NIST SP 800-171 and Document Security
Understanding NIST SP 800-171
Back in June 2015 the National Institute of Standards and Technology (NIST) published SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. The catchy acronym CUI is used to describe this information.
The intent of the standard is to ensure that:
- Statutory and regulatory requirements for the protection of CUI are consistent wherever CUI exists
- Safeguards are consistent in both federal and non-federal information systems and organizations
- The confidentiality impact value for CUI is no lower than moderate
The standard defines fourteen ‘families’ of security requirements for protecting CUI in nonfederal information systems and organizations. Non-federal organizations can implement a variety of potential security solutions, either directly or through the use of managed services.
This standard becomes mandatory as of 31 December 2017 for all defense suppliers that receive a contract or subcontract subject to the new requirements. This means that it becomes part of the DFAR contract requirement that suppliers will have to meet.
There are provisions that allow organizations to self-certify compliance rather than introducing a formal certification regime. But there is a sting in the tail: if non-compliance is discovered, then apart from contract termination there may be actions for criminal fraud and breach of contract.
Distributing documents securely
If you distribute CUI using PDF documents, then you are within the scope of NIST 800-171 compliance and you should consider whether you need to:
- Actively protect the CUI information distributed as PDF documents to sub-contractors and/or authorized third parties
- Limit access to only authorized users thereby controlling information posted or processed on publicly accessible information systems
- Limit the location(s) from which documents are viewed – for example a specific country or a location within a country (e.g. lock documents to an organization’s office location)
Ensure information becomes inaccessible
- Switch off authorized access in real-time by revoking user access on-the-fly
- Revoke documents after they have been distributed
- Ensure information expires automatically when it should no longer be viewed – either at a fixed date, after a number of days from first use, or after a number of uses (views and/or prints)
Control the availability of documents
- Stop use on specific types of device (e.g. mobile devices that can be easily shared)
- Prevent printing or limit the number of prints
- Stop users taking screenshots by preventing use of screen grabbers
- Stop users from distributing uncontrolled copies
Log document use
- Audit document use so you can see when your documents have been viewed and printed
- See when documents were made available and for what time period
- See what location documents were accessed from
Enforce information security
- Encrypt documents in transit and at rest
- Protect documents on your local computer – unprotected files always remain under your control
- Ensure that authorized users cannot edit/modify content or save it in an unprotected format
- No insecure plug-ins, Flash, or passwords to compromise security