Briefing Outline
CUI Program
– Benefits
– Executive Order 13556
– Defining the World of CUI
– Categories and the CUI Registry
– Basic and Specified CUI
Phased Implementation
Approach to Contractor Environment
CUI and IT Implementation
– NIST Special Publication 800-171
– Moderate Baseline (Select Controls)
32 CFR Part 2002 (Draft policy points)
Why is the CUI Program necessary?
Executive departments and agencies apply their own ad-hoc policies and markings to unclassified information that requires safeguarding or dissemination controls, resulting in:
– An inefficient patchwork system with more than 100 different policies and markings across the executive branch
– Inconsistent marking and safeguarding of documents
– Unclear or unnecessarily restrictive dissemination policies
– Impediments to authorized information sharing
What are the benefits of the CUI Program?
One uniform, shared, and transparent system for safeguarding and disseminating CUI that:
– Establishes common understanding of CUI control
– Promotes information sharing
– Reinforces existing legislation and regulations
– Clarifies the difference between CUI controls and FOIA exemptions
Executive Order 13556
Established the CUI Program
– In consultation with affected agencies (CUI Advisory Council)
Designated an Executive Agent (EA) to implement the E.O. and oversee department and agency actions to ensure compliance.
– National Archives and Records Administration
– Information Security Oversight Office
An open and uniform program to manage all unclassified information within the executive branch that requires safeguarding and dissemination controls as required by law, regulation, and Government-wide policy
Where do we begin? Define the world of CUI
EO 13556 called for a review of the categories, subcategories, and markings currently used by agencies.
– Agencies submitted to NARA/ISOO what they were protecting and the basis for that protection
– Over 2,200 submissions were received
– Information types were grouped together, legal authorities were examined, and a CUI Registry was published.
• Bank Secrecy • DNA • Investigation • Census • Investment Survey
Approved CUI Categories
23 Categories
1. Agriculture
2. Controlled Technical Information
3. Copyright
4. Critical Infrastructure
5. Emergency Management
6. Export Control
7. Financial
8. Foreign Government
9. Geodetic Product Information
10. Immigration
11. Information Systems Vulnerability Information
12. Intelligence
13. Law Enforcement
14. Legal
15. NATO
16. Nuclear
17. Patent
18. Privacy
19. Proprietary Business
20. Safety Act Information
21. Statistical
22. Tax
23. Transportation
82 Subcategories (examples listed)
• Financial • Health Information • Personnel
Online Registry
23 Categories
82 Sub-categories
315 unique Control citations
106 unique Sanction citations
http://www.archives.gov/cui
Two types: Basic and Specified
CUI Basic versus CUI Specified
CUI Basic = the LRGWP (law, regulation, or Government-wide policy) identifies an information type and says protect it.
CUI Specified = the LRGWP identifies an information type, says protect it, and specifies exactly how it should be protected or handled.
Category Creation
Sample of analysis (Legal/Witness Protection): identify information types and any specific protection/handling requirements.
Category Creation
Who can designate the information?
What information needs to be protected?
Who can authorize the dissemination (sharing)?
Phased Implementation
E.O. 13556 Sec. 5. Implementation (b): After a review of agency plans, and in consultation with affected agencies and the Office of Management and Budget, the Executive Agent shall establish deadlines for phased implementation by agencies.
Monitor & Report on Phased Implementation
Phased Implementation (as of 3/17/15)
Phases and timeline: Planning (Day 0), Readiness (Day 180), Initiation (Year 1), Final (Year 3-4). The chart marks the IOC and FOC milestones; items marked * are required for IOC.
Planning: Identify and initiate planning activities for CUI implementation
– Key EA Activities
• Publish 32 CFR Part 2002 Rule & Supplemental Guidance (Day 0)
• Augment Registry
• Provide Awareness Materials & Products
• Consult with OMB & Provide Budget Guidance
– Key D/A Activities
• Develop & Publish Policy*
• Develop Training/Awareness
• Develop IT Transition Plan
• Continue Internal Budget Planning
• Develop Self-Inspection Plan
• Develop Process to Manage CUI Status Challenges
Readiness: Prepare environment and workforce for the CUI transition
– Key EA Activities
• Publish CUI Training (Day 180)
• Provide Additional Guidance as needed
• Establish Schedule for On-site Reviews
• Provide Training Support & Consultation
– Key D/A Activities
• Assert Physical Safeguarding*
• Conduct Training*
• Initiate Awareness
• Prepare IT Transition
• Continue Internal Budget Planning
Initiation: Begin implementation of CUI practices; begin phase out of obsolete practices
– Key EA Activities
• Review Agency Policies
• Oversee Executive Branch Implementation
• Resolve Disputes & Complaints
• Initiate On-site Reviews
– Key D/A Activities
• Initiate CUI Implementation (Handle, Recognize, Receive)
• Initiate IT Transition
• Permit Creation of CUI
• Initiate Self-Inspection Program
Final: Full implementation of the CUI program
– Key EA Activities
• Oversee Executive Branch Implementation
• Collect Reporting Data
– Key D/A Activities
• Eliminate Old Markings
• Assure use of only New Markings
• Complete IT Transition
• Meet Refresher Training Requirements
What is needed to implement a CUI Program?
Policy
– Roles and Responsibilities
– Identify CUI handled
– Specialized implementation
Suitable physical environment
Training (of all affected personnel)
– Basic
– Specified
Suitable electronic environment
– Moderate Confidentiality
Timeline: 180 Days, Year 1, Year 3-4
32 CFR Part 2002 is scheduled to be published in 2016
CUI Approach for Contractor Environment
Diagram: Government side – E.O. 13556, CUI Registry, 32 CFR 2002 & Supplemental Guidance, FAR; Industry side – NIST SP 800-171
Until the formal process of establishing a single FAR clause takes place, the CUI requirements in NIST SP 800-171 may be referenced in federal contracts consistent with federal law and regulatory requirements.
The Department of Defense is in the process of revising its DFARS to reference the new publication.
Three-part Plan for CUI Protection
– Federal CUI rule (32 CFR Part 2002) to establish the required controls and markings for CUI governmentwide.
– NIST Special Publication 800-171 to define security requirements for protecting CUI in nonfederal information systems and organizations.
– Federal Acquisition Regulation (FAR) clause to apply the requirements of the federal CUI rule and NIST Special Publication 800-171 to contractors.
NIST Special Publication 800-171
This publication provides federal agencies with recommended requirements for protecting the confidentiality of CUI:
(i) when the CUI is resident in nonfederal information systems and organizations;
(ii) when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and
(iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.
The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components.
Development of Requirements
The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems.
The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53.
Starting with the FIPS Publication 200 security requirements and the security controls in the moderate baseline (i.e., the minimum level of protection required for CUI in federal information systems and organizations), the requirements and controls are tailored to eliminate requirements, controls, or parts of controls that are:
1. Uniquely federal (i.e., primarily the responsibility of the federal government);
2. Not directly related to protecting the confidentiality of CUI; or
3. Expected to be routinely satisfied by nonfederal organizations without specification.
Security Requirements: 14 Families (obtained from FIPS 200 and NIST Special Publication 800-53)
– Access Control
– Audit and Accountability
– Awareness and Training
– Configuration Management
– Identification and Authentication
– Incident Response
– Maintenance
– Media Protection
– Physical Protection
– Personnel Security
– Risk Assessment
– Security Assessment
– System and Communications Protection
– System and Information Integrity
Structure of NIST SP 800-171
Basic Security Requirements & Derived Security Requirements
Tables that illustrate the mapping of CUI requirements to security controls in:
– National Institute of Standards and Technology Special Publication (NIST SP) 800-53
– International Organization for Standardization / International Electrotechnical Commission (ISO/IEC) 27001
Moderate Baseline (Select Controls)
Access Control, 3.1.13, Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
Awareness and Training, 3.2.3, Provide security awareness training on recognizing and reporting potential indicators of insider threat.
Audit and Accountability, 3.3.2, Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
Incident Response, 3.6.1, Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
Media Protection, 3.8.1, Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.
Media Protection, 3.8.3, Sanitize or destroy information system media containing CUI before disposal or release for reuse.
Moderate Baseline (Select Controls)
Physical Protection, 3.10.1, Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
Identification and Authentication, 3.5.3, Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
Multifactor authentication requires two or more different factors to achieve authentication. Factors include: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., cryptographic identification device, token); or (iii) something you are (e.g., biometric).
The requirement for multifactor authentication should not be interpreted as requiring federal Personal Identity Verification (PIV) card or Department of Defense Common Access Card (CAC)-like solutions. A variety of multifactor solutions (including those with replay resistance) using tokens and biometrics are commercially available. Such solutions may employ hard tokens (e.g., smartcards, key fobs, or dongles) or soft tokens to store user credentials.
Moderate Baseline (Select Controls)
System and Information Integrity, 3.14.6, Monitor the information system, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
System and Information Integrity, 3.14.7, Identify unauthorized use of the information system.
Security Assessment, 3.12.3, Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Moderate Baseline (Select Controls)
System and Communications Protection, 3.13.8, Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
System and Communications Protection, 3.13.11, Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
FIPS-validated cryptography: a cryptographic module validated by the Cryptographic Module Validation Program (CMVP) to meet the requirements specified in FIPS Publication 140-2 (as amended). As a prerequisite to CMVP validation, the cryptographic module is required to employ a cryptographic algorithm implementation that has successfully passed validation testing by the Cryptographic Algorithm Validation Program (CAVP).
32 CFR Part 2002
New Terms…
Lawful Government purpose is any activity, mission, function, operation, or endeavor that the U.S. Government authorizes or recognizes within the scope of its legal authorities.
Legacy material is unclassified information that was marked or otherwise controlled prior to implementation of the CUI Program.
Uncontrolled unclassified information is information that neither the Order (EO 13556) nor classified information authorities cover as protected. Although this information is not controlled or classified, agencies must still handle it consistently with Federal Information Security Management Act (FISMA) requirements.
Decontrolling occurs when an agency removes safeguarding or disseminating controls from CUI that no longer requires them.
DRAFT
Limitations on applicability of agency CUI policies
– Agency policies pertaining to CUI do not apply to entities outside that agency unless the CUI Executive Agent approves their application and publishes them in the CUI Registry.
– Agencies may not levy any requirements in addition to those contained in the Order, this Part, or the CUI Registry when entering into contracts, treaties, or other agreements about handling CUI by entities outside of that agency.
32 CFR Part 2002: Sharing
Access and Dissemination (Sharing)
Agencies should permit access and dissemination of CUI, provided such access or dissemination:
– Abides by the law, regulation, or Government-wide policy that established the CUI category or subcategory;
– Furthers a Lawful Government Purpose;
– Is not restricted by an authorized limited dissemination control established by the CUI Executive Agent; and
– Is not otherwise prohibited by law.
32 CFR Part 2002: Marking
Agencies must uniformly and conspicuously apply CUI markings to all CUI prior to disseminating it unless otherwise specifically permitted by the CUI Executive Agent or as provided below.
– When marking is excessively burdensome, an agency's CUI senior agency official may approve waivers of all or some of the marking requirements for CUI designated within that agency.
The CUI banner marking must appear, at a minimum, at the top center of each page containing CUI.
Banner Marking
CONTROLLED/Categories or Subcategories//Dissemination
– CUI Control Marking: CONTROLLED
– Category Marking (if required): Categories or Subcategories
– Dissemination Control Marking: Dissemination
The banner marking consists of the CUI control marking, category markings (if required), and dissemination control markings.
• The CUI control marking (the word “CONTROLLED” or the acronym “CUI”) is mandatory for all CUI banners.
• Category markings are mandatory in the case of CUI Specified, and for CUI Basic when required by agency policy. Either complete category names or abbreviations may be used in banners to designate the categories of CUI contained within the document.
• All dissemination control markings must be approved by the CUI EA and published in the CUI Registry. Access to and dissemination of CUI must be allowed as extensively as necessary, consistent with or in furtherance of a Lawful Government Purpose.
Placement: top center of each page containing CUI.
Portion Marking
Portion marking is permitted and encouraged to facilitate information sharing and proper handling of the information. Portion markings must use only those abbreviations that are approved and listed in the CUI Registry. When used, the abbreviations, in parentheses, are placed at the beginning of the portion to which they apply and throughout the entire document.
Sample document with banner and portion markings (from the slide):
CONTROLLED
Department of Good Works, Washington, D.C. 20006
June 27, 2013
MEMORANDUM FOR THE DIRECTOR
From: John E. Doe, Chief Division 5
Subject: (U) Examples
(U) We support the President by ensuring that the Government protects and provides proper access to information to advance the national and public interest.
(CUI) We lead efforts to standardize and assess the management of classified and controlled unclassified information through oversight, policy development, guidance, education, and reporting.
CONTROLLED
Portion Marking = Best Practice
Forms & emails (the slide shows the CONTROLLED banner marking applied to a sample form and email)
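The banner structure (control marking, optional category markings, dissemination controls) and the portion-marking rules above are concrete enough to check mechanically. The following is an added example, not code from the briefing or from NARA/ISOO: a small validator that parses a banner line, flags a missing category marking for CUI Specified, flags unapproved dissemination controls and portion abbreviations, and checks that portion markings, once used, appear on every portion. The separators between multiple categories and multiple dissemination controls, the abbreviation tables, and the dissemination allowlist are all assumptions constructed for the example; the authoritative lists are the ones published in the CUI Registry.

```python
import re
from dataclasses import dataclass, field

# Control marking: the word CONTROLLED or the acronym CUI is mandatory on every banner.
CONTROL_MARKINGS = {"CONTROLLED", "CUI"}
# Category markings may be full approved category names (a few of the 23 from the
# briefing) or abbreviations; the abbreviations below are constructed for this example,
# the real ones are published in the CUI Registry.
CATEGORY_NAMES = {"Privacy", "Proprietary Business", "Export Control", "Legal"}
CATEGORY_ABBREVIATIONS = {"PRIV": "Privacy", "LEGAL": "Legal"}
# Dissemination controls must be EA-approved and listed in the Registry; this set is a
# constructed placeholder allowlist, not the Registry's list.
DISSEMINATION_CONTROLS = {"NOFORN", "FED ONLY"}
# Portion markings: abbreviations in parentheses at the start of a portion (assumed set).
PORTION_ABBREVIATIONS = {"U", "CUI"}
# A portion may start with a label such as "Subject:" before its marking.
PORTION_RE = re.compile(r"^(?:[A-Za-z ]+:\s*)?\((?P<mark>[A-Z]+)\)")


@dataclass
class Banner:
    control: str
    categories: list[str]
    dissemination: list[str]
    errors: list[str] = field(default_factory=list)


def parse_banner(text: str, specified: bool = False) -> Banner:
    """Parse 'CONTROL/Category/...//Dissem/...' and record every rule violation.
    Assumption: multiple categories and multiple dissemination controls are each
    separated by a single slash."""
    head, _, tail = text.strip().partition("//")
    parts = [p.strip() for p in head.split("/")]
    banner = Banner(
        control=parts[0],
        categories=[p for p in parts[1:] if p],
        dissemination=[d.strip() for d in tail.split("/") if d.strip()],
    )
    if banner.control not in CONTROL_MARKINGS:
        banner.errors.append(f"control marking '{banner.control}' must be CONTROLLED or CUI")
    for cat in banner.categories:
        if cat not in CATEGORY_NAMES and cat.upper() not in CATEGORY_ABBREVIATIONS:
            banner.errors.append(f"category '{cat}' is neither an approved name nor abbreviation")
    if specified and not banner.categories:
        banner.errors.append("CUI Specified requires a category marking in the banner")
    for ldc in banner.dissemination:
        if ldc not in DISSEMINATION_CONTROLS:
            banner.errors.append(f"dissemination control '{ldc}' is not EA-approved")
    return banner


def check_page(lines: list[str]) -> list[str]:
    """Validate one page: the first non-blank line must be a valid banner (top of page);
    if any portion is marked, every portion must be, with approved abbreviations only.
    Returns a list of findings; an empty list means the page passes."""
    text = [line.strip() for line in lines if line.strip()]
    if not text:
        return ["page is empty"]
    banner = parse_banner(text[0])
    findings = list(banner.errors)
    body = text[1:]
    if body and body[-1] == text[0]:  # a banner repeated at the bottom is allowed
        body = body[:-1]
    marked, unmarked = [], []
    for n, line in enumerate(body, start=2):
        m = PORTION_RE.match(line)
        if not m:
            unmarked.append(n)
            continue
        marked.append(n)
        mark = m.group("mark")
        if mark not in PORTION_ABBREVIATIONS:
            findings.append(f"line {n}: portion marking '({mark})' is not Registry-approved")
    if marked and unmarked:
        findings.append(f"portion markings used but missing on lines {unmarked}")
    return findings


# Constructed sample page, modelled on the briefing's "Department of Good Works" memo.
SAMPLE_PAGE = [
    "CONTROLLED/Privacy//NOFORN",
    "Subject: (U) Examples",
    "(U) We support the President by ensuring proper access to information.",
    "(CUI) We lead efforts to standardize the management of controlled unclassified information.",
    "CONTROLLED/Privacy//NOFORN",
]

if __name__ == "__main__":
    print(parse_banner(SAMPLE_PAGE[0]))
    print("findings:", check_page(SAMPLE_PAGE) or "none")
```

The check treats every non-blank line after the banner as a portion, so headers such as "MEMORANDUM FOR THE DIRECTOR" would be reported as unmarked; a real tool would need a rule for which lines count as portions. The "CUI Specified" flag is passed in by the caller because whether a document's category is Specified comes from the Registry entry, not from the banner text itself.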
Marking Handbook (2016)
Coversheet Consolidation
New Coversheets: Optional Forms
– Optional Form 901, Basic CUI Coversheet. Acceptable for all forms of CUI.
– Optional Form 902, Category/Subcategory CUI Coversheet. Acceptable for all forms of CUI. Categories or Subcategories can be identified in the spaces provided.
– Optional Form 903, Detailed CUI Coversheet. Acceptable for all forms of CUI. The space indicated can be used to convey specific categories or subcategories used, special instructions, or relevant points of contact.
Legacy Information
Sensitive unclassified information that was marked prior to the implementation of the CUI Program which meets the standards for CUI is considered legacy information.
Agencies are not required to review and re-mark legacy information until and unless the information is re-used, restated, or paraphrased. In such instances, pre-CUI markings must not be carried forward. If the information falls under the CUI Program, new documents containing the information must be marked in accordance with CUI directives.
Reproducing CUI
You may reproduce (e.g., copy, scan, print, electronically duplicate) CUI in furtherance of a lawful Government purpose.
When reproducing CUI documents on equipment such as printers, copiers, scanners, or fax machines, you must ensure that the equipment does not retain data or, if it does, sanitize it in accordance with NIST SP 800-53.
Controlled Environments
Controlled environment is any area or space an authorized holder deems to have adequate physical or procedural controls (e.g., barriers and managed access controls) for protecting CUI from unauthorized access or disclosure.
Reception Area used to control access to workspace.
When outside a controlled environment, you must keep the CUI under your direct control or protect it with at least one physical barrier. You or the physical barrier must reasonably protect the CUI from unauthorized access or observation.
General Safeguarding Policy
Agencies must safeguard CUI at all times in a manner that minimizes the risk of unauthorized disclosure while allowing for access by authorized holders.
– For categories designated as CUI Specified, personnel must also follow the procedures in the underlying law, regulation, or Government-wide policy that established the specific category or subcategory involved.
Safeguarding measures that are authorized or accredited for classified information are sufficient for safeguarding CUI.
Destruction
When destroying CUI, including in electronic form, you must do so in a manner that makes it unreadable, indecipherable, and irrecoverable, using any of the following:
– Guidance for destruction in NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, and NIST SP 800-88, Guidelines for Media Sanitization;
– Any method of destruction approved for Classified National Security Information, as delineated in 32 CFR 2001.47, Destruction, or any implementing or successor guidance; or
– Any specific destruction methods required by law, regulation, or Government-wide policy for that item.
Questions?
Contact Information
Information Security Oversight Office
National Archives and Records Administration
700 Pennsylvania Avenue, N.W., Room 100
Washington, DC 20408-0001
(202) 357-6870 (voice)
(202) 357-6871/6872 (fax)