Comply with NIST – protect Controlled Unclassified Information
Locklizard document security enables you to easily comply with NIST and DFAR contract requirements for protection of CUI (Controlled Unclassified Information).
Control document access, ensure information becomes inaccessible both automatically and on demand, control document use (e.g. stop printing or lock use to specific locations), log document use and enforce information security controls regardless of where documents reside.
Understanding NIST SP 800-171, DFAR contract requirements & Protection of CUI
Back in June 2015 the National Institute of Standards and Technology (NIST) published SP 800-171, for Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. The catchy acronym CUI is used to describe the information.
The intent of the standard is to ensure that:
- Statutory and regulatory requirements for the protection of CUI are consistent wherever CUI exists
- Safeguards are consistent in both federal and non-federal information systems and organizations
- The confidentiality impact value for CUI is no lower than moderate
They define fourteen ‘families’ of security requirements for protecting CUI in nonfederal information systems and organizations. Non-federal organizations can implement a variety of potential security solutions either directly or through the use of managed services.
This standard became mandatory as of 31 December 2017 for all defense suppliers that receive a contract or subcontract subject to the new requirements. What this means is that it becomes a part of the DFAR contract requirement that suppliers will have to meet.
There are provisions that allow organizations to self-certify compliance rather than introducing a formal certification regime. But there is a sting in the tail that in the event of non-compliance being discovered, apart from contract termination there may be actions for criminal fraud and breach of contract.
Distributing documents securely: protecting controlled unclassified information
If you distribute CUI information using PDF documents then you are within the scope of NIST 800-171 compliance and you should consider if you need to:
- Actively protect the CUI information distributed as PDF documents to sub-contractors and/or authorized third parties
- Limit access to only authorized users thereby controlling information posted or processed on publicly accessible information systems
- Limit the location(s) from which documents are viewed – i.e. a specific country or location within a country (i.e. lock documents to an organization’s office location)
Ensure information becomes inaccessible
- Switch off authorized access in real-time by revoking user access on-the-fly
- Revoke documents after they have been distributed
- Ensure information expires automatically when it no longer should be viewed – either at a fixed date, after a number of days from first use, or a number of uses (views and / or prints)
Control the availability of documents
- Stop use on specific types of device (e.g. mobile devices that can be easily shared)
- Prevent printing or limit the number of prints
- Stop users taking screen shots by preventing use of screen grabbers
- Stop users from distributing uncontrolled copies
Log document use
- Audit document use so you can see when your documents have been viewed and printed
- See when documents were made available and for what time period
- See what location documents were accessed from
Enforce information security
- Encrypt documents in transit and at rest
- Protect documents on your local computer – unprotected files are always under your control
- Ensure that authorized users cannot edit/modify content or save it in an unprotected format
- Include dynamic watermarking to identify the authorized recipient
- No insecure plug-ins, flash, or passwords to compromise security