NIST 800-171 COMPLIANCE AT FSU - CONTROLLED UNCLASSIFIED INFORMATION
WHAT IS NIST 800-171 COMPLIANCE AND WHY DO WE HAVE TO DO IT?
Any Controlled Unclassified Information (CUI) residing in nonfederal information systems and organizations must be protected following the control requirements of NIST 800-171. FSU has research projects which have been identified as having CUI data. FSU agreed to protect this data and meet the required controls when these contracts and grants were accepted by the University. FSU Research, along with ITS, is working to ensure that each project or contract which requires compliance meets that compliance. If we were to get audited, FSU Research must be able to show that we are meeting our compliance requirements. By developing a standard compliance methodology for all FSU research requiring compliance, it is hoped that researchers will be able to dedicate their time to research and not have to spend as much time on meeting the requirements of the controls. FSU Research also sees compliance as a possible competitive advantage for FSU researchers when competing with other universities which cannot meet these compliance requirements.
WHAT IS CONTROLLED UNCLASSIFIED INFORMATION?
Information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. -- Executive Order 13556
WHY ARE WE SEEING THESE RULES?
The protection of Controlled Unclassified Information while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. -- NIST Special Publication 800-171
HOW TO IDENTIFY CUI
- CUI supports federal missions and business functions that affect the economic and national security interests of the United States.
- Only information that requires safeguarding or dissemination controls pursuant to federal law, regulation or governmentwide policy may be designated as CUI.
- The federal organization is responsible for informing the nonfederal organization:
  - DFAR (DoD contracts): requires that CUI be marked. Subcontractors dependent on the prime may not receive the same information provided to the prime.
  - FAR (civilian agency contracts): the FAR rule requires civilian agencies to mark CUI. A CUI notice will be issued notifying agencies to identify CUI in contracts and agreements.
- If it is not clear, the nonfederal organization should ASK the federal organization.
- FSU often identifies a contract or grant as having CUI by the inclusion of the following clauses within the contract:
  - FAR Clauses 52.204-2, 52.204-21, and any others that may require compliance.
  - DFARS Clauses 252.204-7008, 252.204-7009, 252.204-7012 and any others that may require compliance.
WHAT IS NIST 800-171?
NIST Special Publication 800-171 defines the security requirements (controls) required to protect CUI in nonfederal information systems and organizations. Information systems that process, store, or transmit CUI may be federal or nonfederal:
- When federal (including contractors operating on behalf of a federal agency), agency security requirements are applied (i.e., FISMA/RMF).
- When nonfederal, SP 800-171 security requirements are applied (FSU is a nonfederal organization).
HOW DOES FSU PLAN ON MEETING THE CONTROL REQUIREMENTS?
Utilizing a standard model, FSU employs cloud-based services (currently Amazon Web Services) in addition to standardized policies and procedures to meet the control requirements. This model provides the flexibility to meet research data security needs whether entirely cloud-based or in a hybrid model with on-premises resources.
CAN'T RESEARCHERS JUST DO THIS THEMSELVES?
In order to ensure that control requirements are being met, Research has decided a centrally managed solution is the most cost-effective and manageable way to meet the controls. Most research units do not have the resources available to meet all 110 of the controls independently.
WHAT CAN I DO TO HELP ENSURE WE MEET THE COMPLIANCE REQUIREMENTS?
Work with Research and ITS/ISPO to ensure that CUI data is identified and protected appropriately. As you solicit new grants and contracts, cooperate with the designated staff to ensure any CUI data is protected appropriately. Register for and complete the training detailed on the SANS SECURE THE HUMAN TRAINING slide later in this presentation. Promptly notify ISPO if you suspect that any CUI data has been compromised (lost, stolen or suspected to have been inadvertently divulged).
WHAT DO I DO IF I NEED HELP?
Please follow the Incident Response Procedures for details on how to open a support ticket. These can be found here:
Note that Security Incidents need to be reported within 72 hours of discovery. Please follow the Incident Response Procedures if a Security Incident is discovered or suspected.
The basic steps for opening a support ticket are to:
1. Contact your local IT support first to determine if your issue can be resolved locally.
2. If it cannot be resolved locally, open a ticket in the ITS Service Center or call 644-HELP.
3. When you create the case, at a minimum, enter:
   - Provider Group: ITS-NIST
   - Category: IT Support Services
   - Specialty Type: NIST
   - As much detail regarding your issue as possible.
Your case will then be directed to the appropriate staff.
TRAINING
Control family 3.2 is Awareness and Training. It consists of three controls detailing the requirements to ensure that FSU personnel are made aware of the security risks associated with their activities and that they are aware of the applicable FSU policies and procedures. In order to make the best use of your time, we have broken the training into two parts:
1. This PowerPoint presentation.
2. The SANS Securing the Human online training. This Security Awareness training has been customized with modules that meet the NIST 800-171 requirements. This training can be taken at your leisure as long as it is completed by the timeframe requested by ITS/ISPO. This makes the best use of your time by not requiring you to schedule time to attend an on-site presentation.
Access to the CUI data will be restricted to those users who have completed the training (this is a requirement of NIST 800-171). Reports will be used to identify staff who have met these training requirements.
FSU POLICY
FSU has very detailed Information Security and Information Privacy Policies. These can be found here:
Information Security Policy: http://policies.vpfa.fsu.edu/policies-andprocedures/technology/information-security-policy
Information Privacy Policy: http://policies.vpfa.fsu.edu/policies-andprocedures/technology/information-privacy-policy
All FSU employees should be familiar with these policies.
SANS SECURE THE HUMAN TRAINING
Please register for and attend the Security Awareness training. To register, go to: https://bit.ly/2iyqs8d
After registering, you will be approved for the training by the FSU ISPO training coordinator. This can take up to one day; however, he usually responds within an hour or so of receiving your registration request.
To access the training after you have registered, go to: https://vle.securingthehuman.org/auth/login.php
When requested to Select the Course you wish to take, please select CUI:
CONTACTS
Mike Bll, Research Data Security Specialist, (850) 645-3602, mbll@fsu.edu
Diana Key, Director, Research Compliance Programs, (850) 644-8648, dkey@fsu.edu