NIST 800-171 Simplifying CUI and DFARS Compliance


Transcript of NIST 800-171 Simplifying CUI and DFARS Compliance

Page 1: NIST 800-171 Simplifying CUI and DFARS Compliance

EmeSec Incorporated ©2017

Maria Horton, CISSP-ISSMP

GTSC Capacity Building Day

Countdown to Compliance: CUI & DFARS

August 17, 2017

Page 2: NIST 800-171 Simplifying CUI and DFARS Compliance


EmeSec

We help our clients protect their mission, reputation and their growth engine by harnessing the power of security and compliance within their organization.

• We are a Security Solutions Company

• Cloud Security and Engineering

• Regulatory Compliance Services

• A FedRAMP accredited 3PAO

• Hold 4 ISO certifications:

• ISO 9001:2015

• ISO/IEC 20000-1:2011

• ISO/IEC 27001:2013

• ISO/IEC 17020:2012

Page 3: NIST 800-171 Simplifying CUI and DFARS Compliance


CUI – Wow!

• CUI and DFARS 252.204-7012 compliance is mandated

• NIST SP 800-171 must be implemented not later than December 31, 2017; for contracts awarded before October 1, 2017, any requirements not yet implemented must be reported to the DoD CIO within 30 days of contract award

• CUI and DFARS apply to all contractors

• Primes and their subcontractors

• Flow-down requirements include 1099 (contract) staff as well

• High-tech and low-tech companies

135 Days & counting ….

Page 4: NIST 800-171 Simplifying CUI and DFARS Compliance

What is CUI?

Oversight & Enforcement

• NARA CUI Registry: http://www.archives.gov/cui/registry/category-list.html

• Federal Acquisition Regulation (FAR) 52.204-21, Basic Safeguarding of Covered Contractor Information Systems

• Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting

• Two key requirements

• (1) Adequate security (implement NIST SP 800-171 on covered contractor information systems)

• (2) Cyber incident reporting (report to DoD within 72 hours of discovery)

• NIST SP 800-171, Rev. 1

• Published December 2016

• Added requirement 3.12.4: a System Security Plan (SSP), with plans of action for any unimplemented requirements, is now required for compliance

Definitions

• Controlled Unclassified Information (CUI)

• Unclassified information that a law, regulation, or government-wide policy requires or permits to be handled with safeguarding or dissemination controls

• Covered Defense Information (CDI)

• Unclassified controlled technical information (CTI) or other information, as described in the CUI Registry, that requires safeguarding or dissemination controls and is marked or otherwise identified in the contract

• Covered Contractor System

• An information system owned or operated by a contractor that processes, stores, or transmits Federal contract information (the FAR 52.204-21 definition); under DFARS 252.204-7012 the same term means an unclassified contractor system that processes, stores, or transmits CDI

Page 5: NIST 800-171 Simplifying CUI and DFARS Compliance


CUI and DFARS Information Supply Chain Protection


Page 6: NIST 800-171 Simplifying CUI and DFARS Compliance

Elements of CUI Compliance

• CUI requires compliance with 14 security requirement families (110 requirements in NIST SP 800-171, Rev. 1)

• More complex than presented: NIST SP 800-171 (page v) cautions that satisfying these requirements should not be assumed to satisfy NIST SP 800-53 and FIPS 200

Section  Acronym  Security Requirement Family (acronyms follow NIST SP 800-53)

3.1      AC       Access Control
3.2      AT       Awareness and Training
3.3      AU       Audit and Accountability
3.4      CM       Configuration Management
3.5      IA       Identification and Authentication
3.6      IR       Incident Response
3.7      MA       Maintenance
3.8      MP       Media Protection
3.9      PS       Personnel Security
3.10     PE       Physical Protection
3.11     RA       Risk Assessment
3.12     CA       Security Assessment
3.13     SC       System and Communications Protection
3.14     SI       System and Information Integrity

Page 7: NIST 800-171 Simplifying CUI and DFARS Compliance

Compliance, Due Diligence, Liability

The implications of non-compliance: risks and liabilities to your company

• Why?

• Today, every business is a digital business

• Every business has third-party and supply-chain connections

• Due diligence is taking the effort to avoid harm or loss through reasonable care

• Liability almost always comes from not demonstrating due diligence

Page 8: NIST 800-171 Simplifying CUI and DFARS Compliance


CUI and DFARS Compliance – Common Mistakes

1. CUI is more than cyber

2. CUI is about comprehensive InfoSec

3. CUI isn’t isolated – protect all of your data flow

4. Leadership and accountability are critical to CUI

Common mistakes:

1. Not accounting for non-cyber

2. Using a checklist mentality

3. Light manufacturing issues

4. Decision makers not in the process

Page 9: NIST 800-171 Simplifying CUI and DFARS Compliance

• Maria Horton, CEO

• Phone: 703.429.4492/4491

• Email: [email protected]

• @EmeSec

• @mariahorton

Thank you for your time!

We would love to hear from you.

Contact us for a free CUI primer and Tips Handout!

Remember, there is still time to meet the deadline!