Complying with NIST SP 800-171
EDUCAUSE Security Professionals Conference 2018
Jason Pufahl, CISO
April 12, 2018
DFARS Clause
The Department of Defense established DFARS 252.204-7012, which specifies that any research containing Controlled Unclassified Information (CUI) be protected using NIST 800-171 security controls. The DFARS Clause 252.204-7012 mandates that we:
• Provide adequate IT security
• Implement all 109 NIST 800-171 controls
• Comply by 12-31-2017
• Report areas of non-compliance to DoD within 30 days after contract award
NIST 800-171 – What is it?
• Controlled Unclassified Information (CUI) is data that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations and government-wide policies, but is not classified.
• NIST 800-171 security controls apply to CUI shared by or through the federal government with a nonfederal entity.
• As a higher education institution, UConn is a nonfederal entity.
• If no specific law addresses how CUI shared by the federal government must be protected, UConn must adhere to the NIST 800-171 security controls.
• Compliance is required by the DFARS 252.204-7012 clause in research contracts.
NIST 800-171 Controls
NIST 800-171 has 14 families of security requirements comprising 109 controls.
• Basic: the ultimate goal
• Derived: ways to accomplish the goal
The 14 families:
• Access Control
• Awareness & Training
• Audit & Accountability
• Configuration Management
• Identification & Authentication
• Incident Response
• Maintenance
• Media Protection
• Personnel Security
• Physical Protection
• Risk Assessment
• Security Assessment
• System & Communications Protection
• System & Information Integrity

Key Infrastructure Elements
• Mobility and Supportability
• Fully Virtualized
• NetApp Storage
• Centralized Security Controls
• Data Collection and Review
• Firewalls
• Malware Detection
• Consistency
• Operating System Management
• Documentation Binder
Debate: Microsoft Azure vs. Local Data Center
• GovCloud
• NIST 800-171 Certification
• Logging
• Vectra
• Firewalls
• Familiarity
Controls Workbook
Map each control to a technology or process (x 109!)
Roles and Responsibilities
109 Technical & Operational Controls, divided as follows:
• ITS and CISO: 64 controls (59%) that are covered based on the current status of UConn’s infrastructure and policies and/or are monitored by the CISO.
• Shared: 21 controls (19%) implemented and managed through a combined effort of all groups.
• System Owner/PI: 13 controls (12%) implemented and managed by the PI or research group.
• System Admin: 11 controls (10%) that require some work or interaction by the SA to use or implement.
NIST Binder
Two types of binders:
1) Common Control Provider
2) Program Specific
Training
Online NIST 800-171 training developed by ITS and hosted in collaboration with UConn Human Resources.
• Required for all ITS infrastructure support staff, PIs and their support staff
• Email reminders
• Reports
• Audit trail
Principal Investigator (PI)
• New project? Complete the Intake Form
• CRM Administrator interviews the PI to discuss specific project needs
• Create a secured research infrastructure (SRI) for the project
• CRM Administrator meets with the PI to review:
  • Secured Research Infrastructure (SRI) PI Checklist Summary, and
  • UConn NIST SP 800-171 Security Control Requirements
• 3-month review
• One-year review
Unfinished Business
• File transfer process
• Application whitelisting
• Binder revisions
Resources
• Website: https://security.uconn.edu/secured-research-infrastructure/
• PI Intake Form
• SRI PI Checklist Summary
• UConn NIST 800-171 Security Control Requirements
Thank You!
Contact: Jason Pufahl, UConn CISO
Jason.Pufahl@uconn.edu
860-486-3743