NIST Special Publication 800-171 Revision 2

Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

RON ROSS
VICTORIA PILLITTERI
KELLEY DEMPSEY
Computer Security Division
National Institute of Standards and Technology

MARK RIDDLE
Information Security Oversight Office
National Archives and Records Administration

GARY GUISSANIE
Institute for Defense Analyses

This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-171r2

February 2020
INCLUDES UPDATES AS OF 01-28-2021; SEE PAGE X

U.S. Department of Commerce
Wilbur L. Ross, Jr., Secretary

National Institute of Standards and Technology
Walter Copan, NIST Director and Under Secretary of Commerce for Standards and Technology

SP 800-171, REVISION 2 PROTECTING CONTROLLED UNCLASSIFIED INFORMATION

Authority

This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA), 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems. Such information security standards and guidelines shall not apply to national security systems without the express approval of the appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.
Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, OMB Director, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis, and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

National Institute of Standards and Technology Special Publication 800-171, Revision 2
Natl. Inst. Stand. Technol. Spec. Publ. 800-171, Revision 2, 113 pages (February 2020)
CODEN: NSPUE2

Certain commercial entities, equipment, or materials may be identified in this document to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts, practices, and methodologies may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.
Organizations are encouraged to review draft publications during the designated public comment periods and provide feedback to NIST. Many NIST publications, other than the ones noted above, are available at https://csrc.nist.gov/publications.

Comments on this publication may be submitted to:
National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930)
Gaithersburg, MD 20899-8930
Email: [email protected]

All comments are subject to release under the Freedom of Information Act (FOIA) [FOIA96]

Reports on Computer Systems Technology

The National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) promotes the U.S. economy and public welfare by providing technical leadership for the Nation's measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology (IT). ITL's responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL's research, guidelines, and outreach efforts in information systems security and privacy and its collaborative activities with industry, government, and academic organizations.
Abstract

The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its essential missions and functions. This publication provides agencies with recommended security requirements for protecting the confidentiality of CUI when the information is resident in nonfederal systems and organizations; when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category listed in the CUI Registry. The requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components. The security requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.

Keywords

Basic Security Requirement; Contractor Systems; Controlled Unclassified Information; CUI Registry; Derived Security Requirement; Executive Order 13556; FIPS Publication 199; FIPS Publication 200; FISMA; NIST Special Publication 800-53; Nonfederal Organizations; Nonfederal Systems; Security Assessment; Security Control; Security Requirement.

Trademark Information

All names are trademarks or registered trademarks of their respective owners.
Acknowledgements

The authors wish to recognize the scientists, engineers, and research staff from the Computer Security Division and Applied Cybersecurity Division for their exceptional contributions in helping to improve the content of the publication. A special note of thanks to Pat O'Reilly, Jim Foti, Jeff Brewer and the NIST web team for their outstanding administrative support. Finally, the authors also gratefully acknowledge the contributions from individuals and organizations in the public and private sectors, nationally and internationally, whose thoughtful and constructive comments improved the overall quality, thoroughness, and usefulness of this publication.

HISTORICAL CONTRIBUTIONS TO NIST SPECIAL PUBLICATION 800-171

The authors acknowledge the many individuals who contributed to previous versions of Special Publication 800-171 since its inception in June 2015. They include Carol Bales, Matthew Barrett, Jon Boyens, Devin Casey, Christian Enloe, Peggy Himes, Robert Glenn, Elizabeth Lennon, Vicki Michetti, Dorian Pappas, Karen Quigg, Mary Thomas, Matthew Scholl, Murugiah Souppaya, Patricia Toth, and Patrick Viscuso.

Patent Disclosure Notice

NOTICE: The Information Technology Laboratory (ITL) has requested that holders of patent claims whose use may be required for compliance with the guidance or requirements of this publication disclose such patent claims to ITL.
However, holders of patents are not obligated to respond to ITL calls for patents and ITL has not undertaken a patent search in order to identify which, if any, patents may apply to this publication.

As of the date of publication and following call(s) for the identification of patent claims whose use may be required for compliance with the guidance or requirements of this publication, no such patent claims have been identified to ITL.

No representation is made or implied by ITL that licenses are not required to avoid patent infringement in the use of this publication.

CAUTIONARY NOTE

The Federal Information Security Modernization Act [FISMA] of 2014 requires federal agencies to identify and provide information security protections commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of information collected or maintained by or on behalf of an agency; or information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. This publication focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations, and recommends specific security requirements to achieve that objective. It does not change the requirements set forth in [FISMA], nor does it alter the responsibility of federal agencies to comply with the full provisions of the statute, the policies established by OMB, and the supporting security standards and guidelines developed by NIST.

The requirements recommended for use in this publication are derived from [FIPS 200] and the moderate security control baseline in [SP 800-53] and are based on the CUI regulation [32 CFR 2002]. The requirements and controls have been determined over time to provide the necessary protection for federal information and systems that are covered under [FISMA]. The tailoring criteria applied to the [FIPS 200] requirements and [SP 800-53] controls are not an endorsement for the elimination of those requirements and controls; rather, the tailoring criteria focus on the protection of CUI from unauthorized disclosure in nonfederal systems and organizations. Moreover, since the security requirements are derivative from the NIST publications listed above, organizations should not assume that satisfying those particular requirements will automatically satisfy the security requirements and controls in [FIPS 200] and [SP 800-53].

In addition to the security objective of confidentiality, the objectives of integrity and availability remain a high priority for organizations that are concerned with establishing and maintaining a comprehensive information security program. While the primary purpose of this publication is to define requirements to protect the confidentiality of CUI, there is a close relationship between confidentiality and integrity since many of the underlying security mechanisms at the system level support both security objectives. Therefore, the basic and derived security requirements in this publication provide protection from unauthorized disclosure and unauthorized modification of CUI.
Organizations that are interested in or are required to comply with the recommendations in this publication are strongly advised to review the complete listing of controls in the moderate baseline in Appendix E to ensure that their individual security plans and control deployments provide the necessary and sufficient protection to address the cyber and kinetic threats to organizational missions and business operations.

CUI SECURITY REQUIREMENTS

The recommended security requirements contained in this publication are only applicable to a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement. The security requirements apply to the components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.

FRAMEWORK FOR IMPROVING CRITICAL INFRASTRUCTURE CYBERSECURITY

Organizations that have implemented or plan to implement the NIST Framework for Improving Critical Infrastructure Cybersecurity [NIST CSF] can find in Appendix D a direct mapping of the Controlled Unclassified Information (CUI) security requirements to the security controls in [SP 800-53] and [ISO 27001]. These controls are also mapped to the Categories and Subcategories associated with Cybersecurity Framework Core Functions: Identify, Protect, Detect, Respond, and Recover. The security control mappings can be useful to organizations that wish to demonstrate compliance to the security requirements in the context of their established information security programs, when such programs have been built around the NIST or ISO/IEC security controls.

ADDITIONAL RESOURCES

Mapping security controls to the Cybersecurity Framework: https://csrc.nist.gov/publications/detail/nistir/8170/draft
Mapping CUI security requirements to the Cybersecurity Framework: https://csrc.nist.gov/projects/cybersecurity-framework/informative-reference-catalog/details/1

Table of Contents

CHAPTER ONE INTRODUCTION ... 1
1.1 PURPOSE AND APPLICABILITY ... 2
1.2 TARGET AUDIENCE ... 4
1.3 ORGANIZATION OF THIS SPECIAL PUBLICATION ... 4
CHAPTER TWO THE FUNDAMENTALS ... 5
2.1 BASIC ASSUMPTIONS ... 5
2.2 DEVELOPMENT OF SECURITY REQUIREMENTS ... 6
CHAPTER THREE THE REQUIREMENTS ... 9
3.1 ACCESS CONTROL ... 10
3.2 AWARENESS AND TRAINING ... 16
3.3 AUDIT AND ACCOUNTABILITY ... 17
3.4 CONFIGURATION MANAGEMENT ... 20
3.5 IDENTIFICATION AND AUTHENTICATION ... 23
3.6 INCIDENT RESPONSE ... 26
3.7 MAINTENANCE ... 27
3.8 MEDIA PROTECTION ... 29
3.9 PERSONNEL SECURITY ... 31
3.10 PHYSICAL PROTECTION ... 32
3.11 RISK ASSESSMENT ... 33
3.12 SECURITY ASSESSMENT ... 34
3.13 SYSTEM AND COMMUNICATIONS PROTECTION ... 36
3.14 SYSTEM AND INFORMATION INTEGRITY ... 40
APPENDIX A REFERENCES ... 44
APPENDIX B GLOSSARY ... 51
APPENDIX C ACRONYMS ... 60
APPENDIX D MAPPING TABLES ... 61
APPENDIX E TAILORING CRITERIA ... 84

Errata

This table contains changes that have been incorporated into Special Publication 800-171. Errata updates can include corrections, clarifications, or other minor changes in the publication that are either editorial or substantive in nature.

DATE: 01-28-2021 | TYPE: Editorial | PAGE: vii
CHANGE: Front Matter Blue Box: Change "The requirements apply only" to "The security requirements apply"

DATE: 01-28-2021 | TYPE: Editorial | PAGE: 2
CHANGE: Chapter One, Section 1.1, Paragraph 1: Delete: "The requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components."

DATE: 01-28-2021 | TYPE: Editorial | PAGE: 2
CHANGE: Chapter One, Section 1.1, Paragraph 2: Add "The requirements apply to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components. If nonfederal organizations designate specific system components for the processing, storage, or transmission of CUI, those organizations may limit the scope of the security requirements by isolating the designated system components in a separate CUI security domain. Isolation can be achieved by applying architectural and design concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices and using information flow control mechanisms). Security domains may employ physical separation, logical separation, or a combination of both. This approach can provide adequate security for the CUI and avoid increasing the organization's security posture to a level beyond that which it requires for protecting its missions, operations, and assets."

DATE: 01-28-2021 | TYPE: Editorial | PAGE: 3
CHANGE: Chapter One, Section 1.1, Paragraph 3: Change: "The requirements are" to "The recommended security requirements in this publication are"

DATE: 01-28-2021 | TYPE: Editorial | PAGE: 4
CHANGE: Chapter One, Section 1.1, Paragraph 6: Delete: "If nonfederal organizations entrusted with protecting CUI designate systems or components for the processing, storage, or transmission of CUI, those organizations may limit the scope of the security requirements to only those systems or components. Isolating CUI into its own security domain by applying architectural design concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices) may be the most cost-effective and efficient approach for nonfederal organizations to satisfy the security requirements and protect the confidentiality of CUI. Security domains may employ physical separation, logical separation, or a combination of both. This approach can reasonably provide adequate security for the CUI and avoid increasing the organization's security posture to a level beyond which it typically requires for protecting its missions, operations, and assets."

CHAPTER ONE

INTRODUCTION

THE NEED TO PROTECT CONTROLLED UNCLASSIFIED INFORMATION

Today, more than at any time in history, the federal government is relying on external service providers to help carry out a wide range of federal missions and business functions using information systems. 1 Many federal contractors process, store, and transmit sensitive federal information to support the delivery of essential products and services to federal agencies (e.g., providing financial services; providing web and electronic mail services; processing security clearances or healthcare data; providing cloud services; and developing communications, satellite, and weapons systems). Federal information is frequently provided to or shared with entities such as state and local governments, colleges and universities, and independent research organizations. The protection of sensitive federal information while residing in nonfederal systems 2 and organizations is of paramount importance to federal agencies, and can directly impact the ability of the federal government to carry out its designated missions and business operations. The protection of unclassified federal information in nonfederal systems and organizations is dependent on the federal government providing a process for identifying the different types of information that are used by federal agencies.
[EO 13556] established a governmentwide Controlled Unclassified Information (CUI) 3 Program to standardize the way the executive branch handles unclassified information that requires protection. 4 Only information that requires safeguarding or dissemination controls pursuant to federal law, regulation, or governmentwide policy may be designated as CUI. The CUI Program is designed to address several deficiencies in managing and protecting unclassified information to include inconsistent markings, inadequate safeguarding, and needless restrictions, both by standardizing procedures and by providing common definitions through a CUI Registry [NARA CUI]. The CUI Registry is the online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI Executive Agent. The CUI Registry identifies approved CUI categories, provides general descriptions for each, identifies the basis for controls, and sets out procedures for the use of CUI including, but not limited to, marking, safeguarding, transporting, disseminating, reusing, and disposing of the information.

1 An information system is a discrete set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems also include specialized systems, for example: industrial/process control systems, cyber-physical systems, embedded systems, and devices. The term system is used throughout this publication to represent all types of computing platforms that can process, store, or transmit CUI.
2 A federal information system is a system that is used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. A system that does not meet such criteria is a nonfederal system.
3 Controlled Unclassified Information is any information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under [EO 13526] or any predecessor or successor order, or [ATOM54], as amended.
4 [EO 13556] designated the National Archives and Records Administration (NARA) as the Executive Agent to implement the CUI Program.

[EO 13556] also required that the CUI Program emphasize openness, transparency, and uniformity of governmentwide practices, and that the implementation of the program take place in a manner consistent with applicable policies established by the Office of Management and Budget (OMB) and federal standards and guidelines issued by the National Institute of Standards and Technology (NIST). The federal CUI regulation, 5 developed by the CUI Executive Agent, provides guidance to federal agencies on the designation, safeguarding, dissemination, marking, decontrolling, and disposition of CUI, establishes self-inspection and oversight requirements, and delineates other facets of the program.
1.1 PURPOSE AND APPLICABILITY

The purpose of this publication is to provide federal agencies with recommended security requirements 6 for protecting the confidentiality of CUI: (1) when the CUI is resident in a nonfederal system and organization; (2) when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; 7 and (3) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category listed in the CUI Registry. 8

The requirements apply to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components. 9 If nonfederal organizations designate specific system components for the processing, storage, or transmission of CUI, those organizations may limit the scope of the security requirements by isolating the designated system components in a separate CUI security domain. Isolation can be achieved by applying architectural and design concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices and using information flow control mechanisms). Security domains may employ physical separation, logical separation, or a combination of both. This approach can provide adequate security for the CUI and avoid increasing the organization's security posture to a level beyond that which it requires for protecting its missions, operations, and assets.

5 [32 CFR 2002] was issued on September 14, 2016 and became effective on November 14, 2016.
6 The term requirements can be used in different contexts. In the context of federal information security and privacy policies, the term is generally used to refer to information security and privacy obligations imposed on organizations. For example, OMB Circular A-130 imposes a series of information security and privacy requirements with which federal agencies must comply when managing information resources. In addition to the use of the term requirements in the context of federal policy, the term requirements is used in this guideline in a broader sense to refer to an expression of the set of stakeholder protection needs for a particular system or organization. Stakeholder protection needs and corresponding security requirements may be derived from many sources (e.g., laws, executive orders, directives, regulations, policies, standards, mission and business needs, or risk assessments). The term requirements, as used in this guideline, includes both legal and policy requirements, as well as an expression of the broader set of stakeholder protection needs that may be derived from other sources. All of these requirements, when applied to a system, help determine the required characteristics of the system.
7 Nonfederal organizations that collect or maintain information on behalf of a federal agency or that use or operate a system on behalf of an agency, must comply with the requirements in [FISMA], including the requirements in [FIPS 200] and the security controls in [SP 800-53] (See [44 USC 3554] (a)(1)(A)).
8 The requirements in this publication can be used to comply with the [FISMA] requirement for senior agency officials to provide information security for the information that supports the operations and assets under their control, including CUI that is resident in nonfederal systems and organizations (See [44 USC 3554] (a)(1)(A) and (a)(2)).
9 System components include, for example: mainframes, workstations, servers; input and output devices; network components; operating systems; virtual machines; and applications.
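The scoping rule in Section 1.1 (components that process, store, or transmit CUI, plus the components that provide security protection for them) is what decides how large an organization's CUI security domain must be, and in practice the components that get missed are the ones pulled into scope only by a data flow. The following Python script is an added example written for this page, not code from NIST or from the publication: it applies that rule to a constructed component inventory and set of data flows, then lists the flows that cross the domain boundary (the ones a firewall or information flow control mechanism must mediate) and the CUI handlers that no security component claims to protect. The component names, the "protects" relation, and the flows are all assumptions made up for the example; a real run would load them from a CMDB export or network map.

```python
"""Scope a CUI security domain from a component inventory and its data flows.

Added example, not part of NIST SP 800-171. It applies the applicability
rule of Section 1.1: a component is in scope if it processes, stores, or
transmits CUI, or if it provides security protection for such a component.
The inventory, the 'protects' relation, and the flows are constructed data.
"""

# Constructed inventory: component name -> attributes. 'protects' lists the
# components a security component guards (assumption: the organization records
# this, e.g. from firewall zone membership or SIEM log sources; the
# publication itself does not define how the relation is captured).
COMPONENTS = {
    "cui-fileserver": {"stores_cui": True},
    "eng-ws-07": {"processes_cui": True},
    "cui-fw": {"protects": ["cui-fileserver", "eng-ws-07"]},
    "siem": {"protects": ["cui-fileserver", "corp-wiki"]},
    "corp-wiki": {},
    "corp-fw": {"protects": ["corp-wiki"]},
    "mail-relay": {},
}

# Constructed data flows: (source, destination, carries_cui).
FLOWS = [
    ("eng-ws-07", "cui-fileserver", True),
    ("cui-fileserver", "mail-relay", True),   # CUI transits the relay
    ("corp-wiki", "mail-relay", False),
    ("eng-ws-07", "corp-wiki", False),
]


def cui_handlers(components, flows):
    """Components that process, store, or transmit CUI.

    Storage and processing come from inventory attributes; transmission is
    inferred from the flows, so both endpoints of a CUI-carrying flow count
    as handlers even if nobody tagged them in the inventory.
    """
    handlers = {
        name for name, attrs in components.items()
        if attrs.get("stores_cui") or attrs.get("processes_cui")
    }
    for src, dst, carries_cui in flows:
        if carries_cui:
            handlers.update((src, dst))
    return handlers


def protectors_of(components, targets):
    """Components whose 'protects' list names at least one of `targets`."""
    return {
        name for name, attrs in components.items()
        if any(t in targets for t in attrs.get("protects", []))
    }


def cui_scope(components, flows):
    """Components the SP 800-171 requirements apply to.

    Follows the publication's wording literally: handlers plus the components
    that protect a handler. A protector of a protector is not pulled in;
    widen this if your assessor expects the transitive reading.
    """
    handlers = cui_handlers(components, flows)
    return handlers | protectors_of(components, handlers)


def boundary_flows(flows, scope):
    """Flows with exactly one endpoint inside the CUI domain.

    These are the connections a boundary protection device or flow-control
    mechanism must mediate; everything else can be denied by default.
    """
    return sorted(
        (src, dst) for src, dst, _ in flows if (src in scope) != (dst in scope)
    )


def unprotected_handlers(components, flows):
    """CUI handlers that no security component claims to protect.

    The typical finding is a component pulled into scope only by a data flow
    (here the mail relay) that nobody placed behind the enclave boundary.
    """
    handlers = cui_handlers(components, flows)
    covered = set()
    for attrs in components.values():
        covered.update(attrs.get("protects", []))
    return sorted(handlers - covered)


if __name__ == "__main__":
    scope = cui_scope(COMPONENTS, FLOWS)
    print("in scope:", sorted(scope))
    print("boundary flows:", boundary_flows(FLOWS, scope))
    print("unprotected handlers:", unprotected_handlers(COMPONENTS, FLOWS))
```

Run it directly to print the three lists. The relay is the instructive case: nobody tagged it as a CUI system, but a CUI-carrying flow transits it, so it lands in scope and is reported as unprotected. The remedy is either to reroute that flow through the enclave boundary or to bring the relay inside the domain; silently leaving it out is what an assessor will find.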
5 6 CHAPTER ONE PAGE 2 SP 800-171, REVISION 2 PROTECTING CONTROLLED UNCLASSIFIED INFORMATION _________________________________________________________________________________________________ The recommended security requirements in this publication are intended for use by federal agencies in appropriate contractual vehicles or other agreements established between those agencies and nonfederal organizations. In CUI guidance and the CUI Federal Acquisition Regulation (FAR), 10 the CUI Executive Agent will address determining compliance with security requirements. 11 In accordance with the federal CUI regulation, federal agencies using federal systems to process, store, or transmit CUI, at a minimum, must comply with: This publication is available free of charge from: https://doi.org/10.6028/NIST.SP.800-171r2 • Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems (moderate confidentiality); 12 • Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems; • NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations; and • NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. The responsibility of federal agencies to protect CUI does not change when such information is shared with nonfederal partners. Therefore, a similar level of protection is needed when CUI is processed, stored, or transmitted by nonfederal organizations using nonfederal systems. 13 The recommended requirements for safeguarding CUI in nonfederal systems and organizations are derived from the above authoritative federal standards and guidelines to maintain a consistent level of protection. 
However, recognizing that the scope of the safeguarding requirements in the federal CUI regulation is limited to the security objective of confidentiality (i.e., not directly addressing integrity and availability) and that some of the security requirements expressed in the NIST standards and guidelines are uniquely federal, the requirements in this publication have been tailored for nonfederal entities. The tailoring criteria described in Chapter Two are not intended to reduce or minimize the federal requirements for the safeguarding of CUI as expressed in the federal CUI regulation. Rather, the intent is to express the requirements in a manner that allows for and facilitates the equivalent safeguarding measures within nonfederal systems and organizations and does not diminish the level of protection of CUI required for moderate confidentiality. Additional or differing requirements, other than the requirements described in this publication, may be applied only when such requirements are based on law, regulation, or governmentwide policy and when indicated in the CUI Registry as CUI-specified or when an agreement establishes requirements to protect CUI Basic¹⁴ at higher than moderate confidentiality. The provision of safeguarding requirements for CUI in a specified category will be addressed by the National Archives and Records Administration (NARA) in its CUI guidance and in the CUI FAR; and reflected as specific requirements in contracts or other agreements. Nonfederal organizations may use the same CUI infrastructure for multiple government contracts or agreements, if the CUI infrastructure meets the safeguarding requirements for the organization’s CUI-related contracts and/or agreements including any specific safeguarding required or permitted by the authorizing law, regulation, or governmentwide policy.

¹⁰ NARA, as the CUI Executive Agent, plans to sponsor a single FAR clause that will apply the requirements of the federal CUI regulation and NIST Special Publication 800-171 to contractors. Until the FAR clause is in place, the requirements in NIST Special Publication 800-171 may be referenced in federal contracts consistent with federal law and regulatory requirements.
¹¹ [SP 800-171A] provides assessment procedures to determine compliance to the CUI security requirements.
¹² [FIPS 199] defines three values of potential impact (i.e., low, moderate, high) on organizations, assets, or individuals in the event of a breach of security (e.g., a loss of confidentiality).
¹³ A nonfederal organization is any entity that owns, operates, or maintains a nonfederal system. Examples include: state, local, and tribal governments; colleges and universities; and contractors.

1.2 TARGET AUDIENCE

This publication serves a diverse group of individuals and organizations in both the public and private sectors including, but not limited to, individuals with:

• System development life cycle responsibilities (e.g., program managers, mission/business owners, information owners/stewards, system designers and developers, system/security engineers, systems integrators);
• Acquisition or procurement responsibilities (e.g., contracting officers);
• System, security, or risk management and oversight responsibilities (e.g., authorizing officials, chief information officers, chief information security officers, system owners, information security managers); and
• Security assessment and monitoring responsibilities (e.g., auditors, system evaluators, assessors, independent verifiers/validators, analysts).
The above roles and responsibilities can be viewed from two distinct perspectives: the federal perspective as the entity establishing and conveying the security requirements in contractual vehicles or other types of inter-organizational agreements; and the nonfederal perspective as the entity responding to and complying with the security requirements set forth in contracts or agreements.

1.3 ORGANIZATION OF THIS SPECIAL PUBLICATION

The remainder of this special publication is organized as follows:

• Chapter Two describes the fundamental assumptions and methodology used to develop the security requirements for protecting the confidentiality of CUI; the format and structure of the requirements; and the tailoring criteria applied to the NIST standards and guidelines to obtain the requirements.
• Chapter Three describes the fourteen families of security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations.
• Supporting appendices provide additional information related to the protection of CUI in nonfederal systems and organizations including: general references; definitions and terms; acronyms; mapping tables relating security requirements to the security controls in [SP 800-53] and [ISO 27001]; and tailoring actions applied to the moderate security control baseline.

¹⁴ CUI Basic is defined in the CUI Registry [NARA CUI].

CHAPTER TWO
THE FUNDAMENTALS
ASSUMPTIONS AND METHODOLOGY FOR DEVELOPING SECURITY REQUIREMENTS

This chapter describes the assumptions and the methodology used to develop the recommended security requirements to protect CUI in nonfederal systems and organizations; the structure of the basic and derived security requirements; and the tailoring criteria applied to the federal information security requirements and controls.
2.1 BASIC ASSUMPTIONS

The recommended security requirements described in this publication have been developed based on three fundamental assumptions:

• Statutory and regulatory requirements for the protection of CUI are consistent, whether such information resides in federal systems or nonfederal systems including the environments in which those systems operate;
• Safeguards implemented to protect CUI are consistent in both federal and nonfederal systems and organizations; and
• The confidentiality impact value for CUI is no less than [FIPS 199] moderate.¹⁵ ¹⁶

The assumptions reinforce the concept that federal information designated as CUI has the same intrinsic value and potential adverse impact if compromised—whether such information resides in a federal or a nonfederal organization. Thus, protecting the confidentiality of CUI is critical to the mission and business success of federal agencies and the economic and national security interests of the nation.
Additional assumptions also impacting the development of the security requirements and the expectation of federal agencies in working with nonfederal entities include:

• Nonfederal organizations have information technology infrastructures in place, and are not necessarily developing or acquiring systems specifically for processing, storing, or transmitting CUI;
• Nonfederal organizations have specific safeguarding measures in place to protect their information which may also be sufficient to satisfy the security requirements;
• Nonfederal organizations may not have the necessary organizational structure or resources to satisfy every security requirement and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a requirement; and
• Nonfederal organizations can implement a variety of potential security solutions directly or using external service providers (e.g., managed services) to satisfy security requirements.

¹⁵ The moderate impact value defined in [FIPS 199] may become part of a moderate impact system in [FIPS 200], which requires the use of the moderate baseline in [SP 800-53] as the starting point for tailoring actions.
¹⁶ In accordance with [32 CFR 2002], CUI is categorized at no less than the moderate confidentiality impact value. However, when federal law, regulation, or governmentwide policy establishing the control of the CUI specifies controls that differ from those of the moderate confidentiality baseline, then these will be followed.

IMPLEMENTING A SINGLE STATE SECURITY SOLUTION FOR CUI

Controlled Unclassified Information has the same value, whether such information is resident in a federal system that is part of a federal agency or a nonfederal system that is part of a nonfederal organization.
Accordingly, the recommended security requirements contained in this publication are consistent with and are complementary to the standards and guidelines used by federal agencies to protect CUI.

2.2 DEVELOPMENT OF SECURITY REQUIREMENTS

The security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations have a well-defined structure that consists of a basic security requirements section and a derived security requirements section. The basic security requirements are obtained from [FIPS 200], which provides the high-level and fundamental security requirements for federal information and systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in [SP 800-53]. Starting with the security requirements and the security controls in the moderate baseline (i.e., the minimum level of protection required for CUI in federal systems and organizations), the requirements and controls are tailored to eliminate requirements, controls, or parts of controls that are:

• Uniquely federal (i.e., primarily the responsibility of the federal government);
• Not directly related to protecting the confidentiality of CUI; or
• Expected to be routinely satisfied by nonfederal organizations without specification.¹⁷

Appendix E provides a complete listing of security controls that support the CUI derived security requirements and those controls that have been eliminated from the moderate baseline based on the CUI tailoring criteria described above. The combination of the basic and derived security requirements captures the intent of [FIPS 200] and [SP 800-53] with respect to the protection of the confidentiality of CUI in nonfederal systems and organizations. Appendix D provides informal mappings of the security requirements to the relevant security controls in [SP 800-53] and [ISO 27001].
The mappings promote a better understanding of the CUI security requirements, and are not intended to impose additional requirements on nonfederal organizations. The security requirements developed from the tailored [FIPS 200] security requirements and the [SP 800-53] moderate security control baseline represent a subset of the safeguarding measures that are necessary for a comprehensive information security program. The strength and quality of such programs in nonfederal organizations depend on the degree to which the organizations implement the security requirements and controls that are expected to be routinely satisfied without specification by the federal government. This includes implementing security policies, procedures, and practices that support an effective risk-based information security program.

¹⁷ Nonfederal organizations are encouraged to refer to Appendix E and [SP 800-53] for a complete listing of security controls in the moderate baseline deemed out of scope for the security requirements in Chapter Three.

The following Media Protection family example illustrates the structure of a CUI requirement:

Basic Security Requirements
3.8.1 Protect (i.e., physically control and securely store) system media containing CUI, both paper and digital.
3.8.2 Limit access to CUI on system media to authorized users.
3.8.3 Sanitize or destroy system media containing CUI before disposal or release for reuse.

Derived Security Requirements
3.8.4 Mark media with necessary CUI markings and distribution limitations.
3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
3.8.7 Control the use of removable media on system components.
3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner.
3.8.9 Protect the confidentiality of backup CUI at storage locations.

For ease of use, the security requirements are organized into fourteen families. Each family contains the requirements related to the general security topic of the family. The families are closely aligned with the minimum security requirements for federal information and systems described in [FIPS 200]. The contingency planning, system and services acquisition, and planning requirements are not included within the scope of this publication due to the tailoring criteria.¹⁸ Table 1 lists the security requirement families addressed in this publication.

TABLE 1: SECURITY REQUIREMENT FAMILIES

FAMILY                               FAMILY
Access Control                       Media Protection
Awareness and Training               Personnel Security
Audit and Accountability             Physical Protection
Configuration Management             Risk Assessment
Identification and Authentication    Security Assessment
Incident Response                    System and Communications Protection
Maintenance                          System and Information Integrity

¹⁸ Three exceptions include: a requirement to protect the confidentiality of system backups (derived from CP-9) from the contingency planning family; a requirement to develop and implement a system security plan (derived from PL-2) from the planning family; and a requirement to implement system security engineering principles (derived from SA-8) from the system and services acquisition family. The requirements are included in the CUI media protection, security assessment, and system and communications protection requirements families, respectively.
A discussion section follows each CUI security requirement providing additional information to facilitate the implementation and assessment of the requirements. This information is derived primarily from the security controls discussion sections in [SP 800-53] and is provided to give organizations a better understanding of the mechanisms and procedures used to implement the controls used to protect CUI. The discussion section is informative, not normative. It is not intended to extend the scope of a requirement or to influence the solutions organizations may use to satisfy a requirement. The use of examples is notional, not exhaustive, and not reflective of potential options available to organizations. Figure 1 illustrates basic security requirement 3.8.3 with its supporting discussion section and informative references.

3.8.3 Sanitize or destroy system media containing CUI before disposal or release for reuse.

DISCUSSION
This requirement applies to all system media, digital and non-digital, subject to disposal or reuse. Examples include: digital media found in workstations, network components, scanners, copiers, printers, notebook computers, and mobile devices; and non-digital media such as paper and microfilm. The sanitization process removes information from the media such that the information cannot be retrieved or reconstructed. Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the disclosure of information to unauthorized individuals when such media is released for reuse or disposal.
Organizations determine the appropriate sanitization methods, recognizing that destruction may be necessary when other methods cannot be applied to the media requiring sanitization. Organizations use discretion on the employment of sanitization techniques and procedures for media containing information that is in the public domain or publicly releasable or deemed to have no adverse impact on organizations or individuals if released for reuse or disposal. Sanitization of non-digital media includes destruction, removing CUI from documents, or redacting selected sections or words from a document by obscuring the redacted sections or words in a manner equivalent in effectiveness to removing the words or sections from the document. NARA policy and guidance control sanitization processes for controlled unclassified information. [SP 800-88] provides guidance on media sanitization.

FIGURE 1: FORMAT AND STRUCTURE OF CUI SECURITY REQUIREMENT

CHAPTER THREE
THE REQUIREMENTS
SECURITY REQUIREMENTS FOR PROTECTING THE CONFIDENTIALITY OF CUI

This chapter describes fourteen families of recommended security requirements for protecting the confidentiality of CUI in nonfederal systems and organizations.¹⁹ The security controls from [SP 800-53] associated with the basic and derived requirements are listed in Appendix D.²⁰ Organizations can use the NIST publication to obtain additional, nonprescriptive information related to the recommended security requirements (e.g., explanatory information in the discussion section for each of the referenced security controls, mapping tables to [ISO 27001] security controls, and a catalog of optional controls that can be used to specify additional security requirements, if needed). This information can help clarify or interpret the requirements in the context of mission and business requirements, operational environments, or assessments of risk. Nonfederal organizations can implement a variety of potential security solutions either directly or using managed services to satisfy the security requirements, and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a requirement.²¹

DISCUSSION SECTION

The discussion section associated with each CUI requirement is informative, not normative. It is not intended to extend the scope of a requirement or to influence the solutions organizations may use to satisfy a requirement. In addition, the use of examples is notional, not exhaustive, and not reflective of potential options available to organizations.

Nonfederal organizations describe, in a system security plan, how the security requirements are met or how organizations plan to meet the requirements and address known and anticipated threats. The system security plan describes: the system boundary; operational environment; how security requirements are implemented; and the relationships with or connections to other systems. Nonfederal organizations develop plans of action that describe how unimplemented security requirements will be met and how any planned mitigations will be implemented. Organizations can document the system security plan and the plan of action as separate or combined documents and in any chosen format.²²

¹⁹ The security objectives of confidentiality and integrity are closely related since many of the underlying security mechanisms at the system level support both objectives. Therefore, the basic and derived security requirements in this publication provide protection from unauthorized disclosure and unauthorized modification of CUI.
²⁰ The security control references in Appendix D are included to promote a better understanding of the recommended security requirements and do not expand the scope of the requirements.
²¹ To promote consistency, transparency, and comparability, the compensatory security measures selected by organizations are based on or derived from existing and recognized security standards and control sets, including, for example, [ISO 27001] or [SP 800-53].
²² [NIST CUI] provides supplemental material for Special Publication 800-171 including templates for system security plans and plans of action.

When requested, the system security plan (or extracts thereof) and the associated plans of action for any planned implementations or mitigations are submitted to the responsible federal agency/contracting office to demonstrate the nonfederal organization’s implementation or planned implementation of the security requirements. Federal agencies may consider the submitted system security plans and plans of action as critical inputs to a risk management decision to process, store, or transmit CUI on a system hosted by a nonfederal organization and whether it is advisable to pursue an agreement or contract with the nonfederal organization.
The recommended security requirements in this publication apply only to the components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components. Some systems, including specialized systems (e.g., industrial/process control systems, medical devices, Computer Numerical Control machines), may have limitations on the application of certain security requirements. To accommodate such issues, the system security plan, as reflected in requirement 3.12.4, is used to describe any enduring exceptions to the security requirements. Individual, isolated, or temporary deficiencies are managed through plans of action, as reflected in requirement 3.12.2.

THE MEANING OF ORGANIZATIONAL SYSTEMS

The term organizational system is used in many of the recommended CUI security requirements in this publication. This term has a specific meaning regarding the scope of applicability for the security requirements. The requirements apply only to the components of nonfederal systems that process, store, or transmit CUI, or that provide protection for the system components. The appropriate scoping for the CUI security requirements is an important factor in determining protection-related investment decisions and managing security risk for nonfederal organizations that have the responsibility of safeguarding CUI.

3.1 ACCESS CONTROL

Basic Security Requirements

3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).

DISCUSSION
Access control policies (e.g., identity- or role-based policies, control matrices, and cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, and domains) in systems.
Access enforcement mechanisms can be employed at the application and service level to provide increased information security. Other systems include systems internal and external to the organization. This requirement focuses on account management for systems and applications. The definition of and enforcement of access authorizations, other than those determined by account type (e.g., privileged versus non-privileged), are addressed in requirement 3.1.2.

3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute.

DISCUSSION
Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. System account types include individual, shared, group, system, anonymous, guest, emergency, developer, manufacturer, vendor, and temporary. Other attributes required for authorizing access include restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., system upgrades, scheduled maintenance) and mission or business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements).

Derived Security Requirements

3.1.3 Control the flow of CUI in accordance with approved authorizations.

DISCUSSION
Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information.
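The flow restrictions this discussion goes on to list can be expressed as an ordered rule set on a boundary device. The following Python is an added example, not code from NIST or this publication: it models a firewall-style rule set that blocks outside traffic claiming an internal source, permits Internet requests only from the internal web proxy, and stops export-controlled content from leaving in the clear; the address ranges, proxy address, ports, and sample flows are constructed assumptions.

```python
"""Illustrative flow-control rule set for requirement 3.1.3.

Added example, not NIST's own code. It models a boundary device enforcing
three restrictions named in the 3.1.3 discussion: blocking outside traffic
that claims to be from within the organization, allowing Internet requests
only from the internal web proxy, and keeping export-controlled information
from being transmitted in the clear. All networks, addresses, ports and
flows below are constructed sample data, not values from the publication.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed organizational address space and the single permitted egress proxy.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
WEB_PROXY = ip_address("10.0.0.10")
# Assumed: destination ports on which content is protected in transit.
ENCRYPTED_PORTS = {443, 22}


@dataclass(frozen=True)
class Flow:
    """One observed flow; iface is the interface the packet arrived on."""
    iface: str                 # "external" (Internet-facing) or "internal"
    src: str                   # source IP address
    dst: str                   # destination IP address
    dst_port: int
    label: str = "unlabeled"   # content label assigned by message inspection


def is_internal(addr: str) -> bool:
    """True if addr lies in the organization's internal address space."""
    a = ip_address(addr)
    return any(a in net for net in INTERNAL_NETS)


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ("allow" | "deny", reason) for a single flow.

    Rules are evaluated in order and the first matching deny wins, which is
    how boundary devices process an ordered rule set.
    """
    src_internal = is_internal(flow.src)
    dst_internal = is_internal(flow.dst)

    # Anti-spoofing: nothing arriving from outside may claim an internal source.
    if flow.iface == "external" and src_internal:
        return "deny", "external packet with spoofed internal source"

    # Egress restriction: hosts may reach the Internet only via the web proxy.
    if src_internal and not dst_internal and ip_address(flow.src) != WEB_PROXY:
        return "deny", "Internet request not from the internal web proxy"

    # Content-based restriction: export-controlled data never leaves in the clear.
    if (flow.label == "export-controlled" and not dst_internal
            and flow.dst_port not in ENCRYPTED_PORTS):
        return "deny", "export-controlled information would leave in the clear"

    # Inbound traffic to published services and purely internal traffic are
    # outside the scope of these three rules; other rules would govern them.
    return "allow", "no flow restriction matched"


# Constructed sample flows exercising each rule plus the permitted cases.
SAMPLE_FLOWS = [
    Flow("external", "10.1.2.3", "10.0.0.10", 443),                          # spoofed source
    Flow("internal", "10.5.5.5", "198.51.100.7", 443),                       # bypasses proxy
    Flow("internal", "10.0.0.10", "198.51.100.7", 443),                      # proxy egress
    Flow("internal", "10.0.0.10", "198.51.100.7", 80, "export-controlled"),  # in the clear
    Flow("internal", "10.0.0.10", "198.51.100.7", 443, "export-controlled"), # protected
    Flow("internal", "10.5.5.5", "192.168.1.4", 445),                        # stays inside
]


def evaluate_all(flows=SAMPLE_FLOWS) -> list[tuple[str, str, str]]:
    """Evaluate every flow; returns (src, dst, decision) triples."""
    return [(f.src, f.dst, evaluate(f)[0]) for f in flows]


if __name__ == "__main__":
    for f in SAMPLE_FLOWS:
        decision, reason = evaluate(f)
        print(f"{f.iface:8} {f.src:>14} -> {f.dst:>14}:{f.dst_port:<4} "
              f"{f.label:18} {decision:5} {reason}")
```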
Flow control restrictions include the following: keeping export-controlled information from being transmitted in the clear to the Internet; blocking outside traffic that claims to be from within the organization; restricting requests to the Internet that are not from the internal web proxy server; and limiting information transfers between organizations based on data structures and content. Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one