Purpose
This document describes what CUI is and what TSO needs for the implementation and maintenance of CUI endpoints.
Scope
Anyone with CUI on COC endpoints or on COC networks.
What is CUI?
CUI, short for controlled unclassified information, is information that is not classified but is sensitive in nature and must not be disseminated to the public. CUI applies only to data linked to federal government projects, meaning the federal government provides the data, the data is provided to the government, or the data is collected on the government's behalf. If this is not the case, regulated data is classified as GT sensitive and must follow the data regulation controls pertaining to the type of data, such as HIPAA, FERPA, PCI-DSS, etc. Any endpoint working with CUI is required to follow the latest revision of NIST SP 800-171. Questions on whether data is CUI should be directed to tsosec@cc.gatech.edu.
Examples of CUI are:
- SSN: Social Security numbers
- FERPA data, including student grades
- Credit card information
- Medical information
- PII: personally identifiable information, i.e. information that can be used to identify someone
- Data that, when assembled, can become PII
- Intellectual property
- Security information on personnel, buildings, systems, etc.
- Technical drawings and blueprints
- Confidential business information
- Personnel records
- Sensitive but unclassified information: could apply to national security, defense, or warfare
TSO Requirements
CUI is tightly controlled and requires a system security plan (SSP) that defines how the controls are used and applied to the CUI. Any deviation is a violation that risks GT's reputation and could result in revenue loss from lawsuits and loss of contracts. Following the requirements below avoids unnecessary trips and delays.
- All endpoints must have all the GT-required tooling unless otherwise approved in the SSP, accompanied by a detailed risk analysis.
- The CUI subnet is not connected to all network switches by default, so TSO requires the location and wall jack where the endpoint will be physically connected.
- Admin access on COC endpoints is restricted to TSO to prevent circumvention of controls, such as turning on Wi-Fi or disabling tools.
- The CUI network blocks inbound and outbound access by default. A list of project-approved URLs or IP addresses must be provided before access is opened.
- If an endpoint is ordered and/or configured by TSO, please ensure TSO is aware it is for CUI.
- Existing devices must be marked with the required CUI labels so TSO can take the required precautions.
- Vulnerabilities and security events reported by tooling, GT Cybersecurity, or TSO must be taken care of as soon as possible.
- Security incidents, such as suspected breaches or data theft, are handled with an isolate-first approach: the endpoint is removed from the network before anything else.
- Endpoints without a physical network connection require a dock, dongle, etc., that supports MAC address passthrough so that only the endpoint can reach the CUI network.
- There are no PERs, as the system security plan is the document that defines the controls.
- DFARS projects automatically generate SSPs, but other projects do not; COC still requires an SSP.
CUI Requirements
This is a list of what is required for CUI as per NIST SP 800-171r3. A link is provided in the Related Links section for more details on these controls. This list is a summarized quick reference; each item breaks down into more specific controls that are covered by the GT SSP and established control methods. Questions can be directed to TSO, which has a security professional on staff to assist you.
- FIPS-validated cryptography in transit and at rest: examples are SFTP, SSH, BitLocker, FileVault, LUKS, and LUKS2 (preferred over LUKS1)
- CUI training: GT provides the required training that covers this.
- Least privilege access: TSO holds admin rights; users have non-admin rights unless admin rights are required, and such exceptions should be limited.
- Access control is limited to authorized users only. We use the GT account management processes.
- Information flow enforcement: controls where the data can go, including between machines, LANs, and outside GT networks
- Separation of duties: different people perform different functions to protect against abuse. For example, users do the work, the PI oversees, TSO performs network security, and GT manages endpoint tools and other security controls at the OIT level.
- Enforce a limit on unsuccessful login attempts: examples are Fail2Ban and GPOs set in Active Directory
- System use notifications: banners displaying messages and warnings at login
- Device lock: inactivity locks devices, e.g. screen locks that require the user to log back in to unlock
- Session termination: Remote sessions are terminated after a time of inactivity
- Remote access is controlled and monitored
- Wireless access restrictions: the COC CUI network is reachable via a wired interface only. Devices with CUI must not connect to other networks.
- Access control and encryption for mobile devices: currently they cannot connect to the CUI network because no wireless connectivity option exists.
- No use of external systems unless authorized and meeting all controls
- Event logging: GT requires logging to its servers, which are set up for CUI.
- Time stamps: system internal clocks provide timestamps
- Baseline configurations: include the system, system components, connectivity, operation, and communications
- Documented configuration settings and approved deviations from them
- Configuration change control: tracking, reviewing, approving or disapproving, and logging changes to the system
- Document and enforce physical and logical access restrictions and changes to them
- Least functionality: mission-critical capabilities only
- Software installation: deny all and allow by exception
- Inventory of endpoints
- Multifactor Authentication
- Incident handling: incident response for security events and incidents
- Media protection: labeling of CUI media (SD), physical control and storage, restricted access, proper sanitization, encryption, protection in transit, restrictions on the use of types of media (such as cages for endpoints and disabled USB ports), and assigning accountability for devices.
- Personnel security: screening, and updating access on termination or transfer.
- Physical access authorization: maintain an access control list and roles, as well as monitoring.
- Establish alternative controls and security for alternate sites: used for contingency
- Risk assessments: include risk response to findings from assessments, monitoring, audits, etc., and a POAM (Plan of Action and Milestones) as needed.
- Vulnerability scanning and monitoring
- Continuous monitoring
- Network boundary protection, including deny-by-default for inbound and outbound traffic
- Crypto key establishment and management
- Collaborative computing devices and applications: prohibit remote activation except through authorization, and provide an indication of use to users physically present. Examples are cameras, recording devices, whiteboards, etc.
- Mobile code use must be defined: examples are code from remote systems, Java applets, JavaScript, HTML5, etc.
- Flaw remediation: correcting flaws in systems and firmware, applying software security updates, and fixing vulnerabilities.
- Monitor security alerts, advisories, and directives from GT and external sources
- Define information management and retention
- System security plan: GT provides one.
- Supply chain risk management, as well as a plan to replace unsupported components
- Management of external system services: planning must follow the same CUI rules we follow
- Malware protection and remediation
Related Links
- NIST SP 800-171r3: https://doi.org/10.6028/NIST.SP.800-171r3
- GT System Security Plans: https://cui.gatech.edu/gt-standard-system-security-plan
- GT Security Standards: https://security.gatech.edu/information-security-procedures-standards-and-forms
- GT Cybersecurity Policies: https://policylibrary.gatech.edu/information-technology/cyber-security-policy
- CUI Training: https://cui.gatech.edu/cui_training/