For non-governmental organizations that do, or hope to do, business with the U.S. government, careful consideration must be given to whether controlled unclassified information is part of the specified contract work. Controlled unclassified information (CUI) is sensitive in nature and is restricted from public distribution. This is not classified information, rather products or by-products of contract government work that has been deemed to deserve additional protections.
The protections required are outlined in NIST SP 800-171: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. A link to this publication is included at the end of this article. The security controls to protect CUI are grouped into families. There are fourteen families, comprising just over 100 individual control measures. This article serves as a brief introduction to the control families. We’ll further explore each family and some of the specific security requirements in later articles.
Control families and a brief explanation of their purposes:
Access Control
Ensuring only those personnel, accounts and system processes that require access to CUI have such access, and ensuring CUI is not released or exposed to those not approved to receive it. Often, we think of this as an information technology issue. However, protection of CUI hardcopy documents, prototypes and other artifacts may require physical security measures as well.
Awareness and Training
Provide appropriate training and skills to those charged with the protection of CUI. This should include periodic cybersecurity awareness training, as well as system administrator, maintenance and even programming skills for those responsible for handling CUI.
Audit and Accountability
The contractor must know what CUI is maintained, where it is stored and processed, and by whom, when and where it is handled. Software, system and data inventories assist in accountability. System, event and access logs help to meet the audit requirements. Again, physical artifacts may require manual measures.
Configuration Management
Each component and process of an IT system has a configuration that dictates how it operates. By standardizing and managing configurations, systems and software should perform in definable and measurable ways.
Identification and Authentication
Employ measures that ensure authorized access is achieved only by those whose identities are confirmed and approved. These controls must be robust enough that they are not easily spoofed or faked, especially in remote access scenarios.
Incident Response
In this day and age, a compromise or breach of some degree is inevitable; that is the world we now live in. Creating and practicing a response plan helps to ensure the business can recover and resume operations.
Maintenance
Hardware, firmware and software components of IT systems must be kept up to date to ensure vulnerabilities are addressed, holes are patched, and subsystems keep functioning.
Media Protection
Create policies for how physical media is handled, stored and transported. It must be labeled and protected from unauthorized access.
Personnel Security
Systems and data are only as secure as the personnel with access to them. Ensure employees, contractors and vendors are properly vetted, authorized and approved.
Physical Protection
Systems that contain CUI may be prone to theft or damage. Protections for portable workstations, laptops and mobile devices are critical, as is appropriate security for servers and data storage areas.
Risk Assessment
Periodically evaluate the risks to personnel, systems and information and review control measures for adequacy.
Security Assessment
Periodically test and review security control measures, both logical and physical, to verify they meet objectives; refine and update as needed.
System and Communications Protection
Further measures to protect CUI data from unauthorized exposure; encryption is an important consideration.
System and Information Integrity
Making sure systems, and the data and information they process, are trustworthy and have not been maliciously or accidentally altered.
In reviewing the above families of controls, it is evident that achieving and maintaining compliance is a business effort, not just something for the IT team. Some controls require policy development while others are IT configurations; some are physical processes while others may be automated. All, however, require a plan and constant, cognizant oversight.
In future articles, we’ll delve into each of the control families and explore options for how they might be met.
Assured Bridge offers services and solutions to help small businesses meet their security and compliance objectives. Whether you need a fully compliant environment, or a trusted expert partner to advise and consult, we’re available to help.