INFORMATION TECHNOLOGY SERVICES NIST COMPLIANCE AT FSU - CONTROLLED UNCLASSIFIED INFORMATION


NIST 800-171 COMPLIANCE AT FSU - CONTROLLED UNCLASSIFIED INFORMATION

WHAT IS NIST 800-171 COMPLIANCE AND WHY DO WE HAVE TO DO IT? Any Controlled Unclassified Information (CUI) residing in nonfederal information systems and organizations must be protected following the control requirements of NIST 800-171. FSU has research projects which have been identified as having CUI data. FSU agreed to protect this data and meet the required controls when these contracts and grants were accepted by the University. FSU Research, along with ITS, is working to ensure that each project or contract which requires compliance meets that compliance. If we were to get audited, FSU Research must be able to show that we are meeting our compliance requirements. By developing a standard compliance methodology for all FSU research requiring compliance, it is hoped that researchers will be able to dedicate their time to research and not have to dedicate as much time to meeting the requirements of the controls. FSU Research also sees compliance as a possible competitive advantage for FSU researchers when competing with other universities which cannot meet these compliance requirements.

WHAT IS CONTROLLED UNCLASSIFIED INFORMATION? Information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended. -- Executive Order 13556

WHY ARE WE SEEING THESE RULES? The protection of Controlled Unclassified Information while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. -- NIST Special Publication 800-171

HOW TO IDENTIFY CUI
CUI supports federal missions and business functions that affect the economic and national security interests of the United States. Only information that requires safeguarding or dissemination controls pursuant to federal law, regulation or governmentwide policy may be designated as CUI.

The federal organization is responsible for informing the nonfederal organization:
- DFAR (DoD contracts): requires that CUI be marked. Sub-contractors, dependent on the prime, may not receive the same information provided to the prime.
- FAR (civilian agency contracts): the FAR Rule requires civilian agencies to mark CUI. A CUI notice will be issued notifying agencies to identify CUI in contracts and agreements.

If it is not clear, the nonfederal organization should ASK the federal organization.

FSU often identifies a contract or grant as having CUI by the inclusion of the following clauses within the contract:
- FAR clauses 52.204-2, 52.204-21, and any others that may require compliance.
- DFARS clauses 252.204-7008, 252.204-7009, 252.204-7012, and any others that may require compliance.

WHAT IS NIST 800-171? NIST Special Publication 800-171 defines the security requirements (controls) required to protect CUI in nonfederal information systems and organizations. Information systems that process, store, or transmit CUI may be federal or nonfederal. When federal (including contractors operating on behalf of a federal agency), agency security requirements are applied (i.e., FISMA/RMF). When nonfederal, SP 800-171 security requirements are applied (FSU is a nonfederal organization).

HOW DOES FSU PLAN ON MEETING THE CONTROL REQUIREMENTS? Utilizing a standard model, FSU employs cloud-based services (currently Amazon Web Services) in addition to standardized policies and procedures to meet the control requirements. This model provides the flexibility to meet research data security needs whether entirely cloud based or in a hybrid model with on-premise resources.

CAN'T RESEARCHERS JUST DO THIS THEMSELVES? In order to ensure that control requirements are being met, Research has decided a centrally managed solution is the most cost-effective and manageable way to meet the controls. Most research units do not have the resources available to meet all 110 of the controls independently.

WHAT CAN I DO TO HELP ENSURE WE MEET THE COMPLIANCE REQUIREMENTS? Work with Research and ITS/ISPO to ensure that CUI data is identified and protected appropriately. As you solicit new grants and contracts, cooperate with the designated staff to ensure any CUI data is protected appropriately. Register for and complete the training detailed on the SANS SECURE THE HUMAN TRAINING slide later in this presentation. Promptly notify ISPO if you suspect that any CUI data has been compromised (lost, stolen or suspected to have been inadvertently divulged).

WHAT DO I DO IF I NEED HELP? Please follow the Incident Response Procedures for details on how to open a support ticket. These can be found here:

Note that Security Incidents need to be reported within 72 hours of discovery. Please follow the Incident Response Procedures if a Security Incident is discovered or suspected.

The basic steps for opening a support ticket are to:
- Contact your local IT support first to determine if your issue can be resolved locally.
- If it cannot be resolved locally, open a ticket in the ITS Service Center or call 644-HELP.
- When you create the case, at a minimum, enter: Provider Group: ITS-NIST; Category: IT Support Services; Specialty Type: NIST; and as much detail regarding your issue as possible.
Your case will then be directed to the appropriate staff.

TRAINING Control family 3.2 is Awareness and Training. It consists of three controls detailing the requirements to ensure that FSU personnel are made aware of the security risks associated with their activities and that they are aware of the applicable FSU policies and procedures. In order to make the best use of your time, we have broken the training into two parts: this PowerPoint presentation, and the SANS Securing the Human online training. This Security Awareness training has been customized with modules that meet the NIST 800-171 requirements. This training can be taken at your leisure as long as it is completed by the timeframe requested by ITS/ISPO. This makes the best use of your time by not requiring you to schedule time to attend an on-site presentation. Access to the CUI data will be restricted to those users who have completed the training (this is a requirement of NIST 800-171). Reports will be used to identify staff who have met these training requirements.

FSU POLICY FSU has very detailed Information Security and Information Privacy Policies. These can be found here:
Information Security Policy: http://policies.vpfa.fsu.edu/policies-and-procedures/technology/information-security-policy
Information Privacy Policy: http://policies.vpfa.fsu.edu/policies-and-procedures/technology/information-privacy-policy
All FSU employees should be familiar with these policies.

SANS SECURE THE HUMAN TRAINING Please register for and attend the Security Awareness training. To register, go to: https://bit.ly/2iyqs8d After registering, you will be approved for the training by the FSU ISPO training coordinator. This can take up to one day; however, he usually responds within an hour or so of receiving your registration request. To access the training after you have registered, go to: https://vle.securingthehuman.org/auth/login.php When requested to Select the Course you wish to take, please select CUI:

CONTACTS
Mike Boll, Research Data Security Specialist, (850) 645-3602, mboll@fsu.edu
Diana Key, Director, Research Compliance Programs, (850) 644-8648, dkey@fsu.edu