Draft NIST Special Publication 800-171 Revision 1
Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

RON ROSS
PATRICK VISCUSO
GARY GUISSANIE
KELLEY DEMPSEY
MARK RIDDLE

PUBLIC DRAFT

Draft NIST Special Publication 800-171 Revision 1
Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

RON ROSS
KELLEY DEMPSEY
Computer Security Division
Information Technology Laboratory
National Institute of Standards and Technology

PATRICK VISCUSO
MARK RIDDLE
Information Security Oversight Office
National Archives and Records Administration

GARY GUISSANIE
Institute for Defense Analyses
Supporting the Office of the CIO, Department of Defense

August 2016

U.S. Department of Commerce
Penny Pritzker, Secretary

National Institute of Standards and Technology
Willie May, Under Secretary of Commerce for Standards and Technology and Director

Authority

This publication has been developed by NIST to further its statutory responsibilities under the Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. § 3551 et seq., Public Law (P.L.) 113-283. NIST is responsible for developing information security standards and guidelines, including minimum requirements for federal information systems, but such standards and guidelines shall not apply to national security systems without the express approval of appropriate federal officials exercising policy authority over such systems. This guideline is consistent with the requirements of the Office of Management and Budget (OMB) Circular A-130.

Nothing in this publication should be taken to contradict the standards and guidelines made mandatory and binding on federal agencies by the Secretary of Commerce under statutory authority. Nor should these guidelines be interpreted as altering or superseding the existing authorities of the Secretary of Commerce, Director of the OMB, or any other federal official. This publication may be used by nongovernmental organizations on a voluntary basis and is not subject to copyright in the United States. Attribution would, however, be appreciated by NIST.

National Institute of Standards and Technology Special Publication 800-171
Natl. Inst. Stand. Technol. Spec. Publ. 800-171 Revision 1, 79 pages (August 2016)
CODEN: NSPUE2

Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose.

There may be references in this publication to other publications currently under development by NIST in accordance with its assigned statutory responsibilities. The information in this publication, including concepts, practices, and methodologies, may be used by federal agencies even before the completion of such companion publications. Thus, until each publication is completed, current requirements, guidelines, and procedures, where they exist, remain operative. For planning and transition purposes, federal agencies may wish to closely follow the development of these new publications by NIST.

Organizations are encouraged to review draft publications during the designated public comment periods and provide feedback to NIST. Many NIST cybersecurity publications, other than the ones noted above, are available at http://csrc.nist.gov/publications.

Public comment period: August 16 through September 16, 2016
All comments are subject to release under the Freedom of Information Act (FOIA).

National Institute of Standards and Technology
Attn: Computer Security Division, Information Technology Laboratory
100 Bureau Drive (Mail Stop 8930)
Gaithersburg, MD 20899-8930
Electronic Mail: sec-cert@nist.gov

Reports on Computer Systems Technology

The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analyses to advance the development and productive use of information technology (IT). ITL’s responsibilities include the development of management, administrative, technical, and physical standards and guidelines for the cost-effective security and privacy of other than national security-related information in federal information systems. The Special Publication 800-series reports on ITL’s research, guidelines, and outreach efforts in information systems security and its collaborative activities with industry, government, and academic organizations.

Abstract

The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. This publication provides federal agencies with recommended requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information systems and organizations; (ii) when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and (iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.

Keywords

Contractor Information Systems; Controlled Unclassified Information; CUI Registry; Executive Order 13556; FIPS Publication 199; FIPS Publication 200; FISMA; NIST Special Publication 800-53; Nonfederal Information Systems; Security Control; Security Requirement; Derived Security Requirement; Security Assessment

Acknowledgements

The authors gratefully acknowledge and appreciate the contributions from Carol Bales, Matt Barrett, Jon Boyens, Devin Casey, Chris Enloe, Jim Foti, Rob Glenn, Rich Graubart, Vicki Michetti, Michael Nieles, Pat O’Reilly, Karen Quigg, Mary Thomas, Matt Scholl, Murugiah Souppaya, and Pat Toth, whose thoughtful and constructive comments improved the overall quality, thoroughness, and usefulness of this publication. A special note of thanks goes to Peggy Himes and Elizabeth Lennon for their superb administrative and technical editing support.

Notes to Reviewers

The public draft of NIST Special Publication 800-171 Revision 1 represents a limited update to the original publication released in June 2015.
In particular, this update includes:
• A clarification of the purpose and applicability statement;
• Minor clarifications, additions, and adjustments to selected CUI requirements;
• Guidance on the use of system security plans (SSPs) and plans of action and milestones (POAMs) to demonstrate the implementation or planned implementation of CUI requirements by nonfederal organizations;
• Guidance on federal agency use of submitted SSPs and POAMs as critical inputs to risk management decisions and decisions on whether or not to pursue agreements or contracts with nonfederal organizations;
• Additional definitions and terms for the glossary; and
• The implementation of hyperlinks to facilitate ease of use in navigating the document.

Both markup and clean copies of the draft publication are provided to facilitate a more efficient reviewing process. Please confine your review to only those sections of the publication that have changed since the original version was published in June 2015.

Your feedback is important to us. We appreciate each and every contribution from our reviewers. The insightful comments from both the public and private sectors, nationally and internationally, continue to help shape the final publication to ensure that it meets the needs and expectations of our customers. The feedback obtained from this public review will be incorporated into a final publication targeted for release in the Fall 2016.

-- RON ROSS
JOINT TASK FORCE LEADER
FISMA IMPLEMENTATION PROJECT LEADER

Cautionary Note

The Federal Information Security Modernization Act (FISMA) requires federal agencies to identify and provide information security protections commensurate with the risk resulting from the unauthorized access, use, disclosure, disruption, modification, or destruction of: (i) information collected or maintained by or on behalf of an agency; or (ii) information systems used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. This publication focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal information systems and organizations and recommends security requirements to achieve that objective. It does not change in any manner the information security requirements set forth in FISMA, nor does it alter the responsibility of federal agencies to comply with the full provisions of the statute, the policies established by OMB, and the supporting security standards and guidelines developed by NIST.

The requirements recommended for use in this publication are derived from FIPS Publication 200 and the moderate security control baseline in NIST Special Publication 800-53 and are based on the CUI regulation (32 CFR Part 2002, Controlled Unclassified Information). The requirements and security controls have been determined over time to provide the necessary protection for federal information and information systems that are covered under the FISMA. The tailoring criteria applied to the FIPS Publication 200 security requirements and the NIST Special Publication 800-53 security controls should not be interpreted as an endorsement for the elimination of those requirements and controls; rather, the tailoring criteria focus on the protection of CUI from unauthorized disclosure in nonfederal information systems and organizations. Moreover, since the CUI requirements are derivative from the NIST publications listed above, organizations should not assume that satisfying those requirements will automatically satisfy the security requirements and controls in FIPS Publication 200 and Special Publication 800-53.

In addition to the security objective of confidentiality, the objectives of integrity and availability remain a high priority for organizations that are concerned with establishing and maintaining a comprehensive information security program. While the primary purpose of this publication is to define requirements to protect the confidentiality of CUI, there is a close relationship between confidentiality and integrity, since many of the underlying security mechanisms at the information system level support both security objectives. Organizations that are interested in or required to comply with the recommendations in this publication are strongly advised to review the complete listing of security controls in the moderate baseline in Appendix E to ensure that their individual security plans and security control deployments provide the necessary and sufficient protection to address the range of cyber and kinetic threats to organizational missions and business operations. Addressing such threats is important because of the dependence many organizations have on their information technology infrastructures for mission and business success.

Expectations for this Publication

Executive Order 13556, Controlled Unclassified Information, November 4, 2010, establishes that the Controlled Unclassified Information (CUI) Executive Agent, designated as the National Archives and Records Administration (NARA), shall develop and issue such directives as are necessary to implement the CUI Program. Consistent with this tasking and with the CUI Program’s mission to establish uniform policies and practices across the federal government, NARA is issuing a final federal regulation in 2016 to establish the required controls and markings for CUI governmentwide. This federal regulation, once enacted, will bind agencies throughout the executive branch to uniformly apply the standard safeguards, markings, dissemination, and decontrol requirements established by the CUI Program. With regard to federal information systems, requirements in the federal regulation for protecting CUI at the moderate confidentiality impact level will be based on applicable policies established by OMB and applicable governmentwide standards and guidelines issued by NIST. The regulation will not create these policies, standards, and guidelines, which are already established by OMB and NIST. The regulation will, however, require adherence to the policies and use of the standards and guidelines in a consistent manner throughout the executive branch, thereby reducing current complexity for federal agencies and their nonfederal partners, including contractors.

In addition to defining safeguarding requirements for CUI within the federal government, NARA has taken steps to alleviate the potential impact of such requirements on nonfederal organizations by jointly developing with NIST Special Publication 800-171, defining security requirements for protecting CUI in nonfederal information systems and organizations. This will help nonfederal entities, including contractors, to comply with the security requirements using the systems and practices they already have in place, rather than trying to use government-specific approaches. It will also provide a standardized and uniform set of requirements for all CUI security needs, tailored to nonfederal systems, allowing nonfederal organizations to be in compliance with statutory and regulatory requirements and to consistently implement safeguards for the protection of CUI.

Finally, NARA, in its capacity as the CUI Executive Agent, also plans to sponsor in 2017 a single Federal Acquisition Regulation (FAR) clause that will apply the requirements contained in the federal CUI regulation and Special Publication 800-171 to contractors. This will further promote standardization to benefit a substantial number of nonfederal organizations that are attempting to meet the current range and type of contract clauses, where differing requirements and conflicting guidance from federal agencies for the same information give rise to confusion and inefficiencies. Until the formal process of establishing such a single FAR clause takes place, the CUI requirements in NIST Special Publication 800-171 may be referenced in federal contracts consistent with federal law and regulatory requirements. If necessary, Special Publication 800-171 will be updated to remain consistent with the federal CUI regulation and the FAR clause.

Framework for Improving Critical Infrastructure Cybersecurity

Organizations that have implemented or plan to implement the NIST Framework for Improving Critical Infrastructure Cybersecurity can find in Appendix D of this publication a direct mapping of the Controlled Unclassified Information (CUI) security requirements to the security controls in NIST Special Publication 800-53 and ISO/IEC 27001. Once identified, those controls can be located in the specific categories and subcategories associated with the Cybersecurity Framework core functions: Identify, Protect, Detect, Respond, and Recover. The security control mapping information can be useful to organizations that wish to demonstrate compliance to the CUI security requirements in the context of their established information security programs, when such programs have been built around the NIST or ISO/IEC security controls. See http://www.nist.gov/cyberframework.

Table of Contents

CHAPTER ONE INTRODUCTION
1.1 PURPOSE AND APPLICABILITY
1.2 TARGET AUDIENCE
1.3 ORGANIZATION OF THIS SPECIAL PUBLICATION
CHAPTER TWO THE FUNDAMENTALS
2.1 BASIC ASSUMPTIONS
2.2 DEVELOPMENT OF CUI REQUIREMENTS
CHAPTER THREE THE REQUIREMENTS
3.1 ACCESS CONTROL
3.2 AWARENESS AND TRAINING
3.3 AUDIT AND ACCOUNTABILITY
3.4 CONFIGURATION MANAGEMENT
3.5 IDENTIFICATION AND AUTHENTICATION
3.6 INCIDENT RESPONSE
3.7 MAINTENANCE
3.8 MEDIA PROTECTION
3.9 PERSONNEL SECURITY
3.10 PHYSICAL PROTECTION
3.11 RISK ASSESSMENT
3.12 SECURITY ASSESSMENT
3.13 SYSTEM AND COMMUNICATIONS PROTECTION
3.14 SYSTEM AND INFORMATION INTEGRITY
APPENDIX A REFERENCES
APPENDIX B GLOSSARY
APPENDIX C ACRONYMS
APPENDIX D MAPPING TABLES
APPENDIX E TAILORING CRITERIA

Errata

This table contains changes that have been incorporated into Special Publication 800-171 Revision 1. Errata updates can include corrections, clarifications, or other minor changes in the publication that are either editorial or substantive in nature.

DATE    TYPE    CHANGE    PAGE

CHAPTER ONE
INTRODUCTION
THE NEED TO PROTECT CONTROLLED UNCLASSIFIED INFORMATION

Today, more than at any time in history, the federal government is relying on external service providers to help carry out a wide range of federal missions and business functions using state-of-the-practice information systems. Many federal contractors, for example, routinely process, store, and transmit sensitive federal information in their information systems[1] to support the delivery of essential products and services to federal agencies (e.g., providing credit card and other financial services; providing Web and electronic mail services; conducting background investigations for security clearances; processing healthcare data; providing cloud services; and developing communications, satellite, and weapons systems). Additionally, federal information is frequently provided to or shared with entities such as State and local governments, colleges and universities, and independent research organizations. The protection of sensitive federal information while residing in nonfederal information systems[2] and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations, including those missions and functions related to the critical infrastructure.

The protection of unclassified federal information in nonfederal information systems and organizations is dependent on the federal government providing a disciplined and structured process for identifying the different types of information that are routinely used by federal agencies. On November 4, 2010, the President signed Executive Order 13556, Controlled Unclassified Information. The Executive Order established a governmentwide Controlled Unclassified Information (CUI)[3] Program to standardize the way the executive branch handles unclassified information that requires protection, and designated the National Archives and Records Administration (NARA) as the Executive Agent[4] to implement that program. Only information that requires safeguarding or dissemination controls pursuant to federal law, regulation, or governmentwide policy may be designated as CUI. The CUI Program is designed to address several deficiencies in managing and protecting unclassified information, to include inconsistent markings, inadequate safeguarding, and needless restrictions, both by standardizing procedures and by providing common definitions through a CUI Registry. The CUI Registry is the online repository for information, guidance, policy, and requirements on handling CUI, including issuances by the CUI Executive Agent. Among other information, the CUI Registry identifies approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, and sets out procedures for the use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, reusing, and disposing of the information.

Executive Order 13556 also required that the CUI Program emphasize openness, transparency, and uniformity of governmentwide practices, and that the implementation of the program take place in a manner consistent with applicable policies established by the Office of Management and Budget (OMB) and federal standards and guidelines issued by the National Institute of Standards and Technology (NIST). The federal CUI regulation,[5] developed by the CUI Executive Agent, provides guidance to federal agencies on the designation, safeguarding, dissemination, marking, decontrolling, and disposition of CUI, establishes self-inspection and oversight requirements, and delineates other facets of the program.

Footnotes:
[1] An information system is a discrete set of information resources organized expressly for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Information systems also include specialized systems such as industrial process control systems.
[2] A federal information system is a system that is used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. An information system that does not meet such criteria is a nonfederal information system.
[3] Controlled Unclassified Information is any information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended.
[4] NARA has delegated this authority to the Information Security Oversight Office, which is a component of NARA.

1.1 PURPOSE AND APPLICABILITY

The purpose of this publication is to provide federal agencies with recommended requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information systems and organizations; (ii) when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating an information system on behalf of an agency;[6] and (iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category or subcategory listed in the CUI Registry.[7] The security requirements apply only to components of nonfederal information systems that process, store, or transmit CUI, or that provide security protection for such components.[8] The CUI requirements are intended for use by federal agencies in appropriate contractual vehicles or other agreements established between those agencies and nonfederal organizations. In CUI guidance and the CUI Federal Acquisition Regulation (FAR),[9] the CUI Executive Agent will address determining compliance with CUI requirements.

In accordance with the federal CUI regulation, federal agencies using federal information systems to process, store, or transmit CUI, as a minimum, must comply with:
• Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems (moderate confidentiality impact);[10]
• Federal Information Processing Standards (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems;
• NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations; and
• NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories.[11]

The responsibility of federal agencies to protect and ensure the control of CUI does not change when such information is shared with nonfederal partners. Therefore, a similar level of protection is needed when CUI is processed, stored, or transmitted by nonfederal organizations using nonfederal information systems.[12] The specific requirements for safeguarding CUI in nonfederal information systems and organizations are derived from the above authoritative federal standards and guidelines to maintain a consistent level of protection. However, recognizing that the scope of the safeguarding requirements in the federal CUI regulation is limited to the security objective of confidentiality (i.e., not directly addressing integrity and availability) and that some of the security requirements expressed in the NIST standards and guidelines are uniquely federal, the requirements in this publication have been tailored for nonfederal entities. The tailoring criteria described in Chapter Two are not intended to reduce or minimize the federal requirements for the safeguarding of CUI as expressed in the federal CUI regulation. Rather, the intent is to express the requirements in a manner that allows for and facilitates the equivalent safeguarding measures within nonfederal information systems and organizations and does not diminish the level of protection of CUI required for moderate confidentiality. Additional or differing requirements, other than those requirements described in this publication, may be applied only when such requirements are based on law, regulation, or governmentwide policy and when indicated in the CUI Registry as CUI-specified. The provision of safeguarding requirements for CUI in a particular specified category will be addressed by NARA in its CUI guidance and in the CUI FAR, and reflected as specific requirements in contracts or other agreements.

If nonfederal organizations entrusted with protecting CUI designate specific information systems or system components for the processing, storage, or transmission of CUI, then the organizations may limit the scope of the CUI security requirements to those particular systems or components. Isolating CUI into its own security domain by applying architectural design principles or concepts (e.g., implementing subnetworks with firewalls or other boundary protection devices) may be the most cost-effective and efficient approach for nonfederal organizations to satisfy the requirements and protect the confidentiality of CUI. Security domains may employ physical separation, logical separation, or a combination of both. This approach can: (i) reasonably provide adequate security for the CUI; and (ii) avoid increasing the organization’s security posture to a level beyond which it typically requires for protecting its missions, operations, and assets. Nonfederal organizations may choose to use the same CUI infrastructure for multiple government contracts or agreements, as long as the CUI infrastructure meets the safeguarding requirements for all of the organization’s CUI-related contracts/agreements, including specific safeguarding required or permitted by the authorizing law, regulation, or governmentwide policy.

Footnotes:
[5] 32 CFR Part 2002, Controlled Unclassified Information (Final, to be published in 2016).
[6] Nonfederal organizations that collect or maintain information on behalf of a federal agency or that use or operate an information system on behalf of an agency must comply with the requirements in FISMA, including the requirements in FIPS Publication 200 and the security controls in NIST Special Publication 800-53. See 44 USC 3554(a)(1)(A).
[7] The requirements in this publication can be used to comply with the FISMA requirement for senior agency officials to provide information security for the information that supports the operations and assets under their control, including CUI that is resident in nonfederal systems and organizations. See 44 USC 3554(a)(1)(A) and 3554(a)(2).
[8] Information system components include, for example, mainframes, workstations, servers, input and output devices, network components, operating systems, virtual machines, and applications.
[9] NARA, in its capacity as the CUI Executive Agent, plans to sponsor in 2017 a single FAR clause that will apply the requirements of the federal CUI regulation and NIST Special Publication 800-171 to contractors. Until the formal process of establishing such a single FAR clause takes place, the CUI requirements in NIST Special Publication 800-171 may be referenced in federal contracts consistent with federal law and regulatory requirements.
[10] FIPS Publication 199 defines three values of potential impact (i.e., low, moderate, high) on organizations, assets, or individuals should there be a breach of security (e.g., a loss of confidentiality). The potential impact is moderate if the loss of confidentiality could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
[11] NIST Special Publication 800-60 is under revision to align with the CUI categories and subcategories in the CUI Registry.
[12] A nonfederal organization is any entity that owns, operates, or maintains a nonfederal information system. Examples of nonfederal organizations include State, local, and tribal governments; colleges and universities; and contractors.
1.2 TARGET AUDIENCE

This publication is intended to serve a diverse group of individuals and organizations in both the public and private sectors including, but not limited to:

• Individuals with information system development life cycle responsibilities (e.g., program managers, mission/business owners, information owners/stewards, system designers and developers, information system security engineers, systems integrators);
• Individuals with acquisition or procurement responsibilities (e.g., contracting officers);
• Individuals with information system, security, and/or risk management and oversight responsibilities (e.g., authorizing officials, chief information officers, chief information security officers, information system owners, information security managers); and
• Individuals with information security assessment and monitoring responsibilities (e.g., auditors, system evaluators, assessors, independent verifiers/validators, analysts).

The above roles and responsibilities can be viewed from two distinct perspectives: (i) the federal perspective, as the entity establishing and conveying the CUI security requirements in contractual vehicles or other types of inter-organizational agreements; and (ii) the nonfederal perspective, as the entity responding to and complying with the CUI security requirements set forth in contracts or agreements.

1.3 ORGANIZATION OF THIS SPECIAL PUBLICATION

The remainder of this special publication is organized as follows:

• Chapter Two describes the assumptions and methodology used to develop the CUI security requirements; the format and structure of the requirements; and the tailoring criteria applied to the NIST standards and guidelines to obtain the requirements.
• Chapter Three describes the fourteen families of security requirements for protecting the confidentiality of CUI in nonfederal information systems and organizations.
• Supporting appendices provide additional information related to the protection of CUI in nonfederal information systems and organizations including: (i) general references; (ii) a glossary of definitions and terms; (iii) acronyms used in this publication; (iv) mapping tables relating the CUI security requirements to the security controls in NIST Special Publication 800-53 and ISO/IEC 27001; and (v) an explanation of the tailoring actions employed on the moderate security control baseline.

CHAPTER TWO
THE FUNDAMENTALS
ASSUMPTIONS AND METHODOLOGY FOR DEVELOPING CUI SECURITY REQUIREMENTS

This chapter describes: (i) the basic assumptions and methodology used to develop the security requirements to protect CUI in nonfederal information systems and organizations; and (ii) the structure of the basic and derived CUI requirements and the tailoring criteria applied to the federal information security requirements and controls.

2.1 BASIC ASSUMPTIONS

The CUI security requirements described in this publication have been developed based on three fundamental assumptions:

• Statutory and regulatory requirements for the protection of CUI are consistent, whether such information resides in federal information systems or nonfederal information systems including the environments in which those systems operate;
• Safeguards implemented to protect CUI are consistent in both federal and nonfederal information systems and organizations; and
• The confidentiality impact value for CUI is no lower than moderate[13] in accordance with Federal Information Processing Standards (FIPS) Publication 199.[14]

The above assumptions reinforce the concept that federal information designated as CUI has the same intrinsic value and potential adverse impact if compromised—whether such information resides in a federal or a nonfederal organization. Thus, protecting the confidentiality of CUI is critical to the mission and business success of federal agencies and the economic and national security interests of the nation.

Additional assumptions also impacting the development of the CUI security requirements and the expectation of federal agencies in working with nonfederal entities include:

• Nonfederal organizations have information technology infrastructures in place, and are not necessarily developing or acquiring information systems specifically for the purpose of processing, storing, or transmitting CUI;
• Nonfederal organizations have specific safeguarding measures in place to protect their information which may also be sufficient to satisfy the CUI security requirements;
• Nonfederal organizations can implement a variety of potential security solutions either directly or through the use of managed services, to satisfy CUI security requirements; and
• Nonfederal organizations may not have the necessary organizational structure or resources to satisfy every CUI security requirement and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a particular requirement.

[13] The moderate impact value defined in FIPS Publication 199 may become part of a moderate impact system in FIPS Publication 200, which in turn requires the use of the moderate security control baseline in NIST Special Publication 800-53 as the starting point for tailoring actions.
[14] In accordance with 32 CFR Part 2002, Controlled Unclassified Information, there will be only one level of safeguarding for CUI (i.e., moderate impact for confidentiality) unless federal law, regulation, or governmentwide policy specifies otherwise.
2.2 DEVELOPMENT OF CUI REQUIREMENTS

Security requirements for protecting the confidentiality of CUI in nonfederal information systems and organizations have a well-defined structure that consists of: (i) a basic security requirements section; and (ii) a derived security requirements section. The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53. Starting with the FIPS Publication 200 security requirements and the security controls in the moderate baseline (i.e., the minimum level of protection required for CUI in federal information systems and organizations), the requirements and controls are tailored to eliminate requirements, controls, or parts of controls that are:

• Uniquely federal (i.e., primarily the responsibility of the federal government);
• Not directly related to protecting the confidentiality of CUI; or
• Expected to be routinely satisfied by nonfederal organizations without specification.[15]

Appendix E provides a complete listing of security controls that support the CUI derived security requirements and those controls that have been eliminated from the NIST Special Publication 800-53 moderate baseline based on the CUI tailoring criteria described above. The combination of the basic and derived security requirements captures the intent of FIPS Publication 200 and NIST Special Publication 800-53, with respect to the protection of the confidentiality of CUI in nonfederal information systems and organizations. Appendix D provides informal mappings of the CUI security requirements to the relevant security controls in NIST Special Publication 800-53 and ISO/IEC 27001. The mappings are included to promote a better understanding of the CUI security requirements and are not intended to impose additional requirements on nonfederal organizations.

[15] The CUI requirements developed from the tailored FIPS Publication 200 security requirements and the NIST Special Publication 800-53 moderate security control baseline represent a subset of the safeguarding measures necessary for a comprehensive information security program. The strength and quality of such programs in nonfederal organizations depend on the degree to which the organizations implement the security requirements and controls that are expected to be routinely satisfied without specification by the federal government. This includes implementing security policies, procedures, and practices that support an effective risk-based information security program. Nonfederal organizations are encouraged to refer to Appendix E and Special Publication 800-53 for a complete listing of security controls in the moderate baseline deemed out of scope for the CUI requirements in Chapter Three.

The following example, taken from the Configuration Management family, illustrates the structure of a typical CUI security requirement:

Basic Security Requirements:
- Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
- Establish and enforce security configuration settings for information technology products employed in organizational information systems.

Derived Security Requirements:
- Track, review, approve/disapprove, and audit changes to information systems.
- Analyze the security impact of changes prior to implementation.
- Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.
- Employ the principle of least functionality by configuring the information system to provide only essential capabilities.
- Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.
- Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
- Control and monitor user-installed software.

Parameterization of Requirements

For ease of reading, the requirements in this publication do not include the NIST SP 800-53 use of security control parameters (implemented using assignment and selection statements) indicating the organizational responsibility to define the parameters of a requirement. This parameterization is assumed throughout to be a nonfederal organization's responsibility. For example, requirement 3.1.10, "Use session lock with pattern-hiding displays to prevent access and viewing of data after period of inactivity," can be viewed as "Use session lock with pattern-hiding displays to prevent access and viewing of data after [Assignment: organization-defined time period] of inactivity." The parameters that are defined by nonfederal organizations for the requirements are limited to the parameters available in NIST SP 800-53.

For ease of use, the security requirements are organized into fourteen families. Each family contains the requirements related to the general security topic of the family. The families are closely aligned with the minimum security requirements for federal information and information systems described in FIPS Publication 200. The contingency planning, system and services acquisition, and planning requirements are not included within the scope of this publication due to the aforementioned tailoring criteria.[16] Table 1 lists the security requirement families addressed in this publication.

TABLE 1: SECURITY REQUIREMENT FAMILIES

FAMILY                              | FAMILY
Access Control                      | Media Protection
Awareness and Training              | Personnel Security
Audit and Accountability            | Physical Protection
Configuration Management            | Risk Assessment
Identification and Authentication   | Security Assessment
Incident Response                   | System and Communications Protection
Maintenance                         | System and Information Integrity

[16] Three exceptions include: (i) a requirement to protect the confidentiality of system backups, derived from CP-9 in the contingency planning family; (ii) a requirement to develop and implement a system security plan, derived from PL-2 in the planning family; and (iii) a requirement to implement system security engineering principles, derived from SA-8 in the system and services acquisition family. For convenience, these requirements are included with the CUI media protection, security assessment, and system and communications protection requirements families, respectively.

CHAPTER THREE
THE REQUIREMENTS
SECURITY REQUIREMENTS FOR PROTECTING THE CONFIDENTIALITY OF CUI

This chapter describes fourteen families of security requirements (including basic and derived requirements) for protecting the confidentiality of CUI in nonfederal information systems and organizations.[17] The security controls from NIST Special Publication 800-53 associated with the basic and derived requirements are also listed in Appendix D.[18] Organizations can use Special Publication 800-53 to obtain additional, non-prescriptive information related to the CUI security requirements (e.g., supplemental guidance related to each of the referenced security controls, mapping tables to ISO/IEC security controls, and a catalog of optional controls that can be used to help specify additional CUI requirements, if needed). This information can help clarify or interpret the requirements in the context of mission and business requirements, operational environments, or assessments of risk. Nonfederal organizations can implement a variety of potential security solutions either directly or through the use of managed services, to satisfy CUI security requirements, and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a particular requirement.[19]

Nonfederal organizations describe in a system security plan (SSP) how the CUI requirements are met or how organizations plan to meet the requirements. The SSP describes the boundary of the information system; the operational environment for the system; how the security requirements are implemented; and the relationships with or connections to other systems. When requested, the SSP and any associated plans of action and milestones (POAM) for any planned implementations or mitigations should be submitted to the responsible federal agency or contracting officer to demonstrate the nonfederal organization's implementation or planned implementation of the CUI requirements. Federal agencies may consider the submitted SSPs and POAMs as critical inputs to an overall risk management decision to process, store, or transmit CUI on an information system hosted by a nonfederal organization, and whether or not to pursue an agreement or contract with the nonfederal organization.

The CUI requirements in this publication should be applied to the nonfederal organization's general purpose internal information systems processing, storing, or transmitting CUI. Some specialized systems (e.g., industrial process control systems, medical devices, or Computer Numerical Control machines) may have restrictions or limitations on the application of certain CUI requirements. The system security plan (Requirement 3.12.4) should be used to describe any enduring exceptions to the requirements to accommodate such issues. Other individual, isolated, or temporary deficiencies should be managed through plans of action (Requirement 3.12.2).

[17] While the primary purpose of this publication is to define requirements to protect the confidentiality of CUI, there is a close relationship between confidentiality and integrity since many of the underlying security mechanisms at the information system level support both security objectives. Thus, the integrity requirements (either basic or derived) may have a significant, albeit indirect, effect on the ability of an organization to protect the confidentiality of CUI.
[18] The security control references in Appendix D are included to promote a better understanding of the CUI security requirements. The control references are not intended to impose additional requirements on nonfederal organizations. Moreover, because the security controls were developed for federal agencies, the supplemental guidance associated with those controls may not be applicable to nonfederal organizations.
[19] To promote consistency, transparency, and comparability, compensatory security measures selected by organizations should be based on or derived from existing and recognized security standards and control sets (including, for example, ISO/IEC 27001 or NIST Special Publication 800-53).

3.1 ACCESS CONTROL

Basic Security Requirements:
3.1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
3.1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.

Derived Security Requirements:
3.1.3 Control the flow of CUI in accordance with approved authorizations.
3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
3.1.8 Limit unsuccessful logon attempts.
3.1.9 Provide privacy and security notices consistent with applicable CUI rules.
3.1.10 Use session lock with pattern-hiding displays to prevent access and viewing of data after period of inactivity.
3.1.11 Terminate (automatically) a user session after a defined condition.
3.1.12 Monitor and control remote access sessions.
3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
3.1.14 Route remote access via managed access control points.
3.1.15 Authorize remote execution of privileged commands and remote access to security-relevant information.
3.1.16 Authorize wireless access prior to allowing such connections.
3.1.17 Protect wireless access using authentication and encryption.
3.1.18 Control connection of mobile devices.
3.1.19 Encrypt CUI on mobile devices.
3.1.20 Verify and control/limit connections to and use of external information systems.
3.1.21 Limit use of organizational portable storage devices on external information systems.
3.1.22 Control CUI posted or processed on publicly accessible information systems.

3.2 AWARENESS AND TRAINING

Basic Security Requirements:
3.2.1 Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.
3.2.2 Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.

Derived Security Requirements:
3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat.

3.3 AUDIT AND ACCOUNTABILITY

Basic Security Requirements:
3.3.1 Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
3.3.2 Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.

Derived Security Requirements:
3.3.3 Review and update audited events.
3.3.4 Alert in the event of an audit process failure.
3.3.5 Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
3.3.6 Provide audit reduction and report generation to support on-demand analysis and reporting.
3.3.7 Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
3.3.8 Protect audit information and audit tools from unauthorized access, modification, and deletion.
3.3.9 Limit management of audit functionality to a subset of privileged users.

3.4 CONFIGURATION MANAGEMENT

Basic Security Requirements:
3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational information systems.

Derived Security Requirements:
3.4.3 Track, review, approve/disapprove, and audit changes to information systems.
3.4.4 Analyze the security impact of changes prior to implementation.
3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.
3.4.6 Employ the principle of least functionality by configuring the information system to provide only essential capabilities.
3.4.7 Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.
3.4.8 Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
3.4.9 Control and monitor user-installed software.

3.5 IDENTIFICATION AND AUTHENTICATION

Basic Security Requirements:
3.5.1 Identify information system users, processes acting on behalf of users, or devices.
3.5.2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.

Derived Security Requirements:
3.5.3 Use multifactor authentication[20] for local and network access[21] to privileged accounts and for network access to non-privileged accounts.
3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
3.5.5 Prevent reuse of identifiers for a defined period.
3.5.6 Disable identifiers after a defined period of inactivity.
3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created.
3.5.8 Prohibit password reuse for a specified number of generations.
3.5.9 Allow temporary password use for system logons with an immediate change to a permanent password.
3.5.10 Store and transmit only cryptographically-protected passwords.
3.5.11 Obscure feedback of authentication information.

[20] Multifactor authentication requires two or more different factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric). The requirement for multifactor authentication should not be interpreted as requiring federal Personal Identity Verification (PIV) card or Department of Defense Common Access Card (CAC)-like solutions. A variety of multifactor solutions (including those with replay resistance) using tokens and biometrics are commercially available. Such solutions may employ hard tokens (e.g., smartcards, key fobs, or dongles) or soft tokens to store user credentials.
[21] Local access is any access to an information system by a user (or process acting on behalf of a user) communicating through a direct connection without the use of a network. Network access is any access to an information system by a user (or a process acting on behalf of a user) communicating through a network (e.g., local area network, wide area network, Internet).

3.6 INCIDENT RESPONSE

Basic Security Requirements:
3.6.1 Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
3.6.2 Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.

Derived Security Requirements:
3.6.3 Test the organizational incident response capability.

3.7 MAINTENANCE

Basic Security Requirements:
3.7.1 Perform maintenance on organizational information systems.[22]
3.7.2 Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.

Derived Security Requirements:
3.7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI.
3.7.4 Check media containing diagnostic and test programs for malicious code before the media are used in the information system.
3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
3.7.6 Supervise the maintenance activities of maintenance personnel without required access authorization.

3.8 MEDIA PROTECTION

Basic Security Requirements:
3.8.1 Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.
3.8.2 Limit access to CUI on information system media to authorized users.
3.8.3 Sanitize or destroy information system media containing CUI before disposal or release for reuse.

Derived Security Requirements:
3.8.4 Mark media with necessary CUI markings and distribution limitations.[23]
3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
3.8.7 Control the use of removable media on information system components.
3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner.
3.8.9 Protect the confidentiality of backup CUI at storage locations.

3.9 PERSONNEL SECURITY

Basic Security Requirements:
3.9.1 Screen individuals prior to authorizing access to information systems containing CUI.
3.9.2 Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.

Derived Security Requirements:
None.

[22] In general, system maintenance requirements tend to support the security objective of availability. However, improper system maintenance or a failure to perform maintenance can result in the unauthorized disclosure of CUI, thus compromising confidentiality of that information.
[23] The implementation of this requirement is informed by the CUI federal regulation and marking guidance in the CUI Registry.

3.10 PHYSICAL PROTECTION

Basic Security Requirements:
3.10.1 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
3.10.2 Protect and monitor the physical facility and support infrastructure for those information systems.

Derived Security Requirements:
3.10.3 Escort visitors and monitor visitor activity.
3.10.4 Maintain audit logs of physical access.
3.10.5 Control and manage physical access devices.
3.10.6 Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites).

3.11 RISK ASSESSMENT

Basic Security Requirements:
3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.

Derived Security Requirements:
3.11.2 Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified.
3.11.3 Remediate vulnerabilities in accordance with assessments of risk.

3.12 SECURITY ASSESSMENT

Basic Security Requirements:
3.12.1 Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application.
3.12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.
3.12.3 Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
3.12.4 Develop, document, periodically update, and implement system security plans for organizational information systems that describe the security requirements in place or planned for the systems.

Derived Security Requirements:
None.

3.13 SYSTEM AND COMMUNICATIONS PROTECTION

Basic Security Requirements:
3.13.1 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.

Derived Security Requirements:
3.13.3 Separate user functionality from information system management functionality.
3.13.4 Prevent unauthorized and unintended information transfer via shared system resources.
3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
3.13.7 Prevent remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks.
3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
3.13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
3.13.10 Establish and manage cryptographic keys for cryptography employed in the information system.
3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
3.13.12 Prohibit remote activation[24] of collaborative computing devices and provide indication of devices in use to users present at the device.
3.13.13 Control and monitor the use of mobile code.
3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
3.13.15 Protect the authenticity of communications sessions.
3.13.16 Protect the confidentiality of CUI at rest.

3.14 SYSTEM AND INFORMATION INTEGRITY

Basic Security Requirements:
3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
3.14.3 Monitor information system security alerts and advisories and take appropriate actions in response.

Derived Security Requirements:
3.14.4 Update malicious code protection mechanisms when new releases are available.
3.14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
3.14.6 Monitor the information system, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
3.14.7 Identify unauthorized use of the information system.

[24] Dedicated video conferencing systems, which rely on one of the participants calling or connecting to the other party to activate the video conference, are excluded.
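As an added example (not from the publication or from any NIST or NARA tool), the following Python sketch ties together the Chapter 2 parameterization convention and the Chapter 3 rule for where unmet requirements are recorded: it substitutes organization-defined values into a requirement's "[Assignment: organization-defined ...]" placeholders, and sorts a constructed inventory of implementation statuses into SSP enduring exceptions (Requirement 3.12.4), plan-of-action items (Requirement 3.12.2), and compensating measures lacking a recognized basis (footnote 19). Requirement identifiers and text are the publication's; the `Status` record, the `RECOGNIZED_BASES` set, and the sample inventory values are assumptions.

```python
"""Added example, not part of SP 800-171 or any NIST/NARA tool.

Requirement identifiers and text come from the publication; the Status
record, the RECOGNIZED_BASES set and the sample inventory are constructed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# SP 800-53 writes organization-defined parameters as
# "[Assignment: organization-defined <name>]"; SP 800-171 omits them for readability.
ASSIGNMENT = re.compile(r"\[Assignment: organization-defined ([^\]]+)\]")

# Footnote 19: compensating measures should derive from a recognized control set.
# The exact set an organization accepts is an assumption here.
RECOGNIZED_BASES = {"NIST SP 800-53", "ISO/IEC 27001"}


@dataclass(frozen=True)
class Requirement:
    ident: str   # e.g. "3.1.10"
    family: str  # e.g. "Access Control"
    kind: str    # "basic" or "derived"
    text: str    # may carry [Assignment: ...] placeholders


@dataclass(frozen=True)
class Status:
    """Constructed implementation record for one requirement on one system."""
    ident: str
    implemented: bool
    enduring: bool = False            # limitation of the system itself (e.g. a CNC machine)
    compensating: str | None = None   # alternative, equally effective measure, if any
    basis: str | None = None          # control set the compensating measure derives from


def missing_parameters(req: Requirement, params: dict[str, str]) -> list[str]:
    """Names of organization-defined parameters the SSP has not yet supplied."""
    return [m.group(1).strip() for m in ASSIGNMENT.finditer(req.text)
            if m.group(1).strip() not in params]


def parameterize(req: Requirement, params: dict[str, str]) -> str:
    """Rewrite the requirement text with the organization's chosen values filled in."""
    missing = missing_parameters(req, params)
    if missing:
        raise KeyError(f"{req.ident}: undefined parameter(s) {missing}")
    return ASSIGNMENT.sub(lambda m: params[m.group(1).strip()], req.text)


def classify(statuses: list[Status]) -> dict[str, list[str]]:
    """Route each requirement to where Chapter 3 says it is recorded.

    implemented      -> SSP, as a met requirement
    compensated      -> SSP, as met by an alternative measure with a recognized basis
    ssp_exception    -> SSP, enduring exception for a system that cannot apply it (3.12.4)
    poam             -> plan of action and milestones for a temporary deficiency (3.12.2)
    unsupported_basis-> compensating measure cites no recognized control set; the
                        requirement is still treated as unmet and routed as above
    """
    out: dict[str, list[str]] = {k: [] for k in
        ("implemented", "compensated", "ssp_exception", "poam", "unsupported_basis")}
    for s in statuses:
        if s.implemented:
            out["implemented"].append(s.ident)
            continue
        if s.compensating is not None:
            if s.basis in RECOGNIZED_BASES:
                out["compensated"].append(s.ident)
                continue
            out["unsupported_basis"].append(s.ident)
        out["ssp_exception" if s.enduring else "poam"].append(s.ident)
    return out


REQ_3_1_10 = Requirement("3.1.10", "Access Control", "derived",
    "Use session lock with pattern-hiding displays to prevent access and viewing "
    "of data after [Assignment: organization-defined time period] of inactivity.")

# Constructed inventory for one hypothetical system boundary.
SAMPLE_STATUSES = [
    Status("3.1.10", implemented=True),
    Status("3.1.8", implemented=False),                   # lockout threshold not yet set
    Status("3.13.11", implemented=False, enduring=True),  # CNC controller lacks a FIPS module
    Status("3.5.3", implemented=False, compensating="MFA enforced at the jump host",
           basis="NIST SP 800-53"),
    Status("3.3.7", implemented=False, compensating="manual clock checks",
           basis="vendor note"),                          # not a recognized control set
]

if __name__ == "__main__":
    print(parameterize(REQ_3_1_10, {"time period": "15 minutes"}))
    for bucket, idents in classify(SAMPLE_STATUSES).items():
        print(f"{bucket:>18}: {', '.join(idents) or '-'}")
```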
NARA CUI Requirements and the FAR Clause

Executive Order 13556, Controlled Unclassified Information, November 4, 2010, established the CUI Program and designated the National Archives and Records Administration (NARA) as its Executive Agent to implement the Order and to oversee agency actions to ensure compliance with the Order. Regarding contractors, the CUI Executive Agent anticipates establishing a single Federal Acquisition Regulation (FAR) clause in 2017 to apply the requirements of NIST Special Publication 800-171 to the contractor environment, as well as to determine oversight responsibilities and requirements. The CUI Executive Agent also addresses its oversight of federal agencies in 32 CFR Part 2002. Approaches to federal oversight will be determined through the uniform CUI FAR clause, future understandings, and any agreements between federal agencies and their nonfederal information-sharing partners.

APPENDIX A
REFERENCES
LAWS, EXECUTIVE ORDERS, REGULATIONS, INSTRUCTIONS, STANDARDS, AND GUIDELINES[25]

LEGISLATION, EXECUTIVE ORDERS, AND REGULATIONS

1. Federal Information Security Modernization Act of 2014 (P.L. 113-283), December 2014.
   http://www.gpo.gov/fdsys/pkg/PLAW-113publ283/pdf/PLAW-113publ283.pdf
2. Executive Order 13556, Controlled Unclassified Information, November 2010.
   http://www.gpo.gov/fdsys/pkg/FR-2010-11-09/pdf/2010-28360.pdf
3. Executive Order 13636, Improving Critical Infrastructure Cybersecurity, February 2013.
   http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf
4. 32 CFR Part 2002, Controlled Unclassified Information (Final to be published in 2016).

STANDARDS, GUIDELINES, AND INSTRUCTIONS

1. National Institute of Standards and Technology Federal Information Processing Standards Publication 199 (as amended), Standards for Security Categorization of Federal Information and Information Systems.
   http://csrc.nist.gov/publications/fips/fips199/FIPS-PUB-199-final.pdf
2. National Institute of Standards and Technology Federal Information Processing Standards Publication 200 (as amended), Minimum Security Requirements for Federal Information and Information Systems.
   http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf
3. National Institute of Standards and Technology Special Publication 800-53 (as amended), Security and Privacy Controls for Federal Information Systems and Organizations.
   http://dx.doi.org/10.6028/NIST.SP.800-53r4
4. National Institute of Standards and Technology Special Publication 800-60 (as amended), Guide for Mapping Types of Information and Information Systems to Security Categories, Volume 1.
   http://dx.doi.org/10.6028/NIST.SP.800-60v1r1
5. National Institute of Standards and Technology Special Publication 800-60 (as amended), Guide for Mapping Types of Information and Information Systems to Security Categories, Volume 2.
   http://dx.doi.org/10.6028/NIST.SP.800-60v2r1
6. National Institute of Standards and Technology, Framework for Improving Critical Infrastructure Cybersecurity (as amended).
   http://www.nist.gov/cyberframework
7. International Organization for Standardization/International Electrotechnical Commission, ISO/IEC 27001:2013, Information technology -- Security techniques -- Information security management systems -- Requirements, September 2013.

[25] References in this section without specific publication dates or revision numbers are assumed to refer to the most recent updates to those publications.
________________________________________________________________________________________________ 8 International Organization for Standardization International Electrotechnical Commission ISO IEC 27002 2013 Information technology -- Security techniques -- Code of practice for information security controls September 2013 9 Committee on National Security Systems Instruction 4009 as amended National Information Assurance Glossary https www cnss gov OTHER RESOURCES 1 National Archives and Records Administration Controlled Unclassified Information Registry http www archives gov cui registry category-list html APPENDIX A PAGE 17 Draft Special Publication 800-171 Revision 1 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations ________________________________________________________________________________________________ APPENDIX B GLOSSARY COMMON TERMS AND DEFINITIONS Appendix B provides definitions for security terminology used within Special Publication 800171 Unless specifically defined in this glossary all terms used in this publication are consistent with the definitions contained in CNSS Instruction 4009 National Information Assurance Glossary agency See executive agency assessment See Security Control Assessment assessor See Security Control Assessor audit log CNSSI 4009 A chronological record of information system activities including records of system accesses and operations performed in a given period audit record An individual entry in an audit log related to an audited event authentication FIPS 200 Verifying the identity of a user process or device often as a prerequisite to allowing access to resources in an information system availability Ensuring timely and reliable access to and use of information 44 U S C Sec 3542 baseline configuration A documented set of specifications for an information system or a configuration item within a system that has been formally reviewed and agreed on at a given point in time and 
which can be changed only through change control procedures blacklisting The process used to identify i software programs that are not authorized to execute on an information system or ii prohibited Universal Resource Locators URL websites confidentiality Preserving authorized restrictions on information access and disclosure including means for protecting personal privacy and proprietary information 44 U S C Sec 3542 configuration management A collection of activities focused on establishing and maintaining the integrity of information technology products and information systems through control of processes for initializing changing and monitoring the configurations of those products and systems throughout the system development life cycle configuration settings The set of parameters that can be changed in hardware software or firmware that affect the security posture and or functionality of the information system APPENDIX B PAGE 18 Draft Special Publication 800-171 Revision 1 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations ________________________________________________________________________________________________ controlled area CNSSI 4009 controlled unclassified information E O 13556 Any area or space for which the organization has confidence that the physical and procedural protections provided are sufficient to meet the requirements established for protecting the information and or information system Information that law regulation or governmentwide policy requires to have safeguarding or disseminating controls excluding information that is classified under Executive Order 13526 Classified National Security Information December 29 2009 or any predecessor or successor order or the Atomic Energy Act of 1954 as amended CUI categories or subcategories Those types of information for which laws regulations or governmentwide policies require or permit agencies to exercise safeguarding or dissemination controls 
and which the CUI Executive Agent has approved and listed in the CUI Registry CUI Executive Agent The National Archives and Records Administration NARA which implements the executive branch-wide CUI Program and oversees federal agency actions to comply with Executive Order 13556 NARA has delegated this authority to the Director of the Information Security Oversight Office ISOO CUI program The executive branch-wide program to standardize CUI handling by all federal agencies The program includes the rules organization and procedures for CUI established by Executive Order 13556 32 CFR Part 2002 and the CUI Registry CUI registry The online repository for all information guidance policy and requirements on handling CUI including everything issued by the CUI Executive Agent other than 32 CFR Part 2002 Among other information the CUI Registry identifies all approved CUI categories and subcategories provides general descriptions for each identifies the basis for controls establishes markings and includes guidance on handling procedures environment of operation The physical surroundings in which an information system processes stores and transmits information NIST SP 800-37 executive agency 41 U S C Sec 403 external information system or component APPENDIX B An executive department specified in 5 U S C Sec 105 a military department specified in 5 U S C Sec 102 an independent establishment as defined in 5 U S C Sec 104 1 and a wholly owned Government corporation fully subject to the provisions of 31 U S C Chapter 91 An information system or component of an information system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness PAGE 19 Draft Special Publication 800-171 Revision 1 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations 
________________________________________________________________________________________________ external information system service An information system service that is implemented outside of the authorization boundary of the organizational information system i e a service that is used by but not a part of the organizational information system and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness external information system service provider A provider of external information system services to an organization through a variety of consumer-producer relationships including but not limited to joint ventures business partnerships outsourcing arrangements i e through contracts interagency agreements lines of business arrangements licensing agreements and or supply chain exchanges external network A network not controlled by the organization federal agency See executive agency federal information system An information system used or operated by an executive agency by a contractor of an executive agency or by another organization on behalf of an executive agency 40 U S C Sec 11331 FIPS-validated cryptography A cryptographic module validated by the Cryptographic Module Validation Program CMVP to meet requirements specified in FIPS Publication 140-2 as amended As a prerequisite to CMVP validation the cryptographic module is required to employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program CAVP See NSA-Approved Cryptography firmware Computer programs and data stored in hardware - typically in read-only memory ROM or programmable read-only memory PROM - such that the programs and data cannot be dynamically written or modified during execution of the programs CNSSI 4009 hardware CNSSI 4009 identifier CNSSI 4009 The physical components of an information system See Software 
and Firmware Unique data used to represent a person’s identity and associated attributes A name or a card number are examples of identifiers A unique label used by an information system to indicate a specific entity object or group impact The effect on organizational operations organizational assets individuals other organizations or the Nation including the national security interests of the United States of a loss of confidentiality integrity or availability of information or an information system impact value The assessed potential impact resulting from a compromise of the confidentiality of information e g CUI expressed as a value of low moderate or high APPENDIX B PAGE 20 Draft Special Publication 800-171 Revision 1 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations ________________________________________________________________________________________________ incident FIPS 200 information CNSSI 4009 information flow control CNSSI 4009 information resources 44 U S C Sec 3502 information security 44 U S C Sec 3542 information system 44 U S C Sec 3502 information system component NIST SP 800-128 Adapted An occurrence that actually or potentially jeopardizes the confidentiality integrity or availability of an information system or the information the system processes stores or transmits or that constitutes a violation or imminent threat of violation of security policies security procedures or acceptable use policies Any communication or representation of knowledge such as facts data or opinions in any medium or form including textual numerical graphic cartographic narrative or audiovisual Procedure to ensure that information transfers within an information system are not made in violation of the security policy Information and related resources such as personnel equipment funds and information technology The protection of information and information systems from unauthorized access use disclosure disruption 
modification or destruction in order to provide confidentiality integrity and availability A discrete set of information resources organized for the collection processing maintenance use sharing dissemination or disposition of information A discrete identifiable information technology asset e g hardware software firmware that represents a building block of an information system Information system components include commercial information technology products information system service A capability provided by an information system that facilitates information processing storage or transmission information technology Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition storage manipulation management movement control display switching interchange transmission or reception of data or information by the executive agency For purposes of the preceding sentence equipment is used by an executive agency if the equipment is used by the executive agency directly or is used by a contractor under a contract with the executive agency which i requires the use of such equipment or ii requires the use to a significant extent of such equipment in the performance of a service or the furnishing of a product The term information technology includes computers ancillary equipment software firmware and similar procedures services including support services and related resources 40 U S C Sec 1401 insider threat CNSSI 4009 APPENDIX B The threat that an insider will use her his authorized access wittingly or unwittingly to do harm to the security of the United States This threat can include damage to the United States through espionage terrorism unauthorized disclosure or through the loss or degradation of departmental resources or capabilities PAGE 21 Draft Special Publication 800-171 Revision 1 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations 
________________________________________________________________________________________________ integrity 44 U S C Sec 3542 Guarding against improper information modification or destruction and includes ensuring information non-repudiation and authenticity internal network A network where i the establishment maintenance and provisioning of security controls are under the direct control of organizational employees or contractors or ii cryptographic encapsulation or similar security technology implemented between organization-controlled endpoints provides the same effect at least with regard to confidentiality and integrity An internal network is typically organization-owned yet may be organization-controlled while not being organization-owned least privilege The principle that a security architecture should be designed so that each entity is granted the minimum system resources and authorizations that the entity needs to perform its function CNSSI 4009 local access Access to an organizational information system by a user or process acting on behalf of a user communicating through a direct connection without the use of a network malicious code Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality integrity or availability of an information system A virus worm Trojan horse or other code-based entity that infects a host Spyware and some forms of adware are also examples of malicious code media Physical devices or writing surfaces including but not limited to magnetic tapes optical disks magnetic disks Large-Scale Integration LSI memory chips and printouts but not including display media onto which information is recorded stored or printed within an information system FIPS 200 mobile code Software programs or parts of programs obtained from remote information systems transmitted across a network and executed on a local information system without explicit installation or execution by the recipient mobile 
device A portable computing device that i has a small form factor such that it can easily be carried by a single individual ii is designed to operate without a physical connection e g wirelessly transmit or receive information iii possesses local nonremovable or removable data storage and iv includes a self-contained power source Mobile devices may also include voice communication capabilities on-board sensors that allow the devices to capture information and or built-in features for synchronizing local data with remote locations Examples include smartphones tablets and E-readers APPENDIX B PAGE 22 Draft Special Publication 800-171 Revision 1 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations ________________________________________________________________________________________________ multifactor authentication Authentication using two or more different factors to achieve authentication Factors include i something you know e g password PIN ii something you have e g cryptographic identification device token or iii something you are e g biometric See Authenticator nonfederal information system An information system that does not meet the criteria for a federal information system nonfederal organization An entity that owns operates or maintains a nonfederal information system network Information system s implemented with a collection of interconnected components Such components may include routers hubs cabling telecommunications controllers key distribution centers and technical control devices CNSSI 4009 network access Access to an information system by a user or a process acting on behalf of a user communicating through a network e g local area network wide area network Internet nonlocal maintenance Maintenance activities conducted by individuals communicating through a network either an external network e g the Internet or an internal network on behalf of an agency A situation that occurs when i a non-executive 
branch entity uses or operates an information system or maintains or collects information for the purpose of processing storing or transmitting Federal information and ii those activities are not incidental to providing a service or product to the government 32 CFR Part 2002 organization FIPS 200 Adapted An entity of any size complexity or positioning within an organizational structure portable storage device An information system component that can be inserted into and removed from an information system and that is used to store data or information e g text video audio and or image data Such components are typically implemented on magnetic optical or solid state devices e g floppy disks compact digital video disks flash thumb drives external hard disk drives and flash memory cards drives that contain nonvolatile memory potential impact The loss of confidentiality integrity or availability could be expected to have i a limited adverse effect FIPS Publication 199 low ii a serious adverse effect FIPS Publication 199 moderate or iii a severe or catastrophic adverse effect FIPS Publication 199 high on organizational operations organizational assets or individuals FIPS 199 privileged account An information system account with authorizations of a privileged user privileged user A user that is authorized and therefore trusted to perform security-relevant functions that ordinary users are not authorized to perform CNSSI 4009 APPENDIX B PAGE 23 Draft Special Publication 800-171 Revision 1 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations ________________________________________________________________________________________________ records The recordings automated and or manual of evidence of activities performed or results achieved e g forms reports test results which serve as a basis for verifying that the organization and the information system are performing as intended Also used to refer to units of related data fields 
i e groups of data fields that can be accessed by a program and that contain the complete set of information on particular items remote access Access to an organizational information system by a user or a process acting on behalf of a user communicating through an external network e g the Internet remote maintenance Maintenance activities conducted by individuals communicating through an external network e g the Internet replay resistance Protection against the capture of transmitted authentication or access control information and its subsequent retransmission with the intent of producing an unauthorized effect or gaining unauthorized access risk A measure of the extent to which an entity is threatened by a potential circumstance or event and typically a function of i the adverse impacts that would arise if the circumstance or event occurs and ii the likelihood of occurrence Information system-related security risks are those risks that arise from the loss of confidentiality integrity or availability of information or information systems and reflect the potential adverse impacts to organizational operations including mission functions image or reputation organizational assets individuals other organizations and the Nation FIPS 200 Adapted risk assessment The process of identifying risks to organizational operations including mission functions image reputation organizational assets individuals other organizations and the Nation resulting from the operation of an information system Part of risk management incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place Synonymous with risk analysis sanitization Actions taken to render data written on media unrecoverable by both ordinary and for some forms of sanitization extraordinary means Process to remove information from media such that data recovery is not possible It includes removing all classified labels markings and activity logs security A condition 
that results from the establishment and maintenance of protective measures that enable an enterprise to perform its mission or critical functions despite risks posed by threats to its use of information systems Protective measures may involve a combination of deterrence avoidance prevention detection recovery and correction that should form part of the enterprise’s risk management approach CNSSI 4009 APPENDIX B PAGE 24 Draft Special Publication 800-171 Revision 1 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations ________________________________________________________________________________________________ security assessment See Security Control Assessment security control A safeguard or countermeasure prescribed for an information system or an organization designed to protect the confidentiality integrity and availability of its information and to meet a set of defined security requirements FIPS 199 Adapted security control assessment CNSSI 4009 Adapted The testing or evaluation of security controls to determine the extent to which the controls are implemented correctly operating as intended and producing the desired outcome with respect to meeting the security requirements for an information system or organization security functionality The security-related features functions mechanisms services procedures and architectures implemented within organizational information systems or the environments in which those systems operate security functions The hardware software and or firmware of the information system responsible for enforcing the system security policy and supporting the isolation of code and data on which the protection is based security relevance Functions or mechanisms that are relied upon directly or indirectly to enforce a security policy that governs confidentiality integrity and availability protections split tunneling The process of allowing a remote user device to simultaneously establish a 
non-remote connection with an information system and communicate via some other connection to a resource in an external network This method of network access enables a user to access remote devices e g a networked printer at the same time as accessing uncontrolled networks supplemental guidance Statements used to provide additional explanatory information for security controls or security control enhancements system See Information System system security plan Formal document that provides an overview of the security requirements for an information system and describes the security controls in place or planned for meeting those requirements NIST SP 800-18 threat CNSSI 4009 Adapted user CNSSI 4009 adapted whitelisting APPENDIX B Any circumstance or event with the potential to adversely impact organizational operations including mission functions image or reputation organizational assets individuals other organizations or the Nation through an information system via unauthorized access destruction disclosure modification of information and or denial of service Individual or system process acting on behalf of an individual authorized to access an information system The process used to identify i software programs that are authorized to execute on an information system or ii authorized Universal Resource Locators URL websites PAGE 25 Draft Special Publication 800-171 Revision 1 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations ________________________________________________________________________________________________ wireless technology CNSSI 4009 APPENDIX B Technology that permits the transfer of information between separated points without physical connection PAGE 26 Draft Special Publication 800-171 Revision 1 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations ________________________________________________________________________________________________ APPENDIX C 
ACRONYMS COMMON ABBREVIATIONS CFR Code of Federal Regulations CIO Chief Information Officer CNSS Committee on National Security Systems CUI Controlled Unclassified Information FIPS Federal Information Processing Standards FISMA Federal Information Security Modernization Act ISO IEC International Organization for Standardization International Electrotechnical Commission ISOO Information Security Oversight Office ITL Information Technology Laboratory NARA National Archives and Records Administration NFO Nonfederal Organization NIST National Institute of Standards and Technology OMB Office of Management and Budget POAM Plan of Action and Milestones SP Special Publication SSP System Security Plan APPENDIX C PAGE 27 Draft Special Publication 800-171 Revision 1 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations ________________________________________________________________________________________________ APPENDIX D MAPPING TABLES MAPPING CUI SECURITY REQUIREMENTS TO SECURITY CONTROLS Tables D-1 through D-14 provide an informal mapping of the CUI security requirements to the relevant security controls in NIST Special Publication 800-53 The mapping tables are included for informational purposes only and are not intended to convey or impart any additional CUI security requirements beyond those requirements defined in Chapter Three Moreover because the security controls were developed for federal agencies the supplemental guidance associated with those controls may not be applicable to nonfederal organizations In some cases the relevant security controls include additional expectations beyond those required to protect CUI and have been tailored using the criteria in Chapter Two Only the portion of the security control relevant to the CUI security requirement is applicable The tables also include a secondary mapping of the security controls from Special Publication 800-53 to the relevant controls in ISO IEC 27001 Annex A The 
NIST to ISO IEC mapping is obtained from Special Publication 800-53 Appendix H An asterisk indicates that the ISO IEC control does not fully satisfy the intent of the NIST control It is also important to note that due to the tailoring for CUI satisfaction of a basic or derived security requirement does not mean that the corresponding security control or control enhancement from NIST Special Publication 800-53 has been met since certain elements of the control or control enhancement that are not essential to protecting the confidentiality of CUI are not reflected in those requirements Organizations that have implemented or plan to implement the NIST Framework for Improving Critical Infrastructure Cybersecurity can use the mapping of the CUI security requirements to the security controls in NIST Special Publication 800-53 and ISO IEC 27001 to locate the equivalent controls in the categories and subcategories associated with the core functions of the Framework identify protect detect respond and recover The security control mapping information can be useful to organizations that wish to demonstrate compliance to the CUI security requirements in the context of their established information security programs when such programs have been built around the NIST or ISO IEC security controls APPENDIX D PAGE 28 Draft Special Publication 800-171 Revision 1 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations ________________________________________________________________________________________________ Table D-1 Mapping Access Control Requirements to Security Controls CUI SECURITY REQUIREMENTS NIST SP 800-53 Relevant Security Controls ISO IEC 27001 Relevant Security Controls 3 1 ACCESS CONTROL Basic Security Requirements 3 1 1 3 1 2 Limit information system access to authorized users processes acting on behalf of authorized users or devices including other information systems Limit information system access to the types of 
Draft Special Publication 800-171 Revision 1, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations (Appendix D, page 29)

Table D-1 (continued): Mapping Access Control Requirements to Security Controls
(columns: CUI security requirement; NIST SP 800-53 relevant security controls; ISO/IEC 27001 relevant security controls, listed under each SP 800-53 control)

3.1.2 (continued) ...transactions and functions that authorized users are permitted to execute.
    AC-2 Account Management
        A.9.2.1 User registration and de-registration
        A.9.2.2 User access provisioning
        A.9.2.3 Management of privileged access rights
        A.9.2.5 Review of user access rights
        A.9.2.6 Removal or adjustment of access rights
    AC-3 Access Enforcement
        A.6.2.2 Teleworking
        A.9.1.2 Access to networks and network services
        A.9.4.1 Information access restriction
        A.9.4.4 Use of privileged utility programs
        A.9.4.5 Access control to program source code
        A.13.1.1 Network controls
        A.14.1.2 Securing application services on public networks
        A.14.1.3 Protecting application services transactions
        A.18.1.3 Protection of records
    AC-17 Remote Access
        A.6.2.1 Mobile device policy
        A.6.2.2 Teleworking
        A.13.1.1 Network controls
        A.13.2.1 Information transfer policies and procedures
        A.14.1.2 Securing application services on public networks

Derived Security Requirements

3.1.3 Control the flow of CUI in accordance with approved authorizations.
    AC-4 Information Flow Enforcement
        A.13.1.3 Segregation in networks
        A.13.2.1 Information transfer policies and procedures
        A.14.1.2 Securing application services on public networks
        A.14.1.3 Protecting application services transactions

3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
    AC-5 Separation of Duties
        A.6.1.2 Segregation of duties

3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
    AC-6 Least Privilege
        A.9.1.2 Access to networks and network services
        A.9.2.3 Management of privileged access rights
        A.9.4.4 Use of privileged utility programs
        A.9.4.5 Access control to program source code
    AC-6(1) Least Privilege | Authorize Access to Security Functions
        No direct mapping
    AC-6(5) Least Privilege | Privileged Accounts
        No direct mapping

3.1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
    AC-6(2) Least Privilege | Non-Privileged Access for Nonsecurity Functions
        No direct mapping

3.1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
    AC-6(9) Least Privilege | Auditing Use of Privileged Functions
        No direct mapping
    AC-6(10) Least Privilege | Prohibit Non-Privileged Users from Executing Privileged Functions
        No direct mapping

3.1.8 Limit unsuccessful logon attempts.
    AC-7 Unsuccessful Logon Attempts
        A.9.4.2 Secure logon procedures

3.1.9 Provide privacy and security notices consistent with applicable CUI rules.
    AC-8 System Use Notification
        A.9.4.2 Secure logon procedures

3.1.10 Use session lock with pattern-hiding displays to prevent access/viewing of data after a period of inactivity.
    AC-11 Session Lock
        A.11.2.8 Unattended user equipment
        A.11.2.9 Clear desk and clear screen policy
    AC-11(1) Session Lock | Pattern-Hiding Displays
        No direct mapping

3.1.11 Terminate (automatically) a user session after a defined condition.
    AC-12 Session Termination
        No direct mapping

3.1.12 Monitor and control remote access sessions.
    AC-17(1) Remote Access | Automated Monitoring/Control
        No direct mapping

3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
    AC-17(2) Remote Access | Protection of Confidentiality/Integrity Using Encryption
        No direct mapping

3.1.14 Route remote access via managed access control points.
    AC-17(3) Remote Access | Managed Access Control Points
        No direct mapping

3.1.15 Authorize remote execution of privileged commands and remote access to security-relevant information.
    AC-17(4) Remote Access | Privileged Commands/Access
        No direct mapping

3.1.16 Authorize wireless access prior to allowing such connections.
    AC-18 Wireless Access
        A.6.2.1 Mobile device policy
        A.13.1.1 Network controls
        A.13.2.1 Information transfer policies and procedures

3.1.17 Protect wireless access using authentication and encryption.
    AC-18(1) Wireless Access | Authentication and Encryption
        No direct mapping

3.1.18 Control connection of mobile devices.
    AC-19 Access Control for Mobile Devices
        A.6.2.1 Mobile device policy
        A.11.2.6 Security of equipment and assets off-premises
        A.13.2.1 Information transfer policies and procedures

3.1.19 Encrypt CUI on mobile devices.
    AC-19(5) Access Control for Mobile Devices | Full Device/Container-Based Encryption
        No direct mapping

3.1.20 Verify and control/limit connections to and use of external information systems.
    AC-20 Use of External Information Systems
        A.11.2.6 Security of equipment and assets off-premises
        A.13.1.1 Network controls
        A.13.2.1 Information transfer policies and procedures
    AC-20(1) Use of External Information Systems | Limits on Authorized Use
        No direct mapping

3.1.21 Limit use of organizational portable storage devices on external information systems.
    AC-20(2) Use of External Information Systems | Portable Storage Devices
        No direct mapping

3.1.22 Control CUI posted or processed on publicly accessible information systems.
    AC-22 Publicly Accessible Content
        No direct mapping
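The Access Control rows above name mechanisms rather than describe them. The block below is an added example, not text or code from NIST SP 800-171 or from NIST; it shows how three of those requirements look when implemented together in one small login/session controller: a lockout after a defined number of unsuccessful logon attempts (3.1.8, AC-7), termination of a session after a defined idle period (3.1.11, AC-12), and denial plus audit of privileged-function execution by non-privileged users (3.1.7, AC-6(9)/(10)). Passwords are stored only as salted PBKDF2 digests, which is the usual way to meet 3.5.10 in Table D-5. The thresholds (3 attempts, 15-minute lockout, 10-minute idle timeout), the role names and the in-memory user store are assumptions for the demonstration, not values the publication prescribes.

```python
# Added example, not part of NIST SP 800-171. Implements, with assumed
# thresholds, three Access Control requirements from Table D-1:
#   3.1.8  limit unsuccessful logon attempts (lockout after N failures)
#   3.1.11 terminate a user session after a defined condition (idle timeout)
#   3.1.7  prevent non-privileged users from executing privileged functions
#          and audit every such attempt, allowed or denied
import hashlib
import hmac
import os
import secrets

MAX_FAILED_ATTEMPTS = 3       # assumption: the AC-7 "defined number" of failures
LOCKOUT_SECONDS = 900         # assumption: 15-minute lockout once the threshold is hit
IDLE_TIMEOUT_SECONDS = 600    # assumption: the AC-12 "defined condition" is 10 minutes idle
_DUMMY_SALT = b"\x00" * 16    # unknown users are hashed too, so timing does not reveal them


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Only (salt, digest) is ever stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


class AccessController:
    def __init__(self):
        self.users = {}      # name -> {"salt", "digest", "privileged"}
        self.failures = {}   # name -> [consecutive_failures, locked_until]
        self.sessions = {}   # token -> {"user", "last_activity"}
        self.audit = []      # (time, user, event, outcome); the AC-6(9) audit trail

    def add_user(self, name, password, privileged=False):
        salt, digest = hash_password(password)
        self.users[name] = {"salt": salt, "digest": digest, "privileged": privileged}

    def login(self, name, password, now):
        """Return a session token, or None. `now` is seconds (injected for testability)."""
        count, locked_until = self.failures.get(name, [0, 0])
        if now < locked_until:                       # 3.1.8: locked accounts are refused
            self.audit.append((now, name, "login", "denied: locked"))
            return None
        user = self.users.get(name)
        salt = user["salt"] if user is not None else _DUMMY_SALT
        _, digest = hash_password(password, salt)
        ok = user is not None and hmac.compare_digest(digest, user["digest"])
        if not ok:
            count += 1
            if count >= MAX_FAILED_ATTEMPTS:
                self.failures[name] = [0, now + LOCKOUT_SECONDS]
                self.audit.append((now, name, "login", "denied: lockout triggered"))
            else:
                self.failures[name] = [count, 0]
                self.audit.append((now, name, "login", "denied: bad credentials"))
            return None
        self.failures.pop(name, None)                # success resets the failure count
        token = secrets.token_hex(16)
        self.sessions[token] = {"user": name, "last_activity": now}
        self.audit.append((now, name, "login", "ok"))
        return token

    def session_user(self, token, now):
        """Return the user bound to `token`, terminating the session if it has gone idle (3.1.11)."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s["last_activity"] > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            self.audit.append((now, s["user"], "session", "terminated: idle timeout"))
            return None
        s["last_activity"] = now
        return s["user"]

    def run_privileged(self, token, action, now):
        """3.1.7: only privileged users may run `action`; every attempt is audited."""
        name = self.session_user(token, now)
        if name is None:
            self.audit.append((now, None, action, "denied: no valid session"))
            return False
        if not self.users[name]["privileged"]:
            self.audit.append((now, name, action, "denied: not privileged"))
            return False
        self.audit.append((now, name, action, "executed"))
        return True
```

The clock is passed in rather than read from the system so the lockout and idle-timeout paths can be exercised deterministically; in production the same methods would be called with `time.time()`. Note that the audit list records denied attempts as well as executions, which is what AC-6(9) asks for and what an investigator will actually need.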
In Tables D-2 through D-14, each entry lists the CUI security requirement, followed by the relevant NIST SP 800-53 security controls and, indented under each control, the relevant ISO/IEC 27001 controls.

Table D-2: Mapping Awareness and Training Requirements to Security Controls

3.2 AWARENESS AND TRAINING

Basic Security Requirements

3.2.1 Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.
3.2.2 Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
    AT-2 Security Awareness Training
        A.7.2.2 Information security awareness, education and training
        A.12.2.1 Controls against malware
    AT-3 Role-Based Security Training
        A.7.2.2 Information security awareness, education and training

Derived Security Requirements

3.2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat.
    AT-2(2) Security Awareness Training | Insider Threat
        No direct mapping

Table D-3: Mapping Audit and Accountability Requirements to Security Controls

3.3 AUDIT AND ACCOUNTABILITY

Basic Security Requirements

3.3.1 Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
3.3.2 Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
    AU-2 Audit Events
        No direct mapping
    AU-3 Content of Audit Records
        A.12.4.1 Event logging
    AU-3(1) Content of Audit Records | Additional Audit Information
        No direct mapping
    AU-6 Audit Review, Analysis, and Reporting
        A.12.4.1 Event logging
        A.16.1.2 Reporting information security events
        A.16.1.4 Assessment of and decision on information security events
    AU-12 Audit Generation
        A.12.4.1 Event logging
        A.12.4.3 Administrator and operator logs

Derived Security Requirements

3.3.3 Review and update audited events.
    AU-2(3) Audit Events | Reviews and Updates
        No direct mapping

3.3.4 Alert in the event of an audit process failure.
    AU-5 Response to Audit Processing Failures
        No direct mapping

3.3.5 Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
    AU-6(3) Audit Review, Analysis, and Reporting | Correlate Audit Repositories
        No direct mapping

3.3.6 Provide audit reduction and report generation to support on-demand analysis and reporting.
    AU-7 Audit Reduction and Report Generation
        No direct mapping

3.3.7 Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
    AU-8 Time Stamps
        A.12.4.4 Clock synchronization
    AU-8(1) Time Stamps | Synchronization with Authoritative Time Source
        No direct mapping

3.3.8 Protect audit information and audit tools from unauthorized access, modification, and deletion.
    AU-9 Protection of Audit Information
        A.12.4.2 Protection of log information
        A.12.4.3 Administrator and operator logs
        A.18.1.3 Protection of records

3.3.9 Limit management of audit functionality to a subset of privileged users.
    AU-9(4) Protection of Audit Information | Access by Subset of Privileged Users
        No direct mapping

Table D-4: Mapping Configuration Management Requirements to Security Controls [26]

3.4 CONFIGURATION MANAGEMENT

Basic Security Requirements

3.4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
3.4.2 Establish and enforce security configuration settings for information technology products employed in organizational information systems.
    CM-2 Baseline Configuration
        No direct mapping
    CM-6 Configuration Settings
        No direct mapping
    CM-8 Information System Component Inventory
        A.8.1.1 Inventory of assets
        A.8.1.2 Ownership of assets
    CM-8(1) Information System Component Inventory | Updates During Installations/Removals
        No direct mapping

Derived Security Requirements

3.4.3 Track, review, approve/disapprove, and audit changes to information systems.
    CM-3 Configuration Change Control
        A.12.1.2 Change management
        A.14.2.2 System change control procedures
        A.14.2.3 Technical review of applications after operating platform changes
        A.14.2.4 Restrictions on changes to software packages

3.4.4 Analyze the security impact of changes prior to implementation.
    CM-4 Security Impact Analysis
        A.14.2.3 Technical review of applications after operating platform changes

3.4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.
    CM-5 Access Restrictions for Change
        A.9.2.3 Management of privileged access rights
        A.9.4.5 Access control to program source code
        A.12.1.2 Change management
        A.12.1.4 Separation of development, testing, and operational environments
        A.12.5.1 Installation of software on operational systems

3.4.6 Employ the principle of least functionality by configuring the information system to provide only essential capabilities.
    CM-7 Least Functionality
        A.12.5.1 Installation of software on operational systems

3.4.7 Restrict, disable, and prevent the use of nonessential functions, ports, protocols, and services.
    CM-7(1) Least Functionality | Periodic Review
        No direct mapping
    CM-7(2) Least Functionality | Prevent Program Execution
        No direct mapping

3.4.8 Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
    CM-7(4) Least Functionality | Unauthorized Software/Blacklisting
        No direct mapping
    CM-7(5) Least Functionality | Authorized Software/Whitelisting
        No direct mapping

3.4.9 Control and monitor user-installed software.
    CM-11 User-Installed Software
        A.12.5.1 Installation of software on operational systems
        A.12.6.2 Restrictions on software installation

[26] CM-7(5), a least functionality whitelisting policy, is listed as an alternative to CM-7(4), the least functionality blacklisting policy, for organizations desiring greater protection for information systems containing CUI. CM-7(5) is only required in federal information systems at the high security control baseline in accordance with NIST Special Publication 800-53.

Table D-5: Mapping Identification and Authentication Requirements to Security Controls [27]

3.5 IDENTIFICATION AND AUTHENTICATION

Basic Security Requirements

3.5.1 Identify information system users, processes acting on behalf of users, or devices.
3.5.2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
    IA-2 Identification and Authentication (Organizational Users)
        A.9.2.1 User registration and de-registration
    IA-5 Authenticator Management
        A.9.2.1 User registration and de-registration
        A.9.2.4 Management of secret authentication information of users
        A.9.3.1 Use of secret authentication information
        A.9.4.3 Password management system

Derived Security Requirements

3.5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
    IA-2(1) Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts
        No direct mapping
    IA-2(2) Identification and Authentication (Organizational Users) | Network Access to Non-Privileged Accounts
        No direct mapping
    IA-2(3) Identification and Authentication (Organizational Users) | Local Access to Privileged Accounts
        No direct mapping

3.5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
    IA-2(8) Identification and Authentication (Organizational Users) | Network Access to Privileged Accounts - Replay Resistant
        No direct mapping
    IA-2(9) Identification and Authentication (Organizational Users) | Network Access to Non-Privileged Accounts - Replay Resistant
        No direct mapping

3.5.5 Prevent reuse of identifiers for a defined period.
    IA-4 Identifier Management
        A.9.2.1 User registration and de-registration

3.5.6 Disable identifiers after a defined period of inactivity.
    IA-4 Identifier Management
        A.9.2.1 User registration and de-registration

3.5.7 Enforce a minimum password complexity and change of characters when new passwords are created.
3.5.8 Prohibit password reuse for a specified number of generations.
3.5.9 Allow temporary password use for system logons with an immediate change to a permanent password.
3.5.10 Store and transmit only cryptographically-protected passwords.
    IA-5(1) Authenticator Management | Password-Based Authentication
        No direct mapping

3.5.11 Obscure feedback of authentication information.
    IA-6 Authenticator Feedback
        A.9.4.2 Secure logon procedures

[27] IA-2(9) is not currently in the NIST Special Publication 800-53 moderate security control baseline, although it will be added to the baseline in the next update. Employing multifactor authentication without a replay-resistant capability for non-privileged accounts creates a significant vulnerability for information systems transmitting CUI.

Table D-6: Mapping Incident Response Requirements to Security Controls

3.6 INCIDENT RESPONSE

Basic Security Requirements

3.6.1 Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
3.6.2 Track, document, and report incidents to appropriate organizational officials and/or authorities.
    IR-2 Incident Response Training
        A.7.2.2 Information security awareness, education and training
    IR-4 Incident Handling
        A.16.1.4 Assessment of and decision on information security events
        A.16.1.5 Response to information security incidents
        A.16.1.6 Learning from information security incidents
    IR-5 Incident Monitoring
        No direct mapping
    IR-6 Incident Reporting
        A.6.1.3 Contact with authorities
        A.16.1.2 Reporting information security events
    IR-7 Incident Response Assistance
        No direct mapping

Derived Security Requirements

3.6.3 Test the organizational incident response capability.
    IR-3 Incident Response Testing
        No direct mapping
    IR-3(2) Incident Response Testing | Coordination with Related Plans
        No direct mapping

Table D-7: Mapping Maintenance Requirements to Security Controls

3.7 MAINTENANCE

Basic Security Requirements

3.7.1 Perform maintenance on organizational information systems.
3.7.2 Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance.
    MA-2 Controlled Maintenance
        A.11.2.4 Equipment maintenance
        A.11.2.5 Removal of assets
    MA-3 Maintenance Tools
        No direct mapping
    MA-3(1) Maintenance Tools | Inspect Tools
        No direct mapping
    MA-3(2) Maintenance Tools | Inspect Media
        No direct mapping

Derived Security Requirements

3.7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI.
    MA-2 Controlled Maintenance
        A.11.2.4 Equipment maintenance
        A.11.2.5 Removal of assets

3.7.4 Check media containing diagnostic and test programs for malicious code before the media are used in the information system.
    MA-3(2) Maintenance Tools | Inspect Media
        No direct mapping

3.7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
    MA-4 Nonlocal Maintenance
        No direct mapping

3.7.6 Supervise the maintenance activities of maintenance personnel without required access authorization.
    MA-5 Maintenance Personnel
        No direct mapping

Table D-8: Mapping Media Protection Requirements to Security Controls [28]

3.8 MEDIA PROTECTION

Basic Security Requirements

3.8.1 Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.
3.8.2 Limit access to CUI on information system media to authorized users.
3.8.3 Sanitize or destroy information system media containing CUI before disposal or release for reuse.
    MP-2 Media Access
        A.8.2.3 Handling of assets
        A.8.3.1 Management of removable media
        A.11.2.9 Clear desk and clear screen policy
    MP-4 Media Storage
        A.8.2.3 Handling of assets
        A.8.3.1 Management of removable media
        A.11.2.9 Clear desk and clear screen policy
    MP-6 Media Sanitization
        A.8.2.3 Handling of assets
        A.8.3.1 Management of removable media
        A.8.3.2 Disposal of media
        A.11.2.7 Secure disposal or reuse of equipment

Derived Security Requirements

3.8.4 Mark media with necessary CUI markings and distribution limitations.
    MP-3 Media Marking
        A.8.2.2 Labelling of information

3.8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
    MP-5 Media Transport
        A.8.2.3 Handling of assets
        A.8.3.1 Management of removable media
        A.8.3.3 Physical media transfer
        A.11.2.5 Removal of assets
        A.11.2.6 Security of equipment and assets off-premises

3.8.6 Implement cryptographic mechanisms to protect the confidentiality of information stored on digital media during transport outside of controlled areas unless otherwise protected by alternative physical safeguards.
    MP-5(4) Media Transport | Cryptographic Protection
        No direct mapping

3.8.7 Control the use of removable media on information system components.
    MP-7 Media Use
        A.8.2.3 Handling of assets
        A.8.3.1 Management of removable media

3.8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner.
    MP-7(1) Media Use | Prohibit Use Without Owner
        No direct mapping

3.8.9 Protect the confidentiality of backup CUI at storage locations.
    CP-9 Information System Backup
        A.12.3.1 Information backup
        A.17.1.2 Implementing information security continuity
        A.18.1.3 Protection of records

[28] CP-9, Information System Backup, is included with the Media Protection family since the Contingency Planning family was not included in the CUI security requirements.

Table D-9: Mapping Personnel Security Requirements to Security Controls

3.9 PERSONNEL SECURITY

Basic Security Requirements

3.9.1 Screen individuals prior to authorizing access to information systems containing CUI.
    PS-3 Personnel Screening
        A.7.1.1 Screening

3.9.2 Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.
    PS-4 Personnel Termination
        A.7.3.1 Termination or change of employment responsibilities
        A.8.1.4 Return of assets
    PS-5 Personnel Transfer
        A.7.3.1 Termination or change of employment responsibilities
        A.8.1.4 Return of assets

Derived Security Requirements

None.

Table D-10: Mapping Physical Protection Requirements to Security Controls

3.10 PHYSICAL PROTECTION

Basic Security Requirements

3.10.1 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
    PE-2 Physical Access Authorizations
        A.11.1.2 Physical entry controls
    PE-5 Access Control for Output Devices
        A.11.1.2 Physical entry controls
        A.11.1.3 Securing offices, rooms and facilities

3.10.2 Protect and monitor the physical facility and support infrastructure for those information systems.
    PE-6 Monitoring Physical Access
        No direct mapping

Derived Security Requirements

3.10.3 Escort visitors and monitor visitor activity.
3.10.4 Maintain audit logs of physical access.
3.10.5 Control and manage physical access devices.
    PE-3 Physical Access Control
        A.11.1.1 Physical security perimeter
        A.11.1.2 Physical entry controls
        A.11.1.3 Securing offices, rooms and facilities

3.10.6 Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites).
    PE-17 Alternate Work Site
        A.6.2.2 Teleworking
        A.11.2.6 Security of equipment and assets off-premises
        A.13.2.1 Information transfer policies and procedures

Table D-11: Mapping Risk Assessment Requirements to Security Controls

3.11 RISK ASSESSMENT

Basic Security Requirements

3.11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.
    RA-3 Risk Assessment
        A.12.6.1 Management of technical vulnerabilities

Derived Security Requirements

3.11.2 Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified.
    RA-5 Vulnerability Scanning
        A.12.6.1 Management of technical vulnerabilities
    RA-5(5) Vulnerability Scanning | Privileged Access
        No direct mapping

3.11.3 Remediate vulnerabilities in accordance with assessments of risk.
    RA-5 Vulnerability Scanning
        A.12.6.1 Management of technical vulnerabilities

Table D-12: Mapping Security Assessment Requirements to Security Controls

3.12 SECURITY ASSESSMENT

Basic Security Requirements

3.12.1 Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application.
    CA-2 Security Assessments
        A.14.2.8 System security testing
        A.18.2.2 Compliance with security policies and standards
        A.18.2.3 Technical compliance review

3.12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.
    CA-5 Plan of Action and Milestones
        No direct mapping

3.12.3 Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
    CA-7 Continuous Monitoring
        No direct mapping

3.12.4 Develop, document, periodically update, and implement system security plans for organizational information systems that describe the security requirements in place or planned for the systems.
    PL-2 System Security Plan
        A.6.1.2 Information security coordination

Derived Security Requirements

None.

Table D-13: Mapping System and Communications Protection Requirements to Security Controls [29]

3.13 SYSTEM AND COMMUNICATIONS PROTECTION

Basic Security Requirements

3.13.1 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
    SC-7 Boundary Protection
        A.13.1.1 Network controls
        A.13.1.3 Segregation in networks
        A.13.2.1 Information transfer policies and procedures
        A.14.1.3 Protecting application services transactions

3.13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.
    SA-8 Security Engineering Principles
        A.14.2.5 Secure system engineering principles

Derived Security Requirements

3.13.3 Separate user functionality from information system management functionality (e.g., privileged user functions).
    SC-2 Application Partitioning
        No direct mapping

3.13.4 Prevent unauthorized and unintended information transfer via shared system resources.
    SC-4 Information in Shared Resources
        No direct mapping

3.13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
    SC-7 Boundary Protection
        A.13.1.1 Network controls
        A.13.1.3 Segregation in networks
        A.13.2.1 Information transfer policies and procedures
        A.14.1.3 Protecting application services transactions

3.13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
    SC-7(5) Boundary Protection | Deny by Default/Allow by Exception
        No direct mapping

3.13.7 Prevent remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks (i.e., split tunneling).
    SC-7(7) Boundary Protection | Prevent Split Tunneling for Remote Devices
        No direct mapping

3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
    SC-8 Transmission Confidentiality and Integrity
        A.8.2.3 Handling of assets
        A.13.1.1 Network controls
        A.13.2.1 Information transfer policies and procedures
        A.13.2.3 Electronic messaging
        A.14.1.2 Securing application services on public networks
        A.14.1.3 Protecting application services transactions
    SC-8(1) Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection
        No direct mapping

3.13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
    SC-10 Network Disconnect
        A.13.1.1 Network controls

3.13.10 Establish and manage cryptographic keys for cryptography employed in the information system.
    SC-12 Cryptographic Key Establishment and Management
        A.10.1.2 Key management

3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
    SC-13 Cryptographic Protection
        A.10.1.1 Policy on the use of cryptographic controls
        A.14.1.2 Securing application services on public networks
        A.14.1.3 Protecting application services transactions
        A.18.1.5 Regulation of cryptographic controls

3.13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
    SC-15 Collaborative Computing Devices
        A.13.2.1 Information transfer policies and procedures

3.13.13 Control and monitor the use of mobile code.
    SC-18 Mobile Code
        No direct mapping

3.13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
    SC-19 Voice over Internet Protocol
        No direct mapping

3.13.15 Protect the authenticity of communications sessions.
    SC-23 Session Authenticity
        No direct mapping

3.13.16 Protect the confidentiality of CUI at rest.
    SC-28 Protection of Information at Rest
        A.8.2.3 Handling of assets

[29] SA-8, Security Engineering Principles, is included with the System and Communications Protection family since the System and Services Acquisition family was not included in the CUI security requirements.

Table D-14: Mapping System and Information Integrity Requirements to Security Controls

3.14 SYSTEM AND INFORMATION INTEGRITY

Basic Security Requirements

3.14.1 Identify, report, and correct information and information system flaws in a timely manner.
3.14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
3.14.3 Monitor information system security alerts and advisories and take appropriate actions in response.
    SI-2 Flaw Remediation
        A.12.6.1 Management of technical vulnerabilities
        A.14.2.2 System change control procedures
        A.14.2.3 Technical review of applications after operating platform changes
        A.16.1.3 Reporting information security weaknesses
    SI-3 Malicious Code Protection
        A.12.2.1 Controls against malware
    SI-5 Security Alerts, Advisories, and Directives
        A.6.1.4 Contact with special interest groups

Derived Security Requirements

3.14.4 Update malicious code protection mechanisms when new releases are available.
3.14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
    SI-3 Malicious Code Protection
        A.12.2.1 Controls against malware

3.14.6 Monitor the information system, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
    SI-4 Information System Monitoring
        No direct mapping
    SI-4(4) Information System Monitoring | Inbound and Outbound Communications Traffic
        No direct mapping

3.14.7 Identify unauthorized use of the information system.
    SI-4 Information System Monitoring
        No direct mapping

APPENDIX E

TAILORING CRITERIA
LISTING OF MODERATE SECURITY CONTROL BASELINE AND TAILORING ACTIONS

This appendix provides a complete listing of the security controls in the NIST Special Publication 800-53 moderate baseline, one of the sources (along with FIPS Publication 200) for the final CUI security requirements described in Chapter Three. Tables E-1 through E-17 contain the tailoring actions, by family, that have been carried out on the security controls in the moderate baseline in accordance with the tailoring criteria established by NIST and NARA.[30] The tailoring actions facilitated the development of the CUI derived security requirements, which supplement the basic security requirements obtained from the security requirements in FIPS Publication 200.[31] There are three primary criteria for eliminating a security control or control enhancement from the moderate baseline:

• The control or control enhancement is uniquely federal (i.e., primarily the responsibility of the federal government);
• The control or control enhancement is not directly related to protecting the confidentiality of CUI;[32] or
• The control or control enhancement is expected to be routinely satisfied by nonfederal organizations without specification.[33]

The following symbols are used in Tables E-1 through E-17 to specify the particular tailoring actions taken, or when no tailoring actions were required:

TAILORING SYMBOL: TAILORING CRITERIA
NCO: Not directly related to protecting the confidentiality of CUI
FED: Uniquely federal (primarily the responsibility of the federal government)
NFO: Expected to be routinely satisfied by nonfederal organizations without specification
CUI: The CUI basic or derived security requirement is reflected in, and is traceable to, the security control, control enhancement, or specific elements of the control/enhancement

[30] Organizations can use the information in Appendix E to build a CUI confidentiality overlay as defined in NIST Special Publication 800-53, Appendix I.
[31] The same tailoring criteria were applied to the security requirements in FIPS Publication 200, resulting in the CUI basic security requirements described in Chapter Three and Appendix D.
[32] While the primary purpose of this publication is to define requirements to protect the confidentiality of CUI, there is a close relationship between the security objectives of confidentiality and integrity. Therefore, most of the security controls in the NIST Special Publication 800-53 moderate baseline that support protection against unauthorized disclosure also support protection against unauthorized modification.
[33] The security controls tailored out of the moderate baseline in Special Publication 800-53 with regard to the protection of CUI (i.e., controls specifically marked as either NCO or NFO in Tables E-1 through E-17) are often included as part of an organization's comprehensive security program.

Table E-1: Tailoring Actions for Access Controls
(columns: NIST SP 800-53 moderate baseline security control; tailoring action)

AC-1 Access Control Policy and Procedures: NFO
AC-2 Account Management: CUI
AC-2(1) Account Management | Automated System Account
MANAGEMENT NCO AC-2 2 ACCOUNT MANAGEMENT REMOVAL OF TEMPORARY EMERGENCY ACCOUNTS NCO AC-2 3 ACCOUNT MANAGEMENT DISABLE INACTIVE ACCOUNTS NCO AC-2 4 ACCOUNT MANAGEMENT AUTOMATED AUDIT ACTIONS NCO AC-3 Access Enforcement CUI AC-4 Information Flow Enforcement CUI AC-5 Separation of Duties CUI AC-6 Least Privilege CUI AC-6 1 LEAST PRIVILEGE AUTHORIZE ACCESS TO SECURITY FUNCTIONS CUI AC-6 2 LEAST PRIVILEGE NON-PRIVILEGED ACCESS FOR NONSECURITY FUNCTIONS CUI AC-6 5 LEAST PRIVILEGE PRIVILEGED ACCOUNTS CUI AC-6 9 LEAST PRIVILEGE AUDITING USE OF PRIVILEGED FUNCTIONS CUI AC-6 10 LEAST PRIVILEGE PROHIBIT NON-PRIVILEGED USERS FROM EXECUTING PRIVILEGED FUNCTIONS CUI AC-7 Unsuccessful Logon Attempts CUI AC-8 System Use Notification CUI AC-11 Session Lock CUI AC-11 1 SESSION LOCK PATTERN-HIDING DISPLAYS CUI AC-12 Session Termination CUI AC-14 Permitted Actions without Identification or Authentication FED AC-17 Remote Access CUI AC-17 1 REMOTE ACCESS AUTOMATED MONITORING CONTROL CUI AC-17 2 REMOTE ACCESS PROTECTION OF CONFIDENTIALITY INTEGRITY USING ENCRYPTION CUI AC-17 3 REMOTE ACCESS MANAGED ACCESS CONTROL POINTS CUI AC-17 4 REMOTE ACCESS PRIVILEGED COMMANDS ACCESS CUI AC-18 Wireless Access CUI AC-18 1 WIRELESS ACCESS AUTHENTICATION AND ENCRYPTION CUI AC-19 Access Control for Mobile Devices CUI AC-19 5 ACCESS CONTROL FOR MOBILE DEVICES FULL DEVICE CONTAINER-BASED ENCRYPTION CUI AC-20 Use of External Information Systems CUI AC-20 1 USE OF EXTERNAL INFORMATION SYSTEMS LIMITS ON AUTHORIZED USE CUI AC-20 2 USE OF EXTERNAL INFORMATION SYSTEMS PORTABLE STORAGE DEVICES CUI AC-21 Information Sharing FED AC-22 Publicly Accessible Content CUI APPENDIX E PAGE 52 Draft Special Publication 800-171 Revision 1 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations ________________________________________________________________________________________________ Table E-2 Tailoring Actions for Awareness and Training Controls NIST SP 800-53 MODERATE 
BASELINE SECURITY CONTROLS TAILORING ACTION AT-1 Security Awareness and Training Policy and Procedures NFO AT-2 Security Awareness Training CUI AT-2 2 SECURITY AWARENESS INSIDER THREAT CUI AT-3 Role-Based Security Training CUI Security Training Records NFO AT-4 APPENDIX E PAGE 53 Draft Special Publication 800-171 Revision 1 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations ________________________________________________________________________________________________ Table E-3 Tailoring Actions for Audit and Accountability Controls NIST SP 800-53 MODERATE BASELINE SECURITY CONTROLS TAILORING ACTION AU-1 Audit and Accountability Policy and Procedures NFO AU-2 Audit Events CUI AU-2 3 AUDIT EVENTS REVIEWS AND UPDATES CUI AU-3 Content of Audit Records CUI AU-3 1 CONTENT OF AUDIT RECORDS ADDITIONAL AUDIT INFORMATION CUI AU-4 Audit Storage Capacity NCO AU-5 Response to Audit Processing Failures CUI AU-6 Audit Review Analysis and Reporting CUI AU-6 1 AUDIT REVIEW ANALYSIS AND REPORTING PROCESS INTEGRATION NCO AU-6 3 AUDIT REVIEW ANALYSIS AND REPORTING CORRELATE AUDIT REPOSITORIES CUI AU-7 Audit Reduction and Report Generation CUI AU-7 1 AUDIT REDUCTION AND REPORT GENERATION AUTOMATIC PROCESSING NCO AU-8 Time Stamps CUI AU-8 1 TIME STAMPS SYNCHRONIZATION WITH AUTHORITATIVE TIME SOURCE CUI AU-9 Protection of Audit Information CUI AU-9 4 PROTECTION OF AUDIT INFORMATION ACCESS BY SUBSET OF PRIVILEGED USERS CUI AU-11 Audit Record Retention NCO AU-12 Audit Generation CUI APPENDIX E PAGE 54 Draft Special Publication 800-171 Revision 1 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations ________________________________________________________________________________________________ Table E-4 Tailoring Actions for Security Assessment and Authorization Controls NIST SP 800-53 MODERATE BASELINE SECURITY CONTROLS TAILORING ACTION CA-1 Security Assessment and Authorization Policies and 
Procedures NFO CA-2 Security Assessments CUI CA-2 1 SECURITY ASSESSMENTS INDEPENDENT ASSESSORS NFO CA-3 System Interconnections NFO CA-3 5 SYSTEM INTERCONNECTIONS RESTRICTIONS ON EXTERNAL SYSTEM CONNECTIONS NFO CA-5 Plan of Action and Milestones CUI CA-6 Security Authorization FED CA-7 Continuous Monitoring CUI CA-7 1 CONTINUOUS MONITORING INDEPENDENT ASSESSMENT NFO CA-9 Internal System Connections NFO APPENDIX E PAGE 55 Draft Special Publication 800-171 Revision 1 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations ________________________________________________________________________________________________ Table E-5 Tailoring Actions for Configuration Management Controls 34 NIST SP 800-53 MODERATE BASELINE SECURITY CONTROLS TAILORING ACTION CM-1 Configuration Management Policy and Procedures NFO CM-2 Baseline Configuration CUI CM-2 1 BASELINE CONFIGURATION REVIEWS AND UPDATES NFO CM-2 3 BASELINE CONFIGURATION RETENTION OF PREVIOUS CONFIGURATIONS NCO CM-2 7 BASELINE CONFIGURATION CONFIGURE SYSTEMS COMPONENTS OR DEVICES FOR HIGH-RISK AREAS NFO CM-3 Configuration Change Control CUI CM-3 2 CONFIGURATION CHANGE CONTROL TEST VALIDATE DOCUMENT CHANGES NFO CM-4 Security Impact Analysis CUI CM-5 Access Restrictions for Change CUI CM-6 Configuration Settings CUI CM-7 Least Functionality CUI CM-7 1 LEAST FUNCTIONALITY PERIODIC REVIEW CUI CM-7 2 LEAST FUNCTIONALITY PREVENT PROGRAM EXECUTION CUI CM-7 4 5 LEAST FUNCTIONALITY UNAUTHORIZED OR AUTHORIZED SOFTWARE BLACKLISTING OR WHITELISTING CUI CM-8 Information System Component Inventory CUI CM-8 1 INFORMATION SYSTEM COMPONENT INVENTORY UPDATES DURING INSTALLATIONS REMOVALS CUI CM-8 3 INFORMATION SYSTEM COMPONENT INVENTORY AUTOMATED UNAUTHORIZED COMPONENT DETECTION NCO CM-8 5 INFORMATION SYSTEM COMPONENT INVENTORY NO DUPLICATE ACCOUNTING OF COMPONENTS NFO CM-9 Configuration Management Plan NFO CM-10 Software Usage Restrictions NCO CM-11 User-Installed Software CUI 34 CM-7 5 Least 
Functionality whitelisting is not in the moderate security control baseline in accordance with NIST Special Publication 800-53 However it is offered as an optional and stronger policy alternative to blacklisting APPENDIX E PAGE 56 Draft Special Publication 800-171 Revision 1 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations ________________________________________________________________________________________________ Table E-6 Tailoring Actions for Contingency Planning Controls 35 NIST SP 800-53 MODERATE BASELINE SECURITY CONTROLS TAILORING ACTION CP-1 Contingency Planning Policy and Procedures NCO CP-2 Contingency Plan NCO CP-2 1 CONTINGENCY PLAN COORDINATE WITH RELATED PLANS NCO CP-2 3 CONTINGENCY PLAN RESUME ESSENTIAL MISSIONS BUSINESS FUNCTIONS NCO CP-2 8 CONTINGENCY PLAN IDENTIFY CRITICAL ASSETS NCO CP-3 Contingency Training NCO CP-4 Contingency Plan Testing NCO CP-4 1 CONTINGENCY PLAN TESTING COORDINATE WITH RELATED PLANS NCO CP-6 Alternate Storage Site NCO CP-6 1 ALTERNATE STORAGE SITE SEPARATION FROM PRIMARY SITE NCO CP-6 3 ALTERNATE STORAGE SITE ACCESSIBILITY NCO CP-7 Alternate Processing Site NCO CP-7 1 ALTERNATE PROCESSING SITE SEPARATION FROM PRIMARY SITE NCO CP-7 2 ALTERNATE PROCESSING SITE ACCESSIBILITY NCO CP-7 3 ALTERNATE PROCESSING SITE PRIORITY OF SERVICE NCO CP-8 Telecommunications Services NCO CP-8 1 TELECOMMUNICATIONS SERVICES PRIORITY OF SERVICE PROVISIONS NCO CP-8 2 TELECOMMUNICATIONS SERVICES SINGLE POINTS OF FAILURE NCO CP-9 Information System Backup CUI CP-9 1 INFORMATION SYSTEM BACKUP TESTING FOR RELIABILITY INTEGRITY NCO CP-10 Information System Recovery and Reconstitution NCO CP-10 2 INFORMATION SYSTEM RECOVERY AND RECONSTITUTION TRANSACTION RECOVERY NCO 35 CP-9 is grouped with the security controls in the Media Protection family in Appendix D since the Contingency Planning family was not included in the CUI security requirements APPENDIX E PAGE 57 Draft Special Publication 800-171 
Table E-7 Tailoring Actions for Identification and Authentication Controls
NIST SP 800-53 MODERATE BASELINE SECURITY CONTROLS | TAILORING ACTION
IA-1 Identification and Authentication Policy and Procedures | NFO
IA-2 Identification and Authentication (Organizational Users) | CUI
IA-2(1) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS), NETWORK ACCESS TO PRIVILEGED ACCOUNTS | CUI
IA-2(2) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS), NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS | CUI
IA-2(3) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS), LOCAL ACCESS TO PRIVILEGED ACCOUNTS | CUI
IA-2(8) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS), NETWORK ACCESS TO PRIVILEGED ACCOUNTS - REPLAY RESISTANT | CUI
IA-2(9) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS), NETWORK ACCESS TO NON-PRIVILEGED ACCOUNTS - REPLAY RESISTANT | CUI
IA-2(11) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS), REMOTE ACCESS - SEPARATE DEVICE | FED
IA-2(12) IDENTIFICATION AND AUTHENTICATION (ORGANIZATIONAL USERS), ACCEPTANCE OF PIV CREDENTIALS | FED
IA-3 Device Identification and Authentication | NCO
IA-4 Identifier Management | CUI
IA-5 Authenticator Management | CUI
IA-5(1) AUTHENTICATOR MANAGEMENT, PASSWORD-BASED AUTHENTICATION | CUI
IA-5(2) AUTHENTICATOR MANAGEMENT, PKI-BASED AUTHENTICATION | FED
IA-5(3) AUTHENTICATOR MANAGEMENT, IN-PERSON OR TRUSTED THIRD-PARTY REGISTRATION | FED
IA-5(11) AUTHENTICATOR MANAGEMENT, HARDWARE TOKEN-BASED AUTHENTICATION | FED
IA-6 Authenticator Feedback | CUI
IA-7 Cryptographic Module Authentication | FED
IA-8 Identification and Authentication (Non-Organizational Users) | FED
IA-8(1) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS), ACCEPTANCE OF PIV CREDENTIALS FROM OTHER AGENCIES | FED
IA-8(2) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS), ACCEPTANCE OF THIRD-PARTY CREDENTIALS | FED
IA-8(3) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS), USE OF FICAM-APPROVED PRODUCTS | FED
IA-8(4) IDENTIFICATION AND AUTHENTICATION (NON-ORGANIZATIONAL USERS), USE OF FICAM-ISSUED PROFILES | FED

Table E-8 Tailoring Actions for Incident Response Controls
NIST SP 800-53 MODERATE BASELINE SECURITY CONTROLS | TAILORING ACTION
IR-1 Incident Response Policy and Procedures | NFO
IR-2 Incident Response Training | CUI
IR-3 Incident Response Testing | CUI
IR-3(2) INCIDENT RESPONSE TESTING, COORDINATION WITH RELATED PLANS | CUI
IR-4 Incident Handling | CUI
IR-4(1) INCIDENT HANDLING, AUTOMATED INCIDENT HANDLING PROCESSES | NCO
IR-5 Incident Monitoring | CUI
IR-6 Incident Reporting | CUI
IR-6(1) INCIDENT REPORTING, AUTOMATED REPORTING | NCO
IR-7 Incident Response Assistance | CUI
IR-7(1) INCIDENT RESPONSE ASSISTANCE, AUTOMATION SUPPORT FOR AVAILABILITY OF INFORMATION/SUPPORT | NCO
IR-8 Incident Response Plan | NFO

Table E-9 Tailoring Actions for Maintenance Controls
NIST SP 800-53 MODERATE BASELINE SECURITY CONTROLS | TAILORING ACTION
MA-1 System Maintenance Policy and Procedures | NFO
MA-2 Controlled Maintenance | CUI
MA-3 Maintenance Tools | CUI
MA-3(1) MAINTENANCE TOOLS, INSPECT TOOLS | CUI
MA-3(2) MAINTENANCE TOOLS, INSPECT MEDIA | CUI
MA-4 Nonlocal Maintenance | CUI
MA-4(2) NONLOCAL MAINTENANCE, DOCUMENT NONLOCAL MAINTENANCE | NFO
MA-5 Maintenance Personnel | CUI
MA-6 Timely Maintenance | NCO

Table E-10 Tailoring Actions for Media Protection Controls
NIST SP 800-53 MODERATE BASELINE SECURITY CONTROLS | TAILORING ACTION
MP-1 Media Protection Policy and Procedures | NFO
MP-2 Media Access | CUI
MP-3 Media Marking | CUI
MP-4 Media Storage | CUI
MP-5 Media Transport | CUI
MP-5(4) MEDIA TRANSPORT, CRYPTOGRAPHIC PROTECTION | CUI
MP-6 Media Sanitization | CUI
MP-7 Media Use | CUI
MP-7(1) MEDIA USE, PROHIBIT USE WITHOUT OWNER | CUI

Table E-11 Tailoring Actions for Physical and Environmental Protection Controls
NIST SP 800-53 MODERATE BASELINE SECURITY CONTROLS | TAILORING ACTION
PE-1 Physical and Environmental Protection Policy and Procedures | NFO
PE-2 Physical Access Authorizations | CUI
PE-3 Physical Access Control | CUI
PE-4 Access Control for Transmission Medium | NFO
PE-5 Access Control for Output Devices | CUI
PE-6 Monitoring Physical Access | CUI
PE-6(1) MONITORING PHYSICAL ACCESS, INTRUSION ALARMS/SURVEILLANCE EQUIPMENT | NFO
PE-8 Visitor Access Records | NFO
PE-9 Power Equipment and Cabling | NCO
PE-10 Emergency Shutoff | NCO
PE-11 Emergency Power | NCO
PE-12 Emergency Lighting | NCO
PE-13 Fire Protection | NCO
PE-13(3) FIRE PROTECTION, AUTOMATIC FIRE SUPPRESSION | NCO
PE-14 Temperature and Humidity Controls | NCO
PE-15 Water Damage Protection | NCO
PE-16 Delivery and Removal | NFO
PE-17 Alternate Work Site | CUI

Table E-12 Tailoring Actions for Planning Controls
NIST SP 800-53 MODERATE BASELINE SECURITY CONTROLS | TAILORING ACTION
PL-1 Security Planning Policy and Procedures | NFO
PL-2 System Security Plan | CUI
PL-2(3) SYSTEM SECURITY PLAN, PLAN/COORDINATE WITH OTHER ORGANIZATIONAL ENTITIES | NFO
PL-4 Rules of Behavior | NFO
PL-4(1) RULES OF BEHAVIOR, SOCIAL MEDIA AND NETWORKING RESTRICTIONS | NFO
PL-8 Information Security Architecture | NFO

Table E-13 Tailoring Actions for Personnel Security Controls
NIST SP 800-53 MODERATE BASELINE SECURITY CONTROLS | TAILORING ACTION
PS-1 Personnel Security Policy and Procedures | NFO
PS-2 Position Risk Designation | FED
PS-3 Personnel Screening | CUI
PS-4 Personnel Termination | CUI
PS-5 Personnel Transfer | CUI
PS-6 Access Agreements | NFO
PS-7 Third-Party Personnel Security | NFO
PS-8 Personnel Sanctions | NFO

Table E-14 Tailoring Actions for Risk Assessment Controls
NIST SP 800-53 MODERATE BASELINE SECURITY CONTROLS | TAILORING ACTION
RA-1 Risk Assessment Policy and Procedures | NFO
RA-2 Security Categorization | FED
RA-3 Risk Assessment | CUI
RA-5 Vulnerability Scanning | CUI
RA-5(1) VULNERABILITY SCANNING, UPDATE TOOL CAPABILITY | NFO
RA-5(2) VULNERABILITY SCANNING, UPDATE BY FREQUENCY/PRIOR TO NEW SCAN/WHEN IDENTIFIED | NFO
RA-5(5) VULNERABILITY SCANNING, PRIVILEGED ACCESS | CUI

Table E-15 Tailoring Actions for System and Services Acquisition Controls[36]
NIST SP 800-53 MODERATE BASELINE SECURITY CONTROLS | TAILORING ACTION
SA-1 System and Services Acquisition Policy and Procedures | NFO
SA-2 Allocation of Resources | NFO
SA-3 System Development Life Cycle | NFO
SA-4 Acquisition Process | NFO
SA-4(1) ACQUISITION PROCESS, FUNCTIONAL PROPERTIES OF SECURITY CONTROLS | NFO
SA-4(2) ACQUISITION PROCESS, DESIGN/IMPLEMENTATION INFORMATION FOR SECURITY CONTROLS | NFO
SA-4(9) ACQUISITION PROCESS, FUNCTIONS/PORTS/PROTOCOLS/SERVICES IN USE | NFO
SA-4(10) ACQUISITION PROCESS, USE OF APPROVED PIV PRODUCTS | NFO
SA-5 Information System Documentation | NFO
SA-8 Security Engineering Principles | CUI
SA-9 External Information System Services | NFO
SA-9(2) EXTERNAL INFORMATION SYSTEMS, IDENTIFICATION OF FUNCTIONS/PORTS/PROTOCOLS/SERVICES | NFO
SA-10 Developer Configuration Management | NFO
SA-11 Developer Security Testing and Evaluation | NFO

[36] SA-8 is grouped with the security controls in the System and Communications Protection family in Appendix D, since the System and Services Acquisition family was not included in the CUI security requirements.

Table E-16 Tailoring Actions for System and Communications Protection Controls
NIST SP 800-53 MODERATE BASELINE SECURITY CONTROLS | TAILORING ACTION
SC-1 System and Communications Protection Policy and Procedures | NFO
SC-2 Application Partitioning | CUI
SC-4 Information in Shared Resources | CUI
SC-5 Denial of Service Protection | NCO
SC-7 Boundary Protection | CUI
SC-7(3) BOUNDARY PROTECTION, ACCESS POINTS | NFO
SC-7(4) BOUNDARY PROTECTION, EXTERNAL TELECOMMUNICATIONS SERVICES | NFO
SC-7(5) BOUNDARY PROTECTION, DENY BY DEFAULT/ALLOW BY EXCEPTION | CUI
SC-7(7) BOUNDARY PROTECTION, PREVENT SPLIT TUNNELING FOR REMOTE DEVICES | CUI
SC-8 Transmission Confidentiality and Integrity | CUI
SC-8(1) TRANSMISSION CONFIDENTIALITY AND INTEGRITY, CRYPTOGRAPHIC OR ALTERNATE PHYSICAL PROTECTION | CUI
SC-10 Network Disconnect | CUI
SC-12 Cryptographic Key Establishment and Management | CUI
SC-13 Cryptographic Protection | CUI
SC-15 Collaborative Computing Devices | CUI
SC-17 Public Key Infrastructure Certificates | FED
SC-18 Mobile Code | CUI
SC-19 Voice over Internet Protocol | CUI
SC-20 Secure Name/Address Resolution Service (Authoritative Source) | NFO
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver) | NFO
SC-22 Architecture and Provisioning for Name/Address Resolution Service | NFO
SC-23 Session Authenticity | CUI
SC-28 Protection of Information at Rest | CUI
SC-39 Process Isolation | NFO

Table E-17 Tailoring Actions for System and Information Integrity Controls
NIST SP 800-53 MODERATE BASELINE SECURITY CONTROLS | TAILORING ACTION
SI-1 System and Information Integrity Policy and Procedures | NFO
SI-2 Flaw Remediation | CUI
SI-2(2) FLAW REMEDIATION, AUTOMATED FLAW REMEDIATION STATUS | NCO
SI-3 Malicious Code Protection | CUI
SI-3(1) MALICIOUS CODE PROTECTION, CENTRAL MANAGEMENT | NCO
SI-3(2) MALICIOUS CODE PROTECTION, AUTOMATIC UPDATES | NCO
SI-4 Information System Monitoring | CUI
SI-4(2) INFORMATION SYSTEM MONITORING, AUTOMATED TOOLS FOR REAL-TIME ANALYSIS | NCO
SI-4(4) INFORMATION SYSTEM MONITORING, INBOUND AND OUTBOUND COMMUNICATIONS TRAFFIC | CUI
SI-4(5) INFORMATION SYSTEM MONITORING, SYSTEM-GENERATED ALERTS | NFO
SI-5 Security Alerts, Advisories, and Directives | CUI
SI-7 Software, Firmware, and Information Integrity | NCO
SI-7(1) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY, INTEGRITY CHECKS | NCO
SI-7(7) SOFTWARE, FIRMWARE, AND INFORMATION INTEGRITY, INTEGRATION OF DETECTION AND RESPONSE | NCO
SI-8 Spam Protection | NCO
SI-8(1) SPAM PROTECTION, CENTRAL MANAGEMENT | NCO
SI-8(2) SPAM PROTECTION, AUTOMATIC UPDATES | NCO
SI-10 Information Input Validation | NCO
SI-11 Error Handling | NCO
SI-12 Information Handling and Retention | FED
SI-16 Memory Protection | NFO