
2022.01.04 FSU CUI Security Training Slides V2

INFORMATION TECHNOLOGY SERVICES
NIST 800-171 COMPLIANCE AT FSU CONTROLLED UNCLASSIFIED INFORMATION
OVERVIEW
Controlled Unclassified Information
How to Identify and Protect CUI
Intro to NIST SP 800-171 & CMMC
How to Help
Training
Resources
CONTROLLED UNCLASSIFIED INFORMATION
Welcome! In order to make the best use of your time, we
have broken the security awareness training curriculum into
two parts:
– Part 1: FSU Basic Cybersecurity training.
– Part 2: This Controlled Unclassified Information-specific PowerPoint presentation.
o Access to Controlled Unclassified Information data will
be restricted to those users who have completed both
parts (this is a requirement of NIST SP 800-171).
WHAT IS CONTROLLED UNCLASSIFIED INFORMATION?
Information that law, regulation, or government-wide policy
requires to have safeguarding or disseminating controls,
excluding information that is classified under Executive Order
13526, Classified National Security Information, December
29, 2009, or any predecessor or successor order, or the
Atomic Energy Act of 1954, as amended.
-- Executive Order 13556
WHAT IS CONTROLLED UNCLASSIFIED INFORMATION?
• Controlled Unclassified Information (CUI) is sensitive
information, but not classified.
• CUI is data that must be specifically protected within
an information system. CUI can be found in
government contracts or provided to a contractor by
the Department of Defense (DoD), as well as passed
to any vendors that these contractors are working
with. FSU is often a subcontractor.
CONTROLLED UNCLASSIFIED INFORMATION
o Historically, federal agencies developed their own
practices for sensitive information, resulting in a
patchwork of processes across federal agencies.
Similar information might be labeled differently, or
different types of information might have the same
markings with different meanings.
o For example, CUI replaces labels such as For
Official Use Only (FOUO), Sensitive But
Unclassified (SBU) and more.
CONTROLLED UNCLASSIFIED INFORMATION
o Any CUI residing in nonfederal information systems and organizations must
be protected using the control requirements of NIST SP 800-171.
o FSU has research projects which have been identified as having CUI data.
o FSU agreed to protect this data and meet the required controls when these
contracts and grants were accepted by the University. FSU Research and
ITS work together to ensure that each project or contract which requires
compliance, meets that compliance.
o By developing a standard compliance methodology for all FSU research
requiring compliance, it is hoped that researchers will be able to dedicate
more time on research and less time on meeting the requirements of the
controls.
o FSU Research also sees compliance as a possible competitive advantage
for FSU researchers when competing with other universities which cannot
meet these compliance requirements.
WHY ARE WE SEEING THESE RULES?
The protection of Controlled Unclassified Information
while residing in nonfederal information systems and
organizations is of paramount importance to federal
agencies and can directly impact the ability of the federal
government to successfully carry out its designated
missions and business operations.
--NIST Special Publication 800-171
HOW TO IDENTIFY CUI
o If it is not clear, the nonfederal organization should ASK
the federal organization.
o FSU often identifies a contract or grant as having CUI by
the inclusion of the following clauses within the contract:
– FAR Clauses 52.204-2, 52.204-21, and any others
that may require compliance.
– DFARS Clauses 252.204-7008, 252.204-7009,
252.204-7012, 252.204-7019 and any others that may
require compliance.
IS IT CUI OR NOT?
o The federal organization is responsible for informing the
nonfederal organization:
– DFARS (DoD contracts)
o Requires that CUI be marked
o Sub-contractors dependent on the prime may not
receive the same information provided to the prime.
– FAR (Civilian agency contracts)
o FAR Rule requires civilian agencies to mark CUI
o A CUI notice will be issued notifying agencies to identify
CUI in contracts and agreements.
CUI EXAMPLES
The National Archives CUI Registry identifies the information considered to be CUI by
category/subcategory. A non-exhaustive list of categories includes:
• Controlled technical information with military or space application
• Critical infrastructure information (e.g., energy infrastructure, water systems, etc.)
• Export controlled information or materials used in research
• Nuclear information related to protecting reactors, materials, or security
• Statistical information (e.g., U.S. Census)
• Transportation information (e.g., railroad safety, etc.)
Research data and other project information that a research team receives, possesses,
or creates during the performance of federally funded research may also be CUI.
The CUI Registry is the authoritative online repository for information, policy,
requirements and guidance on handling CUI.
CYBERTHREATS
Insider Threat
Malicious activities by a current or
former employee, contractor, or
trusted business partner,
including fraud, IT sabotage, theft
of intellectual property, and
espionage.
Malware
Malware (short for "malicious
software") is any program or
file that is harmful to a
computer user, including
computer viruses, worms,
Trojans and spyware.
Hackers
Hackers are people who
secretly get access to a
computer system in order to
steal information or cause
damage.
Phishing
Phishing steals personal
information by tricking you into
clicking a link or entering your
username & password. Phishing
comes in many forms: emails,
phone calls, website downloads.
CYBERTHREATS
CUI should be safeguarded against a range of threats:
o Malware: Be wary of invitations to download software from unknown sources; even
clicking advertisements can result in malware downloads like ransomware, spyware,
and adware.
o Phishing: Be skeptical of messages that require “immediate action” or threaten that
you will lose something.
o Insider Threat: Potential indicators of insider threat include behaviors such as
attempts to gain access to information that is not required for job performance,
bullying or sexual harassment of fellow employees, workplace violence and other
serious violations of policies and procedures.
o The above threats and other security concerns should be reported to management.
PROTECTION OF CUI
• When sending or receiving sensitive unclassified
information individuals must
– Implement need-to-know criteria
– Employ available methods of safeguarding data while
in transit (e.g., digital signatures, encryption methods,
classified fax machines, first class mail, password
protected email attachments, etc.)
• When no longer required, materials containing
sensitive unclassified information will be promptly
destroyed
– Cross-cut shred or dispose in shredder bins
– Sanitize IT systems
• The information owner may have additional
protection requirements that will be addressed on a
case-by-case basis
PROTECTION OF CUI
• Physical Protection measures:
– Maintain a need-to-know principle
– Utilize Unclassified protection coversheets and notice labels (if
available/used)
▪ When at rest, hand carrying, sending via interoffice mail, or
faxing (external mail, only use coversheets)
– Use copiers or printers without hard drives, if available
▪ If unavailable, device hard drives must be destroyed or sanitized
when no longer used by contractor
– Lock in a cabinet, desk, or office, or properly destroy if no longer
required
PROTECTION OF CUI
• Physical Protection measures:
– Use proper disposal and destruction methods
▪ Destruction Bags (If used, maintain positive control at all times)
▪ Shredders
– Use data encryption for internal and external transmittal
– Use password protected screensavers (Always lock your system when
leaving your work area)
– When possible, encryption should be implemented on systems containing
this information
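The two slides above ask for encryption of CUI both in transit (email attachments, external transmittal) and at rest, without saying what "encrypted" should mean in practice. The following added example, which is not FSU or ITS code and does not describe the NEST environment, shows the minimum a practitioner should expect from a file-encryption step: authenticated encryption (AES-256-GCM), a fresh random key per file that is delivered over a separate channel from the attachment, the file name bound to the ciphertext so a relabelled attachment is rejected, and a fingerprint the recipient can read back to confirm the right file arrived. The key-handling procedure and the sample document are assumptions for illustration only.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"os"
)

// Added example, not FSU/ITS code. The key handling (random 256-bit key per
// file, delivered out of band) is an assumption, not a documented FSU procedure.

const keyLen = 32 // AES-256

// NewKey returns a fresh random 256-bit key. Deliver it to the recipient over
// a different channel than the ciphertext (e.g. a phone call), never in the
// same email as the attachment.
func NewKey() ([]byte, error) {
	key := make([]byte, keyLen)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce || ciphertext || tag.
// label (e.g. the file name or CUI marking) is bound as associated data: it
// travels in the clear, but any change to it makes Open fail.
func Seal(key, plaintext []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A nonce must never repeat under the same key; with GCM that breaks both
	// confidentiality and authentication. A fresh key per file plus a random
	// 96-bit nonce keeps the reuse probability negligible.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(label)), nil
}

// Open reverses Seal. It returns no plaintext at all if the blob, key or label
// do not match, so a truncated or modified attachment is rejected rather than
// silently decrypted to garbage.
func Open(key, blob []byte, label string) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns+gcm.Overhead() {
		return nil, errors.New("blob too short to contain nonce and tag")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], []byte(label))
}

// Fingerprint is the SHA-256 hex digest of the encrypted blob. Reading it back
// to the sender confirms the same attachment arrived, without exposing content.
func Fingerprint(blob []byte) string {
	sum := sha256.Sum256(blob)
	return hex.EncodeToString(sum[:])
}

func main() {
	// Constructed sample document; not real CUI.
	doc := []byte("CUI//SP-CTI sample technical data (constructed for this example)")
	key, err := NewKey()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	blob, err := Seal(key, doc, "report.pdf")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("key (deliver out of band): %s\n", hex.EncodeToString(key))
	fmt.Printf("attachment fingerprint:    %s\n", Fingerprint(blob))
	// A recipient who receives the blob under a different name gets an error.
	if _, err := Open(key, blob, "notes.pdf"); err != nil {
		fmt.Println("relabelled attachment rejected:", err)
	}
	back, err := Open(key, blob, "report.pdf")
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("decrypted: %s\n", back)
}
```

Password-protected archives and office documents vary widely in how they derive the key and whether they authenticate the content; a process built on the pattern above (strong random key, authenticated cipher, key sent out of band) is what "data encryption for transmittal" should mean before an attachment leaves a controlled system.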
WHAT IS NIST SP 800-171?
• The National Institute of Standards and Technology
(NIST) Special Publication 800-171 defines 110
security requirements (controls) required to protect
CUI in nonfederal information systems and
organizations.
• The requirements apply only to components of
nonfederal information systems that process, store,
or transmit CUI, or provide security protection for
such components.
WHAT IS NIST SP 800-171?
o Non-compliance with NIST SP 800-171 has serious
consequences for FSU.
o Failure to address NIST SP 800-171 compliance
requirements could potentially result in sanctions or
debarment imposed on the University which would
prevent future awards of grants or contracts; suspension
or termination of existing contracts; and claims of default
or breach of contract resulting in potential litigation. In
addition, non-compliance can impair the university’s
reputation as a trusted custodian of sensitive data.
INTRO TO CMMC
o The Cybersecurity Maturity Model Certification (CMMC) 2.0
(updated in November 2021) is the DoD’s newest verification
system designed to ensure the protection of CUI. FSU is required to
self-assess compliance with all 110 NIST 800-171 requirements
and may also be subject to external third-party assessments.
o The DoD wants to measure the level of cybersecurity maturity of
prime contractors and their supply chain that work with the DoD to
protect CUI.
o A key concern for CMMC 2.0 is supply chain attacks: the adversary
goes after the weakest link in the supply chain to reach its actual
target.
HOW DOES FSU MEET CONTROL REQUIREMENTS?
o Utilizing a standard model, FSU employs cloud-based
services (currently Amazon Web Services) in addition to
standardized policies and procedures to meet the control
requirements.
o This model provides the flexibility to meet research data
security needs whether entirely cloud based or in a
hybrid model with on premise resources.
CAN’T RESEARCHERS JUST DO THIS THEMSELVES?
o In order to ensure that control requirements are being
met, Research has decided a centrally-managed solution
is the most cost-effective and manageable way to meet
the controls.
o Most research units do not have the resources available
to meet all controls independently.
WHAT CAN I DO TO HELP?
o Work with Research and ITS/ISPO to ensure that CUI
data is identified and protected appropriately.
o As you solicit new grants and contracts, collaborate with
designated staff to ensure any CUI data is protected
appropriately.
o Promptly notify ISPO if you suspect that any CUI data
has been compromised (lost, stolen or suspected to
have been inadvertently divulged).
WHAT IF I NEED HELP?
o Please follow the Incident Response Procedures for details on how to open a
support ticket.
o Security Incidents must be reported within 72 hours of discovery. Please
follow the Incident response procedures if a Security Incident is discovered
or suspected.
o The basic steps for opening a support ticket are to:
– Contact your local IT support first to determine if your issue can be
resolved locally
– If it cannot be resolved locally, open a ticket in the ITS Service Center or
call 644-HELP.
– When you create the case, at a minimum, enter:
o Provider Group – ITS-NIST
o Category – IT Support Services
o Specialty Type – NIST
o As much detail regarding your issue as possible.
FSU POLICIES
o FSU has detailed Information Security and Information Privacy
Policies. These can be found here:
o Information Security Policy: http://policies.vpfa.fsu.edu/policies-andprocedures/technology/information-security-policy
o Information Privacy Policy: http://policies.vpfa.fsu.edu/policies-andprocedures/technology/information-privacy-policy
o Access to NEST policies and procedures will be provided to you
after this training.
o All FSU employees should be familiar with these policies.
ADDITIONAL RESOURCES
▪ CUI registry (managed by National Archives and Records
Administration - NARA) https://www.archives.gov/cui
▪ NIST SP 800-171r2
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800171r2.pdf
▪ Guidance for Selected Elements of DFARS Clause 252.204-7012:
https://www.acq.osd.mil/dpap/policy/policyvault/USA002829-17DPAP.pdf
▪ DoD FAQS: http://dodprocurementtoolbox.com/faqs/cybersecurity
▪ CMMC Accreditation Body: https://cmmcab.org/
CONTACTS
Daniel Leggett
ITS Program Director, Research Compliance
dleggett@fsu.edu
Diana Key
Director, Office of Research Compliance Programs
(850) 644-8648
dkey@fsu.edu