FY 2018 ISOO Annual Report Release

The Information Security Oversight Office (ISOO) released its Fiscal Year (FY) 2018 Annual Report to the President today and posted it here.  In his Letter to the President, ISOO Director Mark A. Bradley highlighted the challenges the Government faces in trying to safeguard and manage petabytes of electronic data using antiquated systems meant for paper. He also stressed the need for the Government to modernize its information security and information management policies, and to adopt a technology and investment strategy to accomplish it.

The report featured both an update on ISOO’s efforts to implement recommendations from its FY 2017 Annual Report to the President and a high-level assessment of the various programs in ISOO’s portfolio, including the Controlled Unclassified Information (CUI) Program.  The first page of the FY 2018 report is dedicated to an evaluation of agency CUI implementation efforts and ISOO’s work supporting implementation. The report noted that agencies have made significant progress since last year, but work remains to be done.

Specifically, many agencies still have not submitted CUI budget estimates to the Office of Management and Budget (OMB). To aid agencies, ISOO worked with OMB to modify section 31.15 of Circular A-11, Preparation, Submission, and Execution of the Budget. This guidance now includes details meant to inform what agencies need to include in submitting their CUI implementation budget estimates: hiring staff to implement and manage the program; developing and deploying automated marking tools; and creating training programs for agency staff. ISOO also worked with the Departments of Homeland Security and Defense, the National Aeronautical and Space Administration, and the General Services Administration to draft standard safeguarding requirements for inclusion in a Federal Acquisition Regulation (FAR). ISOO and its partners hope to finalize these requirements in FY 2019 so it is ready for use by agencies.

We hope you take time to read both the Director’s Letter to the President as well as the full report.

Protecting Controlled Unclassified Information: Comment on Draft NIST SP 800-171 Rev. 2 and Draft NIST SP 800-171B (comment period ends July 19, 2019)

https://csrc.nist.gov/News/2019/draft-sp-800-171-rev-2-and-sp-800-171b

NIST is seeking comments on Draft NIST Special Publication (SP) 800-171 Revision 2Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and Draft NIST SP 800-171BProtecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets.

The public comment period for both publications ends on July 19, 2019. See the publication details for SP 800-171 Rev. 2 and SP 800-171B for document files and instructions on submitting comments.

Details

Draft NIST SP 800-171 Revision 2 provides minor editorial changes in Chapters One and Two, and in the Glossary, Acronyms, and References appendices. There are no changes to the basic and derived security requirements in Chapter Three. For ease of use, the Discussion sections, previously located in Appendix F (SP 800-171 Revision 1), have been relocated to Chapter Three to coincide with the basic and derived security requirements.

Draft NIST SP 800-171BProtecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets, was developed in the spring of 2019 as a supplement to NIST SP 800-171. This new document offers additional recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher-than-usual risk of exposure. When CUI is part of a critical program or a high value asset (HVA), it can become a significant target for high-end, sophisticated adversaries (i.e., the advanced persistent threat (APT)). In recent years, these critical programs and HVAs have been subjected to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST.

The enhanced security requirements are to be implemented in addition to the basic and derived requirements in NIST SP 800-171, since the basic and derived requirements are not designed to address the APT. The enhanced security requirements apply only to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components when the designated CUI is contained in a critical program or HVA. The enhanced security requirements are only applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.

Director’s Corner

by Mark Bradley, Director, ISOO

The Wall Street Journal reported in its April 29, 2019, edition that American intelligence chiefs now believe that Chinese espionage is the most significant long-term threat facing the country. This threat encompasses traditional spy craft, which is aimed at stealing government secrets, and the theft of intellectual property and research from corporations and universities. China’s effort is being aided and abetted by oceans of stolen personal data, such as the heist in 2015 of more than 20 million files from the Office of Personnel Management. Counterintelligence experts believe that such grand scale thefts help Chinese intelligence officers pinpoint who may be the most vulnerable to recruitment.

The Information Security Oversight Office is the Executive Agent of the government’s Controlled Unclassified Information program. This program’s primary aim is to enhance the government’s protection of sensitive but unclassified information.

Register for the CUI Symposium Hosted by The Department of Veteran Affairs

VA symposium

The Department of Veteran Affairs will host a CUI Symposium on November 8, 2018, 2:30 -4:00 pm at 810 Vermont Avenue NW, Washington DC 20420, in the G.V. “Sonny” Montgomery Veterans Auditorium, Room 230.

Panel members from DOI, IRS and CUI Executive Agent will also share their CUI Deployment knowledge and experiences.

To register go to: 

https://www.eventbrite.com/e/va-cui-symposium-tickets-51290317721

Controlled Unclassified Information Security Requirements Workshop

On October 18, the National Institute of Standards and Technology (NIST), in coordination with the Department of Defense (DoD) and the CUI Executive Agent, will host an informational workshop providing an overview of Controlled Unclassified Information (CUI), the Defense Acquisition Regulations System (DFARS) Safeguarding Covered Defense Information and Cyber Incident Reporting Clause, and NIST Special Publications 800-171 and 800-171A. This workshop will also feature panels of Federal Government representatives discussing expectations for evaluating evidence and implementing the CUI Security Requirements and industry representatives sharing best practices and lessons learned.

Industry Day

December 10, 2018
9:00 a.m. – 3:00 p.m.
McGowan Theater
National Archives Museum
701 Constitution Avenue, NW
Washington, DC 20408

This day is an opportunity for Executive branch entities or other stakeholders (i.e., Nonfederal organizations) to view and learn about products and services that have been developed for the CUI Program. This event is free to all presenters, vendors, and attendees.

If you are interested in attending this event please RSVP to CUI@NARA.GOV

If you are interested in a booth or in presenting, please submit this  form to CUI@NARA.GOV NLT October 12, 2018. Booth and presentation timeslots will be assigned on a first come first serve basis. Submissions will be approved by October 19, 2018.

• 12 booths (each includes a 6 foot table) will be offered to display and present products and services related to the CUI Program.

• 6 time slots (each 30 minutes) will be offered to address products and services related to the CUI Program.

CUI Symposium Hosted by The Department of Veteran Affairs

The Department of Veteran Affairs will host a CUI Symposium on November 8, 2018, 2:30 -4:00 pm at 810 Vermont Avenue NW, Washington DC 20420, in the G.V. “Sonny” Montgomery Veterans Auditorium, Room 230.

Panel members from DOI, IRS and CUI Executive Agent will also share their CUI Deployment knowledge and experiences.

Registration is scheduled to open in early October.  Please contact Dr. Dorothelia Byrd with questions @ Dorothelia.Byrd@va.gov

CUI Updated Training Videos

ISOO has developed seven new training modules. These videos offer the most up-to-date information about the CUI Program.

Agencies (and stakeholders) may wish to use these videos to supplement their CUI Program training. However, it is important to note that ISOO does not track completion of these modules, so if your organization wishes to require viewing of these videos as part of your CUI training program, you must download and run them from organization’s training platform.  MP4 versions will be made available for download from the CUI Registry in the coming weeks.

NIST Special Publications Update

Two major NIST publications are about to be finalized on June 14: NIST Special Publication (SP) 800-171A, “Assessing Security Requirements for Controlled Unclassified Information”; and an update to the NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” The draft 171A text may be found on the NIST site: https://csrc.nist.gov/publications/detail/sp/800-171a/draft.  The 800-171A is intended to help organizations develop assessment plans and conduct assessments of the security requirements in NIST SP 800-171, which defines the requirements for protecting CUI on non-Federal systems consistent with the CUI Federal regulation (32 CFR 2002.14h2).