Controlled Unclassified Information with Organizations under non-federal information systems and its security

Short Review on Controlled Unclassified Information

Information that requires the protection of laws, regulations or policies in government or the classification of information controllers under Executive Order 13526. National Security Rating Information, December 29, 2009, or any successor order or predecessor, Or the Atomic Energy Act of 1954, which has been amended. Supports business operations and federal missions that affect national security and economic conditions.

Executive Order 13556 under Controlled Unclassified Information

The government-developed Unclassified Information (CUI) developed to coordinate the way executive members handle information that does not require protection. The National Archives Administration (NARA) has been appointed executive officer of the CUI program.

Information that must be protected or disclosed in a restricted manner in accordance with federal laws, regulations, or government policies is pursuant to CUI.


Online database, tips, and guidelines Requirements for dealing with CUI, including emissions from CUI Managing Agent.

Identify approved categories and subcategories (With descriptions of each) and the basis of control. Defining the procedures for using CUI, including, but not limited to, restricted to labeling, security, transportation, distribute, re-using, and delete information.

National imperatives

The protection of unclassified information controlled in non-federal information systems organizations is of the utmost importance to federal agencies. However, this could have a direct impact on the federal government’s ability to perform intended business functions and operations.

Federal Information System

An information system used or operated by an executive agency, a contractor of an executive agency, or other organization on behalf of an executive agency.

Non-Federal Information System

An information system that does not meet the criteria for a federal information system.

Nonfederal Organization

A company that owns manages or maintains a non-federal information system.

Some Examples of Non-Federal Organizations

· Federal contractor

· State, local and tribal governments

· Colleges and universities

Parts plan for CUI protection

The federal CUI rule (32 CFR Part 2002) specifies the checks and markings required for CUI across the government. NIST Special Publication 800–171 defines security Requirements to protect CUI in non-state information systems and organizations. Federal Procurement Regulation (FAR) clause on the application of requirements of the federal standard CUI and SP 800–171 Non-federal organizations (planned for 2017).

Sayings of CUI Regulation

Code according to which CUI is at least moderate for C.

Defined “on behalf of an agency”

Information systems that process, store or

The CUI broadcast can be federal or non-federal

If the federal government (including contractors working on behalf of), the safety requirements of the authorities (e.g. FISMA / RMF) apply.

If not federal, SP 800–171 protection requirements apply.

According to the CUI Regulation (section 2002.4) for an agency

It occurs when a non-executive branch uses or operates an information system or manages or collects information for the purpose of processing, storing, or transmitting federal information, and these activities do not contribute to the provision of a service or product to the government.

Purpose of SP 800–171: Requirement to protect CUI’s privacy and provide recommendations to federal agencies. When the CUI contains non-state information Systems and organizations. If the CUI does not take special precautions licensing law requirements, Government regulations or rules for which the category or subcategory is displayed in the CUI log. If a non-federal, organization does not collect Retain information on behalf of the federal authority or use or manage a customized information system by a federal agency.

Applicability of SP 800–171

CUI requirements only apply to components Non-federal information systems that process, archive, or send CUIs or provide them with security protection Ingredients. Requirements apply to federal use agencies in contractual vehicles or other contracts established between these organizations and non-federal organizations.

Three Basic Assumptions

1. Legal and regulatory requirements to protect CUI are consistent whether that information resides in federal information systems or information outside the federal government Systems.

2. Safety precautions to secure the CUI are consistent federal and non — federal information systems Organizations.

3. The less the value of confidentiality the less I am moderate according to FIPS 199 publications.

Some Additional Assumptions

Have an IT infrastructure

· The system was not specially designed or purchased to process, store, or send the CUI.

Have controls to protect your information.

· Meeting CUI requirements may be sufficient.

Is there a necessary organizational structure resource to meet all CUI security requirements?

· Alternative, but equally effective, security measures can be implemented.

You can implement some possible security solutions.

· Directly or through the use of managed services

Requirements of CUI Security

The basic and inferred security requirements are:

First taken from FIPS 200 and NIST SP 800–53, and then adapted accordingly to eliminate the following requirements:

The federal government itself (i.e. mainly Federal Government).

It has nothing to do with CUI’s privacy protection.

You are expected to be regularly satisfied by the non-federal government organization without specifications.

Security Requirements Derived from FIPS 200 and NIST special publication 800–53

· Access Control

· Audit and Accountability

· Media Protection

· Physical Protection

· Personnel Security

· Awareness and Training

· Identification and Authentication

· Security Assessment.

· System and Communications Protection

· Incident Response

· Maintenance

· Risk Assessment

· Configuration Management

· System and Information Integrity

Structure of security requirements

Safety requirements have a precisely defined structure, consisting of the following elements:

Basic FIPS 200 security requirements

Safety requirements derived from SP 800–53

Configuration Management Example with Security Requirement

Essential Security Requirements (FIPS 200): Create and maintain organizational baselines and inventories for information systems (including hardware, software, firmware and documentation) throughout the life cycle of the relevant system.

Set up and apply security settings for the platform information technology products used in the company’s information systems.

Derived Safety Requirements (SP 800–53): Follow-up, review, approval/disapproval, and control of changes in

Information systems. Analyze the impact of changes on security before they are implemented. Define, document, approve and apply physical and logical access restrictions associated with changes in the information system.

Wajid Hassan is a Ph.D. Fellow in Technology Management at Indiana State University, USA. He is a Technology Evangelist and a fierce promoter of STEM Education