special publication 800 171
play

Special Publication 800-171 Protecting Controlled Unclassified - PowerPoint PPT Presentation

Nov 21, 2023 •293 likes •587 views

Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Patricia Toth NIST MEP MEP Overview What is Information Security? Cyber- Personnel security Security

  1. Special Publication 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations Patricia Toth NIST MEP MEP Overview

  2. What is Information Security? Cyber- Personnel security Security Operational Privacy Security Contingency Planning & Physical Disaster Security Recovery 2 MEP Overview

  3. Our appe)te for advanced technology is rapidly exceeding our ability to protect it. MEP Overview

  4. We are vulnerable because our information technology is fragile and susceptible to a wide range of threats including: § natural disasters. § structural failures. § cyber attacks. § human errors. MEP Overview

  5. NIST Cybersecurity Guidance FIPS Special Publications NISTIR MEP Overview

  6. NIST Special Publica)on 800-171 Rev 1 Protec)ng Controlled Unclassified Informa)on in Nonfederal Informa)on Systems and Organiza)ons December 2016 h-p://nvlpubs.nist.gov/nistpubs/SpecialPublica>ons/NIST.SP.800-171r1.pdf MEP Overview

  7. Controlled Unclassified Information Supports federal missions and business functions… … that affect the economic and national security interests of the United States. MEP Overview

  8. Nonfederal Organiza)ons Some Examples § Federal contractors, and subcontractors. § State, local, and tribal governments. § Colleges and universities. MEP Overview

  9. Why is this all necessary? • Over 100 different ways of characterizing SBU information. • No common definition or protocols. • Information inconsistently marked. • Common definition and standardize processes and procedures. 9 MEP Overview

  10. The CUI Registry www.archives.gov/cui/registry/category-list.html § Online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI Executive Agent. § Identifies approved CUI categories and subcategories (with descriptions of each) and the basis for controls. § Sets out procedures for the use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, re-using, and disposing of the information. MEP Overview

  11. CUI Registry • Manufacturing Category-Subcategory: Proprietary Business Information-Manufacturer Category Description: Material and information relating to, or associated with, a company's products, business, or activities, including but not limited to financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications. Subcategory Description: Relating to the production of a consumer product to include that of a private labeler. Marking: MFC 11 MEP Overview

  12. The Big Picture Plan for the protec=on of CUI § Federal CUI rule (32 CFR Part 2002) to establish the required controls and markings for CUI governmentwide. § NIST Special Publication 800-171 to define security requirements for protecting CUI in nonfederal information systems and organizations. § Federal Acquisition Regulation (FAR) clause to apply the requirements of the federal CUI rule and NIST Special Publication 800-171 to contractors. § DFAR clause 252.204.7008 requires compliance to NIST Special Publication 800-171 MEP Overview

  13. Assump)ons Nonfederal Organizations — § Have information technology infrastructures in place. § Not developing or acquiring systems specifically for the purpose of processing, storing, or transmitting CUI. § Have safeguarding measures in place to protect their information. § May also be sufficient to satisfy the CUI requirements. § May not have the necessary organizational structure or resources to satisfy every CUI security requirement. § Can implement alternative, but equally effective, security measures. § Can implement a variety of potential security solutions. § Directly or through the use of managed services. MEP Overview

  14. § Access Control. § Audit and Accountability. § Awareness and Training. § Configuration Management. § Identification and Authentication. § Incident Response. Security Requirements § Maintenance. 14 Families § Media Protection. § Physical Protection. Obtained from FIPS 200 and § Personnel Security. NIST Special Publication 800-53. § Risk Assessment. § Security Assessment. § System and Communications Protection § System and Information Integrity. MEP Overview

  15. Structure of Security Requirements Security requirements have a well-defined structure that consists of the following components: § Basic security requirements section. § Derived security requirements section. MEP Overview

  16. Security Requirement Awareness and Training Example Basic Security Requirements: 3.2.1 Ensure that managers, systems administrators, and users of organiza)onal informa)on systems are made aware of the security risks associated with their ac)vi)es and of the applicable policies, standards, and procedures related to the security of those organiza)onal informa)on systems. 3.2.2 Ensure that organiza)onal personnel are adequately trained to carry out their assigned informa)on security-related du)es and responsibili)es. Derived Security Requirements: 3.2.3 Provide security awareness training on recognizing and repor)ng poten)al indicators of insider threat. MEP Overview

  17. Security Requirement Awareness and Training Example 3.2.2 Basic Security Requirements: 3.2.2 Ensure that organiza)onal personnel are adequately trained to carry out their assigned informa)on security-related du)es and responsibili)es. Mee:ng the Requirement: • Basic security awareness training to new employees. • Security awareness training to users when informa)on system changes. • Annual security awareness refresher training. MEP Overview

  18. Security Requirement Awareness and Training Example 3.2.2 Basic Security Requirements: 3.2.2 Ensure that organiza)onal personnel are adequately trained to carry out their assigned informa)on security-related du)es and responsibili)es. Mee:ng the Requirement: • Security awareness and training policy. • Security awareness training materials. • Security plan; training records; other relevant documents or records. • Personnel with responsibili)es for security awareness training. MEP Overview

  19. Security Requirement Configura>on Management Example Basic Security Requirements: 3.4.1 Establish and maintain baseline configura)ons and inventories of organiza)onal informa)on systems (including hardware, soSware, firmware, and documenta)on) throughout the respec)ve system development life cycles. 3.4.2 Establish and enforce security configura)on seUngs for informa)on technology products employed in organiza)onal informa)on systems. Derived Security Requirements: 3.4.3 Track, review, approve/disapprove, and audit changes to informa)on systems. 3.4.4 Analyze the security impact of changes prior to implementa)on. 3.4.5 Define, document, approve, and enforce physical and logical access restric)ons associated with changes to the informa)on system. 3.4.5 …………… MEP Overview

  20. Security Requirement Configura>on Management Example 3.4.1 Basic Security Requirements: 3.4.1 Establish and maintain baseline configura)ons and inventories of organiza)onal informa)on systems (including hardware, soSware, firmware, and documenta)on) throughout the respec)ve system development life cycles. Mee:ng the Requirements: • Develops, documents and maintains a current baseline configura)on of the informa)on system • Configura)on control in place. MEP Overview

  21. Security Requirement Configura>on Management Example 3.4.1 Basic Security Requirements: 3.4.1 Establish and maintain baseline configura)ons and inventories of organiza)onal informa)on systems (including hardware, soSware, firmware, and documenta)on) throughout the respec)ve system development life cycles. Mee:ng the Requirements: • Configura)on management policy; procedures and plan. • Documenta)on for Enterprise architecture or informa)on system design. • Informa)on system configura)on seUngs and associated documenta)on. • Change control records. • Personnel with configura)on management responsibili)es. • System/network administrator. MEP Overview

  22. Security Requirement Access Control Example Basic Security Requirements: 3.1.1 Limit system access to authorized users, processes ac)ng on behalf of authorized users, or devices (including other systems). 3.1.2 Limit system access to the types of transac)ons and func)ons that authorized users are permi]ed to execute. Derived Security Requirements: 3.1.3 Control the flow of CUI in accordance with approved authoriza)ons. 3.1.4 Separate the du)es of individuals to reduce the risk of malevolent ac)vity without collusion. 3.1.5 Employ the principle of least privilege, including for specific security func)ons and privileged accounts. 3.1.6 Use non-privileged accounts or roles when accessing non-security func)ons. 3.1.7 Prevent non-privileged users from execu)ng privileged func)ons and audit the execu)on of such func)ons. 3.1.8 Limit unsuccessful logon a]empts. MEP Overview

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Special Publication 800- -73: 73: Special Publication 800 Interfaces for Personal Identity

Special Publication 800- -73: 73: Special Publication 800 Interfaces for Personal Identity

Special Publication 800- -73: 73: Special Publication 800 Interfaces for Personal Identity Interfaces for Personal Identity Verification Verification Jim Dray PIV Implementers Workshop June 27, 2005 SP800- -73 Structure 73 Structure

541 views • 18 slides
Green PLA nanocomposites designed with special end-use properties (PowerPoint Presentation)

Green PLA nanocomposites designed with special end-use properties (PowerPoint Presentation)

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/266951909 Green PLA nanocomposites designed with special end-use properties (PowerPoint Presentation) Conference Paper May 2012

916 views • 37 slides
NIST Special Publication 800-137 Information Security Continuous Monitoring for Federal

NIST Special Publication 800-137 Information Security Continuous Monitoring for Federal

NIST Special Publication 800-137 Information Security Continuous Monitoring for Federal Information Systems and Organizations FISSEA 27 th Annual Conference Partners in Performance: Shaping the Future of Cybersecurity Awareness, Education, and

353 views • 31 slides
Instructive Feedback: Effects of a Presentation Variable Article in The Journal of Special

Instructive Feedback: Effects of a Presentation Variable Article in The Journal of Special

See discussions, stats, and author profiles for this publication at: https://www.researchgate.net/publication/249833577 Instructive Feedback: Effects of a Presentation Variable Article in The Journal of Special Education August 2003 DOI:

471 views • 12 slides
SPECIAL MOBILITY STRAND The European Commission support for the production of this publication

SPECIAL MOBILITY STRAND The European Commission support for the production of this publication

SPECIAL MOBILITY STRAND The European Commission support for the production of this publication does not constitute an endorsement of the contents which reflects the views only of the authors, and the Commission cannot be held responsible for any

585 views • 43 slides
SPECIAL MOBILITY STRAND The European Commission support for the production of this publication

SPECIAL MOBILITY STRAND The European Commission support for the production of this publication

SPECIAL MOBILITY STRAND The European Commission support for the production of this publication does not constitute an endorsement of the contents which reflects the views only of the authors, and the Commission cannot be held responsible for any

605 views • 60 slides
SPECIAL MOBILITY STRAND The European Commission support for the production of this publication

SPECIAL MOBILITY STRAND The European Commission support for the production of this publication

SPECIAL MOBILITY STRAND The European Commission support for the production of this publication does not constitute an endorsement of the contents which reflects the views only of the authors, and the Commission cannot be held responsible for any

642 views • 47 slides
government contracts special update A PUBLICATION OF VENABLE'S GOVERNMENT CONTRACTS TEAM March 12,

government contracts special update A PUBLICATION OF VENABLE'S GOVERNMENT CONTRACTS TEAM March 12,

government contracts special update A PUBLICATION OF VENABLE'S GOVERNMENT CONTRACTS TEAM March 12, 2009 AUTHORS President Obama Issues Memorandum to the Heads of Executive Departments and Paul Debolt

246 views • 3 slides
Will It Take Before We Act? Post-publication presentation of The Jakarta Post article Dr.

Will It Take Before We Act? Post-publication presentation of The Jakarta Post article Dr.

How Many AMR Deaths Will It Take Before We Act? Post-publication presentation of The Jakarta Post article Dr. Widjaja Lukito, Sp.GK, Ph.D Special Advisor to Minister of Health (2006-2009) Secretary to a Member of the Advisory Council of

535 views • 16 slides
EMA/EU-FDA Activity Update Vada A. Perkins HL7 SPL(R7) Publication HL7 SPL(R7) Publication:

EMA/EU-FDA Activity Update Vada A. Perkins HL7 SPL(R7) Publication HL7 SPL(R7) Publication:

EMA/EU-FDA Activity Update Vada A. Perkins HL7 SPL(R7) Publication HL7 SPL(R7) Publication: To be submitted by this Friday (ballot approved) SPL Release 7 as the data exchange format to support ISO IDMP Technical Specifications. The

472 views • 23 slides
special government contracts update A PUBLICATION OF VENABLE'S GOVERNMENT CONTRACTS GROUP

special government contracts update A PUBLICATION OF VENABLE'S GOVERNMENT CONTRACTS GROUP

special government contracts update A PUBLICATION OF VENABLE'S GOVERNMENT CONTRACTS GROUP Department of Justice Updated Guidance on Department of Justice Updated Guidance on AUTHORS Seeking Waivers of Attorney-Client Privilege Seeking Waivers

333 views • 4 slides
Clinical data Publication W ebinar Presented by Documents Access & Publication Service 23

Clinical data Publication W ebinar Presented by Documents Access & Publication Service 23

Clinical data Publication W ebinar Presented by Documents Access & Publication Service 23 March 2017 An agency of the European Union Clinical Data Publication (CDP) Guidance Introduction, scope, definitions External guidance on the

487 views • 19 slides
Authorship & Publication August 4, 2009 Authorship Publication Authorship Each author

Authorship & Publication August 4, 2009 Authorship Publication Authorship Each author

Authorship Publication Authorship & Publication August 4, 2009 Authorship Publication Authorship Each author should have made substantial contribution to research Each author should have participated sufficiently in the

306 views • 3 slides
Clinical data Publication W ebinar Presented by Documents Access & Publication Service 29

Clinical data Publication W ebinar Presented by Documents Access & Publication Service 29

Clinical data Publication W ebinar Presented by Documents Access & Publication Service 29 June 2017 An agency of the European Union EMA update on the guidance and related initiatives Currents status and upcom ing subm issions Follow

178 views • 16 slides
SPECIAL MOBILITY STRAND THE IMPORTANCE OF CONCRETE DURABILITY IN RC STRUCTURES ERION LUGA, PhD

SPECIAL MOBILITY STRAND THE IMPORTANCE OF CONCRETE DURABILITY IN RC STRUCTURES ERION LUGA, PhD

SPECIAL MOBILITY STRAND THE IMPORTANCE OF CONCRETE DURABILITY IN RC STRUCTURES ERION LUGA, PhD NOVI SAD 05.03.2019 Epoka University Department of Civil Engineering The European Commission support for the production of this publication does not

828 views • 60 slides
update A PUBLICATION OF VENABLE'S GOVERNMENT CONTRACTS TEAM February 2009 AUTHORS

update A PUBLICATION OF VENABLE'S GOVERNMENT CONTRACTS TEAM February 2009 AUTHORS

government contracts special update A PUBLICATION OF VENABLE'S GOVERNMENT CONTRACTS TEAM February 2009 AUTHORS GSA PROPOSES SEVERAL SIGNIFICANT CHANGES TO ITS FEDERAL SUPPLY Terry L. Elling

447 views • 5 slides
QSAC: The Results March 21, 2019 What Is QSAC?

QSAC: The Results March 21, 2019 What Is QSAC?

QSAC: The Results March 21, 2019 What Is QSAC? Quality Single Accountability Con7nuum Combina7on of on-site monitoring (DOE) and self-evalua7on

105 views • 10 slides
VoRMD VOLUME RENDERING ON MOBILE DEVICES Goal Volume

VoRMD VOLUME RENDERING ON MOBILE DEVICES Goal Volume

VoRMD VOLUME RENDERING ON MOBILE DEVICES Goal Volume renderer on an Android device OpenGL ES 2.0 VS. WebGL

544 views • 22 slides
ISO Cer(fica(on Helping Inspire to do things be8er What is

ISO Cer(fica(on Helping Inspire to do things be8er What is

ISO Cer(fica(on Helping Inspire to do things be8er What is ISO Cer(fica(on? An interna)onal Quality standard Globally over 1 million cer)fied companies

448 views • 15 slides
A4: Reference standards and reagents Team members: In scope Recommendations for

A4: Reference standards and reagents Team members: In scope Recommendations for

A4: Reference standards and reagents Team members: In scope Recommendations for content in Certificate of Team lead Analysis (COA) or equivalent documentation to be Joseph Bower NA - Joseph.Bower@covance.com included with

132 views • 11 slides
TRAVEL GUIDELINES FY 2017 Texas A&M University-Texarkana

TRAVEL GUIDELINES FY 2017 Texas A&M University-Texarkana

TRAVEL GUIDELINES FY 2017 Texas A&M University-Texarkana 10-27-16 TRAVEL REQUEST Travel Request must be completed and approved no later

579 views • 25 slides
CALLS, CLICKS AND CHATS WHERE MARKETING ENDS AND SELLING

CALLS, CLICKS AND CHATS WHERE MARKETING ENDS AND SELLING

Modern Solu8ons for Modern Dealers CALLS, CLICKS AND CHATS WHERE MARKETING ENDS AND SELLING BEGINS Greg Wells President AllCall Automotive Contact Center Cell/text 859.983.0370

376 views • 33 slides
Hamstreet & Associates Cover Oregon Final Report September 29, 2014 Descrip(on of

Hamstreet & Associates Cover Oregon Final Report September 29, 2014 Descrip(on of

Hamstreet & Associates Cover Oregon Final Report September 29, 2014 Descrip(on of ini(al situa(on April 2014 Hamstreet & Associates interven(on Overview Recommenda(ons

248 views • 22 slides
The DCED Standard for Measuring Results Switzerland, May 2011 By Jim Tanburn,

The DCED Standard for Measuring Results Switzerland, May 2011 By Jim Tanburn,

The DCED Standard for Measuring Results Switzerland, May 2011 By Jim Tanburn, Coordinator Tanburn@Enterprise-Development.org www.Enterprise-Development.org Outline of this presentation About the DCED

161 views • 12 slides

More recommend