Purpose

This document describes what CUI is and the requirements for the implementation and maintenance of CUI endpoints.

Scope

Anyone with CUI on COC endpoints or on COC networks.

What is CUI?

CUI, short for controlled unclassified information, is information that is not classified but is sensitive in nature and should not be disseminated to the public. CUI is only applicable to data linked to federal government projects, which means they provide the data, the data is provided to them, or the data is collected on their behalf. If this is not the case, then regulated data is classified as GT sensitive and must follow the data regulation controls pertaining to the type of data, such as HIPAA, FERPA, PCI-DSS, etc. To achieve this, any endpoint working with CUI is required to follow the latest revision of NIST 800-171r3. Questions on whether the data is CUI should be directed here.

Examples Of CUI are:

  • SSN- Social Security numbers
  • FERPA, including student grades
  • credit card information
  • Medical information
  • PII- personal identifiable information- information that allows the ability to identify someone.
  • Data that, when assembled, can become PII
  • Intellectual property
  • Security information on personnel, buildings, systems, etc
  • Technical drawings and blueprints
  • Confidential business information
  • Personnel records
  • Sensitive but unclassified information- could apply to national security, defense, or warfare

 

Unit IT Requirements

CUI is tightly controlled and requires a system security plan to define how the controls are used and applied to the CUI information. and deviation is a violation that risks GT's reputation and could result in revenue loss from lawsuits and loss of contracts.

  • An SSP: system security plan.
  • All endpoints must have all the GT required endpoint tools unless otherwise approved in the SSP, accompanied by a detailed risk analysis
  • The unit IT requires the location and wall jack where the endpoint will be physically connected, as the CUI network is not connected to all network switches by default.
  • Admin access is restricted to the unit IT to prevent circumvention of controls, such as turning on WIFI or disabling tools
  • A list of project-approved URLs or IP addresses must be given to allow access, as the CUI network blocks inbound and outbound access by default.
  • If an endpoint is ordered and or being configured by the unit IT, please ensure they are aware it is for CUI.
  • The unit IT will provide CUI labels.
  • Vulnerabilities and security events reported by the endpoint tools must be addressed ASAP.
  • Endpoints will be isolated from the network by the unit IT for security incidents, such as suspected breaches or data theft.
  • Endpoints without physical connections will require a dock, dongle, etc that allows MAC passthrough so only the endpoint can get to the CUI network

  • Policy Exceptions Requests are not permitted for CUI

     

 

CUI Requirements

This is a list of what is required for CUI as per NIST 800- 171r3. A link is provided in the related link sections for more details on these controls. This list is summarized for a quick reference and breaks down into more defined controls that are covered by GT SSP and established control methods. Any questions can be directed to the unit IT, and they have a security professional on staff to assist you.

  1. CUI training.
  2. FIPS-validated cryptography in transit and at rest: examples are SFTP, SSH, Bitlocker, FileVault, LUKS, and LUKS2 (preferred over LUKS).
  3. Least privilege access: The unit IT has admin rights, and users have non-admin rights unless required, which should be limited.
  4. Access control using GT Identity Access Management.
  5. Information flow enforcement: controls where the data can go, including between machines, LANs, and outside GT networks.
  6. Separation of Duties: Different people do different functions to protect from abuse: An example is users doing the work, PI overseeing, the unit IT performing network security, and GT looking at endpoint tools and other security controls at the OIT level.
  7. Enforce a limit of unsuccessful login attempts: Examples are Fail2Ban and GPOs set in Active Directory.
  8. The system uses notifications: Banners displaying messages and warnings at login.
  9. Device lock: Inactivity locks devices, such as a screen lock, requiring the user to log back in to unlock.
  10. Session termination: Remote sessions are terminated after a period of inactivity.
  11. Remote Access is controlled and monitored.
  12. Wireless restrictive: COC CUI network is connected via a Wired interface only. Items with CUI must not connect to other networks.
  13. Access control and encryption for mobile devices. Currently, they can not connect to the CUI network due to no wireless connectivity options.
  14. No use of external systems unless authorized and meeting all controls.
  15. Event logging: GT requires logging to their servers.
  16. Time Stamps: System internal clocks provide timestamps.
  17. Baseline configurations: include system, system components, connectivity, operation, and communications.
  18. Documented configuration settings and approved deviations from them.
  19. Configuration change control: refers to tracking, reviewing, approving, or disapproving, and logging changes to the system.
  20. Document and enforce physical and logical access restrictions and changes to them.
  21. Least functionality: mission-critical only capabilities.
  22. Software installation denies all and allows by exception.
  23. Inventory of endpoints.
  24. Multifactor Authentication.
  25. Incident handling: incident response for security events and incidents.
  26. Media Protection: Labeling SD CUI physical control and storage, restricted access to it, proper sanitation, encryption, protection in transport, restrictions of use on types of media, such as cages for endpoints, USB ports disabled, assigning accountability for devices.
  27. Personnel security: screening, update access on termination or transfer.
  28. Physical access authorization: Maintain access control list and roles, as well as monitoring.
  29. Establish any alternative controls and security for those sites, used for contingency.
  30. Risk assessments: include risk response to findings from assessments, monitoring, audits, etc., and POAM(Plan of action and Milestones) as needed.
  31. Vulnerability scanning and monitoring.
  32. Continuous monitoring.
  33. Network boundary protection, including denial by default for inbound and outbound.
  34. Crypto key establishment and management.
  35. Collaborative computing devices and applications: prohibit remote activation except through authorization and provide an indication of use for users physically present. Examples are cameras, recording, whiteboards, etc.
  36. Mobile code use needs to be defined: examples are code from remote systems, Java applets, JavaScript, HTML5, etc.
  37. Flaw remediations: this includes correcting flaws in systems, firmware, software security updates, and vulnerabilities.
  38. Monitor for security alerts, advisories, and directives from GT and external sources.
  39. Define information management and retention.
  40. System security plan: GT provides one.
  41. Supply chain risk management, as well as a plan to replace unsupported components.
  42. Manage external system services planning: must follow the  CUI rules we follow.
  43. Malware protection and remediation.

Related Links

NIST SP 800-171r3 https://doi.org/10.6028/NIST.SP.800-171r3
GT System Security Planshttps://cui.gatech.edu/gt-standard-system-security-plan
GT Security Standardshttps://security.gatech.edu/information-security-procedures-standards-and-forms
GT Cybersecurity Policieshttps://policylibrary.gatech.edu/information-technology/cyber-security-policy
CUI Traininghttps://cui.gatech.edu/cui_training/