CUI / CDI NIST SP 800-171 Onboarding - University of Arizona · 2017. 10. 12. · “Green”...
CUI / CDI NIST SP 800-171 Onboarding
Initial information for Principal Investigators working with data requiring NIST SP 800-171 controls
Updated: October 12, 2017
Questions can be submitted to: [email protected]
Outline
1. What is CUI / CDI / NIST SP 800-171?
2. “Green” versus “Red” machines
3. AWS GovCloud Environment Overview
4. GovCloud S3 Bucket Application
5. CUI “Green” Laptop
6. Continuous Monitoring Overview
What is CUI / CDI / NIST SP 800-171?
Controlled Unclassified Information (CUI): an Executive Branch designation for information that requires safeguarding or dissemination controls in order to protect the ability of the federal government to carry out its designated missions and business operations.
Covered Defense Information (CDI): data that is collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of a DoD contract. DFARS 252.204-7012 treats CDI as a category of CUI.
NIST SP 800-171: defines the security requirements for protecting the confidentiality of CUI on nonfederal systems (109 requirements in the original 2015 publication; Revision 1 raised the count to 110 by adding the system security plan requirement, 3.12.4). These requirements are mapped to the moderate baseline of NIST SP 800-53 confidentiality controls.
“Green” versus “Red” machines
Green Machines
• An asset that can locally store, process, or transmit CUI, or provide security protection for such components
• Green machines are managed assets that are in-scope for all 109 controls in NIST SP 800-171.
Red Machines
• An asset that does not locally store, process, or transmit CUI, or provide security protection for such components
• Red machines are unmanaged assets that may access the GovCloud environment by going through a terminal host.
AWS GovCloud Environment Overview
Amazon Web Services GovCloud
• Amazon Web Services (AWS) offers reliable and scalable cloud compute (RAM/CPU) services
• The GovCloud region of AWS provides security of the cloud (the underlying facilities, hardware, network, and hypervisor) in a way that supports NIST SP 800-171 compliance – under the AWS shared responsibility model, UA is still responsible for security in the cloud, i.e., NIST SP 800-171 compliance of the operating systems, applications, data, and access controls we deploy there
AWS GovCloud Compute Environment
• Linux or Windows
• Custom storage/RAM/CPU/application installations
• Instances can be turned off when not being used (to save RAM/CPU costs)
GovCloud S3 Bucket Application
Amazon Simple Storage Service (S3)
• Amazon S3 stores data as objects within resources called “buckets”
• We have configured our S3 buckets to encrypt data at rest according to FIPS 140-2, Level 2, requirements
S3 Bucket “DropBox” Application
• UA-developed application that sits on top of an S3 bucket and allows a project sponsor to connect and retrieve data via two-factor authentication
• The sponsor is required to have a NetID, which is created as part of a Designated Campus Colleague (DCC) request using the specialized “Sponsored Research Authentication” (SRA) subtype
• SRA DCC accounts can be requested by departments after following all applicable Export Control processes
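The slide states that the buckets encrypt data at rest but does not show how that is enforced. The bucket policy below is an added example, not UA's actual policy or any code from the DropBox application, of the standard way to make the guarantee hold at the S3 API level: a PutObject that does not request SSE-KMS is refused, a PutObject that omits the encryption header entirely is refused (the second statement, since a missing header does not match a StringNotEquals test the way an explicit wrong value does), and any request over plain HTTP is refused. The bucket name example-cui-dropbox is a placeholder; the arn:aws-us-gov partition is the one GovCloud resources use. Because an explicit Deny overrides every Allow, the policy binds the application's own IAM role as well as sponsor accounts.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyUploadsNotUsingSSEKMS",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws-us-gov:s3:::example-cui-dropbox/*",
      "Condition": {
        "StringNotEquals": {
          "s3:x-amz-server-side-encryption": "aws:kms"
        }
      }
    },
    {
      "Sid": "DenyUploadsWithoutEncryptionHeader",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws-us-gov:s3:::example-cui-dropbox/*",
      "Condition": {
        "Null": {
          "s3:x-amz-server-side-encryption": "true"
        }
      }
    },
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws-us-gov:s3:::example-cui-dropbox",
        "arn:aws-us-gov:s3:::example-cui-dropbox/*"
      ],
      "Condition": {
        "Bool": {
          "aws:SecureTransport": "false"
        }
      }
    }
  ]
}
```

Apply it with `aws s3api put-bucket-policy --bucket example-cui-dropbox --policy file://policy.json`. Requiring `aws:kms` rather than merely "some encryption" is deliberate: it also rejects SSE-S3 (AES256) uploads, so every object is protected by a KMS key whose use is recorded in CloudTrail and which can be scoped to the project. The policy complements, rather than replaces, whatever default encryption is set on the bucket: a default silently encrypts uploads that forgot to ask, whereas the Deny makes a misconfigured client fail loudly at upload time instead of at audit time.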
CUI “Green” Laptop
• Capable of locally storing, processing, and transmitting CUI data
• In-scope for all 109 controls of NIST SP 800-171
• To be used for CUI work only
• USB ports should not be utilized unless the device is specifically authorized by the project Technology Control Plan (TCP)
• Runs Windows 10 with NIST SP 800-171 required security hardening
• Requested through departmental IT staff
Continuous Monitoring
Requirements
• All assets that store, process, or transmit CUI data, or provide security for such components, are required to be continuously monitored for security incidents
• Cyber incidents must be reported within 72 hours of discovery (the DFARS 252.204-7012 rapid-reporting requirement), so detection and escalation have to run continuously rather than on a periodic review cycle
Current Configuration
• All assets have Splunk agents that send logs to a central aggregator in the AWS GovCloud environment
• Logs are continuously monitored by an external Security Operations Center (SOC)
• Alerts are escalated to the UA Operations team