architected and secure solutions fulfill your needs. Please continue to recognize there are DFARS representations, provisions, and clauses describing cloud computing services, data storage locations, and processing locations for CUI. The bottom line is that storing, creating, or processing CUI data or information using cloud services requires government approval. Subpart 204.73 of the DFARS provides high-level information and links on how to protect CUI for DoD. If your firm decides to use cloud computing services, there may be specific compliance-based safeguards and controls documented in DISA’s Cloud Computing Security Requirements Guide (SRG) as described by DFARS clause 252.239-7010 Cloud Computing Services. As a security engineer you will need to keep these and many other requirements in mind during the design process.
From a non-technical and technical conformity perspective your firm may be following a process to ensure transparency with internal and DoD contractual management teams.
Your non-technical response may include information such as:
• Have you evaluated or assessed your current enterprise architecture to create a System Security Plan? (NIST 800-171 r1, 3.12.4)
• Have you developed a Plan of Actions and Milestones (POA&M) to communicate NIST 800-171 security requirement priorities to your company’s leadership and DoD contracting officers? (NIST 800-171 r1, 3.12.2)
• Have you developed and exercised an incident response plan?
From a technical perspective your internal planning process could include:
• How your organization could isolate CUI into its own security domains by applying architectural design concepts to both premises-based and cloud-based solutions.
• Your functional and security requirements for transitioning into the cloud.
• The use of encryption and modern key management techniques to maintain confidentiality.
• Establishing identification and access control methods which control access to CUI, based upon two-factor authentication.
• Automated monitoring of and reaction to events on your enterprise, to include outsourced, premises-based, and cloud-based architectures.
With the appropriate approvals, the ability to identify the CUI your firm is responsible for, a well-planned architecture, properly implemented automation, appropriate monitoring, and incident response, your firm should be successful in protecting CUI in your hybrid architecture.
04/07/2017 at 9:50 am #9255
I am helping our company with the SSP and making sure we meet all the NIST 800-171 requirements; however, I am having a hard time figuring out what requirements are relevant to us.
We do NOT have a private network or servers or anything – we only use Google Drive and Gmail. We have found Google Drive encryption software (Boxcryptor) and Gmail encryption software (Virtru) that we believe should handle the encryption requirements.
My question to you guys: what requirements are not relevant if we don’t have a network that we are dealing with?
Your help or guidance on where to find these answers would be greatly appreciated. I’m kind of stumped at this point!
Another question: would TeamViewer or any other remote software count as safe to host remote sessions while viewing CUI?
04/28/2017 at 10:50 am #9334
From a Software as a Service (SaaS) solution perspective, there are contractual (DFARS) requirements that go hand-in-hand with 800-171. We recommend you review your contractual requirements with your firm’s contracting officer and the government program office to discover if you are authorized to use SaaS as your solution to protect CUI. From there you will move on to the DFARS requirements.
The first is Subpart 204.73 (http://www.acq.osd.mil/dpap/dars/dfars/html/current/204_73.htm). This provision guides you to many of the other contractual requirements, whether you’re a sub-contractor or prime, that your firm is responsible for. In addition, we would like to point out the cloud services DFARS: the use of cloud services is described in DFARS 252.239-7010 (http://www.acq.osd.mil/dpap/dars/dfars/html/current/252239.htm#252.239-7010) and other locations. Unfortunately, simply using NIST 800-171 Revision 1 is not the only set of requirements when it comes to protecting CUI and other sensitive government information. Another example: if your organization is protecting ITAR information, that opens another painful set of State Department regulations.
We appreciate your question concerning TeamViewer and software of that nature. We are not in a position to recommend the use of specific forms of software to protect CUI. However, I would recommend that you ask your government program office about their opinion on the use of Foreign Controlled and Influenced (FOCI) companies that are producing security applications.
We are basing our answers on how you have described your information technologies. It is your responsibility to go through each requirement and decide if that requirement applies or not. The purpose of this exercise is to complete your POA&M and SSP: a set of documents which get turned in to the DoD CIO and your DoD contracting officer with the descriptions of how your firm is satisfying the requirements, showing your work-off plan, or giving the explanation of why your firm is not fulfilling the requirement.