Earlier this month the National Institute of Standards and Technology (NIST) published the final draft of SP 800-171, Protecting Controlled Unclassified Information (CUI) in Nonfederal Information Systems and Organizations. The final version of this guidance document will support the regulations that the National Archives and Records Administration (NARA) is expected to publish later this year on marking and protecting CUI. The two types of CUI that most readers of this blog will deal with will be the Protected Critical Infrastructure Information (PCII) program and the Chemical-terrorism Vulnerability Information (CVI) program.
The security measures (both physical and cyber) outlined in this document are expected to apply to any computer systems used to store or transmit. It only applies to systems meeting the following criteria (1.1 pg 2):
∙ When the CUI is resident in nonfederal information systems and organizations;
∙ Where the CUI does not have specific safeguarding requirements prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the Registry; and
∙ When the information systems where the CUI resides are not operated by organizations on behalf of the federal government.
Neither the PCII Procedures Manual nor the CVI Procedures Manual provide significant guidance on the protection of documents on computer systems. This should mean that the final version of these guidelines should apply to computer systems used to store or transmit PCII or CVI information. To be sure of that we will have to wait to see exactly what the NARA regulations say.
This document outlines fourteen security requirement families (Table 1, pg 7)
∙ Access control;
∙ Awareness and training;
∙ Audit and accountability;
∙ Configuration management;
∙ Identification and authentication;
∙ Incident and response;
∙ Media protection;
∙ Personnel security;
∙ Physical protection;
∙ Risk assessment;
∙ Security assessment;
∙ System and communications protection; and
∙ System and information integrity.
The security requirements for each of these families are outline briefly in Chapter 3. According to a footnote on page 8 these requirements may be waived for control systems containing CUI. It states:
“Some specialized systems such as medical devices, Computer Numerical Control (CNC) machines, or industrial control systems may have restrictions or limitations on the application of certain CUI requirements and may be granted waivers or exemptions from the requirements by the federal agency providing oversight.”
I suppose if we include in the definition of ‘industrial control systems’ such systems as access control systems and video surveillance systems, then we could conceivably find CVI or PCII on industrial control systems. I cannot imagine, however, anyone granting a waiver to such systems due to their direct impact on facility security.
NIST is soliciting public input on this document. As has become standard for the NIST comment process, a prepared comment template has been provided. Comments should be provided by May 15th, 2015. NIST expects to publish the final document in June, 2015. There is no specific indication when the NARA regulations will be published.