FY 2018 ISOO Annual Report Release

The Information Security Oversight Office (ISOO) released its Fiscal Year (FY) 2018 Annual Report to the President today and posted it here.  In his Letter to the President, ISOO Director Mark A. Bradley highlighted the challenges the Government faces in trying to safeguard and manage petabytes of electronic data using antiquated systems meant for paper. He also stressed the need for the Government to modernize its information security and information management policies, and to adopt a technology and investment strategy to accomplish it.

The report featured both an update on ISOO’s efforts to implement recommendations from its FY 2017 Annual Report to the President and a high-level assessment of the various programs in ISOO’s portfolio, including the Controlled Unclassified Information (CUI) Program.  The first page of the FY 2018 report is dedicated to an evaluation of agency CUI implementation efforts and ISOO’s work supporting implementation. The report noted that agencies have made significant progress since last year, but work remains to be done.

Specifically, many agencies still have not submitted CUI budget estimates to the Office of Management and Budget (OMB). To aid agencies, ISOO worked with OMB to modify section 31.15 of Circular A-11, Preparation, Submission, and Execution of the Budget. This guidance now details what agencies need to include when submitting their CUI implementation budget estimates: hiring staff to implement and manage the program; developing and deploying automated marking tools; and creating training programs for agency staff. ISOO also worked with the Departments of Homeland Security and Defense, the National Aeronautics and Space Administration, and the General Services Administration to draft standard safeguarding requirements for inclusion in a Federal Acquisition Regulation (FAR). ISOO and its partners hope to finalize these requirements in FY 2019 so they are ready for use by agencies.

We hope you take time to read both the Director’s Letter to the President as well as the full report.

CUI Program Update to Stakeholders

 

The next CUI Program update to Stakeholders will be held on November 13 from 1-3.

Topics include:

  • A brief overview of the CUI program;
  • An update on agency implementation efforts;
  • The status and plans for a CUI Federal Acquisition Regulation Rule;
  • CUI Training session that will be held on August 29 from 1-3;
  • Time for Questions and Answers.

Hosted by: Devin Casey and Charlene Wallace

The phone-in information will be posted in the upcoming weeks.

Protecting Controlled Unclassified Information: Comment on Draft NIST SP 800-171 Rev. 2 and Draft NIST SP 800-171B (comment period ends July 19, 2019)

https://csrc.nist.gov/News/2019/draft-sp-800-171-rev-2-and-sp-800-171b

NIST is seeking comments on Draft NIST Special Publication (SP) 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and Draft NIST SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets.

The public comment period for both publications ends on July 19, 2019. See the publication details for SP 800-171 Rev. 2 and SP 800-171B for document files and instructions on submitting comments.

Details

Draft NIST SP 800-171 Revision 2 provides minor editorial changes in Chapters One and Two, and in the Glossary, Acronyms, and References appendices. There are no changes to the basic and derived security requirements in Chapter Three. For ease of use, the Discussion sections, previously located in Appendix F (SP 800-171 Revision 1), have been relocated to Chapter Three to coincide with the basic and derived security requirements.

Draft NIST SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets, was developed in the spring of 2019 as a supplement to NIST SP 800-171. This new document offers additional recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher-than-usual risk of exposure. When CUI is part of a critical program or a high value asset (HVA), it can become a significant target for high-end, sophisticated adversaries (i.e., the advanced persistent threat (APT)). In recent years, these critical programs and HVAs have been subjected to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST.

The enhanced security requirements are to be implemented in addition to the basic and derived requirements in NIST SP 800-171, since the basic and derived requirements are not designed to address the APT. The enhanced security requirements apply only to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components when the designated CUI is contained in a critical program or HVA. The enhanced security requirements are only applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.

CUI Program Update for Stakeholders

The webinar is April 17, 2019 (1-3 EDT).

Topics include:

  • A brief overview of the CUI program;
  • An update on agency implementation efforts;
  • The status and plans for a CUI Federal Acquisition Regulation Rule;
  • CUI Industry Day; and,
  • Time for Questions and Answers.

Hosted by: Devin Casey/Charlene Wallace/Joseph Taylor

Participant Instructions

The conference begins at 1:00 PM Eastern Time on April 17, 2019; you may join the conference 10 minutes prior.
Step 1: Dial into the conference.
Dial-in: 1-877-369-5243 or 1-617-668-3633
Access Code: 0506395##
Need an international dial-in number?

Step 2: Join the conference on your computer.

Entry Link: http://ems8.intellor.com/login/812719

When you access the entry link above, you will be provided a choice – to install the WebEx plug-in for your preferred browser or to join the web conference using a temporary path. Either option is acceptable.

Need technical assistance? Call the AT&T Help Desk at 1-888-796-6118 or 1-847-562-7015.

CUI Coversheet and Labels

There’s a completely new look on the horizon for the identification of CUI products.  One part involves the individual document(s); the other involves all the other media forms.  Also, the color for the new forms is purple, and thus it will be instantly distinguishable from all other forms!

The CUI coversheets themselves have been reduced to one, and while that one is reminiscent of the Optional Forms (OF) 901, OF 902, and OF 903, it has evolved into the Standard Form (SF) 901. It can be downloaded from either the ISOO or General Services Administration (GSA) website. It is still a fillable form and is provided at no cost (see ISOO Notice 2019-01). You may continue to use the old forms until existing supplies have been depleted; however, they can no longer be downloaded. The SF 901 is available for download immediately, and as before, once it is affixed to the top of the document(s), it remains attached until the document(s) no longer requires protection, is properly secured, and/or is decontrolled or destroyed.

The new SF 902 is a standard size label, much like the ones authorized for classified media, and is used to identify and protect electronic media and other media that contain CUI. It is used instead of the SF 901 for media other than documents. If your agency determines, as part of its risk management strategy, that a standard size label is required, the SF 902 will be used. It must be affixed to the medium containing CUI in a manner that would not adversely affect operation of the equipment in which the medium is used, and once it has been applied, it cannot be removed. This form is not yet available, but soon will be. It is expected to be available for purchase through GSA, but the exact date is yet to be determined. Also, it will not be downloadable, as it comes in a pad of about 50 sheets (5-1/4 X 4-1/4″ sheet of six 2-1/8 X 1-1/4″ labels), and its cost is to be approximately $25.00 per pad.

The new SF 903 is a thumb drive size label. The SF 903 is used to identify and protect electronic media that contains CUI. If your agency determines, as part of its risk management strategy, that a thumb drive size label is required, the SF 903 will be used. The SF 903 is affixed to a thumb drive containing CUI in a manner that would not adversely affect either operation of the drive or operation of the medium in which it is inserted, and as with the SF 902, once it has been applied, it cannot be removed. This form also is not yet available, but soon will be. It is expected to be available for purchase through GSA, but the exact date is yet to be determined. Similar to the SF 902, this form will not be downloadable, as it comes in a pad of about 50 sheets (5-1/4 X 4-1/4″ sheet of twelve 2-1/8 X 5/8″ labels), and its cost is to be approximately $25.00 per pad.

Please direct any questions regarding this post to: CUI@nara.gov

14 Nov 2018 (1-3 EDT) CUI Program Update to Stakeholders (Webinar link and call-in information)

The webinar is tomorrow, 14 Nov 2018 (1-3 EDT).

Topics include:

  • A brief overview of the CUI program;
  • An update on agency implementation efforts;
  • The status and plans for a CUI Federal Acquisition Regulation Rule;
  • CUI Industry Day Agenda; and,
  • Time for Questions and Answers.

Hosted by: Devin Casey

Participant Instructions

Step 1: Dial into the conference (you may join the conference up to 10 minutes prior.)

Dial-in: 1-877-369-5243 or 1-617-668-3633
Access Code: 0317561##
Need an international dial-in number?

Step 2: Join the conference on your computer.

Entry Link: http://ems8.intellor.com/login/809667

When you access the entry link above, you will be provided a choice – to install the WebEx plug-in for your preferred browser or to join the web conference using a temporary path. Either option is acceptable.

Need technical assistance? Call the AT&T Help Desk at 1-888-796-6118 or 1-847-562-7015.

 

CUI Updated Training Videos

ISOO has developed seven new training modules. These videos offer the most up-to-date information about the CUI Program.

Agencies (and stakeholders) may wish to use these videos to supplement their CUI Program training. However, it is important to note that ISOO does not track completion of these modules, so if your organization wishes to require viewing of these videos as part of your CUI training program, you must download and run them from your organization’s training platform. MP4 versions will be made available for download from the CUI Registry in the coming weeks.

NIST Special Publications Update

Two major NIST publications are about to be finalized on June 14: NIST Special Publication (SP) 800-171A, “Assessing Security Requirements for Controlled Unclassified Information”; and an update to the NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” The draft 171A text may be found on the NIST site: https://csrc.nist.gov/publications/detail/sp/800-171a/draft. The 800-171A is intended to help organizations develop assessment plans and conduct assessments of the security requirements in NIST SP 800-171, which defines the requirements for protecting CUI on non-Federal systems consistent with the CUI Federal regulation (32 CFR 2002.14(h)(2)).

CUI Program Update to Stakeholders (Slides and the Next Update)

Thank you to all those who joined us for the 15 May 2018 webinar! As promised, here are the slides from that presentation, which covered:

  • A brief overview of the CUI program;
  • An update on agency implementation efforts;
  • A review of all existing notices, policies, training and resources currently available from the CUI Registry;
  • The status and plans for a CUI Federal Acquisition Regulation rule; and
  • Questions and Answers.

Q&As from the webinar will be posted soon.

The next Update to Stakeholders will be 15 August 2018 (1-3 pm EST).