Sherlock Cloud has been broadened to include a CUI-compliant environment. This expansion was in response to the federal government’s release of NIST 800-171 - Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. As the NIST 800-171 requirements are modeled after the NIST 800-53 requirements, and the Sherlock team has extensive experience working with the NIST 800-53 requirements, it was able to seamlessly build a comprehensive CUI platform.
NIST 800-171 requires non-federal entities that receive non-classified information (i.e., CUI) from the federal government to implement a variety of security protections when processing, storing, transmitting, and using CUI in non-federal information systems. The security requirements outlined in NIST 800-171 are based off of the NIST 800-53 Moderate baseline security families and controls and FIPS 200. Compliance with NIST 800-171 requires specialized knowledge and experience due to its grounding in NIST 800-53. Notably, NIST 800-171 applies to CUI when other laws or regulations are not applicable for protection (e.g., FISMA).
Only information that is in scope for CUI controls via NIST 800-171 is that which (1) the federal government/agency has designated as CUI and (2) is contractually agreed upon between the federal agency and institution; the contract must reference (a) the data specifically identified as CUI and received from the federal government/agency and (b) that the institution must follow the terms of NIST 800-171. NARA has defined what information qualifies as CUI in the CUI Registry (i.e., 22 top-level categories of data, with subcategories covering everything from electronic fund transfers to source selection in the procurement process).
NIST 800-171 was promulgated to ensure that:
• Certain types of federal information need to be protected when processed, stored, and used in non-federal information systems
• Sensitive federal information remains confidential when stored in nonfederal information systems and organizations.
• Statutory and regulatory requirements for protecting CUI are consistent, regardless of whether the data resides in federal or nonfederal information systems
The effect NIST SP 800-171 has on these nonfederal organizations can be significant, especially if they currently do not practice basic fundamental security and controls. It is incumbent on these organizations to familiarize themselves with NIST SP 800-171, FIPS 200 and NIST SP 800-53 before they agree to handle CUI on behalf of the U.S. government.
Example Sherlock Cloud controls that apply to CUI
• System Maintenance
• Central log collection and review of system logs
• Intrusion Detection Systems (IDS) monitoring, analysis and reporting
• Strong Authentication: using two-factor, one-time tokens
• Protection of data-at-rest through encryption (FIPS 140-2)
• Full back-up and archive, including off-site copy
• Hardened system configurations (STIG and CIS)
• Use of Jump-boxes to isolate systems and limit system exposure
• Encrypted tunnels for all data-in-transit outside of private network (SSH, RDP, SSL)
• Web Proxies and filters to limit web access
• Host-based firewalls
• Malicious software protection (Anti-Virus/malware SW)