01/31/2017 at 12:28 pm #8667
Attention DoD contractors: NIST’s SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, was revised in December 2016. The revision has produced new requirements, added clarifications, and created many discussion points. This webinar will explain in detail the changes contained in SP 800-171 revision 1 and various FAR/DFAR hooks into the document, the impacts it has on your organization, and how you can continue to implement its IA guidelines.
If you have questions or comments about the upcoming webinar or the latest revision of NIST SP 800-171, please leave a reply.
NOTE: you must be logged in and a member of this group to leave a reply.
02/03/2017 at 9:19 am #8684
As a contractor, how do I best identify what type of systems fall under CUI? Or, more importantly, how do I identify the types of systems that do NOT fall under CUI?
02/10/2017 at 2:28 pm #8803
The general answer is: If your information system has CUI at rest or in motion or a user has access to CUI maintained elsewhere, that system should be protected as directed in your government contract/s. We will address your question during the webinar.
02/10/2017 at 2:40 pm #8799
Thank you for your question; it will be discussed during the upcoming webinar. The National Archives CUI Registry provides a listing of categories and subcategories that is very useful. https://www.archives.gov/cui/registry/category-list
02/06/2017 at 9:19 am #8735
Do the rules change if my company is acting as a subcontractor?
02/06/2017 at 10:02 am #8736
Do I need to worry about the rules changing between now and the end of the year?
02/10/2017 at 2:21 pm #8801
It would not be surprising if there are changes to the ‘171 or other publications later in the year. We will address your question during the webinar.
02/07/2017 at 10:42 am #8756
Can the webinar speak to Controlled Defense Information, a component of CUI? Our agency is exploring how to best protect FOUO, FGI, export control information, personal information, and industry proprietary information. Thank you!
02/10/2017 at 2:10 pm #8798
02/23/2017 at 12:34 pm #8897
Where can we find information pertaining to Machine-Readable Labeling Schema with respect to CUI?
03/07/2017 at 12:38 pm #9040
Thank you for your question. My team and I need further information from you concerning Machine-Readable Labeling Schema and how you anticipate the impacts based upon the FARS/DFARS and NIST 800-171 requirements. Can you please contact us directly to provide us additional insight?
- This reply was modified 3 weeks, 2 days ago by wkastorff.
02/23/2017 at 12:42 pm #8899
This question was asked by Vishal Jadhav on Facebook:
Are there any special considerations for securing services in the cloud?
02/23/2017 at 12:47 pm #8902
This question was asked by Vishal Jadhav on Facebook:
How would you balance demands from different stakeholders who have conflicting requirements?
03/07/2017 at 2:10 pm #9042
It is our impression the National Archives, in coordination with other U.S. Government organizations, is working hard to standardize the methods for protecting Controlled Unclassified Information. The challenge we as contractors face is historical/traditional protection methodologies from a risk-averse perspective. We have to be prepared to carefully communicate to our government colleagues the changes that are taking place from a CUI perspective, and compliance isn’t the only answer.
We have guided both our internal and external customers through demands based upon variable requirements. We have noticed many of the conflicting requirements are not focused on protecting CUI but providing additional data integrity or availability protection methods. Examples of these protections have focused on fiscal, laboratory testing and aviation safety requirements.
It is our recommendation that you work closely with your company’s contracting and leadership organizations when conflicting requirements are discovered. Your security engineers will need to clearly identify the ‘171 requirements in addition to specific security controls that have been identified to protect your specialized system based upon contractual requirements. You will need to bring this information forward to your management teams in order to create a clear understanding of what is CUI and what isn’t. Your efforts may enable your company’s leadership team to negotiate the specialized protection requirements costs with the government versus absorbing the costs.
As you are aware, each of these situations will need to be handled on a case-by-case basis. In the long run, your enterprise architecture may end up evolving to protect CUI and specialized data and information from internal and external threats.
02/23/2017 at 12:48 pm #8904
This question was asked by Wesam Sayed on Facebook:
How can I integrate between cloud computing and security?
02/23/2017 at 12:55 pm #8906
There are controls in NIST 800-53a referring to cloud computing security.
03/20/2017 at 9:03 am #9113
When a firm begins thinking about transitioning from a premise-based architecture to the cloud, they should recognize two significant factors: their DoD contractual requirements and the creation of a well-architected and long-term solution to protect CUI. On the surface the challenges seem trivial from an IT perspective, just the basics. This is far from the truth. If you are making this significant of an architectural change, you are in it for the long run.
The first question you should address is if your specific contract with the DoD has identified the anticipated use of cloud computing services by the contractor or subcontractor during their performance period. This simple question ensures awareness and compliance with DFARS provision 252.239-7009. It also allows your security and technical engineers to focus on the task at hand, securely integrating cloud services as a part of your enterprise.
With all of the solutions being created by cloud service providers, your firm will need to decide which of the well-architected and secure solutions fulfill your needs. Please continue to recognize there are DFARS representations, provisions, and clauses describing cloud computing services, data storage locations, and processing locations for CUI. The bottom line is storing, creating, or processing CUI data or information using cloud services requires government approval. Subpart 204.73 of the DFARS provides high-level information and links on how to protect CUI for DoD. If your firm decides to use cloud computing services, there may be specific compliance-based safeguards and controls documented in DISA’s Cloud Computing Security Requirements Guide (SRG) as described by DFARS clause 252.239-7010 Cloud Computing Services. As a security engineer you will need to keep these and many other requirements in mind during the design process.
From a non-technical and technical conformity perspective your firm may be following a process to ensure transparency with internal and DoD contractual management teams.
Your non-technical response may include information such as:
• Have you evaluated or assessed your current enterprise architecture to create a System Security Plan? (NIST 800-171 r1, 3.12.4)
• Developed a Plan of Actions and Milestones (POA&M) to communicate NIST 800-171 security requirement priorities to your company’s leadership and DoD contracting officers? (NIST 800-171r1, 3.12.2)
• Developed and exercised an incident response plan?
From a technical perspective your internal planning process could include:
• How your organization could isolate CUI into its own security domains by applying architectural design concepts to both premise and cloud-based solutions?
• Your functional and security requirements for transitioning into the cloud?
• The use of encryption and modern key management techniques to maintain confidentiality?
• Establish identification and access control methods which control access to CUI, based upon two-factor authentication?
• Automated monitoring and reaction to events on your enterprise, to include outsourced, premise, and cloud-based architectures?
With the appropriate approvals, the ability to identify CUI your firm is responsible for, a well-planned architecture, properly implemented automation, appropriate monitoring, and incident response, your firm should be successful in protecting CUI in your hybrid architecture.