SP800-171 Guidelines Quiz
47 Questions

Questions and Answers

SP800-171 provides guidance on information security for federal systems and organizations.

False

CUI refers to unclassified information that doesn't require safeguarding or dissemination controls.

False

SP800-171 outlines security controls that should be implemented to protect the confidentiality, integrity, and availability of CUI.

True

Who should use the security requirements in NIST Special Publication 800-171 Revision 2?

Both federal agencies and nonfederal organizations.

What is the purpose of the CUI Program?

To standardize the way the executive branch handles unclassified information that requires protection.

What is the purpose of the CUI Registry?

To provide an online repository for information, guidance, policy, and requirements on handling classified information.

What is the purpose of a system security plan?

To describe how security requirements are implemented, the system boundary, operational environment, and relationships with other systems.

What is the potential impact of a breach of security on organizations, assets, or individuals based on the loss of confidentiality?

Low, moderate, or high.

What is the purpose of a plan of action?

To describe how unimplemented security requirements will be met and how planned mitigations will be implemented.

What is the purpose of compensatory security measures selected by organizations?

To satisfy unimplemented security requirements or planned mitigations.

What is the scope of the recommended security requirements in NIST SP 800-171?

To all components of nonfederal systems and organizations that process, store, and/or transmit CUI.

What is the purpose of access control policies?

To control access between active entities or subjects and passive entities or objects in systems.

What is the purpose of information flow control policies and enforcement mechanisms?

To regulate where information can travel within a system and between systems.

Which organization established the Controlled Unclassified Information (CUI) Program?

National Archives and Records Administration (NARA)

What is the purpose of NIST Special Publication 800-171 Revision 2?

To provide recommended security requirements for protecting CUI in nonfederal systems and organizations

What is the potential impact of a breach of security on organizations, assets, or individuals, according to the text?

Low, moderate, or high, based on the loss of confidentiality

What is the CUI Registry?

The online repository for information on federal unclassified information

What is the purpose of the tailoring criteria described in Chapter Two of NIST Special Publication 800-171 Revision 2?

To provide guidance for implementing the security requirements in nonfederal systems and organizations

What is the purpose of plans of action in NIST SP 800-171?

To describe how unimplemented security requirements will be met and how planned mitigations will be implemented

What is the purpose of the discussion section associated with each CUI requirement in NIST SP 800-171?

To provide additional information to facilitate implementation and assessment of the requirement

What is the recommended approach for defining access privileges or other attributes in NIST SP 800-171?

By a combination of account and type of account

What is the purpose of compensatory security measures in NIST SP 800-171?

To replace security requirements that cannot be met

What is the scope of the recommended security requirements in NIST SP 800-171?

All components of nonfederal systems and organizations

What is the purpose of the fourteen security control families in NIST SP 800-171?

To provide a minimum-security baseline for federal information and systems

What is the purpose of information flow control policies and enforcement mechanisms in NIST SP 800-171?

To control access between active entities or subjects and passive entities or objects in systems

What is the purpose of NIST SP800-171 guidelines?

To protect Controlled Unclassified Information (CUI) in non-federal systems and organizations

Who should use NIST SP800-171 guidelines?

Both federal agencies and nonfederal organizations that process, store, or transmit CUI on behalf of federal agencies

Why is implementing NIST SP800-171 necessary for a company?

To retain its government contracts

What is the requirement of SP800-131a?

To implement longer key lengths and stronger cryptography

What is the role of a cybersecurity consultant in DFARS compliance?

To implement the recommended requirements contained in NIST SP800-171

What is the purpose of the NIST Self-Assessment Handbook (NIST Handbook 162)?

To assess facilities' compliance with NIST SP800-171

What is the purpose of DFARS cybersecurity clause 252.204-7012?

To demonstrate a company's provision of adequate security

What is the purpose of NIST SP800-171 guidelines?

To protect Controlled Unclassified Information in non-federal systems and organizations

What is the purpose of data encryption in an organization's defensive posture?

To provide an additional layer of depth to an organization's defensive posture

What should organizations comply with to meet CMMC Level 2 or higher?

NIST SP800-171, the FIPS 140 standard for cryptography, and CMMC controls

What is the requirement for achieving FedRAMP Ready designation?

Compliance with NIST SP800-63B

Who is expected to use NIST SP800-171 guidelines?

Both federal agencies and nonfederal organizations

What is the purpose of the NIST Self-Assessment Handbook (NIST Handbook 162)?

To assess a company's facilities and determine how close they are to implementing NIST SP800-171

What is SP800-131a?

A requirement for longer key lengths and stronger cryptography

What is the role of a Manufacturing Extension Partnership (MEP) Center in DFARS compliance?

To help companies prepare for DFARS compliance

Why is implementing NIST SP800-171 necessary for a company?

To retain its government contracts

What is the DFARS cybersecurity clause 252.204-7012?

A requirement for defense contractors to implement the recommended requirements contained in NIST SP800-171

What is the role of a cybersecurity consultant in DFARS compliance?

To provide guidance and expertise related to NIST SP800-171 requirements

What is required for a CSO's MFA solution to achieve a FedRAMP Ready designation?

Compliance with both NIST SP800-63B and FIPS 140 validated encryption

What is the purpose of data encryption in an organization's defensive posture?

To provide an additional layer of depth to the organization's defensive posture

What is CMMC 2.0?

A new set of guidelines for protecting Controlled Unclassified Information (CUI)

What should organizations that need to comply with CMMC Level 2 or higher understand?

The intersection between NIST SP800-171 and the FIPS 140 standard for cryptography

Study Notes

NIST Special Publication 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

  • This publication provides recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when the information is resident in nonfederal systems and organizations.

  • The security requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components.

  • The security requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.

  • The publication is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.

  • The publication is available free of charge from the National Institute of Standards and Technology (NIST) website.

  • The publication is not subject to copyright in the United States, but attribution to NIST is appreciated.

  • This publication is derived from Federal Information Processing Standards Publication (FIPS) 200 and NIST Special Publication (SP) 800-53, and is based on the CUI regulation 32 CFR 2002.

  • Organizations should not assume that satisfying the requirements in this publication will automatically satisfy the security requirements and controls in FIPS 200 and SP 800-53.

  • Organizations interested in or required to comply with the recommendations in this publication are strongly advised to review the complete listing of controls in the moderate baseline in Appendix E to ensure that their individual security plans and control deployments provide sufficient protection.

  • The publication provides a direct mapping of CUI security requirements to the security controls in SP 800-53 and ISO 27001, which can be useful for organizations that have implemented the NIST Framework for Improving Critical Infrastructure Cybersecurity.

  • The publication acknowledges contributions from individuals and organizations in the public and private sectors, nationally and internationally, whose comments improved the overall quality and usefulness of the publication.

  • Comments on this publication may be submitted to NIST for review during designated public comment periods.

Protecting Controlled Unclassified Information: Summary of Guidelines

  • The federal government relies on external service providers to help carry out federal missions and business functions using information systems.

  • Many federal contractors process, store, and transmit sensitive federal information to support the delivery of essential products and services to federal agencies.

  • The protection of unclassified federal information in nonfederal systems and organizations is dependent on the federal government providing a process for identifying the different types of information that are used by federal agencies.

  • The Controlled Unclassified Information (CUI) Program was established to standardize the way the executive branch handles unclassified information that requires protection.

  • The CUI Program is designed to address several deficiencies in managing and protecting unclassified information to include inconsistent markings, inadequate safeguarding, and needless restrictions.

  • The CUI Registry is the online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI Executive Agent.

  • The purpose of this publication is to provide federal agencies with recommended security requirements for protecting the confidentiality of CUI when the CUI is resident in a nonfederal system and organization.

  • The requirements apply to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.

  • The recommended security requirements in this publication are intended for use by federal agencies in appropriate contractual vehicles or other agreements established between those agencies and nonfederal organizations.

  • The tailoring criteria described in Chapter Two are not intended to reduce or minimize the federal requirements for the safeguarding of CUI as expressed in the federal CUI regulation.

  • The requirements in this publication have been tailored for nonfederal entities but do not diminish the level of protection of CUI required for moderate confidentiality.

  • Additional or differing requirements, other than the requirements described in this publication, may be applied only when such requirements are based on law, regulation, or governmentwide policy and when indicated in the CUI Registry as CUI-specified or when an agreement establishes.

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

  • The security requirements for protecting Controlled Unclassified Information (CUI) are defined by the National Institute of Standards and Technology (NIST) in Special Publication (SP) 800-171 Revision 2.

  • The requirements apply to nonfederal organizations that own, operate, or maintain nonfederal systems, such as state and local governments, colleges and universities, and contractors.

  • The potential impact of a breach of security on organizations, assets, or individuals is defined as low, moderate, or high, based on the loss of confidentiality.

  • The safeguarding requirements for CUI in a specified category are addressed by the National Archives and Records Administration (NARA) and reflected in contracts or agreements.

  • Nonfederal organizations may use the same CUI infrastructure for multiple government contracts or agreements, if the infrastructure meets the safeguarding requirements for the organization's CUI-related contracts and/or agreements.

  • The publication serves a diverse group of individuals and organizations in both the public and private sectors with system development, acquisition, management, and oversight responsibilities.

  • The security requirements have a well-defined structure that consists of a basic security requirements section and a derived security requirements section.

  • The basic security requirements are obtained from Federal Information Processing Standards Publication (FIPS) 200, while the derived security requirements are taken from the security controls in SP 800-53.

  • The security requirements are organized into fourteen families that align with the minimum security requirements for federal information and systems described in FIPS 200.

  • A discussion section follows each CUI security requirement providing additional information to facilitate implementation and assessment of the requirements.

  • The security requirements developed represent a subset of the safeguarding measures necessary for a comprehensive information security program.

  • Nonfederal organizations are encouraged to refer to SP 800-53 for a complete listing of security controls in the moderate baseline deemed out of scope for the security requirements in Chapter Three.

NIST SP 800-171: Protecting Controlled Unclassified Information

  • NIST SP 800-171 is a publication that provides recommended security requirements for nonfederal organizations that process, store, or transmit controlled unclassified information (CUI).

  • Nonfederal organizations must implement security requirements to protect CUI, which includes 14 security control families and 110 security requirements.

  • The security requirements in NIST SP 800-171 are based on existing and recognized security standards and control sets, such as ISO 27001 or SP 800-53.

  • Nonfederal organizations must develop a system security plan that describes how security requirements are implemented, the system boundary, operational environment, and relationships with other systems.

  • Plans of action must also be developed to describe how unimplemented security requirements will be met and how planned mitigations will be implemented.

  • The discussion section associated with each CUI requirement is informative, not normative, and does not intend to extend the scope of a requirement or influence the solutions organizations may use to satisfy a requirement.

  • Compensatory security measures selected by organizations must be based on or derived from existing and recognized security standards and control sets.

  • The recommended security requirements in NIST SP 800-171 apply only to the components of nonfederal systems that process, store, or transmit CUI or provide protection for such components.

  • The term "organizational system" refers to the components of nonfederal systems that process, store, or transmit CUI or provide protection for such components.

  • Access control policies control access between active entities or subjects and passive entities or objects in systems.

  • Organizations may choose to define access privileges or other attributes by account, type of account, or a combination of both.

  • Information flow control regulates where information can travel within a system and between systems, and organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information.

Understanding NIST SP800 Guidelines and Compliance Requirements for Government Contracts

  • NIST SP800-171 provides guidelines for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations.
  • The guidelines are intended for use by federal agencies and nonfederal organizations that process, store, or transmit CUI on behalf of federal agencies.
  • DFARS cybersecurity clause 252.204-7012 requires defense contractors to implement the recommended requirements contained in NIST SP800-171 to demonstrate their provision of adequate security.
  • Compliance with DFARS likely involves working with a cybersecurity consultant who knows the NIST SP800-171 requirements inside and out.
  • Small manufacturers can look to their state’s Manufacturing Extension Partnership (MEP) Center, which has a working knowledge of NIST SP800-171 and can help companies prepare for DFARS compliance.
  • Implementing NIST SP800-171 is necessary for a company to protect its information and retain its government contracts.
  • The NIST Self-Assessment Handbook (NIST Handbook 162) helps readers assess their facilities to conclude how close they are to implementing NIST SP800-171 and to determine where to focus efforts when making improvements.
  • SP800-131a is a NIST requirement that mandates longer key lengths and stronger cryptography.
  • To achieve a FedRAMP Ready designation, a CSO’s MFA solution must comply with NIST SP800-63B, which requires the use of FIPS 140 validated encryption for MFA tools.
  • Data encryption is a fundamental security control that provides an additional layer of depth to an organization’s defensive posture.
  • CMMC 2.0 simplifies the control requirements by reducing from five certification levels to only three.
  • Organizations that need to comply with CMMC Level 2 or higher should understand the intersection between NIST SP800-171, the FIPS 140 standard for cryptography, and CMMC controls.


Related Documents

NIST.SP.800-171r2.pdf
CUI & SP800 PDF

Description

Test your knowledge on information security with this quiz on SP800-171 guidelines for protecting Controlled Unclassified Information in non-federal systems and organizations. Learn about CUI and its significance in safeguarding unclassified information. Challenge yourself to score high by answering questions related to NIST publications and information security best practices.
