1. Identify Controlled Unclassified Information (CUI) that is collected, processed, stored or transmitted
2. Determine and document the types of systems and components that process, store, or transmit CUI
3. Assess the current state of security controls
4. Implement new security controls as needed to meet NIST 800-171 requirements
5. Evaluate system security plan implementation
6. Establish personnel security requirements
7. Identify, analyze & monitor operational risks
8. Approval: Operational Risks Analysis
9. Develop and execute incident response plan
10. Implement mobile device management solutions
11. Develop and enforce cryptography methods
12. Establish maintenance procedures for system integrity
13. Review user access and permissions
14. Ensure configuration management is in place
15. Develop and document System Security Plan (SSP)
16. Conduct a self-assessment of system security plan effectiveness
17. Approval: System Security Plan
18. Correct any identified deficiencies
19. Submit SSP and self-assessment to DoD CIO for review
Identify Controlled Unclassified Information (CUI) that is collected, processed, stored or transmitted
This task identifies the Controlled Unclassified Information (CUI) that the organization collects, processes, stores, or transmits. It is the scoping step for everything that follows: the requirements of NIST SP 800-171 apply to the systems and components that handle CUI, so what counts as CUI has to be settled first. CUI categories are defined in the NARA CUI Registry, and for DoD contractors the contract itself (DFARS 252.204-7012 and its definition of covered defense information) states what the government considers covered; do not rely on internal labels alone. The desired result is an inventory of the CUI types handled, where each type enters the organization, and where it resides. The work may require surveys, interviews, data-flow tracing, and review of existing documentation. Typical obstacles are incomplete or outdated records, CUI embedded in non-standard formats (email attachments, engineering drawings, ticketing systems, backups), and inconsistent internal classification. Resources required include data classification guidelines, data inventories, and access to relevant personnel, departments, and systems.
Determine and document the types of systems and components that process, store, or transmit CUI
This task determines and documents the systems and components that process, store, or transmit CUI. The output defines the assessment boundary: the System Security Plan (requirement 3.12.4) must describe the system boundary and environment of operation, and every component inside that boundary is subject to all 110 requirements of NIST SP 800-171 Rev. 2. Include anything that touches CUI in transit or at rest, not only the obvious file servers: endpoints, email and collaboration platforms, backup media, printers, cloud services, and the network equipment that connects them. Collaboration with IT teams, system administrators, and data owners is needed. The main difficulty is finding systems that were previously unknown or overlooked (shadow IT, personal devices, vendor-managed appliances); a deliberately narrow enclave with controlled flows in and out keeps the scope manageable. Resources required include system documentation, network diagrams, asset inventories, and the relevant IT departments.
Assess the current state of security controls
This task assesses the current state of the security controls that protect CUI, requirement by requirement against NIST SP 800-171 (periodic assessment is itself requirement 3.12.1). The result is a gap list showing which requirements are met, partially met, or unmet, with evidence for each verdict. The assessment may involve reviewing policies and procedures, vulnerability scans, configuration reviews, security audits, and analysis of incident reports; treat what is written in policy and what is actually configured as two separate questions, because the two routinely diverge. Challenges include prioritizing gaps, judging their impact on CUI protection, and reconciling policy with implementation. Resources required include assessment tools, vulnerability scanners, incident reports, and the policies and procedures themselves.
Form field options: Access Control Policies; Antivirus Software; Firewall Configuration; Intrusion Detection Systems; Data Backup Procedures
Implement new security controls as needed to meet NIST 800-171 requirements
This task implements the controls needed to close the gaps found in the assessment. Rev. 2 of NIST SP 800-171 has 110 requirements in 14 families; implementation may mean deploying new hardware or software, changing configurations, or establishing processes (many requirements, such as awareness training and incident reporting, are procedural rather than technical). Map each control to the specific requirement it satisfies and record that mapping for the SSP. Requirements that cannot be met immediately go into a plan of action and milestones (POA&M, requirement 3.12.2) with an owner and a target date. Challenges include resource constraints, resistance to change, and system compatibility issues. Resources required include implementation guidance, the chosen hardware or software solutions, the change management process, and access to the relevant IT teams.
Form field options: Network Intrusion Prevention System; Data Loss Prevention Solution; Security Awareness Training Program; Encryption Solution; Endpoint Protection Software
Evaluate system security plan implementation
This task evaluates whether the System Security Plan (SSP) is implemented as written. The SSP must describe how each requirement is met; this step checks that the description matches reality, so that gaps between the documented and actual state are found before an external assessor finds them. The evaluation may involve reviewing the SSP, inspecting control implementation, interviewing key personnel, and testing controls directly. Common problems are a documented control that was never fully deployed, a control deployed differently from its description, and misreadings of what a requirement asks for. Resources required include the SSP, NIST SP 800-171 and its companion assessment procedures in NIST SP 800-171A, control testing tools, and access to key personnel and systems.
Form field options: Security Policies; Risk Assessment; Incident Response Procedures; Access Control Mechanisms; Configuration Management Processes
Establish personnel security requirements
This task establishes personnel security requirements per the Personnel Security family (3.9) of NIST SP 800-171: screen individuals before authorizing access to systems containing CUI (3.9.1), and protect CUI during and after personnel actions such as terminations and transfers (3.9.2). Background-check procedures, awareness training, and account provisioning and deprovisioning tie together here: a termination that does not promptly disable accounts and recover devices and media defeats the rest of the program. Challenges include implementing the requirements consistently across the organization, verifying compliance, and handling sensitive personnel data. Resources required include personnel security guidelines, training materials, background-check processes, and access to HR and security departments.
Identify, analyze & monitor operational risks
This task identifies, analyzes, and monitors operational risks to CUI. The Risk Assessment family (3.11) requires periodic assessment of risk to operations, assets, and individuals (3.11.1), periodic vulnerability scanning of systems and applications (3.11.2), and remediation of the vulnerabilities found in accordance with the risk assessment (3.11.3). The work covers risk assessments, incident report reviews, analysis of internal and external threats, and the search for weaknesses in existing processes; the findings feed the POA&M and the incident response plan. Challenges include assessing comprehensively, prioritizing mitigation, and turning findings into preventive measures. Resources required include risk assessment tools, incident reports, threat intelligence, and personnel with risk management expertise.
Approval: Operational Risks Analysis
Submitted for approval: Identify, analyze & monitor operational risks
Develop and execute incident response plan
This task develops and exercises an Incident Response Plan (IRP) for security incidents involving CUI. The Incident Response family (3.6) requires an operational capability covering preparation, detection, analysis, containment, recovery, and user response (3.6.1), tracking, documenting, and reporting incidents to designated officials inside and outside the organization (3.6.2), and testing that capability (3.6.3). For DoD contractors the external reporting obligation is concrete: DFARS 252.204-7012 requires rapid reporting of cyber incidents to DoD within 72 hours of discovery and preservation of images of affected systems and relevant monitoring data for at least 90 days, so the plan must state who reports, through what channel, and what evidence is retained. Development includes playbooks, reporting and escalation procedures, training, and regular drills. Challenges include aligning the IRP with these requirements, responding within the deadlines, and keeping the plan current. Resources required include incident response frameworks, playbooks, reporting and escalation processes, and cooperation with IT and security teams.
Implement mobile device management solutions
This task implements Mobile Device Management (MDM) for mobile devices that handle CUI. Two requirements drive it: control connection of mobile devices (3.1.18) and encrypt CUI on mobile devices and mobile computing platforms (3.1.19), the latter using FIPS-validated cryptography (3.13.11). An MDM platform enforces those settings centrally, locks or wipes lost devices, and inventories what is connecting. Implementation includes selecting and configuring the MDM software, enforcing device encryption and screen lock, restricting which devices and applications can reach CUI, and training users on secure use. Challenges include compatibility across device platforms, user acceptance, and balancing security with productivity. Resources required include MDM software, device management policies, and collaboration with IT and security teams.
Develop and enforce cryptography methods
This task develops and enforces the organization's cryptographic methods for CUI in transit and at rest. The governing requirement is 3.13.11: employ FIPS-validated cryptography when used to protect the confidentiality of CUI. That wording matters: the module (library or device) must hold a FIPS 140 validation, not merely implement a NIST-approved algorithm, and the options below should be read with that in mind. AES is approved for confidentiality; RSA is approved for key transport and digital signatures; SHA-256 is a hash function used for integrity and signatures, not a confidentiality mechanism; Triple DES has been deprecated by NIST, and Blowfish was never a NIST-approved algorithm, so neither satisfies 3.13.11. Related requirements cover CUI during transmission (3.13.8), on mobile devices (3.1.19), on digital media during transport (3.8.6), and key management (3.13.10). The work includes selecting algorithms and validated modules, defining key generation, storage, rotation, and destruction procedures, and training personnel. Challenges include compatibility across systems and keeping key management sound over time. Resources required include cryptographic guidelines, FIPS-validated software or hardware modules, key management systems, and collaboration with IT and security teams.
Form field options: AES; RSA; Triple DES; Blowfish; SHA-256
Establish maintenance procedures for system integrity
This task establishes maintenance procedures that preserve the integrity and availability of systems handling CUI. Two families apply: Maintenance (3.7), which requires controlled system maintenance, sanitization of equipment removed for off-site maintenance (3.7.3), and supervision of maintenance personnel who lack access authorization (3.7.6); and System and Information Integrity (3.14), which requires identifying, reporting, and correcting system flaws in a timely manner (3.14.1) and protection from malicious code (3.14.2). Procedures should cover patch management with defined timelines by severity, scheduled updates, regular and tested backups, and performance monitoring. Challenges include balancing maintenance with availability, patching on time, and managing updates across environments. Resources required include maintenance guidelines, patch management tools, backup systems, and cooperation with IT and security teams.
Form field options: Patch Management; System Backup; Change Management; Performance Monitoring; System Update Scheduling
Review user access and permissions
This task reviews and manages user access and permissions to CUI. The Access Control family (3.1) requires limiting system access to authorized users (3.1.1) and to the transactions and functions they are permitted to perform (3.1.2), applying least privilege including for privileged accounts (3.1.5), and using non-privileged accounts for nonsecurity functions (3.1.6); Identification and Authentication (3.5) adds multifactor authentication for privileged accounts and for network access (3.5.3). A review therefore compares every account against a current HR roster and role definitions, disables or removes accounts of departed users, strips privileges not justified by role, and flags stale and shared accounts, including service accounts with no named owner. Challenges include keeping the access list current and managing permissions across many systems. Resources required include access control policies, access management tools, user access audit reports, and collaboration with HR and IT teams.
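The following script is an added example of the access review described above; it is not part of the original checklist or of any product it references. It reconciles a constructed directory export against a constructed HR roster and reports accounts that are still enabled after termination, accounts with no HR owner, privileged group membership not justified by an approved role, and accounts with no login inside the review window. The group names, roles, 90-day stale threshold and approved-role list are assumptions chosen for the example.

```python
"""Access recertification check for accounts with reach into CUI systems.

Constructed sample data: an HR roster and a directory export. In practice
both would come from the HR system and from the directory (LDAP/AD/IdP).
"""
from datetime import date, timedelta

# Hypothetical HR roster: username -> (employment status, job role).
HR_ROSTER = {
    "alice": ("active", "engineer"),
    "bob": ("terminated", "engineer"),
    "carol": ("active", "sysadmin"),
    "dave": ("active", "contractor"),
}

# Hypothetical directory export: enabled flag, group memberships, last login.
ACCOUNTS = [
    {"user": "alice", "enabled": True, "groups": ["cui-readers"],
     "last_login": date(2024, 5, 30)},
    {"user": "bob", "enabled": True, "groups": ["cui-readers"],
     "last_login": date(2024, 1, 3)},
    {"user": "carol", "enabled": True, "groups": ["cui-readers", "domain-admins"],
     "last_login": date(2024, 6, 1)},
    {"user": "dave", "enabled": True, "groups": ["cui-readers", "domain-admins"],
     "last_login": date(2024, 6, 10)},
    {"user": "svc-backup", "enabled": True, "groups": ["backup-operators"],
     "last_login": date(2023, 9, 1)},
]

# Assumptions for the example: which groups count as privileged, which roles
# are approved to hold them, and how long without a login counts as stale.
PRIVILEGED_GROUPS = {"domain-admins", "backup-operators"}
APPROVED_PRIVILEGED_ROLES = {"sysadmin"}
STALE_AFTER = timedelta(days=90)
REVIEW_DATE = date(2024, 6, 15)


def review_access(accounts, roster, today, stale_after=STALE_AFTER):
    """Return (user, finding) pairs for every enabled account that fails a check.

    Findings, in the order they are checked per account:
      no-hr-record             enabled account with no owner in HR (orphan or
                               service account; needs a named owner)
      terminated-still-enabled HR says departed, directory says enabled
      privileged-not-approved  privileged group held by a role not on the
                               approved list (least privilege, 3.1.5)
      stale                    no login within the review window
    """
    findings = []
    for acct in accounts:
        user = acct["user"]
        if not acct["enabled"]:
            continue  # disabled accounts are out of scope for this pass
        role = None
        hr = roster.get(user)
        if hr is None:
            findings.append((user, "no-hr-record"))
        else:
            status, role = hr
            if status != "active":
                findings.append((user, "terminated-still-enabled"))
        # An unknown role never justifies privileged membership.
        if set(acct["groups"]) & PRIVILEGED_GROUPS and role not in APPROVED_PRIVILEGED_ROLES:
            findings.append((user, "privileged-not-approved"))
        if today - acct["last_login"] > stale_after:
            findings.append((user, "stale"))
    return findings


if __name__ == "__main__":
    for user, finding in review_access(ACCOUNTS, HR_ROSTER, REVIEW_DATE):
        print(f"{user:12s} {finding}")
```

Each finding maps to a concrete action (disable, remove from group, assign an owner, or document an exception), and the list itself is the evidence an assessor will ask for. Running the check on a schedule rather than once turns a one-off audit into the periodic review the requirement expects.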
Ensure configuration management is in place
This task ensures configuration management is in place for systems handling CUI. The Configuration Management family (3.4) requires establishing and maintaining baseline configurations and inventories (3.4.1), establishing and enforcing security configuration settings (3.4.2), tracking, reviewing, approving, and logging changes (3.4.3), analyzing the security impact of changes before implementation (3.4.4), and restricting or disabling nonessential programs, functions, ports, protocols, and services (3.4.7). In practice that means a recorded baseline for each asset class below, a change process that requires approval before any deviation, and periodic comparison of live systems against the baseline so that drift is detected rather than assumed away. Challenges include managing changes across many systems, minimizing downtime during changes, and reconciling conflicting configuration requirements. Resources required include configuration management guidelines, change management tools, configuration audit reports, and cooperation with the relevant IT teams.
Form field options: Network Devices; Servers; Workstations; Firewalls; Databases
Develop and document System Security Plan (SSP)
This task develops and documents the System Security Plan (SSP) required by 3.12.4. The SSP describes the system boundary, the environment of operation, how each requirement is implemented (or that it is not yet implemented, with a pointer to the POA&M), and the relationships with and connections to other systems. The work includes identifying the applicable controls, describing implementation precisely enough that an assessor can verify it, mapping controls to the CUI handling processes, and collaborating with the people who run the systems. Challenges include interpreting requirements accurately, describing what is actually in place rather than restating the requirement, and keeping the SSP current as systems change. Resources required include NIST SP 800-171, SSP templates, collaboration with IT and security teams, and access to system documentation.
Conduct a self-assessment of system security plan effectiveness
This task conducts a self-assessment of SSP effectiveness, using the assessment procedures in NIST SP 800-171A as the yardstick. For each requirement, record the implementation status from the options below together with the evidence supporting it. Unsure should be treated as Not Implemented until evidence is found, and Not Applicable should be rare and justified in the SSP, since nearly every requirement applies to any system that handles CUI. Every requirement that is not fully implemented goes into the POA&M (3.12.2). The self-assessment may involve reviewing control implementation, analyzing incident reports, and running vulnerability assessments. Challenges include assessor bias, judging effectiveness rather than mere presence of a control, and addressing what is found. Resources required include the SSP, incident reports, vulnerability assessment tools, and collaboration with IT and security teams.
Form field options: Fully Implemented; Partially Implemented; Not Implemented; Not Applicable; Unsure
Approval: System Security Plan
Submitted for approval: Develop and document System Security Plan (SSP); Conduct a self-assessment of system security plan effectiveness
Correct any identified deficiencies
This task corrects the deficiencies identified by the self-assessment, working the POA&M (3.12.2) to closure. Each item should name the requirement, the corrective action, an owner, and a target date; closure requires evidence that the control now works, not only that a ticket was resolved, and the SSP is updated to match. Corrections may include changing control implementation, improving incident response procedures, or tightening access control mechanisms. Challenges include resource constraints, prioritizing corrective actions, and coordinating changes across systems and processes. Resources required include the self-assessment report, collaboration with IT and security teams, and access to system documentation.
Submit SSP and self-assessment to DoD CIO for review
This task prepares and submits the System Security Plan (SSP) and the self-assessment report for review. Before submitting, confirm which obligation applies, because DoD does not routinely review SSPs. Under DFARS 252.204-7019 and 252.204-7020 a contractor records the result of its NIST SP 800-171 self-assessment as a summary score in the Supplier Performance Risk System (SPRS), with the assessment date, the scope (the SSP it covers), and the date by which a full score is expected; the SSP and POA&M themselves stay with the contractor and are produced on request. DFARS 252.204-7012 separately requires notifying the DoD CIO within 30 days of contract award of any requirements not implemented at the time of award, and obtaining DoD CIO approval for any alternative but equally effective measures. A DoD CIO submission is therefore not a substitute for the SPRS entry, and outstanding deficiencies should be in the POA&M rather than left out of the package. Preparation includes organizing the SSP and self-assessment documents, writing a cover letter, and following the applicable submission guidance. Challenges include meeting the specific submission requirements and resolving deficiencies before submission. Resources required include the SSP, the self-assessment report, the submission guidance, and collaboration with the relevant personnel.