The recent NIST SP 800-171, issued in June 2015, provides guidance for the protection of controlled unclassified...
information (CUI) in nonfederal information systems and organizations; classified information is under different -- and more stringent guidance. CUI is any information that law, regulation or government-wide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. Let's take a closer look at NIST SP 800-171.
How does the federal government determine controlled unclassified information?
Since NIST SP 800-171 provides guidance in the protection of controlled unclassified information in nonfederal information systems and organizations, it's important to better understand what constitutes CUI.
Controlled unclassified information refers to unclassified information that is to be protected from public disclosure. The CUI designation replaces the "sensitive but unclassified" (SBU) designation and other similar control markings. For example, CUI may be the records that contain privacy information or details about an ongoing investigation.
In May 2008, President George W. Bush issued a memorandum that established CUI primarily to replace the many SBU categories into one. Within the CUI designation, the memo established a three-tiered system for safeguarding procedures and dissemination. These included Controlled with Standard Dissemination, Controlled with Specified Dissemination, and Controlled Enhanced with Specified Dissemination.
On May 27, 2009, President Obama issued a memorandum calling for a new CUI framework. What constitutes CUI still remains a bit vague, but the framework became especially important in defining how CUI would be handled by nonfederal government contractors. Then on November 4, 2010, the president designated the National Archives and Records Administration as the Executive Agent to implement his executive order and oversee the implementation and compliance of CUI.
Any information that is not designated as "classified" and "top-secret" is considered CUI, or information marked "For Official Use Only." For example, any recorded information related to experimental, developmental or engineering works that can be used to define or manufacture processes is CUI. Technical data considered CUI would include research and engineering data, engineering drawings, specifications, standards and computer software documentation.
Most important NIST SP 800-171 guidelines for CUI protection
NIST SP 800-171 defines 14 categories of security requirements for CUI: access control, awareness and training, audit and accountability, configuration management (baselines for security of hardware and software), identification and authentication (of users and devices), incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.
Details of each of these 14 categories is beyond the scope of this article, but the security requirements defined -- especially for those well-versed in cybersecurity concepts -- would be considered basic prudent security measures.
Terms used within this special publication include the principle of least privilege; restrictions of nonessential programs, functions, ports, protocols and services; audit of privileged user activity; security risks; separation of duties; multifactor authentication; incident handling; limit access to authorized users; screening of individuals in new hires; terminations and transfers; escorting of visitors; vulnerability scans; and periodic assessment of security controls.
What effect will NIST SP 800-171 have on organizations?
A nonfederal organization is any entity that owns, operates or maintains a nonfederal information system. Examples of nonfederal organizations include: state, local and tribal governments; colleges and universities; and contractors.
Any of these organizations are subject to the Federal Information Security Management Act (FISMA) requirements and assessments, including the minimum security requirements in FIPS Publication 200 and the security controls in NIST Special Publication 800-53. Compliance requires organizations to execute due diligence with regard to information security and risk management.
The effect NIST SP 800-171 has on these organizations can be significant, especially if they currently do not practice basic fundamental security and controls. It is incumbent on these organizations to familiarize themselves with NIST SP 800-171, FIPS 200 and NIST SP 800-53 before they agree to handle CUI on behalf of the U.S. government.
NSIT SP 800-171 compliance
FIPS 200 defines the Minimum Security Requirements for Federal Information and Information Systems. These requirements are very similar to the 14 categories of security defined in NIST SP 800-171, which also requires organizations to define CUI into initial baseline categories of low, medium and high, as defined in NIST SP 800-53.
Nonfederal organizations are subject to FISMA assessments -- managed by the Office of Management and Budget -- in handling CUI. There is an obvious irony in light of the recent OPM data breach, resulting in $132 million to cover the cost of 23 million current and former federal employees to pay for identity protection and background investigations. But regardless of this data breach, nonfederal organizations stand on notice.
About the author:
Miguel (Mike) O. Villegas is vice president for K3DES LLC, a payment and technology-consulting firm. Villegas has been a chief information security officer for a large online retailer, partner for a "Big Four" consulting firm, VP of IT Risk Management, IT Audit Director for large commercial banks and owner of an information security professionals firm over a span of 30 years.