JAMIS Software
Controlled Unclassified Information (CUI) Requirements and NIST 800-171 Compliance

Posted by Dan Rusert on February 6, 2018

“Defense contractors routinely process, store and transmit sensitive federal information to assist federal agencies in carrying out their core missions and business operations. Federal information is also shared with state and local governments, universities and independent research organizations.

To keep this information secure, Executive Order 13556 established the Controlled Unclassified Information (CUI) Program to standardize the way the executive branch handles unclassified information that requires protection, such as personally identifiable information.” [1]

The applicable standard is “NIST Special Publication 800-171: Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations.” [2] It is imposed on defense contractors through DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting); the companion solicitation provision, DFARS 252.204-7008, requires offerors to represent that they will comply with it.

Compliance deadline: December 31, 2017.  “The DoD has clarified its expectation for full compliance to protect Controlled Unclassified Information (CUI) residing on Contractor Systems from cyber incidents.  A defense contractor’s updated and current System Security Plan and Plan of Action for cybersecurity measures may be sufficient to meet standards for compliance with NIST 800-171, rev. 1.  Full implementation of the System Security Plan to meet the 110 NIST 800-171 cybersecurity measures is not required as of December 31, 2017.” [3]

The requirements are organized into these 14 families (with a total of 110 individual security requirements across them). The items under each family below summarize its main requirements; they are not the full list of 110.

1. Access Control

a. Limit system access to authorized users, processes acting on behalf of authorized users, and devices.  Separate the privileges of standard users from those of administrators (least privilege), and document your processes.

b. Limit unsuccessful logon attempts (for example, by locking an account after a set number of consecutive failures).

c. Provide privacy and security notices to users entering the system.

d. Use cryptographic mechanisms to protect the confidentiality of remote access sessions and wireless (Wi-Fi) access, and encrypt CUI stored on mobile devices.

2. Awareness and Training

a. Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.

b. Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

3. Audit and Accountability

a. Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.

b. Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
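As an added example (not part of the original post and not JAMIS code), the following Python shows what two of the requirements above look like in working form: limiting unsuccessful logon attempts with an account lockout (Access Control 1.b) and writing audit records that trace every logon event to a specific user and are protected against silent editing (Audit and Accountability 3.a and 3.b). The usernames, passwords, timestamps, lockout threshold and lockout window are constructed illustrative values, not values from the standard.

```python
"""
Account lockout (NIST SP 800-171 3.1.8) plus a tamper-evident audit log
(3.3.1 / 3.3.2). Added example; all data below is constructed.
"""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 5      # illustrative policy value, not from the standard
LOCKOUT_SECONDS = 15 * 60    # illustrative lockout window


@dataclass
class Account:
    username: str
    salt: bytes
    pw_hash: bytes
    failed_attempts: int = 0
    locked_until: float = 0.0


def hash_password(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class AuditLog:
    """Append-only log. Each record stores the hash of the previous record, so
    editing or deleting an earlier record breaks the chain on verify()."""

    def __init__(self):
        self.records = []
        self._prev = "0" * 64

    def append(self, user: str, action: str, outcome: str, ts: float) -> dict:
        body = {"ts": ts, "user": user, "action": action,
                "outcome": outcome, "prev": self._prev}
        digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
        rec = dict(body, hash=digest)
        self.records.append(rec)
        self._prev = digest
        return rec

    def verify(self) -> bool:
        prev = "0" * 64
        for rec in self.records:
            body = {k: v for k, v in rec.items() if k != "hash"}
            expected = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
            if body["prev"] != prev or expected != rec["hash"]:
                return False
            prev = rec["hash"]
        return True


class Authenticator:
    def __init__(self, audit: AuditLog):
        self.accounts = {}
        self.audit = audit

    def register(self, username: str, password: str) -> None:
        salt = secrets.token_bytes(16)
        self.accounts[username] = Account(username, salt, hash_password(password, salt))

    def login(self, username: str, password: str, now: float) -> str:
        """Returns 'success', 'failure' or 'locked'; every path writes an audit record."""
        acct = self.accounts.get(username)
        if acct is None:
            # Unknown user: still record the attempt under the supplied name.
            # (A production system would also equalize timing with the known-user path.)
            self.audit.append(username, "logon", "failure", now)
            return "failure"
        if now < acct.locked_until:
            self.audit.append(username, "logon", "locked", now)
            return "locked"
        if hmac.compare_digest(hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            self.audit.append(username, "logon", "success", now)
            return "success"
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            self.audit.append(username, "logon", "failure-lockout", now)
            return "locked"
        self.audit.append(username, "logon", "failure", now)
        return "failure"


def demo():
    """Four bad passwords, a fifth that triggers lockout, a correct password
    rejected while locked, then a correct password after the window expires."""
    audit = AuditLog()
    auth = Authenticator(audit)
    auth.register("alice", "correct horse battery staple")   # constructed credential
    t = 1_700_000_000.0                                       # constructed epoch time
    results = [auth.login("alice", "wrong", t + i) for i in range(5)]
    results.append(auth.login("alice", "correct horse battery staple", t + 6))
    results.append(auth.login("alice", "correct horse battery staple",
                              t + LOCKOUT_SECONDS + 10))
    return results, audit


if __name__ == "__main__":
    outcomes, log = demo()
    print(outcomes, "chain intact:", log.verify())
```

The point of the hash chain is the "protect" half of 3.a: an attacker who can edit a plain log file can erase the record of their own failed attempts, whereas here changing any field of any record makes `verify()` fail for that record and everything after it. A real deployment would also forward the records off-host so the chain head cannot be rewritten along with the log.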

4. Configuration Management

a. Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

b. Establish and enforce security configuration settings for information technology products employed in organizational information systems.

5. Identification and Authentication

a. Identify information system users, processes acting on behalf of users, or devices.

b. Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

6. Incident Response

a. Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.

b. Track, document, and report incidents to appropriate organizational officials and/or authorities.

7. Maintenance

a. Perform maintenance on organizational information systems.

b. Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.

8. Media Protection

a. Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.

b. Limit access to CUI on information system media to authorized users.

c. Sanitize or destroy information system media containing CUI before disposal or release for reuse.

9. Personnel Security

a. Screen individuals prior to authorizing access to information systems containing CUI.

b. Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.

10. Physical Protection

a. Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.

b. Protect and monitor the physical facility and support infrastructure for those information systems.

11. Risk Assessment

a. Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.

12. Security Assessment

a. Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application.

b. Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.

c. Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.

13. System and Communications Protection

a. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

b. Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.

c. Protect the confidentiality of CUI at rest (“data at rest”).

14. System and Information Integrity

a. Identify, report, and correct information and information system flaws in a timely manner.

b. Provide protection from malicious code at appropriate locations within organizational information systems.

c. Monitor information system security alerts and advisories and take appropriate actions in response.

JAMIS Software Corporation provides cloud-based enterprise software designed specifically for government contractors, and continuously stays up to date with the compliance needs of our customers and the industry as a whole. To find out more about how JAMIS Cloud Services can help your organization prepare for these requirements, contact us today at info@jamis.com, or sign up for our next webinar.


[1] NIST Tech Beat – June 19, 2015: NIST Publishes Final Guidelines for Protecting Sensitive Government Information Held by Contractors

[2] NIST Special Publication 800-171: Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations

[3] Pillsbury – December 20, 2017: December 31, 2017 Deadline for Cybersecurity under DFARS 252.204-7012 Re-Interpreted

Topics: Blog
