CUI stands for %22Controlled Unclassified Information,%22 and SP800 refers….pdf

Full Transcript

CUI stands for "Controlled
Unclassified Information," and
SP800 refers to a series of
publications by the National
Institute of Standards and
Technology (NIST) that provide
guidance on various aspects of
information security.
SP800-171 specifically provides
guidelines for protecting Controlled
Unclassified Information (CUI) in
non-federal systems and
organizations. CUI refers to
unclassified information that
requires safeguarding or
dissemination controls in
accordance with laws, regulations,
or government-wide policies.
The guidelines in SP800-171 are
intended for use by federal
agencies in their acquisition of nonfederal systems that process, store,
or transmit CUI, as well as by nonfederal organizations that process,
store, or transmit CUI on behalf of
federal agencies. The document
provides requirements for
protecting the confidentiality,
integrity, and availability of CUI, and
outlines security controls that
should be implemented to achieve
these objectives.
Manufacturers involved in supply
chains tied to government contracts
can anticipate those awards
bringing in additional revenue at
levels that might not be possible
otherwise. However, being

successful in getting and keeping
such work means complying with
the Federal Acquisition Regulation
(FAR) and Defense Federal
Acquisition Regulation Supplement
(DFARS).
FAR is a set of regulations that
governs all acquisitions and
contracting procedures associated
with the U.S. government. DFARS
accompanies FAR as an addition.
The Department of Defense (DoD)
is the administrative body behind
DFARS, but the reach of DFARS
requirements extends to more than
that organization.
NIST SP 800-171 is a NIST Special
Publication that provides
recommended requirements for
protecting the confidentiality of
controlled unclassified information
(CUI). Defense contractors must
implement the recommended
requirements contained in NIST SP
800-171 to demonstrate their
provision of adequate security to
protect the covered defense
information included in their
defense contracts, as required by
DFARS clause 252.204-7012. If a
manufacturer is part of a DoD,
General Services Administration
(GSA), NASA or other federal or
state agencies’ supply chain, the
implementation of the security
requirements included in NIST SP
800-171 is a must.

How Do You Implement NIST
SP 800-171?

It's understandable for
manufacturers to wonder what they
should do to implement NIST SP
800-171 and ultimately get in
compliance with DFARS, and
whether there are specialized
resources available to help them
achieve that milestone without
preventable pitfalls. The first thing
they should keep in mind is that
being DFARS compliant likely
involves working with a
cybersecurity consultant that knows
the NIST SP 800-171 requirements
inside and out.
It's advisable for small
manufacturers to look to their
state’s Manufacturing Extension
Partnership (MEP) Center. Part of
the MEP National Network™, a
larger organization that connects
them to NIST, the representatives at
your local MEP Center will have a
working knowledge of NIST SP
800-171 and can help companies
prepare for DFARS compliance. It
can be a short or long process,
depending upon the complexities of
a company’s operating environment
and information systems, but
implementing NIST SP 800-171 is a
necessary process for a company to
protect its information.

What Does a Successful Plan
Entail?
Manufacturers that want to retain
their DoD, GSA, NASA and other
federal and state agency contracts
need to have a plan that meets the

requirements of NIST SP 800-171.
DFARS cybersecurity clause
252,204-7012 went into effect on
Dec. 31, 2017, and deals with
processing, storing or transmitting
CUI that exists on non-federal
systems — such as those used by a
government contractor.
One of the first steps
manufacturers should take is to
identify where gaps exist that
prevent them from being compliant
with DFARS. From that point, they
can determine how to proceed.

How Should Manufacturers
Start Working Toward
Compliance?
The MEP National Network
offers dedicated resources for
manufacturers that need
information about a company’s
cybersecurity posture that can help
companies understand what getting
compliant with DFARS actually
means to them. Companies can see
whether DFARS compliance applies
to them and view infographics that
recommend steps to take to make
their factory floors more secure.
The MEP National Network also
provides a particular resource that
manufacturers will undoubtedly
refer to again and again: the NIST
Self-Assessment Handbook (NIST
Handbook 162). It spans more than
150 pages and helps readers assess
their facilities to conclude how
close they are to implementing NIST
SP 800-171 to help them

understand how close they are to
being DFARS compliant. It also
helps determine where to focus
efforts when making improvements
to maximize the impact of each
dollar spent on cybersecurity.
For example, the document features
content that advises how to go
about carrying out an assessment
and which applicable employees to
talk to regarding security
requirements. Manufacturers that
read through the handbook will note
that each assessment question has
an "alternative approach" option. It
refers to the fact that
manufacturers may find some
requirements in NIST SP 800-171
that don't apply to them.
In that case, it's acceptable to use a
different but equally effective
method of maintaining security —
as long as the respective
manufacturers notify the correct
government authorities about the
changes and get approval for them.
Manufacturing plant representatives
can also increase their
understanding of compliance
requirements by watching a
webinar(link is external) that goes
through some of the crucial
elements of the handbook.

Complexity Shouldn’t Be a
Barrier
Manufacturers may initially view the
cybersecurity requirements for
government contracts as too
complicated, especially if they have

small operations.
However, using the available
resources — including local MEP
Centers — allows manufacturers to
realize it's possible to get in
compliance with DFARS, as well as
stay in compliance, by
implementing the NIST SP 800-171
requirements and to open
possibilities for receiving financially
rewarding and reputation-boosting
government contracts.
SP800-131a is a requirement
originated by the National Institute
of Standards and Technology
(NIST) which requires longer key
lengths and stronger cryptography.
The specification also provides a
transition configuration to enable
US federal agencies to move to a
strict enforcement of SP800-131a.
The transition configuration also
enables US federal agencies to run
with a mixture of settings from both
FIPS140-3 and SP800-131a.
SP800-131a can be run in two
modes: transition and strict.

Strict mode
Overview of configuration tasks:
. Enable FIPS 140-2 mode
during appliance
configuration.
. Set a tuning parameter to
enable strict mode.
. (Optional) If your deployment
uses client certificate
authentication, configure TLS

v1.2.
To achieve a FedRAMP Ready
designation, a CSO’s MFA solution
must comply with NIST Special
Publication (SP) 800-63B, which
requires the use of FIPS 140
validated encryption for MFA tools.
Data encryption is a fundamental
security control, popular for
mitigating the impact that a data
breach has on an organization. By
making data unusable to anyone
without the decryption key,
encryption provides an additional
layer of depth to an organization’s
defensive posture. If threat actors
manage to evade detection and
exfiltrate data, they need the
appropriate decryption key to use it,
rendering their efforts moot and
discouraging further activity.
While the first iteration of the
Cybersecurity Maturity Model
Certification (CMMC) program was
released in 2020, the Department of
Defense announced CMMC 2.0 on
November 4, 2021. CMMC 2.0
maintains the same goals as the
original program, but it also adds
enhancements, including:
• Accountability while minimizing
compliance barriers
• Collaboration
• Ease of execution while enhancing
public trust1
Additionally, CMMC 2.0 simplifies
the control requirements by

reducing from five certification
levels to only three:
• Level 1 (remains equivalent to
CMMC 1.0 Level 1): Foundational •
Level 2 (formerly Levels 2 and 3) :
Advanced
• Level 3 (formerly Levels 4 and 5):
Expert
As members of the Defense
Industrial Base (DIB) seek to meet
CMMC compliance requirements,
they need to employ best
cryptographic practices for
securing information.
Under the original CMMC program,
the National Institute of Standards
and Technology (NIST) Special
Publication (SP) 800-171, acted as
a guiding set of best practices for
CMMC with additional CMMCspecific controls attached.
However, under CMMC 2.0, NIST SP
800-171 is now the primary set of
compliance requirements for setting
minimum security baselines. Data
encryption is featured prominently
among those requirements, and
800-171 references another NIST
publication, the FIPS 140 standard,
for specific governance.
Organizations that need to comply
with CMMC Level 2 or higher should
understand:
• The intersection between NIST SP
800-171, the FIPS 140 standard for
cryptography, and CMMC controls;
• CMMC Practices that directly
reference encryption requirements;
• CMMC Level 2 and 3 compliance

requirements for FIPS 140
validation;
• The distinction between FIPS
Validated and FIPS Compliant
encryption;
• And the process to achieve FIPS
140 validation with recommended
strategies.

As organizations within the DIB look
to meet CMMC compliance as part
of maintaining their current
contracts and apply for future
contracts, validated encryption is
fundamental to meeting
certification requirements.
After reading this paper, certain
action items should be on your
radar:
• Confirm the relevant CMMC level
for your business;
• Inventory the FCI and CUI held by
your organization;
• Identify where encryption is
deployed in your systems and
whether it has been certified to
meet the FIPS 140 standard;