Handling Controlled Unclassified Information (CUI) requires proper system and network configuration to ensure the confidentiality, integrity, and availability of the information. CUI refers to unclassified information that requires safeguarding or dissemination controls under laws, regulations, or government-wide policies.
This review will examine the key aspects of the system and network configuration needed to appropriately manage CUI. CUI includes information like personally identifiable information (PII), financial data, proprietary business information, law enforcement sensitive data, and other categories that need to be protected even though they are not classified.
There are various laws and regulations like HIPAA, FISMA, and agency-specific policies that dictate CUI safeguarding requirements. Having the proper network architecture, access controls, encryption, and other security measures in place is crucial for ensuring CUI is not exposed, stolen, or compromised. The consequences of mishandling CUI could include privacy violations, identity theft, regulatory fines, loss of public trust, and legal liability.
What specific steps should be taken to secure CUI servers and workstations?
CUI servers and workstations should be hardened to industry standards. This includes disabling unnecessary services, applying system updates, using antimalware software, and following secure configuration baselines.
Specific hardening standards like CIS Benchmarks, NSA Guides, and NIST 800-53 should be followed to lock down CUI systems appropriately. Services like FTP, Telnet, and SMB should be disabled if not required.
System updates and patches need to be applied within the timeline set by the vulnerability severity, such as within 48 hours for critical vulnerabilities. Antimalware software should be installed on all systems, and regular scans should be scheduled at least weekly.
For privileged access, admin rights should be limited to essential personnel based on the principle of least privilege. Multi-factor authentication should be used for any admin accounts that access CUI systems remotely to prevent compromised credentials. Workstations should automatically lock after 15 minutes or less of inactivity to prevent access if a machine is left unattended.
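One way to check the "disable unnecessary services" step on a Linux host, added here as an illustration and not part of the original article: parse `ss -tln` output and flag listeners on the FTP, Telnet and SMB ports named above. The sample output and the `required` allow-list parameter are constructed assumptions.

```python
# Added example: flag listeners for services the text says to disable if not required.
# Port numbers are the IANA defaults; the sample `ss -tln` output is constructed.
RISKY_PORTS = {21: "FTP", 23: "Telnet", 139: "SMB (NetBIOS session)", 445: "SMB"}

SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       32      0.0.0.0:21          0.0.0.0:*
LISTEN  0       50      127.0.0.1:445       0.0.0.0:*
LISTEN  0       128     [::]:23             [::]:*
"""

def parse_listeners(ss_output):
    """Return (address, port) pairs for each LISTEN row of `ss -tln` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening socket
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((addr.strip("[]"), int(port)))
    return listeners

def audit_services(ss_output, required=frozenset()):
    """List risky listeners whose port is not in `required` (documented need)."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port in RISKY_PORTS and port not in required:
            loopback = addr in ("127.0.0.1", "::1")
            findings.append({
                "port": port,
                "service": RISKY_PORTS[port],
                "bind": addr,
                # A loopback-only listener is not reachable from the network.
                "severity": "low" if loopback else "high",
            })
    return sorted(findings, key=lambda f: f["port"])

if __name__ == "__main__":
    for f in audit_services(SAMPLE_SS_OUTPUT):
        print(f"{f['severity']:>4}  {f['service']} on {f['bind']}:{f['port']}")
```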
How should the network be designed and secured for CUI?
The network perimeter should be protected by a next-generation firewall. Default login credentials on network devices like routers and switches should be changed at installation and whenever personnel with knowledge of the passwords leave the organization.
Wireless access to CUI should use WPA2 encryption at a minimum, but WPA3 or other advanced protocols are preferable. The network should be segregated into VLANs or subnets based on data and system sensitivity, with restricted access between zones. Access control lists should be implemented to restrict traffic between network segments to only necessary ports and protocols.
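The segmentation rule above, modelled as a first-match ACL with an implicit deny (an added example, not from the original article). The zone names, subnets and permitted ports are constructed assumptions. The `overly_broad` helper flags permit rules that open every port into a segment.

```python
import ipaddress

# Added example: inter-segment ACL, first match wins, anything unmatched is denied.
# Zone names, subnets and rules are constructed for illustration.
ZONES = {
    "user_vlan": ipaddress.ip_network("10.10.20.0/24"),
    "cui_vlan": ipaddress.ip_network("10.10.50.0/24"),
    "mgmt_vlan": ipaddress.ip_network("10.10.99.0/24"),
}

# (source zone, destination zone, protocol, destination port, action)
ACL = [
    ("user_vlan", "cui_vlan", "tcp", 443, "permit"),  # HTTPS to the CUI application
    ("mgmt_vlan", "cui_vlan", "tcp", 22, "permit"),   # SSH administration
]

def zone_of(ip):
    """Map an address to its zone name, or None if it is outside every zone."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def evaluate(src_ip, dst_ip, proto, dport, acl=ACL):
    """Return 'permit' or 'deny' for a flow crossing segment boundaries."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny"      # unknown networks never reach a zone
    if src == dst:
        return "permit"    # intra-segment traffic is not filtered by this ACL
    for r_src, r_dst, r_proto, r_port, action in acl:
        if (r_src, r_dst, r_proto) == (src, dst, proto) and r_port in (dport, "any"):
            return action
    return "deny"          # implicit deny: only listed ports and protocols pass

def overly_broad(acl=ACL):
    """Permit rules that open every port into a segment defeat the segmentation."""
    return [rule for rule in acl if rule[4] == "permit" and rule[3] == "any"]

if __name__ == "__main__":
    print(evaluate("10.10.20.5", "10.10.50.10", "tcp", 443))  # permit
    print(evaluate("10.10.20.5", "10.10.50.10", "tcp", 445))  # deny
```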
Regular vulnerability scanning should be done every month, along with annual penetration testing to validate security controls and find weaknesses. Next-gen firewall features like application awareness, intrusion prevention, and sandboxing can help detect and block threats trying to infiltrate the network perimeter.
What access controls should be in place for securing CUI systems and data?
Role-based access control should be implemented to restrict user access to only the CUI required for their role. The principle of least privilege should be followed such that users are not granted permissions they do not need to perform their duties. Privileged accounts like system and network administration should be strictly limited.
User accounts and their levels of access should be reviewed quarterly or whenever duties change to ensure appropriate privileges. Remote access to CUI should use virtual private networks (VPN) with multi-factor authentication to validate identity.
For authentication to CUI systems, long and complex passwords over 14 characters or passphrases over 20 characters should be required and changed every 60-90 days. Multi-factor authentication should also be used for remote system logins when possible.
What encryption methods should be used to protect CUI data?
CUI data should be encrypted both at rest and in transit to prevent interception or theft of information. Full disk encryption using algorithms like AES 256-bit is recommended for hard drives and removable media like USB drives or CDs containing CUI data.
For data in transit, VPNs and protocols like TLS 1.2 or higher, SSH, and SFTP should be used. Encryption keys should be securely generated and rotated at least annually. Approved key lengths are 2048-bit for asymmetric RSA encryption and 256-bit for symmetric AES encryption.
Proper key management procedures must be in place to securely store and access keys as needed for encryption and decryption. This includes securely storing keys in hardware security modules or similar features to prevent keys from being exposed.
What DLP controls should be used to secure CUI data?
Data loss prevention controls should be implemented to detect and prevent potential unauthorized disclosure of CUI through exfiltration, insider threats, or human error. Technical controls like completely disabling USB ports, restricting CD/DVD writing capabilities, and blocking unapproved cloud storage services can prevent data from leaving the network.
Email attachments containing CUI should be restricted to less than 10 MB in size and filtered for sensitive data. Web traffic should be proxied and filtered to block access to personal email, file-sharing sites, and other non-business sites from CUI systems.
DLP rules should be created to scan email, web traffic, and endpoint activity for patterns indicating CUI disclosure, alerting security staff of potential breaches. Rights management features can be used to control the viewing, editing, printing, and sharing of CUI files.
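A sketch of the content rules described above, added as an illustration and not taken from the original article or any DLP product. It checks outbound mail for structurally valid Social Security numbers, Luhn-valid card numbers, CUI banner lines, and attachments at or over the 10 MB limit. The patterns, the sample message and the marking string are constructed assumptions, and matched values are masked so the alert does not leak them.

```python
import re

# Added example: DLP-style content rules for outbound mail.
# Patterns and the sample message below are constructed for illustration.
MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024  # the 10 MB attachment limit from the text
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")
MARKING_RE = re.compile(r"^[ \t]*(?:CUI|CONTROLLED)(?://\S+)?[ \t]*$", re.MULTILINE)

SAMPLE_BODY = ("Hi, records attached. Applicant SSN 123-45-6789, ref 000-12-3456.\n"
               "Card on file: 4111 1111 1111 1111\n")
SAMPLE_ATTACHMENTS = [("roster.txt", 2048, "CUI//SP-PRVCY\nName, DOB (constructed)")]

def luhn_ok(digits):
    """Luhn checksum: filters out random digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def scan_text(text):
    findings = []
    for m in SSN_RE.finditer(text):
        area, group, serial = m.groups()
        # Areas 000, 666, 9xx, group 00 and serial 0000 are never issued.
        if area not in ("000", "666") and area[0] != "9" and group != "00" and serial != "0000":
            findings.append(("ssn", "***-**-" + serial))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(("card_number", "*" * (len(digits) - 4) + digits[-4:]))
    for m in MARKING_RE.finditer(text):
        findings.append(("cui_marking", m.group().strip()))
    return findings

def evaluate_message(body, attachments):
    """attachments: list of (filename, size_bytes, extracted_text) tuples."""
    findings = scan_text(body)
    for name, size, text in attachments:
        if size >= MAX_ATTACHMENT_BYTES:
            findings.append(("oversize_attachment", name))
        findings += scan_text(text)
    return {"action": "block_and_alert" if findings else "allow", "findings": findings}

if __name__ == "__main__":
    print(evaluate_message(SAMPLE_BODY, SAMPLE_ATTACHMENTS))
```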
What physical security is required around CUI systems?
CUI servers, computers, and other systems should be located in secured areas with controlled physical access limited to only those employees needing routine access. Server rooms and telecom closets housing network infrastructure should have multilayer access controls like smart cards or biometric readers.
Security cameras should be installed to monitor entry/exit points, restricted areas, and other critical infrastructure, with footage retained for at least 90 days. Access logs for restricted areas should be kept for auditing purposes. Racks and cabling should be neatly organized and inventoried. Environmental controls like UPS backup power, fire suppression, and climate monitoring should be in place.
Protecting the confidentiality and integrity of CUI requires implementing layered technical controls around system and network security. Proper hardening, access restrictions, encryption, DLP, and physical protections are essential when handling sensitive government information and high-value data.
Following best practice guidelines, continuously monitoring systems, and validating security through audits and testing help establish and maintain the secure network environment necessary for appropriately safeguarding CUI.