Classified data has always been treated with significant security precautions: restricted access, Suite A encryption (yes, even the cryptographic algorithms themselves are classified), and a slew of other protections. Federal agencies are accustomed to safeguards on unclassified data as well, relying heavily on FIPS 140-2 validated encryption (which uses the Suite B algorithms, available to the public).
The establishment of NIST SP 800-171, first by executive order back in 2010, responded to the idea that this level of data protection should be extended to nonfederal systems operated by nonfederal organizations, as long as the data pertains to government business. This is Controlled Unclassified Information (CUI), and it applies to virtually all information that relates to, is the property of, or will become the property of the U.S. federal government. It was described to me as anything that relates to government but cannot be found on a public .gov domain. That struck me as a very logical way to determine what has been pre-approved as readily available public info. Be careful though. That definition would bring proposals and contracts under NIST 800-171, which puts the onus on every government contractor, from the huge conglomerates building warships right on down to the sole proprietor trying to win a bid to set mousetraps in a federal courthouse as a subcontractor. It’s got broad reach and big teeth, and the requirements are not to be taken lightly.
It’s also approaching very quickly. Yes, it was first on the radar in 2010, but December 31, 2017 will not just ring in the New Year. It is also the deadline for compliance with NIST 800-171. If you’re still scrambling for clarity, you should gather yourself, take a deep breath, and begin preparing your POA&M (Plan of Action and Milestones) instead. You have run out of time to effectively complete the compliance documentation process before the end of the calendar year, but writing the POA&M is achievable, with the execution of the plan viable for Q1 2018.
Why would I recommend pulling the plug on a final Hail Mary effort in the last month of the year? Well, other than the obvious toll it would take on your holiday plans, NIST 800-171 identifies 14 different families of security requirements. This is no walk in the park. Encryption is specified in four of those families: (1) Access Control, (5) Identification and Authentication, (8) Media Protection, and (13) System and Communications Protection. The final mention of cryptography in these 14 families is extremely blunt, in fact, about the level of encryption that is required.
3.13.11 – Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
So every earlier mention of cryptography in the requirements is expected to mean FIPS 140-2 validated cryptography. Not merely “FIPS compliant,” but actually validated, with the certificate posted on NIST’s CMVP website. SafeLogic’s RapidCert process should carry some strong weight in your POA&M if you do indeed go that way. It would demonstrate a focus on timeline as well as meeting the strict benchmark head-on.
NIST 800-171 relies, as most of NIST’s newer special publications do, upon the security framework dictated by SP 800-53, which spells out more specifically the baseline measures that are expected of affected entities. Everybody loves a good mapping table, so here are the cryptographic-relevant entries for 800-171, as mapped to 800-53:
| NIST SP 800-171 requirement | NIST SP 800-53 control |
|---|---|
| 3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | AC-17(2) Remote Access / Protection of Confidentiality and Integrity Using Encryption |
| 3.1.17 Protect wireless access using authentication and encryption. | AC-18(1) Wireless Access / Authentication and Encryption |
| 3.1.19 Encrypt CUI on mobile devices. | AC-19(5) Access Control for Mobile Devices / Full Device or Container-Based Encryption |
| 3.8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards. | MP-5(4) Media Transport / Cryptographic Protection |
| 3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | SC-8 Transmission Confidentiality and Integrity; SC-8(1) Transmission Confidentiality and Integrity / Cryptographic or Alternate Physical Protection |
| 3.13.10 Establish and manage cryptographic keys for cryptography employed in the information system. | SC-12 Cryptographic Key Establishment and Management |
| 3.13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | SC-13 Cryptographic Protection |
Even with a strong POA&M, time will be of the essence in 2018. FIPS 140-2 validation is a major effort if handled in-house, so consider offloading it to SafeLogic. We will complete the validation with zero man-hours required from your team and we will accelerate the timeline, guaranteeing completion during that vital first quarter of 2018. Let’s get that RapidCert started!