Information System Security AssociationWashington D C NIST Special

  • Slides: 29
Download presentation
Information System Security Association-Washington D. C. NIST Special Publication 800 -171 Protecting Controlled Unclassified

Information System Security Association-Washington D. C. NIST Special Publication 800 -171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 1

First, some definitions. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2

First, some definitions. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 2

Controlled Unclassified Information that requires safeguarding or dissemination controls pursuant to and consistent with

Controlled Unclassified Information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, excluding information that is classified under Executive Order 13526 of December 29, 2009, or the Atomic Energy Act, as amended. -- E. O. 13556 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 3

Controlled Unclassified Information Supports federal missions and business functions… …that affect the economic and

Controlled Unclassified Information Supports federal missions and business functions… …that affect the economic and national security interests of the United States. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 4

Federal Information System An information system used or operated by an executive agency, by

Federal Information System An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. -- Federal Information Security Management Act 40 U. S. C. , Sec. 11331 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 5

Nonfederal Information System An information system that does not meet the criteria for a

Nonfederal Information System An information system that does not meet the criteria for a federal information system. -- NIST SP 800 -171 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 6

Nonfederal Organization An entity that owns, operates, or maintains a nonfederal information system. --

Nonfederal Organization An entity that owns, operates, or maintains a nonfederal information system. -- NIST SP 800 -171 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 7

Nonfederal Organizations Some Examples § Federal contractors. § State, local, and tribal governments. §

Nonfederal Organizations Some Examples § Federal contractors. § State, local, and tribal governments. § Colleges and universities. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 8

An urgent need… A national imperative. The protection of sensitive, unclassified federal information while

An urgent need… A national imperative. The protection of sensitive, unclassified federal information while residing in nonfederal information systems and environments of operation is of paramount importance to federal agencies—and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. -- NIST SP 800 -171 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 9

Executive Order 13556 Controlled Unclassified Information November 10, 2010 The Order — § Designated

Executive Order 13556 Controlled Unclassified Information November 10, 2010 The Order — § Designated the National Archives and Records Administration (NARA) as the Executive Agent for Controlled Unclassified Information (CUI). § Directed NARA to implement a governmentwide CUI Program to standardize the way the Executive branch handles unclassified information that requires protection. § Established an open and uniform program to manage unclassified information within the executive branch that requires safeguarding and dissemination controls as required by law, regulation, and Government-wide 10 policy. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

CUI Registry www. archives. gov/cui/registry/category-list. html § Identifies the exclusive categories and subcategories of

CUI Registry www. archives. gov/cui/registry/category-list. html § Identifies the exclusive categories and subcategories of unclassified information that require safeguarding and dissemination controls consistent with law, federal regulation, and Government-wide policies. § Serves as the central repository for the posting of and access to the categories and subcategories, associated markings, and applicable safeguarding, dissemination, and decontrol procedures. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 11

The Big Picture A three-part plan for the protection of CUI § Development of

The Big Picture A three-part plan for the protection of CUI § Development of 32 CFR Part 2002. § Development of NIST SP 800 -171. § Development of single Federal Acquisition Regulation (FAR) Clause. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 12

NIST Special Publication 800 -171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and

NIST Special Publication 800 -171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Initial Public Draft November 2014 NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 13

Purpose and Applicability § To provide federal agencies with recommended requirements for protecting the

Purpose and Applicability § To provide federal agencies with recommended requirements for protecting the confidentiality of CUI when such information resides in nonfederal information systems and organizations. § The security requirements apply only to components of nonfederal information systems that process, store, or transmit CUI. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 14

Security Requirements Basic and derived security requirements are obtained from FIPS 200 and NIST

Security Requirements Basic and derived security requirements are obtained from FIPS 200 and NIST SP 800 -53 initially — and then tailored appropriately to eliminate requirements that are: § Primarily the responsibility of the federal government (i. e. , uniquely federal requirements). § Related primarily to availability. § Assumed to be routinely satisfied by nonfederal organizations without any further specification. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 15

Target Audience § Individuals with system development life cycle responsibilities. § Program managers, information

Target Audience § Individuals with system development life cycle responsibilities. § Program managers, information owners, mission/business owners, system owners, acquisition officials. § Individuals with information system, security, or risk management and oversight responsibilities. § Authorizing officials, chief information officers, chief information security officers, information system/security managers. § Individuals with security assessment and monitoring responsibilities. § Auditors, system evaluators, assessors, independent verifiers and validators, analysts. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 16

Assumption #1 § Statutory and regulatory requirements for the protection of CUI are consistent,

Assumption #1 § Statutory and regulatory requirements for the protection of CUI are consistent, whether such information resides in federal or nonfederal information systems. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 17

Assumption #2 § Safeguards or countermeasures implemented to protect CUI are consistent in both

Assumption #2 § Safeguards or countermeasures implemented to protect CUI are consistent in both federal and nonfederal environments. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 18

Assumption #3 § The confidentiality impact value for CUI is no lower than moderate

Assumption #3 § The confidentiality impact value for CUI is no lower than moderate in accordance with Federal Information Processing Standards (FIPS) Publication 199. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 19

§ Access Control. § Audit and Accountability. § Awareness and Training. § Configuration Management.

§ Access Control. § Audit and Accountability. § Awareness and Training. § Configuration Management. § Identification and Authentication. § Incident Response. § Maintenance. 14 Families § Media Obtained from FIPS 200 Protection. and NIST Special § Physical Protection. Publication 800 -53. § Personnel Security. § Risk Assessment. § Security Assessment. § System and Communications Protection 20 § System and Information Integrity. Security Requirements NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

Structure of Security Requirements § Security requirements have a well-defined structure that consists of

Structure of Security Requirements § Security requirements have a well-defined structure that consists of the following components: § Basic security requirement section. § Derived security requirements section. § References section. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 21

Security Requirement Configuration Management Example Basic Security Requirement: Establish and maintain baseline configurations and

Security Requirement Configuration Management Example Basic Security Requirement: Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and establish and enforce security configuration settings for information technology products employed in organizational information systems. Derived Security Requirements: a. Analyze the security impact of changes prior to implementation; b. Employ the principle of least functionality by configuring the information system to provide only essential capabilities; c. Restrict, disable, and prevent the use of nonessential functions, ports, protocols, and services; and d. Apply deny by exception (blacklist) policy to prevent the use of unauthorized software. References: NIST Special Publication 800 -53. Configuration Management | CM-2; CM-4; CM-5; CM-6; CM-7(1); CM-7(2); CM-7(4); CM-8. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 22

The road ahead. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 23

The road ahead. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 23

On the Horizon… Proposed 32 CFR Part 2002, Controlled Unclassified Information § NARA is

On the Horizon… Proposed 32 CFR Part 2002, Controlled Unclassified Information § NARA is issuing a Federal regulation, or directive (currently in coordination with OMB), to establish the required CUI security controls and markings governmentwide. § Requirements for the protection of CUI at the moderate confidentiality impact value in the proposed rule are based on applicable governmentwide standards and guidelines issued by NIST, and applicable policies established by OMB. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 24

On the Horizon… Standard Federal Acquisition Regulation (FAR) Clause § The CUI Executive Agent

On the Horizon… Standard Federal Acquisition Regulation (FAR) Clause § The CUI Executive Agent also anticipates establishing a single Federal Acquisition Regulation (FAR) clause that will apply the requirements of the proposed CUI rule and NIST SP 800 -171 to contractor environments. § This will further promote standardization to help nonfederal organizations meet the current range and types of contract clauses, where differing requirements and conflicting guidance from federal agencies gives rise to confusion and inefficiencies. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 25

In the Interim… Using NIST Special Publication 800 -171 on a voluntary basis §

In the Interim… Using NIST Special Publication 800 -171 on a voluntary basis § Until the formal process of establishing a single FAR clause takes place, and where necessitated by exigent circumstances, NIST SP 800 -171 may be referenced in contract specific requirements on a limited basis— consistent with acquisition and regulatory requirements. NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 26

NIST Special Publication 800 -171 Public Comment Period November 18, 2014 – January 16,

NIST Special Publication 800 -171 Public Comment Period November 18, 2014 – January 16, 2015 National Institute of Standards and Technology Attn: Computer Security Division, Information Technology Laboratory 100 Bureau Drive (Mail Stop 8930) Gaithersburg, MD 20899 -8930 Copies available at: csrc. nist. gov Send comments to: sec-cert@nist. gov NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 27

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 28

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 28

Contact Information 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899 -8930 NIST NARA/ISOO

Contact Information 100 Bureau Drive Mailstop 8930 Gaithersburg, MD USA 20899 -8930 NIST NARA/ISOO Dr. Ron Ross (301) 975 -5390 ron. ross@nist. gov Dr. Pat Viscuso (202) 357 -5313 patrick. viscuso@nara. gov NIST NARA/ISOO Kelley Dempsey (301) 975 -2827 kelley. dempsey@nist. gov Mark Riddle (202) 357 -6864 mark. riddle@nara. gov Comments: sec-cert@nist. gov Web: csrc. nist. gov NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY 29

NIST Web Book Chemie NIST Chemistry Webbook NISTNIST Web Book Chemie NIST Chemistry Webbook NIST
Regulatory Update Oregon Hospice AssociationWashington State Hospice andRegulatory Update Oregon Hospice AssociationWashington State Hospice and
FISMA NIST Style An overview of the NISTFISMA NIST Style An overview of the NIST
KMIP and NIST 800 57 KMIP and NISTKMIP and NIST 800 57 KMIP and NIST
NIST Agency Report 2019 NIST Sensor Science DivisionNIST Agency Report 2019 NIST Sensor Science Division
Current NIST Definition NIST Big data consists ofCurrent NIST Definition NIST Big data consists of
NIST Agency Report 2018 NIST Sensor Science DivisionNIST Agency Report 2018 NIST Sensor Science Division
The NIST Internet Time Service Michael Lombardi NISTThe NIST Internet Time Service Michael Lombardi NIST
Current NIST Definition NIST Big data consists ofCurrent NIST Definition NIST Big data consists of
NIST Cloud Computing Program Highlights Next Steps NISTNIST Cloud Computing Program Highlights Next Steps NIST
NIST National Institute of Standards and Technology NISTNIST National Institute of Standards and Technology NIST
Information Security Information security Information Security describes allInformation Security Information security Information Security describes all
Information Security Information security Information Security describes allInformation Security Information security Information Security describes all
NIST Special Publication 800 26 Security SelfAssessment GuideNIST Special Publication 800 26 Security SelfAssessment Guide
The NIST Special Publications for Security Management ByThe NIST Special Publications for Security Management By
Reference NIST Security SelfAssessment guide for Information TechnologyReference NIST Security SelfAssessment guide for Information Technology
Privileges Database security System security Data security SystemPrivileges Database security System security Data security System
Privileges Database security System security Data security SystemPrivileges Database security System security Data security System
Information Security Awareness Training Information security Protecting informationInformation Security Awareness Training Information security Protecting information
Information Warfare Summary Information Security Information Assurance InformationInformation Warfare Summary Information Security Information Assurance Information
NIST Special Publication 800 76 Biometric Data SpecificationNIST Special Publication 800 76 Biometric Data Specification
Special Construction Methods and Materials Special Construction SpecialSpecial Construction Methods and Materials Special Construction Special
Special Relativity Einsteins Postulates Special Relativity Postulates SpecialSpecial Relativity Einsteins Postulates Special Relativity Postulates Special
Chapter 28 Special Relativity Whats special about specialChapter 28 Special Relativity Whats special about special