Summary

This document discusses Controlled Unclassified Information (CUI) and the guidelines in SP800-171 for protecting CUI. It highlights the role of the National Institute of Standards and Technology (NIST) in providing guidance on information security, and it mentions the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS).

Full Transcript

CUI stands for "Controlled Unclassified Information," and SP800 refers to a series of publications by the National Institute of Standards and Technology (NIST) that provide guidance on various aspects of information security. SP800-171 specifically provides guidelines for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. CUI refers to unclassified information that requires safeguarding or dissemination controls in accordance with laws, regulations, or government-wide policies. The guidelines in SP800-171 are intended for use by federal agencies in their acquisition of nonfederal systems that process, store, or transmit CUI, as well as by nonfederal organizations that process, store, or transmit CUI on behalf of federal agencies. The document provides requirements for protecting the confidentiality, integrity, and availability of CUI, and outlines security controls that should be implemented to achieve these objectives.

Manufacturers involved in supply chains tied to government contracts can anticipate those awards bringing in additional revenue at levels that might not be possible otherwise. However, being successful in getting and keeping such work means complying with the Federal Acquisition Regulation (FAR) and the Defense Federal Acquisition Regulation Supplement (DFARS). FAR is the set of regulations that governs all acquisitions and contracting procedures of the U.S. government; DFARS is a supplement to FAR. The Department of Defense (DoD) is the administrative body behind DFARS, but DFARS requirements reach beyond that organization.

NIST SP 800-171 is a NIST Special Publication that provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI).
Defense contractors must implement the recommended requirements contained in NIST SP 800-171 to demonstrate that they provide adequate security for the covered defense information included in their defense contracts, as required by DFARS clause 252.204-7012. If a manufacturer is part of the supply chain of the DoD, the General Services Administration (GSA), NASA, or another federal or state agency, implementing the security requirements in NIST SP 800-171 is a must.

How Do You Implement NIST SP 800-171?

It's understandable for manufacturers to wonder what they should do to implement NIST SP 800-171 and ultimately get in compliance with DFARS, and whether there are specialized resources available to help them reach that milestone without preventable pitfalls. The first thing they should keep in mind is that becoming DFARS compliant likely involves working with a cybersecurity consultant who knows the NIST SP 800-171 requirements inside and out. Small manufacturers are advised to look to their state's Manufacturing Extension Partnership (MEP) Center. As part of the MEP National Network™, a larger organization that connects them to NIST, the representatives at your local MEP Center will have a working knowledge of NIST SP 800-171 and can help companies prepare for DFARS compliance. The process can be short or long, depending on the complexity of a company's operating environment and information systems, but implementing NIST SP 800-171 is a necessary step for a company to protect its information.

What Does a Successful Plan Entail?

Manufacturers that want to retain their DoD, GSA, NASA and other federal and state agency contracts need a plan that meets the requirements of NIST SP 800-171. DFARS cybersecurity clause 252.204-7012 went into effect on Dec. 31, 2017, and deals with processing, storing or transmitting CUI that exists on non-federal systems, such as those used by a government contractor.
One of the first steps manufacturers should take is to identify the gaps that prevent them from being compliant with DFARS. From that point, they can determine how to proceed.

How Should Manufacturers Start Working Toward Compliance?

The MEP National Network offers dedicated resources for manufacturers that need information about their company's cybersecurity posture, which can help them understand what getting compliant with DFARS actually means for them. Companies can see whether DFARS compliance applies to them and view infographics that recommend steps to make their factory floors more secure.

The MEP National Network also provides a resource that manufacturers will undoubtedly refer to again and again: the NIST Self-Assessment Handbook (NIST Handbook 162). It spans more than 150 pages and helps readers assess their facilities to determine how close they are to implementing NIST SP 800-171, and therefore how close they are to being DFARS compliant. It also helps determine where to focus improvement efforts so as to maximize the impact of each dollar spent on cybersecurity. For example, the handbook advises how to carry out an assessment and which employees to talk to regarding each security requirement.

Manufacturers that read through the handbook will note that each assessment question has an "alternative approach" option. It reflects the fact that manufacturers may find that some requirements in NIST SP 800-171 don't apply to them. In that case, it's acceptable to use a different but equally effective method of maintaining security, as long as the manufacturer notifies the correct government authorities about the changes and gets approval for them. Manufacturing plant representatives can also increase their understanding of compliance requirements by watching a webinar that goes through some of the crucial elements of the handbook.
Complexity Shouldn't Be a Barrier

Manufacturers may initially view the cybersecurity requirements for government contracts as too complicated, especially if they have small operations. However, using the available resources, including local MEP Centers, lets manufacturers see that it's possible to get into compliance with DFARS, and to stay in compliance, by implementing the NIST SP 800-171 requirements, and it opens up the possibility of receiving financially rewarding and reputation-boosting government contracts.

SP800-131a is a NIST requirement that mandates longer key lengths and stronger cryptographic algorithms. The specification also provides a transition configuration to enable US federal agencies to move to strict enforcement of SP800-131a; the transition configuration allows agencies to run with a mixture of settings from both FIPS140-3 and SP800-131a. SP800-131a can therefore be run in two modes: transition and strict.

Strict mode

Overview of configuration tasks:

• Enable FIPS 140-2 mode during appliance configuration.
• Set a tuning parameter to enable strict mode.
• (Optional) If your deployment uses client certificate authentication, configure TLS v1.2.

To achieve a FedRAMP Ready designation, a CSO's MFA solution must comply with NIST Special Publication (SP) 800-63B, which requires the use of FIPS 140 validated encryption for MFA tools.

Data encryption is a fundamental security control, widely used to mitigate the impact of a data breach on an organization. By making data unusable to anyone without the decryption key, encryption adds a layer of depth to an organization's defensive posture. If threat actors manage to evade detection and exfiltrate data, they still need the appropriate decryption key to use it, which renders their effort moot and discourages further activity.
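The strict-mode tasks above end with configuring TLS v1.2, and the surrounding text is about stronger algorithms and longer keys. The following Python is an added example, not code from the page or from any vendor's appliance: it builds a client TLS context that refuses anything below TLS 1.2 and offers only AEAD cipher suites with ephemeral key exchange, shows the permissive "transition" counterpart beside it, and audits an arbitrary context for the weak settings a transition deployment might still carry. The thresholds it enforces (TLS 1.2 minimum, AEAD-only suites, at least 128-bit symmetric strength, mandatory peer verification) are this example's own reading of "strict", not quoted from SP 800-131A, and the function names are chosen here. Python's ssl module wraps OpenSSL, so the cipher list uses OpenSSL's cipher-string syntax.

```python
import ssl

# Thresholds used by this example's notion of "strict" (an assumption for the
# example, not quoted from SP 800-131A): TLS 1.2 or later, AEAD suites only,
# at least 128-bit symmetric strength, and mandatory peer verification.
MIN_TLS_VERSION = ssl.TLSVersion.TLSv1_2
MIN_SYMMETRIC_BITS = 128


def strict_tls_context():
    """Client context for the strict setting: TLS 1.2+ and AEAD-only suites."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH)
    ctx.minimum_version = MIN_TLS_VERSION
    # OpenSSL cipher-list syntax for the TLS 1.2 suites: ephemeral ECDH key
    # exchange with AES-GCM or ChaCha20-Poly1305, and no anonymous, null,
    # MD5 or SHA-1 suites. TLS 1.3 suites are configured separately by
    # OpenSSL and are all AEAD, so they pass the audit below unchanged.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!SHA1")
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def transition_tls_context():
    """The 'before' picture: a context that still offers legacy CBC/HMAC suites."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    # "ALL:!aNULL" keeps every authenticated suite OpenSSL knows, including
    # the non-AEAD AES-CBC-SHA1 suites a strict deployment must drop.
    ctx.set_ciphers("ALL:!aNULL")
    return ctx


def audit_tls_context(ctx):
    """Return findings against the strict thresholds; an empty list is a pass."""
    findings = []
    if ctx.minimum_version < MIN_TLS_VERSION:
        findings.append(
            f"minimum protocol version is {ctx.minimum_version.name}; "
            f"expected {MIN_TLS_VERSION.name} or later"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate verification is not required")
    for suite in ctx.get_ciphers():
        # get_ciphers() exposes OpenSSL's view of each enabled suite, including
        # whether it is an AEAD construction and its effective key strength.
        if not suite["aead"]:
            findings.append(f"{suite['name']} is not an AEAD suite")
        elif suite["strength_bits"] < MIN_SYMMETRIC_BITS:
            findings.append(
                f"{suite['name']} offers only {suite['strength_bits']}-bit strength"
            )
    return findings


if __name__ == "__main__":
    for label, ctx in (("strict", strict_tls_context()),
                       ("transition", transition_tls_context())):
        findings = audit_tls_context(ctx)
        print(f"{label}: {'pass' if not findings else f'{len(findings)} findings'}")
        for finding in findings:
            print("  -", finding)
```

Running the script audits both contexts: the strict one returns no findings, while the transition one lists every non-AEAD suite OpenSSL still enables. The audit inspects only the TLS layer; certificate key sizes and signature hashes, which strict enforcement also constrains, have to be checked separately against the deployed certificates.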
While the first iteration of the Cybersecurity Maturity Model Certification (CMMC) program was released in 2020, the Department of Defense announced CMMC 2.0 on November 4, 2021. CMMC 2.0 maintains the same goals as the original program, but it also adds enhancements, including:

• Accountability while minimizing compliance barriers
• Collaboration
• Ease of execution while enhancing public trust

Additionally, CMMC 2.0 simplifies the control requirements by reducing from five certification levels to only three:

• Level 1 (remains equivalent to CMMC 1.0 Level 1): Foundational
• Level 2 (formerly Levels 2 and 3): Advanced
• Level 3 (formerly Levels 4 and 5): Expert

As members of the Defense Industrial Base (DIB) seek to meet CMMC compliance requirements, they need to employ best cryptographic practices for securing information. Under the original CMMC program, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 acted as a guiding set of best practices for CMMC, with additional CMMC-specific controls attached. Under CMMC 2.0, however, NIST SP 800-171 is now the primary set of compliance requirements for setting minimum security baselines. Data encryption features prominently among those requirements, and 800-171 references another NIST publication, the FIPS 140 standard, for specific governance. Organizations that need to comply with CMMC Level 2 or higher should understand:

• The intersection between NIST SP 800-171, the FIPS 140 standard for cryptography, and CMMC controls;
• CMMC Practices that directly reference encryption requirements;
• CMMC Level 2 and 3 compliance requirements for FIPS 140 validation;
• The distinction between FIPS Validated and FIPS Compliant encryption;
• The process to achieve FIPS 140 validation, with recommended strategies.
As organizations within the DIB look to meet CMMC compliance, both to maintain their current contracts and to apply for future ones, validated encryption is fundamental to meeting certification requirements. After reading this paper, certain action items should be on your radar:

• Confirm the relevant CMMC level for your business;
• Inventory the FCI and CUI held by your organization;
• Identify where encryption is deployed in your systems and whether it has been certified to meet the FIPS 140 standard;
