The Protection of Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations

Jim Dries, Director, Cyber Strategy & GRC

As the US federal government rolls out its new standards for Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) shared with contractors and subcontractors under its Cybersecurity Maturity Model Certification (CMMC) 2.0 requirement, NIST is in the process of revising its CUI standards. NIST SP 800-171 Rev 3 is currently in final draft review and is available as an Initial Public Draft (IPD) as of November 9th, 2023. As CMMC 2.0 consolidates its levels to three, NIST SP 800-171 and 800-172 will align to the new CMMC Level 2 “Advanced Level” and Level 3 “Expert Level” respectively.

Summary of changes in NIST SP 800-171 Rev 3:

NIST has made sweeping changes to align 800-171 with its SP 800-53, Security and Privacy Controls for Information Systems and Organizations. Of the 96 controls in 800-171 Rev 3, NIST considers 43 (or 45%) of the changes “Significant”, 15 “Minor” and 17 “New” requirements. If you happened to follow our Guide to the 2023 NYDFS Regulation Amendments in early November 2023, there is a striking similarity between the two sets of requirements in the number of changes, the type of changes and the increased detail of the changes. Both governing bodies have moved from general control statements, which left entities discretion in how the controls were defined, to injecting a more procedural level of detail into their updated requirements, as some of the examples below illustrate.

Here is a breakdown of three of the NIST 800-171 control Families with the most changes in their requirements for entities.

Access Controls

NIST made the most changes within the Access Control family of controls. In general, NIST has aligned this family most heavily with 800-53, with similar specificity and detail of requirements, but for the purpose of protecting CUI. For entities, this is a multiple-step change in the threshold to implement and satisfy.

For example, compare the Rev 2 Account Management requirement with its Rev 3 counterpart.

Other requirements with Significant changes within the Access Control Family: all of the following requirements are updated to align to NIST 800-53 controls.

  • Least Privilege: specifies “least privilege”: users are authorized and given only the access necessary to accomplish their assigned duties, and such access is periodically reviewed.
  • Least Privilege – Privileged Accounts: the requirement now also includes restricting privileged accounts to defined personnel or roles, and requiring users with privileged accounts to use their non-privileged accounts for non-security functions.
  • Remote Access: requires strict control of remote access sessions, including specifying restrictions, specifying connection requirements, authorizations, directed routing of access into the entity, and authorization of privileged commands and access to security-relevant information.
  • Wireless Access: requires strict control of wireless access, including specifying restrictions, specifying connection requirements, authorizations, directed routing of wireless access within the entity, and disabling wireless capabilities prior to issuance and deployment when they are not intended for use.
  • Access Control for Mobile Devices: requires strict control of mobile devices, including specifying restrictions, specifying connection requirements, authorizations, and the use of full-device or container-based encryption.
  • Use of External Systems: one of the more extensive additional requirements. It includes prohibiting the use of external systems unless specifically authorized (assume an audit record is required), satisfying terms and conditions and security requirements prior to access by those systems, authorizing access by external systems only after verification of the security requirements on the external system(s) and retention of agreements with the external system entity, and restricting the use of portable storage devices by users of external systems.
  • Publicly Accessible Content: requires training for those posting content to publicly accessible systems to ensure no CUI is included, and a documented routine review of publicly accessible information with removal of any CUI found.

Audit and Accountability

These Audit and Accountability requirements relate to the ability of information security operations to capture and accurately represent system event logs. Like the Access Control Family, the Audit and Accountability controls have nearly as many changes both in number and in specification: eight Significant changes in total.

For example, compare the Rev 2 Audit Record Content requirement with its Rev 3 counterpart.

Other requirements with Significant changes within the Audit and Accountability Family. All but one of these requirements is updated to align to NIST 800-53 controls.

  • Event Logging: requires specifying the event types to be logged and a defined process to review and update them on a periodic basis.
  • Audit Record Generation: requires retention of the audit records defined by the Audit Record Content and Event Logging requirements, consistent with organizational retention policies.
  • Response to Audit Logging Process Failures: requires that defined personnel or roles be alerted to failures, a time-bound response to failures, and that the entity define additional procedures for failures.
  • Audit Record Review, Analysis and Reporting: requires periodic (meaning at a defined frequency) review and analysis for inappropriate or unusual activity, reporting to defined personnel or roles, and correlation of the analysis across different repositories for entity-wide situational awareness.
  • Audit Record Reduction and Report Generation: now requires that the audit reduction and report generation capability “supports audit record review, analysis, reporting requirements, and after-the-fact investigations of incidents” as well as “preserve the original content and time ordering of audit records.”
  • Time Stamps: the requirement moves from comparing and synchronizing internal system clocks for audit records to maintaining internal system clocks and recording, with audit record time stamps, the offset from those internal clocks to Coordinated Universal Time (UTC).
  • Protection of Audit Information: adds a requirement, beyond protecting the audit information collected, to restrict it to a limited number of privileged users or roles.
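The Time Stamps, Audit Record Reduction and Report Generation, and Response to Audit Logging Process Failures items above can be exercised together over a handful of records. The Python below is an added example, not code from the article or from NIST: the record format, host and event names, and the AUDIT_FAILURE marker are constructed assumptions.

```python
from datetime import datetime, timezone

# Constructed sample audit records (not from the article). Each stamp carries
# the emitting clock's local time plus its UTC offset, as Time Stamps expects.
SAMPLE_RECORDS = [
    "2023-11-09T08:15:02-05:00 host=web01 user=jdoe event=LOGON outcome=SUCCESS",
    "2023-11-09T13:16:40+00:00 host=db01 user=svc_backup event=PRIV_CMD outcome=SUCCESS",
    "2023-11-09T08:14:55-05:00 host=web01 user=root event=LOGON outcome=FAILURE",
    "2023-11-09T13:20:00+00:00 host=db01 event=AUDIT_FAILURE detail=disk_full",
]
# Event types the organization defined for logging (assumed names), and the
# event type an agent emits when the logging process itself fails (assumed).
SELECTED_EVENT_TYPES = {"LOGON", "PRIV_CMD"}
LOGGING_FAILURE_EVENT = "AUDIT_FAILURE"


def parse_record(line):
    """Parse one record; reject time stamps that carry no UTC offset."""
    ts_text, _, rest = line.partition(" ")
    local = datetime.fromisoformat(ts_text)
    if local.utcoffset() is None:
        raise ValueError("audit record lacks a UTC offset: " + line)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    return {
        "utc": local.astimezone(timezone.utc),
        "offset_seconds": int(local.utcoffset().total_seconds()),
        "fields": fields,
        "raw": line,  # original content is kept verbatim, never rewritten
    }


def reduce_records(lines):
    """Audit record reduction: order by UTC so clocks with different offsets
    line up, select the defined event types, and set failures aside."""
    # sorted() is stable, so records with equal stamps keep their original order.
    records = sorted((parse_record(ln) for ln in lines), key=lambda r: r["utc"])
    selected = [r for r in records if r["fields"].get("event") in SELECTED_EVENT_TYPES]
    failures = [r for r in records if r["fields"].get("event") == LOGGING_FAILURE_EVENT]
    return {"selected": selected, "failures": failures}


def generate_report(lines):
    """Report generation: UTC stamp followed by the untouched original record,
    plus one alert per logging-process failure for the defined personnel."""
    reduced = reduce_records(lines)
    report = [r["utc"].strftime("%Y-%m-%dT%H:%M:%SZ") + " | " + r["raw"]
              for r in reduced["selected"]]
    alerts = ["ALERT audit logging failure on %s at %s" %
              (r["fields"].get("host", "?"), r["utc"].isoformat())
              for r in reduced["failures"]]
    return report, alerts
```

Note that the web01 records, stamped five hours behind, sort ahead of the db01 record once both are expressed in UTC; without the offset the ordering across hosts would be wrong.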

Identification and Authentication

What most commercial entities would consider a subset of Access Control, NIST treats as its own family; its Significant Identification and Authentication changes focus on identification and password management.

For example, compare the Rev 2 Password Management requirement with its Rev 3 counterpart.

How MorganFranklin Can Help

Navigating the evolving landscape of cybersecurity standards, such as the upcoming changes in NIST SP 800-171, requires a strategic and comprehensive approach. At MorganFranklin, we specialize in providing tailored solutions to ensure that your organization not only meets regulatory requirements but also enhances its overall cybersecurity posture.

Our team of experts understands the intricacies of NIST standards, including the latest revisions, and can guide your organization through the necessary steps for compliance. From compliance assessments and gap analyses to implementation support and continuous monitoring, MorganFranklin offers a range of services to support alignment to NIST SP 800-171.

LET’S WORK TOGETHER

We are experienced, engaged professionals who are highly energetic and motivated to work in challenging, high-stakes environments.