What is CUI?
If you’re not familiar, “Controlled Unclassified Information” (CUI) supports federal missions and business functions that affect the economic and national security interests of the United States. Non-federal organizations (e.g. colleges, universities, state, local and tribal governments, federal contractors) often process, store, or transmit CUI. Executive Order 13556 (11/10/2010) designated the National Archives and Records Administration (NARA) as the Executive Agent to implement the CUI program. NIST Special Publication 800-171 defines the security requirements for protecting CUI in non-federal information systems and organizations. The final draft was made public in April 2015. There are 14 families of security requirements associated with the standard:

- Access Control
- Audit and Accountability
- Awareness and Training
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Physical Protection
- Personnel Security
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Take the Configuration Management family (3.4) as an example. Basic Security Requirements (from FIPS Publication 200):
3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational information systems.

Derived Security Requirements (from NIST Special Publication 800-53):
3.4.3 Track, review, approve/disapprove, and audit changes to information systems.
3.4.4 Analyze the security impact of changes prior to implementation.
3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.
3.4.6 Employ the principle of least functionality by configuring the information system to provide only essential capabilities.
3.4.7 Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.
3.4.8 Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
3.4.9 Control and monitor user-installed software.

With that background, consider that many of the organizations faced with this requirement are in a quandary: they have never had to protect CUI at this level before. They don’t want to lose these important customers, but at the same time they don’t have the people, experience, or technology to solve it. They have to step up their game or lose the business to a competitor, not necessarily one with a better product or price but one that can demonstrate compliance with the standard.

I did some research and found a few helpful documents to assist with the creation of a security plan and ensuring data is protected at the right level:

- NIST SP 800-171 – This is the standard from NIST
- FIPS 199 – Security categorization standards for information (part of the required deliverables in the security plan)
- IT Security Plan Template from NIH – A template for building out your system security plan. Just read the blue portion and replace it with your plan (now offline)
- FIPS Publication 200 – For the “basic” security requirements
- NIST SP 800-53 – For the “derived” security requirements
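As an added illustration (not part of the original post, and not from NIST or any inventory tool) of what an automated check against the 3.4.x requirements above can look like, here is a Python script that compares a constructed host snapshot against a constructed baseline and tags each deviation with the requirement it falls under. The package names, setting keys, ports and executable paths are all assumed sample data.

```python
"""Baseline-vs-observed configuration check mapped to NIST SP 800-171 3.4.x.
Constructed example: baseline and snapshot are inline sample data, not tool output."""
from typing import Dict, List, Tuple

# Constructed baseline: what 3.4.1/3.4.2 require you to establish and maintain.
BASELINE = {
    "software": {"openssh-server", "nginx", "chrony"},
    "settings": {"sshd.PermitRootLogin": "no", "sshd.PasswordAuthentication": "no"},
    "listening_ports": {22, 443},  # essential capabilities only (3.4.6/3.4.7)
    "allowed_executables": {"/usr/sbin/sshd", "/usr/sbin/nginx", "/usr/sbin/chronyd"},
}

# Constructed snapshot of one host, with deliberate deviations from the baseline.
OBSERVED = {
    "software": {"openssh-server", "nginx", "chrony", "telnetd"},
    "settings": {"sshd.PermitRootLogin": "yes", "sshd.PasswordAuthentication": "no"},
    "listening_ports": {22, 443, 23},
    "running_executables": {"/usr/sbin/sshd", "/usr/sbin/nginx", "/usr/sbin/in.telnetd"},
    "user_installed": {"telnetd"},  # installed outside the change process
}

Finding = Tuple[str, str]  # (requirement id, description)

def assess(baseline: Dict, observed: Dict) -> List[Finding]:
    """Compare an observed host snapshot against the baseline and report each
    deviation with the 800-171 requirement it maps to."""
    findings: List[Finding] = []
    # 3.4.1: inventory drift in either direction is a baseline deviation.
    for pkg in sorted(observed["software"] - baseline["software"]):
        findings.append(("3.4.1", f"unapproved software in inventory: {pkg}"))
    for pkg in sorted(baseline["software"] - observed["software"]):
        findings.append(("3.4.1", f"baseline software missing: {pkg}"))
    # 3.4.2: enforced configuration settings must match the baseline value.
    for key, want in baseline["settings"].items():
        got = observed["settings"].get(key)
        if got != want:
            findings.append(("3.4.2", f"{key} is {got!r}, baseline requires {want!r}"))
    # 3.4.7: a listening port outside the essential set is a nonessential service.
    for port in sorted(observed["listening_ports"] - baseline["listening_ports"]):
        findings.append(("3.4.7", f"nonessential listening port: {port}"))
    # 3.4.8: deny-all, permit-by-exception; anything not allow-listed is a finding.
    for exe in sorted(observed["running_executables"] - baseline["allowed_executables"]):
        findings.append(("3.4.8", f"executable not on allow list: {exe}"))
    # 3.4.9: user-installed software must be surfaced for control and monitoring.
    for pkg in sorted(observed["user_installed"]):
        findings.append(("3.4.9", f"user-installed software: {pkg}"))
    return findings
```

Calling `assess(BASELINE, OBSERVED)` on the sample data yields five findings, one each under 3.4.1, 3.4.2, 3.4.7, 3.4.8 and 3.4.9; a snapshot that matches the baseline yields none.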