3.13.16 has a weight of -1 points

(System and Communication Protection Family) 16/16

Protect the confidentiality of CUI at rest.

Example of Sysytem Security Plan (SSP):

 

  1. Protection of CUI at Rest:
  2. Our organization has implemented measures to protect the confidentiality of Controlled Unclassified Information (CUI) when it is at rest.
  3. Information at rest refers to data that is stored on storage devices as specific components of systems, and our focus is on safeguarding the state of the information.
  4. Use of Cryptographic Mechanisms:
  5. We employ cryptographic mechanisms to achieve confidentiality protections for CUI at rest.
  6. This involves encrypting sensitive data stored on storage devices to prevent unauthorized access and ensure that the information remains secure even if the storage media is compromised.
  7. File Share Scanning:
  8. We use file share scanning to detect and address potential security risks associated with shared files containing CUI.
  9. This helps us identify and mitigate any unauthorized access attempts or potential vulnerabilities in shared file repositories.
  10. Secure Off-line Storage:
  11. When adequate protection of CUI at rest cannot be achieved through online storage, we utilize secure off-line storage as an alternative measure.
  12. This ensures that sensitive information remains protected even when it is not actively accessible through the network.
  13. Continuous Monitoring for Malicious Code at Rest:
  14. We continuously monitor and scan data at rest for the presence of malicious code that could compromise the confidentiality of CUI.
  15. This proactive approach helps us detect and respond to any potential threats or unauthorized changes to stored information.
  16. Reference to [NIST CRYPTO]:
  17. Our protection measures are guided by the relevant cryptographic standards and guidelines provided by NIST, particularly [NIST CRYPTO].
  18. We align our practices with industry best practices for cryptographic protection of data at rest.
  19. Access Controls and Authentication:
  20. Access controls and authentication mechanisms are enforced to ensure that only authorized personnel can access CUI stored at rest.
  21. Role-based access controls and strong authentication help prevent unauthorized access to sensitive information.
  22. Regular Review and Update:
  23. Our protection measures for CUI at rest are subject to regular review and updates to address emerging threats and vulnerabilities.
  24. We ensure that our security measures stay current and effective.

Example of Plan of Action and Milestones ( POA & M):

Missing

RELEVANT INFORMATION:

Information at rest refers to the state of information when it is not in process or in transit and is located on storage devices as specific components of systems. The focus of protection at rest is not on the type of storage device or the frequency of access but rather the state of the information. Organizations can use different mechanisms to achieve confidentiality protections, including the use of cryptographic mechanisms and file share scanning. Organizations may also use other controls including secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved or continuous monitoring to identify malicious code at rest. See [NIST CRYPTO].

Resources to consider:

Security Policy Document:

This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

Asset Inventory and Access Control Sheet:

Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

User Account Management Log:

Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

Password and Multi-Factor Authentication Policy:

Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

Process and Script Accountability Log:

Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

Device Access Control and VPN Policy:

Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

Access Control Review and Monitoring Schedule:

Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

User Training and Awareness Materials:

Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.