3.10.6 has a weight of -1 points

(Physical Protection Family) 6/6

Enforce safeguarding measures for CUI at alternate work sites.


Example of System Security Plan (SSP):

    System Security Plan: Safeguarding CUI at Alternate Work Sites and During Transit

    Policy Statement:
    Our company is unwavering in its commitment to the integrity, confidentiality, and availability of Controlled Unclassified Information (CUI) regardless of its location, be it at an alternate work site, in transit, or at home.

    Implementation Details:

    1. Identification of Alternate Work Sites:
    We have mapped out all alternate work sites where CUI is accessed or managed, including private residences, temporary setups at partner facilities, and transit locations.

    2. Risk Assessment for Each Site:
    We conduct a comprehensive risk assessment for every alternate work site to address the unique challenges and risks pertinent to different environments.

    3. Safeguarding Measures Enforced:

    • Blueprints at Construction Sites:

      • We ensure secure storage in lockable containers when not in active use.
      • Access is strictly confined to authorized personnel.
      • Electronic versions are accessed strictly through our encrypted devices.
    • Traveling Employees with CUI:

      • Documents are always securely stored in our approved locked containers/bags.
      • All electronic data is encrypted and necessitates multi-factor authentication for access.
      • Our employees are trained to avoid accessing CUI in public settings.
    • Home-Based Safeguards:

      • We mandate a dedicated and secure network connection for all work-related activities. Secondary backup connections are established where feasible.
      • All CUI data transmissions utilize our encrypted channels.
      • Our devices accessing CUI receive regular software and security updates.
      • We’ve disseminated guidelines to ensure physical security at homes, which include lockable storage solutions and privacy protocols.
      • Our clear desk policy and screen-locking procedures are non-negotiable, minimizing any exposure risks.

    4. Training and Awareness Programs:
    Our continual training modules focus on safeguarding CUI and underscore unique scenarios such as home-based work, traveling with CUI materials, and challenges at construction sites.

    5. Continuous Monitoring:
    We actively monitor for compliance and promptly detect any anomalies, irrespective of the work site.

    6. Teleworking Protocols:
    By adopting the guidelines from [SP 800-46] and [SP 800-114], we ensure that our teleworking protocols address the multifaceted challenges of various environments.

    7. Incident Response:
    Our response plans are tailored to each type of work site so that suspected loss or exposure of CUI at any location is reported, contained, and mitigated without delay.

    8. Physical Security Protocols:
    Our guidelines cover the full range of work settings, from protecting CUI in private residences to securing it at construction sites.

    9. Clear Desk & Screen Protocols:
    We actively enforce best practices to curtail exposure risks, no matter the working environment.

    10. Regular Policy Reviews:
    We periodically revisit our SSP, adjusting for evolving scenarios and integrating new best practices.


    Example of Plan of Action and Milestones (POA&M):

    Plan of Actions & Milestones (POA&M) for Safeguarding CUI at Alternate Work Sites and During Transit

    Objective: Ensure the uncompromised safety of Controlled Unclassified Information (CUI) across various work sites and transit scenarios.


    1. Home Security Assessment
    Milestone: Conduct security checks at homes of employees working with CUI.
    Actions:

    • Identify and prioritize homes based on frequency of CUI access.
    • Schedule security assessments with third-party vendors or internal security teams.
    • Generate a report on findings and recommendations.
      Completion Date: [Date]

    2. Encryption Network Checks
    Milestone: Ensure the consistent and effective use of encrypted network connections.
    Actions:

    • Schedule routine network scans for detecting non-encrypted data transmissions.
    • Offer refresher training sessions on the importance of encryption.
    • Implement alerts for unencrypted data transfers.
      Completion Date: [Date]
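    Item 2 states the encryption check as a milestone rather than a procedure. The following Python script is an added illustration, not part of the original page's SSP or POA&M, of one way to run the "routine scan for non-encrypted data transmissions" over connection logs exported from telework endpoints and raise an alert for each cleartext transfer. The log format, the host name and addresses, the cleartext-port table and the approved VPN range (10.8.0.0/16) are all constructed assumptions for the example.

```python
"""Flag cleartext data transfers in connection logs from telework devices.

Added example; not from the original page. Assumes a constructed, simplified
flow-log line format exported from an endpoint or VPN gateway:
    <timestamp> <host> <src_ip>:<src_port> -> <dst_ip>:<dst_port> <proto> <bytes>
"""
import ipaddress
from dataclasses import dataclass

# Ports whose default service carries data in the clear. Assumption: the
# organisation treats these as unencrypted unless they ride inside the VPN.
CLEARTEXT_PORTS = {
    21: "ftp", 23: "telnet", 25: "smtp", 80: "http", 110: "pop3",
    143: "imap", 389: "ldap", 445: "smb", 3306: "mysql", 5432: "postgres",
}

# Hypothetical: destinations inside the corporate VPN tunnel range are
# treated as an approved encrypted channel even for cleartext protocols.
APPROVED_ENCRYPTED_DESTS = [ipaddress.ip_network("10.8.0.0/16")]

# Transfers at or above this size are rated high severity (assumed threshold).
HIGH_SEVERITY_BYTES = 100_000


@dataclass(frozen=True)
class Flow:
    timestamp: str
    host: str
    dst_ip: ipaddress.IPv4Address
    dst_port: int
    proto: str
    nbytes: int


@dataclass(frozen=True)
class Alert:
    timestamp: str
    host: str
    dst: str
    service: str
    nbytes: int
    severity: str


def parse_line(line: str) -> Flow:
    """Parse one flow-log line; raises ValueError on a malformed line."""
    fields = line.split()
    if len(fields) != 7 or fields[3] != "->":
        raise ValueError(f"malformed flow line: {line!r}")
    ts, host, _src, _arrow, dst, proto, nbytes = fields
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(ts, host, ipaddress.ip_address(dst_ip), int(dst_port),
                proto.lower(), int(nbytes))


def is_cleartext(flow: Flow) -> bool:
    """True if the flow is a TCP session to a cleartext service outside the VPN."""
    if flow.proto != "tcp":
        return False
    if any(flow.dst_ip in net for net in APPROVED_ENCRYPTED_DESTS):
        return False
    return flow.dst_port in CLEARTEXT_PORTS


def find_cleartext_transfers(log_text: str) -> list[Alert]:
    """Scan a block of flow-log text and return one Alert per cleartext transfer."""
    alerts = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comment lines
        flow = parse_line(line)
        if not is_cleartext(flow):
            continue
        severity = "high" if flow.nbytes >= HIGH_SEVERITY_BYTES else "medium"
        alerts.append(Alert(flow.timestamp, flow.host,
                            f"{flow.dst_ip}:{flow.dst_port}",
                            CLEARTEXT_PORTS[flow.dst_port], flow.nbytes, severity))
    return alerts


# Constructed sample log; the addresses are documentation ranges, not real traffic.
SAMPLE_LOG = """\
# host laptop-17 is a telework device; 10.8.0.0/16 is the VPN tunnel range
2024-03-04T09:12:01Z laptop-17 192.168.1.20:51522 -> 10.8.0.5:443 tcp 18422
2024-03-04T09:12:07Z laptop-17 192.168.1.20:51530 -> 203.0.113.8:80 tcp 2048
2024-03-04T09:13:44Z laptop-17 192.168.1.20:51540 -> 10.8.0.12:445 tcp 5120000
2024-03-04T09:15:02Z laptop-17 192.168.1.20:51551 -> 198.51.100.23:21 tcp 734000
2024-03-04T09:15:30Z laptop-17 192.168.1.20:51560 -> 1.1.1.1:53 udp 120
"""

if __name__ == "__main__":
    for a in find_cleartext_transfers(SAMPLE_LOG):
        print(f"[{a.severity.upper()}] {a.timestamp} {a.host} -> {a.dst} "
              f"({a.service}, {a.nbytes} bytes) cleartext transfer outside VPN")
```

    On the sample log the script alerts on the HTTP and FTP sessions to external hosts and stays quiet on the SMB session, because that one terminates inside the assumed VPN range. Port-based classification is only a heuristic (HTTP on a non-standard port or TLS on port 80 both defeat it), so in production pair it with protocol or TLS-handshake detection from the firewall or EDR where available, and forward the alerts to the monitoring described under Continuous Monitoring.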

    3. Distribute Lockable Containers for CUI Storage
    Milestone: Ensure every employee working with physical CUI materials has access to a lockable storage container.
    Actions:

    • Audit current availability and use of lockable containers among employees.
    • Procure additional containers based on need.
    • Distribute containers to employees along with training on their proper use.
      Completion Date: [Date]

    4. Continuous Training & Awareness
    Milestone: Ensure all employees are well-versed in safeguarding CUI.
    Actions:

    • Schedule quarterly training sessions on various scenarios.
    • Monitor and assess employee compliance post-training.
    • Address and rectify any knowledge gaps identified.
      Completion Date: [Date]

    5. Review & Update Teleworking Protocols
    Milestone: Regularly update teleworking guidelines based on new threats or best practices.
    Actions:

    • Conduct an annual review of teleworking guidelines.
    • Incorporate feedback from employees and industry best practices.
    • Redistribute updated guidelines to all teleworking employees.
      Completion Date: [Date]

    6. Periodic SSP Reviews
    Milestone: Ensure SSP remains updated and relevant.
    Actions:

    • Schedule twice-yearly reviews of the SSP.
    • Adjust and update based on evolving scenarios and threats.
    • Communicate any changes to all relevant stakeholders.
      Completion Date: [Date]

    Tracking & Monitoring: Regular updates will be provided to senior leadership on the progress of each milestone, challenges encountered, and strategies employed to overcome them.


    RELEVANT INFORMATION:

    Alternate work sites may include government facilities or the private residences of employees. Organizations may define different security requirements for specific alternate work sites or types of sites depending on the work-related activities conducted at those sites. [SP 800-46] and [SP 800-114] provide guidance on enterprise and user security when teleworking.



    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization's password requirements, including complexity, length, and expiration, as well as the implementation of multi-factor authentication for an extra layer of security. If the policy mandates regular password changes, note that current NIST guidance in SP 800-63B recommends against forced periodic rotation unless there is evidence of compromise.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.