Hello, and welcome to the NIST 800-171 learning path. My name is Dave Harun, I'm your instructor for this class, and this is Course 2: Understanding and implementing the 110 NIST 800-171 requirements. As you know, there are 14 requirement families. In this video, we'll take a look at requirement family 3.13, System and Communications Protection. This is all about measures to protect CUI from exposure, and it has 16 requirements.

Our first requirement is 3.13.1: Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of organizational systems. This is a basic requirement. In this context, boundaries are things like routers, firewalls, VPNs, et cetera. You need to ensure that you monitor, control, and protect communications at these boundaries. You can check out Special Publication 800-41 for firewall guidance and Special Publication 800-125B for guidance on securing virtualization technologies.

3.13.2 is: Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational systems. This is a basic requirement. You want to make sure that you're applying concepts and principles to build and deploy trustworthy, secure, and resilient systems, which will obviously be less susceptible to attack. It really boils down to designing systems with security from the beginning, building security in by design, and thinking about hardening. These concepts and principles should be applied to new systems as well as legacy systems wherever possible. You can check out Special Publication 800-61 for guidance on system security engineering. You might also check out things like the CIS Benchmarks.

The next requirement is 3.13.3: Separate user functionality from system management functionality. This is a derived requirement.
It's about ensuring that ordinary users can't access administrative functionality: we want to separate administrative functionality from user functionality, and the guidance points out that this could be implemented through physical or logical means.

3.13.4 is: Prevent unauthorized and unintended information transfer via shared system resources. This is a derived requirement, and the discussion says, "This requirement prevents information produced by the actions of prior users or roles, or the actions of processes acting on behalf of prior users or roles, from being available to any current users or roles, or current processes acting on behalf of current users or roles, that obtain access to shared resources after those resources have been released back to the system." This really boils down to: you wouldn't want a user to have access to a previous user's session information and be able to access the CUI. This covers encrypted data, but does not cover information remanence, covert channels, or systems with single users.

3.13.5 is: Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. Another derived requirement. It really boils down to building DMZs to protect your trusted network from the public network and making sure that you've got that level of protection built in. You can check out Special Publication 800-41 for guidance on firewalls and firewall policy to help you build your DMZ.

3.13.6: Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). This is another derived requirement. It's really about building firewall rules to ensure that you're denying everything except that which is explicitly permitted, for all inbound and outbound traffic at your boundaries. In other words, use a whitelist.

3.13.7:
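To make the deny-all, permit-by-exception idea of 3.13.6 concrete, here is an added example (not from the course or from NIST) of a boundary policy evaluator: traffic is denied unless an explicit allow rule matches, and the same allowlist is rendered as an nftables chain whose base policy is drop. The networks, ports and sample flows are constructed for the demo, and the nftables rendering is a hypothetical illustration that omits interface matching.

```python
"""Deny-all, permit-by-exception boundary policy.

Added example for 3.13.6 (not from the course). Every flow is denied unless an
explicit allow rule matches. The networks, ports and sample flows are
constructed for the demo; the nftables rendering is a hypothetical
illustration and omits interface matching.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    direction: str  # "in" (toward the internal network) or "out"
    proto: str      # "tcp" or "udp"
    src: str        # source IP address
    dst: str        # destination IP address
    dport: int      # destination port


@dataclass(frozen=True)
class AllowRule:
    direction: str
    proto: str
    src_net: str
    dst_net: str
    dports: frozenset  # the only ports this rule permits

    def matches(self, flow: Flow) -> bool:
        return (
            flow.direction == self.direction
            and flow.proto == self.proto
            and ipaddress.ip_address(flow.src) in ipaddress.ip_network(self.src_net)
            and ipaddress.ip_address(flow.dst) in ipaddress.ip_network(self.dst_net)
            and flow.dport in self.dports
        )


# Constructed allowlist for a hypothetical boundary: 10.0.0.0/8 is internal,
# 10.1.1.0/24 is a DMZ web tier, 10.0.0.53 is the internal resolver.
ALLOW_RULES = [
    AllowRule("in", "tcp", "0.0.0.0/0", "10.1.1.0/24", frozenset({443})),
    AllowRule("out", "tcp", "10.0.0.0/8", "0.0.0.0/0", frozenset({443})),
    AllowRule("out", "udp", "10.0.0.0/8", "10.0.0.53/32", frozenset({53})),
]


def decide(flow: Flow, rules=ALLOW_RULES) -> str:
    """Return 'allow' if an explicit rule matches, else the default 'deny'."""
    for rule in rules:
        if rule.matches(flow):
            return "allow"
    return "deny"


def render_nft(rules=ALLOW_RULES) -> str:
    """Render the allowlist as an nftables chain whose base policy is drop."""
    lines = [
        "table inet boundary {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
    ]
    for r in rules:
        ports = ",".join(str(p) for p in sorted(r.dports))
        match = []
        if r.src_net != "0.0.0.0/0":
            match.append(f"ip saddr {r.src_net}")
        if r.dst_net != "0.0.0.0/0":
            match.append(f"ip daddr {r.dst_net}")
        match.append(f"{r.proto} dport {{ {ports} }} accept")
        lines.append("    " + " ".join(match))
    lines += ["  }", "}"]
    return "\n".join(lines)


if __name__ == "__main__":
    samples = [
        Flow("in", "tcp", "203.0.113.7", "10.1.1.10", 443),  # public -> DMZ HTTPS
        Flow("in", "tcp", "203.0.113.7", "10.1.1.10", 22),   # public -> DMZ SSH
        Flow("out", "udp", "10.2.3.4", "8.8.8.8", 53),       # DNS bypassing the resolver
    ]
    for f in samples:
        print(decide(f), f)
    print(render_nft())
```

The point to notice is that `decide` has no "deny" rules at all: anything not listed falls through to the default, which is exactly the "deny all, permit by exception" posture. The outbound DNS rule shows why outbound rules matter as much as inbound ones: a host that can resolve names through an arbitrary external resolver has a channel that the policy never reviewed.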
Prevent remote devices from simultaneously establishing non-remote connections with organizational systems and communicating via some other connection to resources in external networks (i.e., split tunneling). This is a derived requirement, and essentially they're saying split tunneling could allow an attack that would lead to the exfiltration of CUI. They tell you that you need to disable split tunneling on devices that would support it. For example, someone comes in, plugs into your local network, and then uses something like a hotspot on a phone to establish a connection to an external network, which could then lead to the exfiltration of CUI. You want to stop that. They say to scan remote devices and block connectivity if the device supports split tunneling.

3.13.8 is: Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. This essentially says you need to use encryption for data in transit, and you want to make sure that you're using FIPS-approved encryption.

3.13.9: Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. This is a derived requirement and really boils down to ensuring, for internal and external communications, that when a user session is over the connection is terminated, and likewise after a defined period of inactivity. You wouldn't want someone to be able to hijack that session and exfiltrate CUI, so you want to make sure those connections are terminated.

3.13.10: Establish and manage cryptographic keys for cryptography employed in organizational systems. This is really about key management. It's a derived requirement. You need to make sure that you have key management based on applicable federal laws, policies, directives, regulations, and executive orders, and you can check out Special Publications 800-56A and 800-57 Part 1.
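The two halves of 3.13.9 (terminate at the end of the session, and terminate after a defined idle period) are easiest to see in code. The following is an added example, not from the course or from NIST: a session table that closes sessions on explicit logout, after an idle limit, and after an absolute lifetime, with every termination recorded for audit. The clock is injected so the behaviour is deterministic, and the timeout values are constructed for the demo rather than numbers the requirement prescribes.

```python
"""Session termination at end of session and after a defined idle period.

Added example for 3.13.9 (not from the course). A SessionTable tracks live
sessions and terminates any that has been idle longer than IDLE_TIMEOUT or has
lived longer than ABSOLUTE_TIMEOUT. The clock is injected so the behaviour is
deterministic; the timeout values are constructed, not NIST-mandated numbers.
"""
from dataclasses import dataclass
import time

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before termination
ABSOLUTE_TIMEOUT = 8 * 3600   # hard cap on lifetime, even for an active session


@dataclass
class Session:
    session_id: str
    user: str
    started_at: float
    last_activity: float


class SessionTable:
    def __init__(self, clock=time.monotonic, idle=IDLE_TIMEOUT, absolute=ABSOLUTE_TIMEOUT):
        self._clock = clock            # callable returning seconds
        self._idle = idle
        self._absolute = absolute
        self._sessions = {}
        self.terminated = []           # audit trail of (session_id, reason)

    def open(self, session_id: str, user: str) -> None:
        now = self._clock()
        self._sessions[session_id] = Session(session_id, user, now, now)

    def touch(self, session_id: str) -> bool:
        """Record activity on a session. Returns False if it no longer exists
        (expired or closed), so the caller must re-authenticate instead of continuing."""
        self.reap()
        session = self._sessions.get(session_id)
        if session is None:
            return False
        session.last_activity = self._clock()
        return True

    def close(self, session_id: str, reason: str = "logout") -> None:
        """Terminate a session explicitly (end of session)."""
        if self._sessions.pop(session_id, None) is not None:
            self.terminated.append((session_id, reason))

    def reap(self) -> None:
        """Terminate every session past its absolute lifetime or its idle limit."""
        now = self._clock()
        for sid, s in list(self._sessions.items()):
            if now - s.started_at >= self._absolute:
                self.close(sid, "absolute-timeout")
            elif now - s.last_activity >= self._idle:
                self.close(sid, "idle-timeout")

    def active(self) -> list:
        """Session ids still alive after expired ones have been reaped."""
        self.reap()
        return sorted(self._sessions)
```

Two design choices matter here. `touch` reaps before it checks, so an expired session can never be revived by a late request, which is the window a hijacker would otherwise use. And the absolute lifetime is checked before the idle limit, so a session that is kept artificially "active" by periodic traffic still ends. In a real deployment the same logic also has to tear down the underlying transport (close the socket, invalidate the cookie or token), not just the table entry.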
Those give guidance on key establishment and management.

3.13.11 is: Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. This is a derived requirement and really gets to the fact that the government wants to ensure that you're using the appropriate cryptography to protect CUI, something like AES-256 for example.

3.13.12: Prohibit remote activation of collaborative computing devices and provide an indication of devices in use to users present at the device. This really boils down to the fact that in our modern world we have all kinds of devices, like notebooks, smart boards, and smart TVs, that have cameras and microphones built in. You want to ensure that those can't be remotely activated, so that someone can't surreptitiously access that camera or microphone without your knowledge, which could lead to the exfiltration of CUI, and you want to ensure that there is some indication on these devices when they are in use, like a light that tells you the webcam is on. They do point out that dedicated video conferencing systems that rely on one party calling another party are excluded.

You've got 3.13.13: Control and monitor the use of mobile code. This is a derived requirement, and the discussion says, "Mobile code technologies include Java, JavaScript, ActiveX, PostScript, PDF, Flash, and VBScript." You need to understand what would fall into that bucket. They say to create policies and procedures to control or prevent the introduction of dangerous mobile code, and to consider blocking mobile code that is not digitally signed by a trusted source.

3.13.14: Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. This is a derived requirement. They point out that VoIP systems are vulnerable to the same attacks as any IP-based system.
You need to ensure that you're protecting your VoIP-based systems, since attacks on them could ultimately lead to the exfiltration of CUI, and you can see Special Publication 800-58 for guidance on VoIP systems.

You've got 3.13.15: Protect the authenticity of communications sessions. This is a derived requirement. You want to protect communications sessions at the session level: you need to validate the identity of all parties as well as the validity of the information transmitted. You can check out Special Publications 800-77, 800-95, and 800-113 for guidance on secure communications.

You have 3.13.16: Protect the confidentiality of CUI at rest. This is a derived requirement. It's about securing data at rest with strong encryption whenever possible, AES-256 for example. They mention that alternative controls may be acceptable when encryption is not a possibility, but encryption is definitely your best choice.

That gets us through all the controls in this control family. Thanks for watching, and I will see you in the next video.
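Session authenticity (3.13.15) means the receiver can confirm who sent each message and that it arrived unaltered and fresh. As an added example, not from the course or from NIST, the code below authenticates a session with HMAC-SHA-256: both ends share a per-session key (the kind of key that the key management in 3.13.10 would establish), and every frame carries a sender identity, a sequence number and a tag, so a tampered frame, a replayed frame and a frame reflected back to its own sender are all rejected. The identities, key and messages are constructed for the demo. Two caveats that matter in practice: HMAC provides authenticity only, so confidentiality in transit (3.13.8) still needs encryption such as TLS; and HMAC-SHA-256 being an approved algorithm does not by itself satisfy 3.13.11, since FIPS validation applies to the cryptographic module your runtime is linked against, not to the calling code.

```python
"""Session authenticity with HMAC-SHA-256 and sequence numbers.

Added example for 3.13.15 (not from the course). Both ends hold a per-session
key (established by the key management discussed under 3.13.10); every frame is
sender-id || seq || payload || tag, so the receiver can check who sent it, that
it was not altered, and that it is not a replay or a reflected copy of its own
traffic. Identities, key and messages are constructed for the demo.
"""
import hashlib
import hmac
import secrets
import struct

ID_LEN = 8    # sender identity, zero-padded to a fixed width
SEQ_LEN = 8   # 64-bit big-endian sequence number
TAG_LEN = 32  # HMAC-SHA-256 output


def _pad_id(ident: bytes) -> bytes:
    if len(ident) > ID_LEN:
        raise ValueError("identity too long")
    return ident.ljust(ID_LEN, b"\x00")


def _tag(key: bytes, sender: bytes, seq: int, payload: bytes) -> bytes:
    # Binding the sender id and seq into the MAC is what defeats reflection and replay.
    return hmac.new(key, sender + struct.pack(">Q", seq) + payload, hashlib.sha256).digest()


class Endpoint:
    def __init__(self, my_id: bytes, peer_id: bytes, key: bytes):
        self.my_id = _pad_id(my_id)
        self.peer_id = _pad_id(peer_id)
        self.key = key
        self.send_seq = 0  # next sequence number we will emit
        self.recv_seq = 0  # next sequence number we expect from the peer

    def send(self, payload: bytes) -> bytes:
        seq = self.send_seq
        self.send_seq += 1
        header = self.my_id + struct.pack(">Q", seq)
        return header + payload + _tag(self.key, self.my_id, seq, payload)

    def receive(self, frame: bytes) -> bytes:
        """Return the payload if the frame is authentic and fresh; raise ValueError otherwise."""
        if len(frame) < ID_LEN + SEQ_LEN + TAG_LEN:
            raise ValueError("truncated frame")
        sender = frame[:ID_LEN]
        seq = struct.unpack(">Q", frame[ID_LEN:ID_LEN + SEQ_LEN])[0]
        payload = frame[ID_LEN + SEQ_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        if sender != self.peer_id:
            raise ValueError("frame not from the expected peer")  # reflection / third party
        if not hmac.compare_digest(tag, _tag(self.key, sender, seq, payload)):
            raise ValueError("bad authentication tag")           # tampered or wrong key
        if seq != self.recv_seq:
            raise ValueError("replayed or out-of-order frame")
        self.recv_seq += 1
        return payload


def _rejected(endpoint: Endpoint, frame: bytes) -> bool:
    try:
        endpoint.receive(frame)
        return False
    except ValueError:
        return True


def run_demo() -> dict:
    """Exercise the honest exchange and three manipulated frames; return what happened."""
    key = secrets.token_bytes(32)  # constructed per-session key
    client = Endpoint(b"client", b"server", key)
    server = Endpoint(b"server", b"client", key)
    first = client.send(b"GET /cui/report")
    results = {"accepted": server.receive(first) == b"GET /cui/report"}
    # Flip one bit of the payload (the byte just before the tag) and keep the old tag.
    idx = len(first) - TAG_LEN - 1
    tampered = first[:idx] + bytes([first[idx] ^ 0x01]) + first[idx + 1:]
    results["tampered_rejected"] = _rejected(server, tampered)
    results["replay_rejected"] = _rejected(server, first)      # valid tag, stale seq
    results["reflection_rejected"] = _rejected(client, first)  # client's own frame bounced back
    results["next_accepted"] = server.receive(client.send(b"next")) == b"next"
    return results


if __name__ == "__main__":
    print(run_demo())
```

Note the order of checks in `receive`: the tag is verified with `hmac.compare_digest` (constant time) before the sequence number is consulted, so an unauthenticated frame cannot probe or advance the receiver's state. Production protocols such as TLS do the same job with a per-direction key and a record counter; the example keeps a single key and relies on the sender identity inside the MAC to separate the two directions.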