3.1.3 has a weight of -1 points
(Access Control Family) 3/22
Does your company control the flow of CUI in accordance with approved authorizations?
Example of System Security Plan (SSP):
System Security Plan (SSP): Control 3.1.3 – Control the Flow of CUI
Control: 3.1.3 – Control the flow of Controlled Unclassified Information (CUI) in accordance with approved authorizations.
Purpose: The primary goal of this control is to guarantee that the flow of CUI within our organization is systematic, structured, and, above all, secure. To maintain the security and integrity of the CUI we handle, we have taken the necessary measures aligned with the Department of Defense’s compliance standards.
Implementation:
- CUI Identification and Classification:
  - We have determined and classified the types of CUI our company handles based on NIST Special Publication 800-171 and other relevant guidelines.
  - Appropriate labels or markings are applied to clearly define the sensitivity and handling requirements for each type of CUI.
- Access Authorizations:
  - We have established and documented the approved authorizations for accessing and handling different CUI categories.
  - This encompasses specific user roles, job responsibilities, or clearance levels.
- Access Control Mechanisms:
  - Measures include the utilization of role-based access control (RBAC), user authentication mechanisms, and encryption.
  - Microsoft Intune is our chosen platform to manage access to our CMMC environment, ensuring devices connecting are compliant with Intune’s policies.
  - Further, our CMMC workstations deter unauthorized copying from the SharePoint environment via security policies on the Edge browser.
- Flow of CUI:
  - Our organization’s policy details CUI’s flow, considering the source, destination, involved parties, and devices that will store or transmit CUI.
  - Copy restrictions are in place on public systems, preventing copy-paste or save functions on the Edge browser.
- Protection Measures:
  - CUI, both in transit and at rest, is protected using strong encryption measures and secure key management practices.
  - Mechanisms are in place to monitor and audit the flow of CUI across our systems and networks, with routine reviews of logs to ensure compliance.
- Periodic Reviews:
  - We regularly reassess approved authorizations to ensure alignment with regulatory demands and contractual obligations.
- Training and Awareness:
  - Our employees undergo training on CUI handling, ensuring they’re well-informed on authorizations, access control measures, and flow procedures.
Example of Plan of Action and Milestones (POA&M):
Plan of Actions & Milestones (POA&M) for Control 3.1.3
Control: 3.1.3 – Control the flow of Controlled Unclassified Information (CUI) in accordance with approved authorizations.
Actions Needed:
- CUI Identification and Classification:
  - Action: Review and update the list of CUI types handled by the organization quarterly.
  - Milestone: Complete the first review by [specified date].
- Access Authorizations:
  - Action: Evaluate current user roles and job responsibilities to ensure proper CUI access.
  - Milestone: Reassessment of all user roles by [specified date].
- Access Control Mechanisms:
  - Action: Regularly update and patch Microsoft Intune.
  - Action: Ensure all CMMC workstations have updated security policies.
  - Milestone: Policy update completion by [specified date].
- Flow of CUI:
  - Action: Perform periodic audits to validate adherence to CUI flow policy.
  - Milestone: First audit to be completed by [specified date].
- Protection Measures:
  - Action: Review and update encryption algorithms and key management practices.
  - Milestone: First review scheduled for [specified date].
  - Action: Conduct regular audits on the flow of CUI across systems and networks.
  - Milestone: Initial audit by [specified date], then quarterly.
- Periodic Reviews:
  - Action: Establish a biannual review process to reassess approved authorizations.
  - Milestone: First review by [specified date].
- Training and Awareness:
  - Action: Update training materials to reflect any changes in CUI handling procedures.
  - Milestone: Training material update by [specified date].
  - Action: Conduct annual refresher training for all employees.
  - Milestone: Next training session on [specified date].
Responsible Parties:
- CUI Classification: [Assigned Department/Person]
- Access Authorizations: [Assigned Department/Person]
- Access Control: [Assigned Department/Person]
- Flow of CUI: [Assigned Department/Person]
- Protection Measures: [Assigned Department/Person]
- Periodic Reviews: [Assigned Department/Person]
- Training and Awareness: [Assigned Department/Person]
Resource Requirements:
- [Specific hardware/software required]
- [Estimated budget for actions]
Example of Policy for Control of CUI:
Policy for Control of the Flow of Controlled Unclassified Information (CUI)
Policy No: [Policy Number] Effective Date: [Insert Date] Review Date: [Insert Date]
Purpose: The purpose of this policy is to define the standards and guidelines for controlling the flow of Controlled Unclassified Information (CUI) within [Organization Name], ensuring that such flow is systematic, structured, and secure, and in accordance with regulatory standards and requirements.
Scope: This policy applies to all [Organization Name] employees, contractors, and third parties who handle, access, store, or transmit CUI on behalf of [Organization Name].
Policy:
- Identification and Classification of CUI:
  - All CUI must be identified and classified as per NIST Special Publication 800-171 and any other applicable regulations or standards.
  - CUI must be appropriately labeled or marked to indicate its sensitivity level and handling requirements.
- Access Authorizations:
  - Access to CUI must be based on defined and documented authorizations, taking into consideration user roles, job responsibilities, or clearance levels.
  - Unauthorized access to CUI is strictly prohibited.
- Access Control Mechanisms:
  - Role-Based Access Control (RBAC), user authentication mechanisms, and encryption must be utilized to enforce authorized access to CUI.
  - External platforms, such as Microsoft Intune, may be employed to manage and monitor access, ensuring compliance with their respective policies.
  - Unauthorized copying, transfer, or sharing of CUI from designated environments is prohibited.
- Control and Management of CUI Flow:
  - The flow of CUI within [Organization Name] must adhere to established guidelines considering the source, destination, involved parties, and devices that will store or transmit CUI.
  - Restrictions must be in place on systems to prevent unauthorized actions like copying, pasting, or saving CUI.
- Protection Measures:
  - All CUI, during transmission and storage, must be protected using strong encryption methods and adhering to secure key management practices.
  - Regular monitoring and audits of CUI flow must be conducted to ensure compliance with this policy and regulatory standards.
- Training and Awareness:
  - Employees must undergo periodic training on the handling, control, and protection of CUI. This training will include information on access authorizations, control mechanisms, and dissemination processes.
  - All new hires must be trained on this policy as part of their onboarding process.
Review and Amendments: This policy will be reviewed annually or as deemed necessary due to changes in regulatory standards or organizational processes.
Compliance: Any violation of this policy may result in disciplinary action, up to and including termination of employment or contractual relations.
Policy Approval: [Signature of Authorized Personnel] [Date]
Please adjust specifics like the policy number, effective date, review date, organization name, and other details as per your organization’s requirements. This template serves as a starting point and might need additional customization based on unique organizational needs.
Steps for Identification and Classification of CUI:
a. Discovering CUI:
- Start with a comprehensive inventory of the company’s data assets.
- Review contracts, grants, and agreements with federal agencies to pinpoint potential CUI.
- Collaborate with federal partners to understand data they provide or data that’s generated during the course of an agreement which might be considered CUI.
b. Categorize the Information:
- Use the CUI Registry, an online resource provided by the National Archives, to understand the different categories and subcategories of CUI.
- Classify the CUI based on its nature and sensitivity. For instance, “privacy data” or “proprietary business information” could be categories of CUI your company handles.
c. Apply NIST 800-171 Standards:
- NIST 800-171 provides 14 families of security requirements that are applicable for the protection of CUI. These families range from “Access Control” to “System and Information Integrity.”
- For classification, focus on the “Security Assessment” family, which ensures that the security controls are assessed for effectiveness and produce desired outcomes.
- Implement the “Identification and Authentication” controls to ensure that only approved users can access the CUI based on its classification.
d. Mark and Label CUI:
- Once categorized, label the data clearly to indicate it’s CUI and, if possible, its specific category or subcategory.
- This ensures that all employees understand the nature of the information and handle it with appropriate care.
e. Review and Update Regularly:
- As business operations evolve, the nature and amount of CUI a company handles can change. It’s vital to review and update classifications regularly, ensuring continuous compliance with NIST 800-171.
How to prevent CUI from being copied:
- User Education & Policies:
  - Educate employees about the risks and reasons behind such restrictions.
  - Create a clear and enforceable company policy regarding data handling.
- Disable Copy-Paste Functions:
  - Windows: You can use Group Policy to disable clipboard redirection in remote desktop sessions.
  - Mac: There’s no direct native way, but third-party applications or scripts can be used.
- Prevent Screenshots:
  - Windows: Again, Group Policy or third-party solutions can be used.
  - Mac: Mac doesn’t have a built-in way to prevent screenshots across the whole system. You’d need third-party software.
- Data Loss Prevention (DLP) Solutions: Many DLP tools offer features that prevent copying of specific data or restrict where it can be pasted. Examples include Symantec DLP, Digital Guardian, and McAfee Total Protection for DLP.
- Restrict Application Installations: Prevent the installation of screenshot tools or other utilities that could be used to bypass these restrictions.
- Monitoring: Utilize monitoring software that alerts or logs unauthorized actions. While this doesn’t prevent the action, it can serve as a deterrent if employees know they’re being monitored.
- Disable External Drives & Cloud Storage: Prevent data from being exported to external storage devices or cloud platforms.
- Use Rights Management Services (RMS): Tools like Microsoft’s Azure Information Protection allow you to control and enforce policies on classified documents, including preventing copying or printing.
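The Windows items above (clipboard redirection, external drives) are applied through Group Policy, and an assessor will want evidence that the setting actually landed on each CMMC workstation. The following is an added example, not code from the page or from Microsoft: it parses a registry export (.reg) taken from a workstation and reports which expected policy values are missing or wrong. The sample export is constructed. fDisableClip and fDisableCdm are the registry values written by the "Do not allow Clipboard redirection" and "Do not allow drive redirection" Remote Desktop policies; the RemovableStorageDevices path and Deny_All value are assumed here as the location of the removable-storage deny policy and should be checked against your own baseline.

```python
"""
Added example (not from the original page): offline check that a .reg export
from a workstation carries the policy-backed registry values behind the
clipboard-redirection and removable-storage restrictions.
"""
import re

# (key path, value name, expected DWORD). The first two are the values behind
# "Do not allow Clipboard redirection" / "Do not allow drive redirection".
# The RemovableStorageDevices entry is an ASSUMED path for "All Removable
# Storage classes: Deny all access"; adjust it to your own baseline.
EXPECTED = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "fDisableClip", 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services", "fDisableCdm", 1),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices", "Deny_All", 1),
]

_KEY_RE = re.compile(r"^\[(.+)\]$")
_DWORD_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text: str) -> dict:
    """Parse a .reg export into {key_path: {value_name: int}} (DWORD values only)."""
    values, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if m := _KEY_RE.match(line):
            current = m.group(1)
            values.setdefault(current, {})
        elif current and (m := _DWORD_RE.match(line)):
            values[current][m.group(1)] = int(m.group(2), 16)
    return values


def audit(text: str) -> list[str]:
    """One finding per expected value that is missing or wrong; an empty list means compliant."""
    reg = parse_reg(text)
    findings = []
    for key, name, want in EXPECTED:
        got = reg.get(key, {}).get(name)
        if got is None:
            findings.append(f"{name} not set under {key}")
        elif got != want:
            findings.append(f"{name} = {got} under {key}, expected {want}")
    return findings


# Constructed export: clipboard redirection disabled, drive redirection still
# allowed, removable-storage policy absent.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services]
"fDisableClip"=dword:00000001
"fDisableCdm"=dword:00000000
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print("FINDING:", finding)
```

Run it against an export produced on the workstation itself (for example with `reg export` of the Policies hive) rather than against the GPO as authored; the point of the check is to confirm what the endpoint actually received. Findings map directly onto the "Access Control Mechanisms" row of the POA&M above.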
RELEVANT INFORMATION:
Information flow control regulates where information can travel within a system and between systems (versus who can access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include the following:
- keeping export-controlled information from being transmitted in the clear to the Internet;
- blocking outside traffic that claims to be from within the organization;
- restricting requests to the Internet that are not from the internal web proxy server; and
- limiting information transfers between organizations based on data structures and content.
Organizations commonly use information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within systems and between interconnected systems. Flow control is based on characteristics of the information or the information path. Enforcement occurs in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing keyword searches or using document characteristics). Organizations also consider the trustworthiness of filtering and inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement.
Transferring information between systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners or stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes:
- prohibiting information transfers between interconnected systems (i.e., allowing access only);
- employing hardware mechanisms to enforce one-way information flows; and
- implementing trustworthy regrading mechanisms to reassign security attributes and security labels.
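The restrictions listed above are what a boundary device's rule set encodes. The following is an added example, not code from the page, from NIST, or from any product: a small policy engine that evaluates flows against three of those restrictions (anti-spoofing of internal source addresses, no unencrypted controlled data to the Internet, web egress only via the proxy) and a content filter that upgrades a flow's label when a CUI banner marking is found in the message, the keyword-search enforcement the text mentions. It generalizes the first restriction from export-controlled data to any non-public label. The address ranges, proxy address, banner strings and sample flows are all constructed.

```python
"""
Added example (not from the original page or NIST): an information-flow
policy engine with header-based and content-based rules, plus an audit
trail of denials for log review.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address plan: internal ranges and the organization's egress web proxy.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
WEB_PROXY = ipaddress.ip_address("10.0.0.5")
WEB_PORTS = {80, 443}

# Constructed banner strings that the message filter treats as CUI markings.
CUI_MARKINGS = ("CUI//", "CONTROLLED//")


@dataclass(frozen=True)
class Flow:
    interface: str     # "outside" if seen on the Internet-facing interface, else "inside"
    src: str
    dst: str
    dst_port: int
    label: str         # "public", "cui" or "export-controlled", as declared by the sender
    encrypted: bool    # True when carried inside TLS or an encrypted tunnel
    payload: str = ""  # content snippet available to the message filter


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def effective_label(flow: Flow) -> str:
    """Declared label, upgraded by a keyword search of the content (never downgraded)."""
    text = flow.payload.upper()
    if flow.label == "export-controlled" or "EXPORT CONTROLLED" in text:
        return "export-controlled"
    if flow.label == "cui" or any(mark in text for mark in CUI_MARKINGS):
        return "cui"
    return "public"


def evaluate(flow: Flow) -> tuple[str, str]:
    """Return ("permit" | "deny", reason). Rules run in order; the first deny wins."""
    label = effective_label(flow)
    egress = is_internal(flow.src) and not is_internal(flow.dst)

    # 1. Anti-spoofing: outside traffic that claims an internal source address.
    if flow.interface == "outside" and is_internal(flow.src):
        return "deny", "outside traffic claims an internal source address"
    # 2. Controlled information must not leave the organization in the clear.
    if egress and label != "public" and not flow.encrypted:
        return "deny", f"{label} information would be transmitted in the clear to the Internet"
    # 3. Web requests to the Internet are permitted only from the internal proxy.
    if egress and flow.dst_port in WEB_PORTS and ipaddress.ip_address(flow.src) != WEB_PROXY:
        return "deny", "Internet web request not from the internal web proxy"
    return "permit", "no flow-control rule matched"


def evaluate_all(flows):
    """Evaluate every flow and return (decisions, audit lines for denied flows)."""
    decisions = [evaluate(f) for f in flows]
    audit = [f"DENY src={f.src} dst={f.dst}:{f.dst_port} reason={reason}"
             for f, (decision, reason) in zip(flows, decisions) if decision == "deny"]
    return decisions, audit


# Constructed sample flows covering each rule.
SAMPLE_FLOWS = [
    Flow("outside", "10.1.2.3", "10.0.0.20", 445, "public", False),            # spoofed internal source
    Flow("inside", "10.0.0.42", "203.0.113.9", 25, "public", False,
         payload="CUI//SP-EXPT technical data attached"),                      # content filter upgrades label
    Flow("inside", "10.0.0.42", "203.0.113.9", 443, "public", True),           # bypasses the proxy
    Flow("inside", "10.0.0.5", "203.0.113.9", 443, "cui", True),               # via proxy, encrypted
    Flow("inside", "10.0.0.42", "10.0.0.20", 445, "export-controlled", False), # stays internal
]

if __name__ == "__main__":
    decisions, audit = evaluate_all(SAMPLE_FLOWS)
    for flow, (decision, reason) in zip(SAMPLE_FLOWS, decisions):
        print(f"{decision:6} {flow.src} -> {flow.dst}:{flow.dst_port}  {reason}")
    print("\n".join(audit))
```

The order of the rules matters: the anti-spoofing check runs first because a spoofed source would otherwise satisfy the "is internal" test that the later rules rely on. The audit lines are the material the "routine reviews of logs" in the SSP above would be reviewing; a real deployment would emit them to the SIEM rather than print them.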
Resources to consider:
Security Policy Document:
This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.
Asset Inventory and Access Control Sheet:
Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.
User Account Management Log:
Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.
Password and Multi-Factor Authentication Policy:
Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.
Process and Script Accountability Log:
Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.
Device Access Control and VPN Policy:
Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.
Access Control Review and Monitoring Schedule:
Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.
User Training and Awareness Materials:
Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.