Are you looking for clarification on the CUI (Controlled Unclassified Information) security measures recommended in National Institute of Standards and Technology Special Publication (NIST SP) 800-171? These government guidelines can often seem complex, and it can be a challenge to determine the extent to which you have aligned with their policies. Parsing through the business requirements and risk assessments associated with appropriate CUI security protections can be a drain on your time and resources.
The following 14 questions are based on the 14 security control families outlined in NIST 800-171. Your answers regarding how your organization manages CUI security will reveal where you should focus your security efforts.
Do You Have Access Controls in Place?
Access to your CUI should always be heavily regulated. Controlling who can gain entry to your solution and what CUI they can access while they’re logged in is a key step to ensuring your data is protected. Solution access should be limited to authorized users and devices. You should also limit how authorized parties can use your solution once they are logged in. Assess your information system functions carefully to determine which functions should be permitted for which users.
What Do Your Awareness and Training Policies Entail?
Everyone in your organization, from your CEO to your interns, should be educated on your security standards. When employees are aware of both the risks and expectations associated with CUI security, they’re better equipped to do their part to protect your data. Employees who cut corners or don’t take security risks seriously are the greatest vulnerability for your organization.
You should first outline and communicate the CUI-related risks your company is facing. Once everyone is aware of these risks, each employee should be trained on the specific role they play in the CUI protection process.
How Do You Conduct Audits to Maintain Accountability?
If you don’t already have audit capabilities in place, you need to find a solution that provides them. The ability to audit the actions of your users in terms of CUI is vital. This allows you to know who is accessing your data, how it is used, and where hackers were able to infiltrate your system. With the appropriate audit capabilities, you will know where your vulnerabilities are, and how to patch them. You should be able to audit down to the actions of an exact user. This ensures each employee is accountable for their actions.
How Do You Manage Configuration Permissions?
Managing who is able to alter your solutions means you’re always up-to-date on who had made authorized changes and who had attempted unauthorized changes. You need baseline configurations for your information systems that are established and documented. You also need the administrative power to limit who can make configuration changes.
How Effectively Do You Identify and Authenticate Your Users?
To monitor both for employee alignment with your standards and the potential for a data security breach, you must have the capability to identify and authenticate your users to an exact individual. Knowing that the users logged in to your solution really are who they claim to be will give you peace of mind and protect your CUI. You should not only be able to authenticate the identity of each of your users, but the devices from which they are logging in as well.
Do You Have an Incident Response Protocol?
At some point, regardless of your efforts, a data breach will likely occur. When it does, you need incident response measures in place to quickly identify and contain the data breach. Stopping the data breach as soon as possible will mitigate the damage, and ensure no further CUI is impacted.
Create an incident-response protocol that is shared with and communicated to your team members. Following an incident, you need to document and report it to the appropriate authorities.
What Steps Have You Taken to Ensure CUI Protection during Maintenance?
Maintenance on your information systems is inevitable. However, many organizations forget that they need to take action to protect their CUI even in times of system maintenance. You should have the effective tools and controls in place to prevent maintenance personnel from gaining unauthorized access to CUI. You should also properly sanitize all devices of CUI before they are taken off premises for maintenance.
Is Media Housing CUI Protected?
All media devices used to store or share sensitive data need to be properly secured. Both physical CUI and digital CUI should be protected on these devices. All media, from laptops and tablets down to USB drives, need to be subject to security protocols. For example, devices housing CUI should be password protected. Also, they should never be left unattended in a public place.
What Are Your Personnel Security Policies?
Every organization should have personnel security policies in place. These policies should address how you plan to protect CUI during employee transfer or termination. You should also ensure that all employees are thoroughly vetted prior to gaining authorized access to your CUI information systems.
How Are Your Physical Facilities Protected?
Much of CUI security standards deal with how to protect your digital data. However, you also need measures in place to protect the physical locations where your data is housed. Physical access to your facilities and your equipment should be limited to authorized individuals. You should also monitor and secure your facilities to prevent intruders from gaining unauthorized access.
Do You Regularly Conduct Risk Assessments?
Assessing risk can provide insight into the health of your CUI security measures. It can also identify potential gaps in your policies where CUI could be at risk. Regularly assessing your organization for risk is a key preemptive measure to maintain CUI security. Assessment of CUI storage and transmission processes must be conducted on an ongoing basis.
Do You Regularly Assess Your Security Controls?
Many organizations implement security controls, test them following implementation, and fail to monitor their effectiveness in the future. You should be assessing your CUI security controls on a regular basis, verifying that they are working properly and protecting your CUI effectively.
Create and document security assessment procedures so they can be uniformly and regularly repeated. Once you identify potential vulnerabilities in your security controls, you should take action to quickly address the issue.
Are You Protecting Your Systems and Communications?
All of your organizational communications could be subject to a data breach at some point. That’s why it’s important to remember this type of data when you’re taking steps to protect your CUI. Monitoring and protecting your organizational communications, both internal and external, should be a priority.
Other aspects of your organization, like architectural designs, software development, and systems engineering, should be executed in ways that promote data security. Establish standards for these processes and communicate those standards to the applicable team members.
How Do You Maintain System and Information Integrity?
When system flaws arise, what processes do you have in place to address them? You need to identify, report, and correct any flaws as quickly as possible before your information systems are negatively impacted. Ensure CUI security measures are in place to protect against malicious code. You also need to establish a system of alerts, so you are notified when security incidents occur.
With the proper security measures in place, you can limit the risk of a data breach and effectively protect your CUI. To make the process even easier, you could adopt a secure file sharing solution that already has many of these guidelines in place.
Find out more about the CUI security measures you should establish. Download this DFARS security checklist now.