CUI and SP800 Information Security Guidelines PDF
Uploaded by TroubleFreeDesert
Summary
This document provides guidelines for protecting Controlled Unclassified Information (CUI). It details the importance of information security and the role of the National Institute of Standards and Technology (NIST).
Full Transcript
CUI stands for "Controlled Unclassified Information," and SP800 refers to a series of publications by the National Institute of Standards and Technology (NIST) that provide guidance on various aspects of information security. SP800-171 specifically provides guidelines for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. CUI refers to unclassified information that requires safeguarding or dissemination controls in accordance with laws, regulations, or government-wide policies. The guidelines in SP800-171 are intended for use by federal agencies in their acquisition of nonfederal systems that process, store, or transmit CUI, as well as by nonfederal organizations that process, store, or transmit CUI on behalf of federal agencies. The document provides requirements for protecting the confidentiality, integrity, and availability of CUI, and outlines security controls that should be implemented to achieve these objectives.

DFARS compliance mandates the use of FIPS 140-2 certified encryption modules for protecting sensitive information, and it is an essential requirement for contractors and subcontractors who want to do business with the US Department of Defense. Other regulations that call for FIPS 140-2 certified encryption include:

• Federal Information Security Modernization Act (FISMA): This law requires federal agencies to implement a risk-based cybersecurity program that includes the use of FIPS 140-2 certified encryption to protect sensitive information.
• Health Insurance Portability and Accountability Act (HIPAA): HIPAA requires covered entities and business associates to implement technical safeguards to protect electronic protected health information (ePHI), including the use of FIPS 140-2 certified encryption.
• Federal Risk and Authorization Management Program (FedRAMP): FedRAMP is a government-wide program that provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services. FedRAMP requires cloud service providers to use FIPS 140-2 certified encryption for data at rest and in transit.
• Payment Card Industry Data Security Standard (PCI DSS): PCI DSS is a set of security standards that organizations must follow to accept credit and debit card payments. PCI DSS requires the use of FIPS 140-2 certified encryption to protect cardholder data.

The use of FIPS 140-2 validated cryptographic modules provides assurance that the cryptographic algorithms and protocols used for protecting sensitive information have been tested and validated against a set of security requirements specified by NIST. FIPS 140-certified modules are used by a wide range of organizations, including government agencies, financial institutions, healthcare providers, and other organizations that handle sensitive and valuable information. Some of the largest purchasers of FIPS 140-certified modules are likely to be government agencies, such as the Department of Defense, the Department of Homeland Security, and the National Security Agency. Financial institutions, such as banks and credit card companies, also commonly use FIPS 140-certified modules to protect the security of their systems and the confidentiality of their customers' financial information. In addition, healthcare providers and insurance companies use FIPS 140-certified modules to protect the privacy and security of patient data. Overall, FIPS 140-certified modules are used by a wide range of organizations and industries that require strong cryptographic security for their systems and data.

The U.S. Department of Veterans Affairs (VA) is a government agency responsible for providing a wide range of benefits and services to veterans of the U.S. military. As part of its mission to protect the privacy and security of veterans' personal and medical information, the VA uses FIPS 140-certified cryptographic modules to protect sensitive data. The VA has implemented a number of security measures to protect the confidentiality, integrity, and availability of its information systems and data, including the use of FIPS 140-certified cryptographic modules. These modules are used to encrypt and decrypt sensitive data, including patient medical records, financial information, and other sensitive data.

SP800-63 references other NIST standards, including FIPS 140-2, as a source of cryptographic algorithms and protocols that can be used to meet the security requirements of the guidelines. FedRAMP recommends the use of NIST-approved cryptographic algorithms and protocols (FIPS 140-2) to ensure the security and integrity of data in transit and at rest.

NIST SP 800-171 is a NIST Special Publication that provides recommended requirements for protecting the confidentiality of controlled unclassified information (CUI). Defense contractors must implement the recommended requirements contained in NIST SP 800-171 to demonstrate their provision of adequate security to protect the covered defense information included in their defense contracts, as required by DFARS clause 252.204-7012. If a manufacturer is part of a DoD, General Services Administration (GSA), NASA or other federal or state agencies' supply chain, the implementation of the security requirements included in NIST SP 800-171 is a must.

How Do You Implement NIST SP 800-171?

It's understandable for manufacturers to wonder what they should do to implement NIST SP 800-171 and ultimately get in compliance with DFARS, and whether there are specialized resources available to help them achieve that milestone without preventable pitfalls. The first thing they should keep in mind is that being DFARS compliant likely involves working with a cybersecurity consultant that knows the NIST SP 800-171 requirements inside and out. It's advisable for small manufacturers to look to their state's Manufacturing Extension Partnership (MEP) Center. Part of the MEP National Network™, a larger organization that connects them to NIST, the representatives at your local MEP Center will have a working knowledge of NIST SP 800-171 and can help companies prepare for DFARS compliance. It can be a short or long process, depending upon the complexities of a company's operating environment and information systems, but implementing NIST SP 800-171 is a necessary process for a company to protect its information.

What Does a Successful Plan Entail?

Manufacturers that want to retain their DoD, GSA, NASA and other federal and state agency contracts need to have a plan that meets the requirements of NIST SP 800-171. DFARS cybersecurity clause 252.204-7012 went into effect on Dec. 31, 2017, and deals with processing, storing or transmitting CUI that exists on non-federal systems — such as those used by a government contractor. One of the first steps manufacturers should take is to identify where gaps exist that prevent them from being compliant with DFARS. From that point, they can determine how to proceed.

How Should Manufacturers Start Working Toward Compliance?

The MEP National Network offers dedicated resources for manufacturers that need information about a company's cybersecurity posture, which can help companies understand what getting compliant with DFARS actually means to them. Companies can see whether DFARS compliance applies to them and view infographics that recommend steps to take to make their factory floors more secure. The MEP National Network also provides a particular resource that manufacturers will undoubtedly refer to again and again: the NIST Self-Assessment Handbook (NIST Handbook 162). It spans more than 150 pages and helps readers assess their facilities to determine how close they are to implementing NIST SP 800-171, and therefore how close they are to being DFARS compliant. It also helps determine where to focus efforts when making improvements to maximize the impact of each dollar spent on cybersecurity. For example, the document features content that advises how to go about carrying out an assessment and which applicable employees to talk to regarding security requirements.

Manufacturers that read through the handbook will note that each assessment question has an "alternative approach" option. It refers to the fact that manufacturers may find some requirements in NIST SP 800-171 that don't apply to them. In that case, it's acceptable to use a different but equally effective method of maintaining security — as long as the respective manufacturers notify the correct government authorities about the changes and get approval for them. Manufacturing plant representatives can also increase their understanding of compliance requirements by watching a webinar that goes through some of the crucial elements of the handbook.

Complexity Shouldn't Be a Barrier

Manufacturers may initially view the cybersecurity requirements for government contracts as too complicated, especially if they have small operations. However, using the available resources — including local MEP Centers — allows manufacturers to realize it's possible to get in compliance with DFARS, as well as stay in compliance, by implementing the NIST SP 800-171 requirements, and to open possibilities for receiving financially rewarding and reputation-boosting government contracts.

SP800-131a is a requirement originated by the National Institute of Standards and Technology (NIST) which requires longer key lengths and stronger cryptography. The specification also provides a transition configuration to enable US federal agencies to move to a strict enforcement of SP800-131a. The transition configuration also enables US federal agencies to run with a mixture of settings from both FIPS 140-3 and SP800-131a. SP800-131a can be run in two modes: transition and strict.
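The following is an added example, not part of the original document, showing how the two SP800-131a modes above might be applied when auditing an inventory of TLS endpoints. The thresholds it enforces (TLS 1.2 or later, RSA keys of at least 2048 bits, EC keys of at least 224 bits, SHA-2 certificate signatures, no 3DES/RC4/MD5 cipher suites) are the author's reading of the 112-bit security strength floor in SP 800-131A Rev. 2 and are an assumption about what "strict" means for a given product; the `TlsEndpoint` records are constructed samples, not real hosts.

```python
from dataclasses import dataclass

# Assumed strict-mode policy: the 112-bit security-strength floor of
# SP 800-131A Rev. 2 mapped onto concrete key sizes, hashes and protocols.
MIN_RSA_BITS = 2048
MIN_EC_BITS = 224
STRONG_HASHES = {"sha256", "sha384", "sha512"}
STRICT_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
DISALLOWED_CIPHER_TOKENS = ("3DES", "RC4", "MD5")


@dataclass
class TlsEndpoint:
    name: str
    protocol: str   # negotiated protocol, e.g. "TLSv1.0" or "TLSv1.2"
    key_type: str   # "rsa" or "ec"
    key_bits: int   # public key size in bits
    sig_hash: str   # hash used in the certificate signature, e.g. "sha1"
    cipher: str     # negotiated cipher suite name


def sp800_131a_findings(ep: TlsEndpoint) -> list[str]:
    """Return every setting on the endpoint that strict mode would reject."""
    findings = []
    if ep.protocol not in STRICT_PROTOCOLS:
        findings.append(f"protocol {ep.protocol} (require TLSv1.2 or later)")
    min_bits = MIN_RSA_BITS if ep.key_type == "rsa" else MIN_EC_BITS
    if ep.key_bits < min_bits:
        findings.append(f"{ep.key_type} key of {ep.key_bits} bits (< {min_bits})")
    if ep.sig_hash.lower() not in STRONG_HASHES:
        findings.append(f"certificate signed with {ep.sig_hash} (require SHA-2)")
    if any(tok in ep.cipher for tok in DISALLOWED_CIPHER_TOKENS):
        findings.append(f"cipher suite {ep.cipher} uses a disallowed algorithm")
    return findings


def evaluate(ep: TlsEndpoint, mode: str) -> tuple[str, list[str]]:
    """Transition mode only warns about legacy settings; strict mode fails them."""
    findings = sp800_131a_findings(ep)
    if not findings:
        return "pass", []
    return ("warn" if mode == "transition" else "fail"), findings


# Constructed sample inventory (hypothetical hosts, not taken from the document).
SAMPLE = [
    TlsEndpoint("legacy-ldap", "TLSv1.0", "rsa", 1024, "sha1", "TLS_RSA_WITH_3DES_EDE_CBC_SHA"),
    TlsEndpoint("web-portal", "TLSv1.2", "rsa", 2048, "sha256", "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256"),
]

if __name__ == "__main__":
    for mode in ("transition", "strict"):
        for ep in SAMPLE:
            status, why = evaluate(ep, mode)
            print(f"[{mode}] {ep.name}: {status} {'; '.join(why)}")
```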
Strict mode

Overview of configuration tasks:
• Enable FIPS 140-2 mode during appliance configuration.
• Set a tuning parameter to enable strict mode.
• (Optional) If your deployment uses client certificate authentication, configure TLS v1.2.

To achieve a FedRAMP Ready designation, a CSO's MFA solution must comply with NIST Special Publication (SP) 800-63B, which requires the use of FIPS 140 validated encryption for MFA tools.

Data encryption is a fundamental security control, popular for mitigating the impact that a data breach has on an organization. By making data unusable to anyone without the decryption key, encryption provides an additional layer of depth to an organization's defensive posture. If threat actors manage to evade detection and exfiltrate data, they need the appropriate decryption key to use it, rendering their efforts moot and discouraging further activity.

While the first iteration of the Cybersecurity Maturity Model Certification (CMMC) program was released in 2020, the Department of Defense announced CMMC 2.0 on November 4, 2021. CMMC 2.0 maintains the same goals as the original program, but it also adds enhancements, including:
• Accountability while minimizing compliance barriers
• Collaboration
• Ease of execution while enhancing public trust

Additionally, CMMC 2.0 simplifies the control requirements by reducing from five certification levels to only three:
• Level 1 (remains equivalent to CMMC 1.0 Level 1): Foundational
• Level 2 (formerly Levels 2 and 3): Advanced
• Level 3 (formerly Levels 4 and 5): Expert

As members of the Defense Industrial Base (DIB) seek to meet CMMC compliance requirements, they need to employ best cryptographic practices for securing information. Under the original CMMC program, the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 acted as a guiding set of best practices for CMMC with additional CMMC-specific controls attached. NIST SP 800-171 is the primary set of compliance requirements for setting minimum security baselines. Data encryption is featured prominently among those requirements, and 800-171 references another NIST publication, the FIPS 140 standard, for specific governance.

Organizations that need to comply with CMMC Level 2 or higher should understand:
• The intersection between NIST SP 800-171, the FIPS 140 standard for cryptography, and CMMC controls;
• CMMC Practices that directly reference encryption requirements;
• CMMC Level 2 and 3 compliance requirements for FIPS 140 validation;
• The distinction between FIPS Validated and FIPS Compliant encryption;
• The process to achieve FIPS 140 validation with recommended strategies.

Using FIPS 140-2 validated cryptographic modules in applications can provide several benefits, including enhanced security, compliance with regulations, risk management, interoperability, and industry recognition. Many government and industry regulations require the use of FIPS 140 validated cryptographic modules. By implementing these modules, organizations can ensure compliance with regulations such as FISMA, HIPAA, and PCI DSS, minimizing the risk of regulatory penalties and legal liability. While implementing FIPS 140 validated cryptographic modules can require significant upfront and ongoing costs, the potential benefits, including competitive advantage, regulatory compliance, improved security, and interoperability, can outweigh these costs and lead to increased profitability over time. As organizations within the DIB look to meet CMMC compliance as part of maintaining their current contracts and applying for future contracts, validated encryption is fundamental to meeting certification requirements.

After reading this paper, certain action items should be on your radar:
• Confirm the relevant CMMC level for your business;
• Inventory the FCI and CUI held by your organization;
• Identify where encryption is deployed in your systems and whether it has been certified to meet the FIPS 140 standard;