3.13.8 has a weight of -3 points

(System and Communication Protection Family) 8/16

Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. 

Example of System Security Plan (SSP):

    Protection of CUI During Transmission

    1. Policy Statement: The organization shall implement cryptographic mechanisms to prevent unauthorized disclosure of Controlled Unclassified Information (CUI) during transmission, except when protected by alternative physical safeguards.
    2. Purpose: This policy ensures the confidentiality of CUI while it is being transmitted over internal and external networks and various system components.
    3. Scope: The policy applies to all organizational systems, servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines involved in transmitting CUI.
    4. Implementation: The organization shall employ cryptographic mechanisms to safeguard the confidentiality of CUI during transmission over networks. The cryptographic techniques used must meet the required security standards.
    5. Exception: If obtaining the necessary safeguards and assurances for cryptographic protection from commercial telecommunication service providers is infeasible or impractical, the organization may consider implementing alternative physical safeguards, such as a Protected Distribution System (PDS) to ensure confidentiality during transmission.
    6. Risk Assessment: Before adopting alternative physical safeguards, the organization must conduct a risk assessment to determine the effectiveness of such measures in protecting the confidentiality of CUI.
    7. Compensating Safeguards: If alternative physical safeguards are employed, the organization must ensure that they provide a level of protection equivalent to that of cryptographic mechanisms. Any gaps in security must be addressed through compensating safeguards.
    8. Compliance: Strict adherence to this policy is essential to prevent unauthorized disclosure of CUI during transmission.
    9. Continuous Monitoring: Regularly monitor the implementation and effectiveness of cryptographic mechanisms or alternative physical safeguards to ensure ongoing protection of CUI during transmission.
    10. Review and Updates: The policy shall be reviewed periodically and updated as needed to address emerging threats and technological advancements.
    11. Training and Awareness: All personnel involved in handling CUI and transmitting data must receive appropriate training and awareness programs to understand the importance of safeguarding CUI during transmission.
    12. Documentation: Maintain documentation of the cryptographic mechanisms used, alternative physical safeguards implemented, and risk assessment reports for audit and compliance purposes.
    13. Communication: Communicate the policy and its requirements to all relevant stakeholders to foster understanding and compliance.

    Example of Plan of Action and Milestones (POA&M):

    Milestone 1: Policy Development and Communication

    Develop a comprehensive “CUI Transmission Cryptographic Policy” that clearly outlines the purpose, scope, implementation, and exceptions of the policy. Communicate the policy to all personnel involved in handling CUI and relevant stakeholders. [Target Date]

    Milestone 2: Identification of Systems and Devices

    Identify all organizational systems, servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines involved in transmitting CUI. Ensure that these systems and devices are included in the scope of the policy. [Target Date]

    Milestone 3: Cryptographic Mechanism Implementation

    Implement cryptographic mechanisms to safeguard the confidentiality of CUI during transmission over internal and external networks. Ensure that the cryptographic techniques used meet the required security standards. [Target Date]

    Milestone 4: Evaluation of Commercial Telecommunication Service Providers

    Evaluate the feasibility and practicality of obtaining cryptographic protection from commercial telecommunication service providers. If infeasible or impractical, proceed to Milestone 5. Otherwise, continue with cryptographic mechanism implementation. [Target Date]

    Milestone 5: Risk Assessment for Alternative Physical Safeguards

    Conduct a risk assessment to determine the effectiveness of alternative physical safeguards, such as a Protected Distribution System (PDS), in protecting the confidentiality of CUI during transmission. Assess whether such safeguards provide a level of protection equivalent to that of cryptographic mechanisms. [Target Date]

    Milestone 6: Compensating Safeguards Implementation

    If alternative physical safeguards are employed, ensure that any gaps in security are addressed through compensating safeguards. These safeguards must provide a level of protection equivalent to that of cryptographic mechanisms. [Target Date]

    Milestone 7: Compliance and Monitoring

    Monitor the implementation and effectiveness of cryptographic mechanisms or alternative physical safeguards regularly to ensure ongoing protection of CUI during transmission. Assess compliance with the policy requirements and take corrective actions if needed. [Target Date]
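    One way to give Milestone 3 (cryptographic mechanism implementation) and Milestone 7 (compliance and monitoring) a form that can actually be run and re-run is a small audit of the TLS settings an application uses when it sends CUI. The script below is an added example and is not part of the 3.13.8 requirement, the SSP or the POA&M text above. The baseline it enforces (TLS 1.2 as the minimum protocol version, peer certificate verification required, hostname checking on) is an assumption standing in for "the required security standards"; an organization would substitute the parameters from its own standard. It builds a hardened client context beside a weakened one of the kind found in code that disables verification to "make the connection work", and reports the findings for each.

```python
"""Audit of a TLS client configuration used to carry CUI in transit.

Added example (not from the 3.13.8 page or its SSP/POA&M text). The
baseline values are assumptions standing in for the organization's own
transmission-confidentiality standard.
"""
import ssl
from dataclasses import dataclass
from typing import Dict, List

# Assumed organizational baseline for CUI in transit (example value).
REQUIRED_MIN_VERSION = ssl.TLSVersion.TLSv1_2


@dataclass(frozen=True)
class TransportSettings:
    """The settings the audit inspects, decoupled from a live SSLContext so
    that a legacy configuration can be audited even where the local OpenSSL
    build would refuse to configure it."""
    minimum_version: ssl.TLSVersion
    verify_mode: ssl.VerifyMode
    check_hostname: bool


def settings_from_context(ctx: ssl.SSLContext) -> TransportSettings:
    """Read the audited settings out of a real SSLContext."""
    return TransportSettings(
        minimum_version=ctx.minimum_version,
        verify_mode=ctx.verify_mode,
        check_hostname=ctx.check_hostname,
    )


def audit_transport(settings: TransportSettings) -> List[str]:
    """Return findings against the baseline; an empty list means compliant."""
    findings: List[str] = []
    # TLSVersion is an IntEnum, so ordering comparisons are valid.
    if settings.minimum_version < REQUIRED_MIN_VERSION:
        findings.append(
            f"minimum protocol version {settings.minimum_version.name} is below "
            f"{REQUIRED_MIN_VERSION.name}"
        )
    if settings.verify_mode != ssl.CERT_REQUIRED:
        findings.append("peer certificate verification is not required")
    if not settings.check_hostname:
        findings.append("hostname checking is disabled")
    return findings


def hardened_client_context() -> ssl.SSLContext:
    """Client context that satisfies the example baseline."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = REQUIRED_MIN_VERSION
    ctx.load_default_certs()  # trust the platform CA store
    return ctx


def weakened_client_context() -> ssl.SSLContext:
    """The same context with verification switched off; built only so the
    audit has a non-compliant configuration to flag."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False  # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_report() -> Dict[str, List[str]]:
    """Run the audit over three configurations and return findings per name."""
    # Constructed legacy settings: TLS 1.0 allowed but otherwise verifying.
    legacy = TransportSettings(ssl.TLSVersion.TLSv1, ssl.CERT_REQUIRED, True)
    return {
        "hardened": audit_transport(settings_from_context(hardened_client_context())),
        "weakened": audit_transport(settings_from_context(weakened_client_context())),
        "legacy_tls1": audit_transport(legacy),
    }


if __name__ == "__main__":
    for name, findings in audit_report().items():
        status = "PASS" if not findings else "FAIL"
        print(f"{name}: {status}")
        for finding in findings:
            print(f"  - {finding}")
```

    Running the audit on a schedule, and keeping its output with the SSP documentation, gives Milestone 7 something concrete to monitor and Milestone 10 a dated artifact to retain; the same pattern extends to server-side contexts and to any other transport parameter the organization's standard fixes.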

    Milestone 8: Policy Review and Updates

    Periodically review the “CUI Transmission Cryptographic Policy” to address emerging threats and technological advancements. Update the policy as needed to remain effective in safeguarding CUI during transmission. [Target Date]

    Milestone 9: Training and Awareness

    Conduct training and awareness programs for all personnel involved in handling CUI and transmitting data. Ensure that they understand the importance of safeguarding CUI during transmission and are aware of the policy requirements. [Target Date]

    Milestone 10: Documentation and Reporting

    Maintain documentation of the cryptographic mechanisms used, alternative physical safeguards implemented, risk assessment reports, and any compensating safeguards employed. The documentation should be available for audit and compliance purposes. [Target Date]

    Milestone 11: Stakeholder Communication

    Regularly communicate the policy and its requirements to all relevant stakeholders within the organization. Foster understanding and compliance with the policy across all departments and teams. [Target Date]

    RELEVANT INFORMATION:

    This requirement applies to internal and external networks and any system components that can transmit information including servers, notebook computers, desktop computers, mobile devices, printers, copiers, scanners, and facsimile machines. Communication paths outside the physical protection of controlled boundaries are susceptible to both interception and modification. Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of the controls for transmission confidentiality. In such situations, organizations determine what types of confidentiality services are available in commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary safeguards and assurances of the effectiveness of the safeguards through appropriate contracting vehicles, organizations implement compensating safeguards or explicitly accept the additional risk. An example of an alternative physical safeguard is a protected distribution system (PDS) where the distribution medium is protected against electronic or physical intercept, thereby ensuring the confidentiality of the information being transmitted. See [NIST CRYPTO].



    Resources to consider:

    Security Policy Document:

    This comprehensive document outlines the organization’s security policies and procedures, including information system access controls and the specific measures implemented, such as password protection, multi-factor authentication, and device access controls. It should also cover consequences of unauthorized access and the importance of user training and awareness.

    Asset Inventory and Access Control Sheet:

    Create a spreadsheet that lists all information system resources in your organization, such as laptops, desktops, servers, network devices, printers, scanners, mobile devices, and paper documents. Alongside each resource, include information about authorized users, access rights, and any access restrictions.

    User Account Management Log:

    Maintain a log to track user account creation, modification, and removal. Include details like the date of account creation, purpose, and the individual responsible for approving the account.

    Password and Multi-Factor Authentication Policy:

    Combine the password policy and multi-factor authentication policy into a single document. Outline the organization’s password requirements, including complexity, length, expiration, and regular password change, as well as the implementation of multi-factor authentication for an extra layer of security.

    Process and Script Accountability Log:

    Maintain a log that associates automated scripts and processes with the specific authorized user who initiated them. This ensures accountability and prevents the use of generic accounts for critical processes.

    Device Access Control and VPN Policy:

    Merge the device access control and VPN configuration documents into a single policy. Detail the measures for controlling device access, authentication mechanisms, and VPN configuration, including which devices are allowed to connect and the authentication methods used.

    Access Control Review and Monitoring Schedule:

    Create a schedule for periodic reviews of access controls, including the process for adding, modifying, or revoking access rights based on personnel changes or business needs. Also, document the monitoring mechanisms implemented to track access to the information system, including logs and reports of access attempts and unusual activities.

    User Training and Awareness Materials:

    Prepare training materials and conduct regular sessions for authorized users. Document the topics covered, the date of the training, and the attendees.