Earlier this month the National Institute of Standards and
Technology (NIST) published the final draft of SP
800-171, Protecting Controlled
Unclassified Information (CUI) in Nonfederal Information Systems and
Organizations. The final version of this guidance document
will support the regulations that the National Archives and Records
Administration (NARA) is expected to publish later this year on marking and
protecting CUI. The two types of CUI that most readers of this blog will deal
with will be the Protected
Critical Infrastructure Information (PCII) program and the Chemical-terrorism
Vulnerability Information (CVI) program.
The security measures (both physical and cyber) outlined in this document are expected to apply to any computer systems used to store or transmit CUI. It only applies to systems meeting the following criteria (1.1 pg 2):
∙ When the CUI is resident in nonfederal information systems and organizations;
∙ Where the CUI does not have specific safeguarding requirements prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the Registry; and
∙ When the information systems where the CUI resides are not operated by organizations on behalf of the federal government.
Neither the PCII Procedures Manual nor the CVI Procedures Manual provides significant guidance on the protection of documents on computer systems. This should mean that the final version of these guidelines will apply to computer systems used to store or transmit PCII or CVI information. To be sure of that we will have to wait to see exactly what the NARA regulations say.
This document outlines fourteen security requirement families (Table 1, pg 7):
∙ Access control;
∙ Awareness and training;
∙ Audit and accountability;
∙ Configuration management;
∙ Identification and authentication;
∙ Incident response;
∙ Maintenance;
∙ Media protection;
∙ Personnel security;
∙ Physical protection;
∙ Risk assessment;
∙ Security assessment;
∙ System and communications protection; and
∙ System and information integrity.
The security requirements for each of these families are outlined briefly in Chapter 3. According to a footnote on page 8 these requirements may be waived for control systems containing CUI. It states:
“Some specialized systems such as
medical devices, Computer Numerical Control (CNC) machines, or industrial
control systems may have restrictions or limitations on the application of
certain CUI requirements and may be granted waivers or exemptions from the
requirements by the federal agency providing oversight.”
I suppose if we include in the definition of ‘industrial
control systems’ such systems as access control systems and video surveillance
systems, then we could conceivably find CVI or PCII on industrial control
systems. I cannot imagine, however, anyone granting a waiver to such systems
due to their direct impact on facility security.
NIST is soliciting public input on this document. As has
become standard for the NIST comment process, a prepared comment
template has been provided. Comments should be provided by May 15th,
2015. NIST expects to publish the final document in June, 2015. There is no
specific indication when the NARA regulations will be published.