If your organization handles data from or for the U.S. federal government, your responsibilities to protect that data don’t end with FIPS 140-2 compliance. Organizations that handle, process, receive or transmit a relatively new classification of sensitive data, “Controlled Unclassified Information”, or CUI, must also comply with the data protection requirements laid out in NIST SP 800-171 Rev. 2 (otherwise known as “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”).

This article will show you how Cerberus FTP Server can help ensure NIST SP 800-171 compliance during your data transfers.

What is NIST SP 800-171 R2 Compliance?

NIST SP 800-171 R2 compliance requires any individual or organization handling CUI to process that information according to a number of detailed data handling and access security requirements while also maintaining good information security practices throughout the organization.

What is Controlled Unclassified Information?

NIST’s definition of CUI encompasses any data considered sensitive because existing laws and regulations protect it from broad public dissemination. This information classification is quite broad and covers diverse categories ranging from federal taxpayer information to critical infrastructure security overviews to nuclear safeguard data. You can find the complete list of Controlled Unclassified Information at this link.

Information governed by CUI regulations has various levels of sensitivity and release restrictions, which can affect access permissions in file transfer scenarios.

What Organizations Must Comply with NIST SP 800-171 R2?

At a high level, any organization doing business with or transferring information to the U.S. Department of Defense (DoD), General Services Administration (GSA), National Aeronautics and Space Administration (NASA) and several other federal and state agencies must do so in a way that meets the NIST 800-171 requirements.

The compliance requirements can extend to non-federal systems as well. However, NIST notes that 800-171 compliance only applies to systems outside the federal government when a government agency’s purchasing agreement requires that the external system process, store, provide security protection for, or transmit CUI.

What are the NIST SP 800-171 R2 Requirements?

According to NIST SP 800-171 R2, organizations required to transact CUI must meet the data transfer security requirements below. Cerberus FTP Server’s fine-grained security settings support these requirements, and we’ve provided a data transfer compliance checklist below:

Access Protection

  • Limit system access to authorized users, processes and devices and require authentication of all connections.
  • Control CUI data flow such that it is only released according to authorized approval.
    • The Folder Monitor feature can support event-driven file retention policies, while Cerberus’s directory mapping and security group features can ensure that users only access data approved for release.
  • Employ strong account security practices that give the fewest data privileges possible and use MFA for more privileged accounts.
    • Cerberus’s User Manager enables administrators to control account directory and file access based on fine-grained security settings that are trimmed automatically based on the connection type.
  • Use strict account access procedures, including limiting failed logins, locking idle sessions, automatic session termination, strict password policies and monitoring of remote sessions.
  • Use blacklists and whitelists to allow only approved system access while maintaining encryption and authorization protection at each system boundary.

Data Encryption

  • Employ FIPS-validated cryptography to protect all data during access and transfer.

Device Access

  • Control mobile and wireless connections such that only authorized devices can access CUI and that CUI is encrypted on these platforms.
  • Limit connections and processing on external systems, including portable storage and publicly accessible systems.

Cerberus’s Server Manager provides fine-grained connection security to ensure only approved devices and recipients can interact with your data.

Logging and Auditing

  • Maintain logs of all transfers and account access that can be audited, and raise alerts when logging fails.

Cerberus FTP Server’s auditing and logging tools support detailed reports of all client and administrator activity by user name, date, file access and more.

Security Scanning

  • Conduct periodic vulnerability and security scanning.

Cerberus’s Enterprise Plus Edition includes built-in automated network scanning to provide an up-to-the-minute picture of your network environment and ensure compliance with this requirement.

Conclusion

Cerberus FTP Server is an ideal file transfer solution for government contractors working with CUI. Defense manufacturers, government software providers and vendors supporting sensitive data will find our software lightweight, easy to implement and headache-free when selecting a file server for NIST SP 800-171 R2 compliance.