Information System Security Plan (ISSP) For Moderate Impact … › documents › nist-guide › NIST 800... · 2017-09-14 · Protecting Controlled Unclassified Information on Non-federal


Information System Security Plan (ISSP) For Moderate Impact Control on Non-Federal Information Systems

Insert Version

Approved By: _____________________________________________ Approval Date: __________

Insert Approver Title

Approved By: _____________________________________________ Approval Date: __________

Insert Approver Title

Approved By: _____________________________________________ Approval Date: __________

Insert Approver Title

This is an INSERT NAME OF ORGANISATION internal document. It shall be used and disclosed externally for evaluation purposes only. Disclosure of this document outside the Government for any purpose is strictly forbidden.


Table of Contents

Purpose (page 3)
Instructions (page 3)
Additional Resources (page 3)
List of Exhibits and Addendums (page 4)
Revision History (page 5)
Executive Summary (page 6)
System Inventory (page 6)
Security Categorization (page 7)
Scope Evaluation for NIST 800-171 (page 8)
    Segmentation Considerations (page 8)
    Compliance Lifecycle (page 9)
    Scoping Categories (page 10)
General System Description (page 12)
System Environment (page 12)
System Interconnections/Information Sharing (page 12)
NIST 800-171 Minimum Controls (page 13)
Global/SFC Valve Compliance App (page 27)
    The instructions for using the app are the following (page 28)
    Troubleshooting and Frequently Asked Questions (page 29)
Applicable Laws and Regulations (page 29)
Acronyms and Definitions (page 30)
Terms Defined (page 34)


Purpose:

The purpose of an information system security plan is to outline the management, operational, and technical safeguards and countermeasures needed for an information system. This guide aids in the creation of an organization's security plan for NIST 800-171 and helps outline its implementation process.

Instructions:

The organization shall complete this NIST 800-171 information system security plan before December 31, 2017 in order to retain all contracts involving CUI. The ISSP describes the processes and procedures the contractor will follow to ensure the appropriate security of IT resources that are developed, processed, or used under this contract.

This guide can be used as a template for an organization's information system security plan. Each section describes the methods that should be used to identify or implement the NIST 800-171 security controls. The first seven sections of this guide are used to help identify, track, understand, and collect information on the organization's information system. The sections are: System Identification, General System Description, Security Categorization, System Inventory, Scope Evaluation, System Environment, and Interconnections/Information Sharing.

Contractors should be aware of any other compliance regimes they are subject to, such as Sarbanes-Oxley (SOX) or HIPAA. Controls implemented for those regimes may overlap with NIST 800-171; if so, they can be used as a reference for completing the information system security plan.

Please note: the Purpose, Instructions, and Additional Resources sections should not be included in the actual ISSP form. They are references to aid the contractor in completing its information system security contract requirements.

Any text underlined in the ISSP should be removed or replaced, and all tables and templates should be completed.

Additional Resources:

Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, NIST Special Publication 800-171 Revision 1

Security and Privacy Controls for Federal Information Systems and Organizations, NIST Special Publication 800-53 Revision 4

Guide for Developing Security Plans for Federal Information Systems, NIST Special Publication 800-18 Revision 1

List of Exhibits and Addendums:

A list of exhibits and addendums is a helpful way to organize files that are not in the plan itself, such as the company's inventory of devices.

Examples of Exhibits and Addendums:

List of Exhibits

Form     Revision   Title
Cl-001   -----      Yearly Audit Plan
Cl-002   -----      Vendor Letter
Cl-003   -----      Employee Computer Operation and Security Policy


List of Addendums

Addendum   Revision   Title
A          -----      System Inventory List
B          -----      System Identification
C          -----      Controls and Common Control Methods
D          -----      Prioritization Chart

Revision History:

A revision history helps establish whether the plan is up to date with new additions.

Example of a Revision History Table:

Date         Author              Version   Change Reference
DD/MM/YYYY   Company name here   1.0       Drafted Document
DD/MM/YYYY   Company name here
DD/MM/YYYY   Company name here


Executive Summary

(The following summary is adapted from NIST SP 800-18.)

The objective of system security planning is to improve protection of information system resources. All federal systems have some level of sensitivity and require protection as part of good management practice. The protection of a system must be documented in a system security plan. The completion of system security plans is a requirement of the Office of Management and Budget (OMB) Circular A-130, "Management of Federal Information Resources," Appendix III, "Security of Federal Automated Information Resources," and Title III of the E-Government Act, entitled the Federal Information Security Management Act (FISMA).

The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements. The system security plan also delineates responsibilities and expected behavior of all individuals who access the system. The system security plan should be viewed as documentation of the structured process of planning adequate, cost-effective security protection for a system. It should reflect input from various managers with responsibilities concerning the system, including information owners, the system owner, and the senior agency information security officer (SAISO). Additional information may be included in the basic plan, and the structure and format organized according to agency needs, so long as the major sections described in this document are adequately covered and readily identifiable.

In order for the plans to adequately reflect the protection of the resources, a senior management official must authorize a system to operate. The authorization of a system to process information, granted by a management official, provides an important quality control. By authorizing processing in a system, the manager accepts its associated risk.

Management authorization should be based on an assessment of management, operational, and technical controls. Since the system security plan establishes and documents the security controls, it should form the basis for the authorization, supplemented by the assessment report and the plan of action and milestones. In addition, a periodic review of controls should also contribute to future authorizations. Re-authorization should occur whenever there is a significant change in processing, but at least every three years.

System Inventory:

This section is for identifying all the different systems and devices located within the contractor's/organization's information system. To aid in this, create a system inventory and a system identification addendum.

The reason for creating a system inventory is that it aids in the later process of identifying where CUI is located and which devices have access to it, which feeds the later Scope Evaluation section. There are different ways to create the inventory list; Addendum A is a template created to show the information that should be identified in the list.

After creating the system inventory, look at the different systems and identify the following: (1) the name of the system, (2) whether it is a major application or a general support system, and (3) the system information type: Management and Support or Mission-Based. This can be recorded in different ways; a template is located in Addendum B.

Security Categorization:

In this section, conduct a FIPS 199 security categorization of the system based on the potential impact of a loss of Confidentiality, Integrity, and Availability. Below is the general potential impact chart for those three security objectives.

POTENTIAL IMPACT (FIPS 199)

Security Objective: Confidentiality
Definition: Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.
LOW: The unauthorized disclosure of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
MODERATE: The unauthorized disclosure of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
HIGH: The unauthorized disclosure of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Security Objective: Integrity
Definition: Guarding against improper information modification or destruction, including ensuring information non-repudiation and authenticity.
LOW: The unauthorized modification or destruction of information could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
MODERATE: The unauthorized modification or destruction of information could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
HIGH: The unauthorized modification or destruction of information could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

Security Objective: Availability
Definition: Ensuring timely and reliable access to and use of information.
LOW: The disruption of access to or use of information or an information system could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.
MODERATE: The disruption of access to or use of information or an information system could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.
HIGH: The disruption of access to or use of information or an information system could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
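The chart above gives the impact definitions; FIPS 199 turns them into a system categorization by the high-water mark: for each security objective, take the highest rating across every information type the system handles, never lower than LOW at the system level (a system's own processing functions always need some protection), and the overall impact level is the highest of the three. The script below is an added example and is not part of this template or its tracker app. The information-type names and ratings are constructed sample data, and the function and constant names are this example's own.

```python
"""FIPS 199 security categorization by high-water mark (added example, not
part of the ISSP template). Information types and ratings are constructed
sample data."""

LEVELS = ("N/A", "LOW", "MODERATE", "HIGH")   # ordered from lowest to highest
OBJECTIVES = ("confidentiality", "integrity", "availability")


def _rank(level):
    return LEVELS.index(level)


def categorize_system(info_types):
    """Return (per_objective, overall) for a system handling the given info types.

    info_types: {type name: {"confidentiality": L, "integrity": L, "availability": L}}
    FIPS 199 allows "N/A" only for the confidentiality of an information type
    (public information) and never for a system, so the system-level result for
    every objective is floored at LOW.
    """
    if not info_types:
        raise ValueError("a system must handle at least one information type")
    per_objective = {}
    for objective in OBJECTIVES:
        highest = "LOW"  # system-level low-water mark
        for name, ratings in info_types.items():
            level = ratings[objective].strip().upper()
            if level not in LEVELS:
                raise ValueError(f"{name}: unknown {objective} level {level!r}")
            if level == "N/A" and objective != "confidentiality":
                raise ValueError(f"{name}: N/A is only permitted for confidentiality")
            if _rank(level) > _rank(highest):
                highest = level
        per_objective[objective] = highest
    overall = max(per_objective.values(), key=_rank)
    return per_objective, overall


def format_security_category(per_objective):
    """Render the category in the FIPS 199 notation used in security plans."""
    return "SC information system = {" + ", ".join(
        f"({o}, {per_objective[o]})" for o in OBJECTIVES) + "}"


# Constructed sample: a contractor system handling contract CUI alongside
# public material and routine administrative records.
SAMPLE_INFO_TYPES = {
    "contract technical data (CUI)": {
        "confidentiality": "MODERATE", "integrity": "MODERATE", "availability": "LOW"},
    "public marketing material": {
        "confidentiality": "N/A", "integrity": "LOW", "availability": "LOW"},
    "routine administrative records": {
        "confidentiality": "LOW", "integrity": "LOW", "availability": "LOW"},
}

if __name__ == "__main__":
    per, overall = categorize_system(SAMPLE_INFO_TYPES)
    print(format_security_category(per))
    print("Overall impact level:", overall)
```

Because this plan is written for moderate impact, a HIGH result for any objective falls outside what the plan covers and should be raised with the approving official before the remaining sections are filled in.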

Scope Evaluation for NIST 800-171:

NIST 800-171 is focused on protecting the CUI environment, which is where Controlled Unclassified Information (information that is not classified but that law, regulation, or government-wide policy requires be safeguarded) is stored, processed, or transmitted.

Segmentation Considerations

Network segmentation should be viewed as a process to isolate system components that store, process, or transmit CUI from systems that do not. Adequate network segmentation may reduce the scope of the CUI environment and thereby reduce the overall scope of a NIST 800-171 audit.

To eliminate ambiguity surrounding the term "segmentation" in terms of NIST 800-171 scoping, this document will use one of the two following terms:

• Isolation: achieved when no network traffic between two system components is permitted.

• Controlled Access: achieved when access between system components is restricted to defined parameters.
  o Controlled access is more common than isolation.
  o Restrictions may include logical access control, traffic type (e.g., port, protocol or service), the direction from which the connection is initiated (e.g., inbound, outbound), etc.

Mechanisms providing the isolation or controlled access functionality may be either logical or physical. Examples of mechanisms include network and host-based firewalls, virtual routing and switching appliances, and access control lists.


Compliance Lifecycle

The table below outlines the key milestones in achieving and maintaining compliance with

NIST 800-171 requirements.

Milestone: Confirm the Accuracy of the Assessment Scope
Document the company's business processes and data workflows for known and potential instances where CUI is stored, processed, or transmitted. After gaining a complete understanding of all people, process, and technology-related interactions with CUI, identify and document all locations and flows of CUI across the organization.

Milestone: Evaluate the Business Need for Each Location and Flow of CUI
For each instance identified above, evaluate the business need to handle CUI:
• If CUI is not needed, stop collecting it and securely delete what has been collected.
• If CUI is required, consider migrating or consolidating it elsewhere in the CUI environment to reduce scope, improve control, and mitigate risk.

Milestone: Use the Decision Tree to Categorize Systems
Use the Summary of Categories chart to determine whether each system component is in the scope of assessment, and assign it a specific scoping sub-category.
Note: The result of categorizing each system component helps identify the relevant risks to the CUI environment. Completing this step can be used in support of NIST 800-171 requirement 3.11 (e.g., periodically assess the risk to organizational operations).

Milestone: Evaluate Scoping Conclusions and Consider Further Reducing the Scope of Assessment
Consider the risk implications of the scoping conclusions and identify potential opportunities to further reduce assessment scope (e.g., re-architecting business processes, data flows, and/or the control environment).
Evaluate each in-scope system component against all NIST 800-171 requirements for applicability and necessity, based on the risk to CUI and the overall control environment.

Architect, design, implement and document the controls required to adequately mitigate the identified risk to CUI.

Assess the controls for design and operating effectiveness, at the level of both the system components and the environment.

Scoping Categories

The CUI environment encompasses the people, processes and technology that store, process or transmit CUI.

• Store: when CUI is inactive or at rest (e.g., located on electronic media, system component memory, paper).
• Process: when CUI is actively being used by a system component (e.g., entered, edited, manipulated, printed, viewed).
• Transmit: when CUI is being transferred from one location to another (e.g., data in motion).

NIST categorizes system components as being either in or out of scope for NIST 800-171, so there is no official guidance at a more granular level. This document defines three categories of system components and highlights the different types of risk associated with each category. This approach makes it more evident which system components are the most important to protect, based on the types of risk posed to CUI.

Every system component within the company's computing environment can be categorized into one and only one of the following:

• Category 1 (High): system components that process, store or transmit CUI, or that are not isolated or restricted through controlled access from other Category 1 system components.
• Category 2 (Medium): system components that have controlled access to a Category 1 system component.
• Category 3 (Low): system components that are isolated from all Category 1 system components.

Categorizing each system component into one of these categories achieves several key results:

• Identifies all system components that are within the scope of NIST 800-171 compliance;
• Aids in documenting risks to CUI as each system component within the environment is analyzed;
• As Category 2 system components are further sub-categorized, helps clarify risks to CUI; and
• Enables the objective evaluation of CUI controls for applicability and necessity.

Summary of Categories

Category | Description | Method of Segmentation | CUI? | Vector of Attack? | In scope for NIST 800-171?
1a | Devices that store, process or transmit CUI. | N/A | YES | YES | YES
1b | Devices that do not store, process or transmit CUI, but are "infected by" Category 1a devices due to the absence of controlled access or isolation. | N/A | NO | YES | YES
2a | System components which, through controlled access, provide security services (e.g., authentication) to a Category 1 device. | Controlled Access | NO | YES | YES
2b | System components which, through controlled access, can initiate an inbound connection to a Category 1 device. | Controlled Access | NO | YES | YES
2c | System components which, through controlled access, can only receive a connection from a Category 1 device (i.e., cannot initiate a connection). | Controlled Access | NO | YES | YES
2d | System components which, through indirect and controlled access, have the ability to administer Category 1 devices. | Controlled Access | NO | YES | YES
3 | Systems that do not store, process or transmit CUI. All network traffic between Category 3 and Category 1 devices is restricted (isolation). | Isolated | NO | NO | NO
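The decision tree in the Summary of Categories, together with the isolation versus controlled-access distinction from the Segmentation Considerations section, can be applied mechanically to an inventory plus a list of permitted network flows. The script below is an added example and is not part of this template or its tracker app. The component names, flags and flows are constructed sample data, and the order of precedence it applies when a component matches more than one Category 2 sub-category (2a, then 2d, then 2b, then 2c) is this example's own assumption, since the page states that each component gets exactly one category but gives no tie-break.

```python
"""Scoping decision tree for the Summary of Categories (added example, not
part of the ISSP template or its tracker app). Components and flows below are
constructed sample data."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Component:
    name: str
    handles_cui: bool = False          # stores, processes or transmits CUI (Category 1a)
    security_service: bool = False     # supplies e.g. authentication to other components
    admin_of: frozenset = frozenset()  # names of components it can administer


@dataclass(frozen=True)
class Flow:
    """A permitted network path. controlled=False means any port/protocol in
    either direction is allowed (no segmentation); controlled=True means the
    path is restricted to defined ports/protocols, initiated from src to dst."""
    src: str
    dst: str
    controlled: bool


def scope_components(components, flows):
    """Assign each component exactly one scoping category; returns {name: category}."""
    names = {c.name for c in components}
    for f in flows:
        if f.src not in names or f.dst not in names:
            raise ValueError(f"flow {f.src}->{f.dst} references an unknown component")

    category = {c.name: "1a" for c in components if c.handles_cui}
    cat1 = set(category)

    # Category 1b: unrestricted traffic with any Category 1 component makes a
    # component Category 1 as well, and that status spreads until nothing new
    # is "infected".
    grew = True
    while grew:
        grew = False
        for f in flows:
            if f.controlled:
                continue
            for here, there in ((f.src, f.dst), (f.dst, f.src)):
                if here in cat1 and there not in cat1:
                    category[there] = "1b"
                    cat1.add(there)
                    grew = True

    # Remaining components reach Category 1 only via controlled access, or not at all.
    for c in components:
        if c.name in cat1:
            continue
        initiates = any(f.controlled and f.src == c.name and f.dst in cat1 for f in flows)
        receives = any(f.controlled and f.dst == c.name and f.src in cat1 for f in flows)
        if not (initiates or receives):
            category[c.name] = "3"    # isolated: no path to Category 1 at all
        elif c.security_service:
            category[c.name] = "2a"   # provides security services to Category 1
        elif c.admin_of & cat1:
            category[c.name] = "2d"   # can administer Category 1 devices
        elif initiates:
            category[c.name] = "2b"   # can open inbound connections to Category 1
        else:
            category[c.name] = "2c"   # only receives connections from Category 1
    return category


def in_scope(category):
    """Everything except isolated Category 3 is in scope for NIST 800-171."""
    return category != "3"


# Constructed sample inventory and permitted flows.
SAMPLE_COMPONENTS = [
    Component("erp-db", handles_cui=True),
    Component("erp-app", handles_cui=True),
    Component("file-share"),                  # flat VLAN with erp-app, nothing restricts traffic
    Component("hr-pc"),                       # flat VLAN with file-share
    Component("dc01", security_service=True),
    Component("jump-host", admin_of=frozenset({"erp-db"})),
    Component("backup-server"),
    Component("patch-repo"),
    Component("marketing-web"),
]
SAMPLE_FLOWS = [
    Flow("erp-app", "file-share", controlled=False),
    Flow("file-share", "hr-pc", controlled=False),
    Flow("erp-app", "dc01", controlled=True),         # LDAP/Kerberos to the domain controller
    Flow("dc01", "erp-app", controlled=True),         # policy push back to the app server
    Flow("jump-host", "erp-db", controlled=True),     # SSH from the admin jump host only
    Flow("backup-server", "erp-db", controlled=True),
    Flow("erp-app", "patch-repo", controlled=True),   # erp-app pulls updates; repo never initiates
]

if __name__ == "__main__":
    for name, cat in sorted(scope_components(SAMPLE_COMPONENTS, SAMPLE_FLOWS).items()):
        print(f"{name:15} category {cat:3} in scope: {in_scope(cat)}")
```

Re-running the script after a planned segmentation change (for instance, turning the flat erp-app to file-share path into a controlled one) shows which components drop out of Category 1; that before-and-after comparison is the scope reduction the Compliance Lifecycle table asks the organization to look for.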


General System Description:

In this section, provide a general description of the system on which the CUI resides. Outline the role the system plays in conducting work for the overall contract and detail the major functions of the information system. In the next section, provide an overview of the system architecture, including hardware and software. Also outline what types of data are collected and stored on the system components and identify which organizational entity controls the data.

System Environment:

This is where you would include a system architecture diagram portraying all major functions within the system. Provide a detailed description of each major function.

For example, the description could include:

• Physical location
• Vendors for commercial software
• Groups/entities who have access to major functions
• Operating systems
• Make and model
• Licensed software for major functions
• Anti-virus software
• Firewalls
• DMZ
• Elements such as:
  o Web, database and application servers
  o Email services such as Microsoft Exchange servers
  o Web-based applications and major application components such as web services, or infrastructure products such as software frameworks
  o User workstations, workstation software, and specialized configurations
  o Scientific instruments and medical devices
  o Laboratory information systems

Be sure to identify the organization that hosts and manages each major function.

System interconnections/information sharing:

This is where you will outline the major connections to the system, how information is shared, stored and backed up, and what types of information are transmitted.

For example, detail any connections that occur through public-facing web applications, internal intranet connections, and remote connections to the system. Outline the security measures that are in place to protect information, such as a remote-access VPN, HTTPS, and user agreements.

NIST 800-171 Minimum Controls:

This section explains NIST 800-171 and the controls required of contractors. It is the most important part of this guide because this is what the DoD requires the contractor/organization to have implemented. Please read NIST 800-171r1 for more information. This guide works with the NIST 800-171 tracking program that we have developed, which provides a simple way to track and show the contractor's status in meeting these NIST 800-171 control requirements.

There are a total of 110 basic and derived requirements in NIST 800-171r1, derived from the NIST 800-53 moderate baseline. These controls only need to be implemented on the systems and devices on which CUI is stored, transmitted, collected, or processed, as described in the Scope Evaluation section above.

Two other addendums are important to this section: Controls and Common Control Methods, and the prioritization sheet. Addendum C, Controls and Common Control Methods, lists the control description, the supplementary guidance from NIST 800-53, and common control information. The supplementary guidance is meant to aid in understanding what can be implemented to ensure that the controls are in place.

Please note: the tracker program focuses on providing the important information about each control and a common control method for becoming compliant with NIST 800-171. Its sections link to both NIST 800-171 and the supplementary guidance from NIST 800-53. There is a comments section in which the contractor can specify how they meet each control and attach supporting documentation (policies, audit reports, etc.). The contractor can mark their status on each control as compliant, partially compliant, or not compliant. If the contractor is non-compliant, there is a section in which to describe the planned revision to reach compliance.

The second addendum is for creating the prioritization chart. After using the tracking program to identify where the contractor is compliant and non-compliant on their system, the chart is used to map out the next steps in implementing the controls that are not in place.


NIST Special Publication

800-171

CONTROL NAME CONTROL DESCRIPTION CONTROL NUMBER

3.1 ACCESS CONTROL

Basic Requirements

Account Management Limit information system access to

authorized users, processes acting on

behalf of authorized users, or devices

(including other information systems).

AC 3.1.1

Access Enforcement Limit information system access to the

types of transactions and functions

that authorized users are permitted to

execute.

AC 3.1.2

Derived Requirements

Information Flow Enforcement Control the flow of CUI in accordance

with approved authorizations. AC 3.1.3

Separation of Duties Separate the duties of individuals to

reduce the risk of malevolent activity

without collusion.

AC 3.1.4

Least Privilege Employ the principle of least privilege,

including for specific security functions

and privileged accounts.

AC 3.1.5

Minimizing Admin Usage Use non-privileged accounts or roles

when accessing non-security functions. AC 3.1.6

Non-Privileged User Auditing Prevent non-privileged users from

executing privileged functions and

audit the execution of such functions.

AC 3.1.7

Page 15: Information System Security Plan (ISSP) For Moderate Impact … › documents › nist-guide › NIST 800... · 2017-09-14 · Protecting Controlled Unclassified Information on Non-federal

Page | 15

Unsuccessful Logon Attempts Limit unsuccessful logon attempts. AC 3.1.8

System Use Notification Provide privacy and security notices

consistent with applicable CUI rules. AC 3.1.9

Session Lock Use session lock with pattern-hiding

displays to prevent access/viewing of

data after period of inactivity.

AC 3.1.10

Session Termination Terminate (automatically) a user

session after a defined condition. AC 3.1.11

Remote Access Sessions Monitor and control remote access

sessions. AC 3.1.12

Remote Access Cryptography Employ cryptographic mechanisms to

protect the confidentiality of remote

access sessions.

AC 3.1.13

Remote Access Control Points Route remote access via managed

access control points. AC 3.1.14

Remote Access Permissions Authorize remote execution of

privileged commands and remote

access to security-relevant

information.

AC 3.1.15

Wireless Access Authorize wireless access prior to

allowing such connections. AC 3.1.16

Wireless Cryptography Protect wireless access using

authentication and encryption. AC 3.1.17

Access Control for Mobile

Devices

Control connection of mobile devices. AC 3.1.18

Mobile Devices Cryptography Encrypt CUI on mobile devices. AC 3.1.19

Page 16: Information System Security Plan (ISSP) For Moderate Impact … › documents › nist-guide › NIST 800... · 2017-09-14 · Protecting Controlled Unclassified Information on Non-federal

Page | 16

Use of External Information

Systems

Verify and control/limit connections to

and use of external information

systems.

AC 3.1.20

Use of External Storage Devices Limit use of organizational portable

storage devices on external

information systems.

AC 3.1.21

Publically Accessible Content Control information posted or

processed on publicly accessible

information systems.

AC 3.1.22

3.2 AWARENESS AND TRAINING

Basic Requirements

Security Awareness Training Ensure that managers, systems

administrators, and users of

organizational information systems are

made aware of the security risks

associated with their activities and of

the applicable policies, standards, and

procedures related to the security of

organizational information systems.

AT 3.2.1

Role-Based Security Training Ensure that organizational personnel

are adequately trained to carry out

their assigned information security-

related duties and responsibilities.

AT 3.2.2

Derived Requirements

Insider Threat Training Provide security awareness training on

recognizing and reporting potential

indicators of insider threat.

AT 3.2.3

3.3 AUDIT AND ACCOUNTABILITY

Basic Requirements

Page 17: Information System Security Plan (ISSP) For Moderate Impact … › documents › nist-guide › NIST 800... · 2017-09-14 · Protecting Controlled Unclassified Information on Non-federal

Page | 17

Audit Events | Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. | AU 3.3.1

Audit Generation | Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions. | AU 3.3.2

Derived Requirements

Audit Accountability | Review and update audited events. | AU 3.3.3

Response to Audit Processing Failure | Alert in the event of an audit process failure. | AU 3.3.4

Audit Review, Analysis, and Reporting | Use automated mechanisms to integrate and correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity. | AU 3.3.5

Audit Reduction and Report Generation | Provide audit reduction and report generation to support on-demand analysis and reporting. | AU 3.3.6

Time Stamps | Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records. | AU 3.3.7

Protection of Audit Information | Protect audit information and audit tools from unauthorized access, modification, and deletion. | AU 3.3.8


Audit Information Access | Limit management of audit functionality to a subset of privileged users. | AU 3.3.9

3.4 CONFIGURATION MANAGEMENT

Basic Requirements

Baseline Configuration | Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles. | CM 3.4.1

Configuration Settings | Establish and enforce security configuration settings for information technology products employed in organizational information systems. | CM 3.4.2

Derived Requirements

Configuration Change Control | Establish and enforce security configuration settings for information technology products employed in organizational information systems. | CM 3.4.3

Security Impact Analysis | Analyze the security impact of changes prior to implementation. | CM 3.4.4

Access Restrictions for Change | Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system. | CM 3.4.5

Least Functionality | Employ the principle of least functionality by configuring the information system to provide only essential capabilities. | CM 3.4.6


Use of Non-essential Items | Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services. | CM 3.4.7

Blacklist | Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software. | CM 3.4.8

User-Installed Software | Control and monitor user-installed software. | CM 3.4.9

3.5 IDENTIFICATION AND AUTHENTICATION

Basic Requirements

Identification and Authentication | Identify information system users, processes acting on behalf of users, or devices. | IA 3.5.1

Authenticator Management | Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems. | IA 3.5.2

Derived Requirements

Multifactor Authentication Access | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | IA 3.5.3

Identifier Management | Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. | IA 3.5.4

Reuse of Identifiers | Prevent reuse of identifiers for a defined period. | IA 3.5.5


Disable Identifiers | Disable identifiers after a defined period of inactivity. | IA 3.5.6

Password Complexity | Enforce a minimum password complexity and change of characters when new passwords are created. | IA 3.5.7

Password Reuse | Prohibit password reuse for a specified number of generations. | IA 3.5.8

Temporary Passwords | Allow temporary password use for system logons with an immediate change to a permanent password. | IA 3.5.9

Password Protection | Store and transmit only encrypted representation of passwords. | IA 3.5.10

Authenticator Feedback | Obscure feedback of authentication information. | IA 3.5.11

3.6 INCIDENT RESPONSE

Basic Requirements

Incident Response Training | Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities. | IR 3.6.1

Incident Handling | Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization. | IR 3.6.2

Derived Requirements

Incident Response Testing | Test the organizational incident response capability. | IR 3.6.3


3.7 MAINTENANCE

Basic Requirements

Controlled Maintenance | Perform maintenance on organizational information systems. | MA 3.7.1

Maintenance Tools | Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct system maintenance. | MA 3.7.2

Derived Requirements

Off-site Maintenance | Ensure equipment removed for off-site maintenance is sanitized of any CUI. | MA 3.7.3

Maintenance Media Testing | Check media containing diagnostic and test programs for malicious code before the media are used in the information system. | MA 3.7.4

Nonlocal Maintenance | Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete. | MA 3.7.5

Maintenance Personnel | Supervise the maintenance activities of maintenance personnel without required access authorization. | MA 3.7.6

3.8 MEDIA PROTECTION

Basic Requirements

Media Access | Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital. | MP 3.8.1

Media Storage | Limit access to CUI on information system media to authorized users. | MP 3.8.2

Media Sanitization | Sanitize or destroy information system media containing CUI before disposal or release for reuse. | MP 3.8.3

Derived Requirements

Media Marking | Mark media with necessary CUI markings and distribution limitations. | MP 3.8.4

Media Transport | Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas. | MP 3.8.5

Media Transport Cryptography | Implement cryptographic mechanisms to protect the confidentiality of information stored on digital media during transport outside of controlled areas unless otherwise protected by alternative physical safeguards. | MP 3.8.6

Media Use | Control the use of removable media on information system components. | MP 3.8.7

Portable Storage Use | Prohibit the use of portable storage devices when such devices have no identifiable owner. | MP 3.8.8

Information System Backup | Protect the confidentiality of backup CUI at storage locations. | MP 3.8.9

3.9 PERSONNEL SECURITY

Basic Requirements


Personnel Screening | Screen individuals prior to authorizing access to information systems containing CUI. | PS 3.9.1

Personnel Termination/Transfer | Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers. | PS 3.9.2

3.10 PHYSICAL SECURITY

Basic Requirements

Physical Access Authorizations | Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. | PE 3.10.1

Monitoring Physical Access | Protect and monitor the physical facility and support infrastructure for those information systems. | PE 3.10.2

Derived Requirements

Physical Access Control | Escort visitors and monitor visitor activity. | PE 3.10.3

Physical Access Logs | Maintain audit logs of physical access. | PE 3.10.4

Physical Access Devices | Control and manage physical access devices. | PE 3.10.5

Alternate Work Site | Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites). | PE 3.10.6

3.11 RISK ASSESSMENT

Basic Requirements


Risk Assessment | Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI. | RA 3.11.1

Derived Requirements

Vulnerability Scanning | Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified. | RA 3.11.2

Vulnerability Remediation Plan | Remediate vulnerabilities in accordance with assessments of risk. | RA 3.11.3

3.12 SECURITY ASSESSMENT

Basic Requirements

Security Assessments | Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application. | CA 3.12.1

Plan of Action and Milestones | Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems. | CA 3.12.2

Continuous Monitoring | Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls. | CA 3.12.3

3.13 SYSTEMS AND COMMUNICATION PROTECTION


Basic Requirements

Boundary Protection | Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems. | SC 3.13.1

Security Engineering Principles | Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems. | SC 3.13.2

Derived Requirements

Functionality Separation | Separate user functionality from information system management functionality (e.g., privileged user functions). | SC 3.13.3

Information in Shared Resources | Prevent unauthorized and unintended information transfer via shared system resources. | SC 3.13.4

Public Access Network Separation | Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks. | SC 3.13.5

Deny-by-Exception | Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception). | SC 3.13.6

Disable Split Tunneling | Prevent remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks. | SC 3.13.7

Transmission Confidentiality and Integrity | Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards. | SC 3.13.8

Network Disconnect | Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity. | SC 3.13.9

Cryptographic Key Establishment and Management | Establish and manage cryptographic keys for cryptography employed in the information system. | SC 3.13.10

Cryptographic Protection | Employ FIPS-validated cryptography when used to protect the confidentiality of CUI. | SC 3.13.11

Collaborative Computing Devices | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. | SC 3.13.12

Mobile Code | Control and monitor the use of mobile code. | SC 3.13.13

Voice over Internet Protocol | Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. | SC 3.13.14

Session Authenticity | Protect the authenticity of communications sessions. | SC 3.13.15

Protection of Information at Rest | Protect the confidentiality of CUI at rest. | SC 3.13.16

3.14 SYSTEM AND INFORMATION INTEGRITY


Basic Requirements

Flaw Remediation Plan | Identify, report, and correct information and information system flaws in a timely manner. | SI 3.14.1

Flaw Remediation Protection | Provide protection from malicious code at appropriate locations within organizational information systems. | SI 3.14.2

Security Alerts, Advisories, and Directives | Monitor information system security alerts and advisories and take appropriate actions in response. | SI 3.14.3

Derived Requirements

Malicious Code Protection | Update malicious code protection mechanisms when new releases are available. | SI 3.14.4

Malicious Code Scanning | Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed. | SI 3.14.5

Information System Monitoring | Monitor the information system, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks. | SI 3.14.6

Information System Monitoring | Identify unauthorized use of the information system. | SI 3.14.7

Global/SFC Valve Compliance Application:

All of the information above can be confusing, and NIST 800-171 can be vague about what the requirements are for each control. To aid in meeting these requirements, Global/SFC Valve has created a NIST Compliance Application. This application provides the user with the control description, a control recommendation with a possible suggested action link, and guidance from NIST 800-53.

The instructions for using the application are as follows:

When the application opens, the user sees the Dashboard window, which has two sections. The first, Total Control Status, contains a table showing the user's total number of Compliant, Partially Compliant, Non-Compliant, and Unknown controls. The second displays progress bars for the 14 control families and a total control progress bar showing the overall percentage of controls with which the user is compliant.

After examining the Dashboard, the user should look at the index on the left, which lists all of the control families. Click on any family to reveal the list of controls in that family. Each control window contains the following sections: Control Recommendation, Supplementary Guidance NIST 800-53, NIST 800-53 Mapping, Status, Compliance, Remedial Action, and Supporting Documents.

The first three sections provide the user with information on how to meet the control. The Control Recommendation contains information on what the user should do in order to meet the control. The Supplementary Guidance section contains information from the NIST 800-53 document that NIST 800-171 was developed from; it provides additional information that helps explain what the control is or should be, and it contains references to other related controls. The NIST 800-53 Mapping gives the user links into the document, but instead of having the user navigate the long document, the links take the user to the page that the supplementary guidance was taken from.

The last four sections are for the user to track their compliance status, explain how they meet the control, explain what they will do to meet it if non-compliant, and identify and store any supporting documents that prove compliance. In the Status section the user chooses one of the following options: Compliant, Partially Compliant, Non-Compliant, or Does Not Apply. The Does Not Apply option is for when the subcontractor does not need to meet the control because some other protection in place provides what the control requires. An example would be the control for Voice over Internet Protocol: another way to satisfy this control would be not to use Voice over Internet Protocol in the subcontractor's network. The flags that can be seen next to the Status section and the flags next to each control name in the index are connected. This helps the user track their compliance status for each control without having to open every control window. The Compliance section is for identifying and describing how the control has been met. The Remedial Action section is for describing the remedial plan to become compliant. The final Supporting Documents section is for uploading and storing any documents that can be used to prove the subcontractor is compliant with that control.


Application Disclaimer:

This is a freeware application that was created using the open source tool Electron. We at Global will do our best to fix any issues that occur as more people begin to use the application. With this in mind, understand that there could be bugs or issues while using our application. You should always keep backup files in case we update our application and send out a revised version, or in case you need to download the application again.

If you have any questions or feedback, please send them to either [email protected] or [email protected]. We will do our best to get back to you as soon as possible.

Troubleshooting and Frequently Asked Questions:

• Question: Is there a save button that I have to click to save my text in the two text box sections?

o Answer: No, your text is saved automatically every 3 seconds after you finish typing.

• Question: I uploaded a file to the Supporting Documents section and I don't see whether it was uploaded?

o Answer: This can happen from time to time. Before you try to upload the file again, click the View tab in the top left corner and click Refresh (or press Ctrl + R) to refresh the application. Navigate back to that control window and check the Supporting Documents section; the file should be there.

• Question: How can we create a backup of the information we entered into the application?

o Answer: To find your information, open the file explorer and navigate to the folder where you saved the app.

1. Open the Global SFC NIST Compliance Application folder.

2. Open the resources folder, then the app folder.

3. Open the assets folder and look for the data and documents folders.

4. When you find them, highlight both, right click, and click Copy.

5. Save those two folders somewhere secure; you now have a backup.

• Note: You will need to create a new backup after you change anything in the app.

Applicable Laws and Regulations:

This is where you would put all the laws and regulations used to make your security plan. Here are examples:

• Organization Security Policies

• Organization Governances

• Federal Information Security Management Act (FISMA) of 2002

• OMB Circular No. A-130, Appendix III

• Federal Information Processing Standard Publication (FIPS) 199

• Federal Information Processing Standard Publication (FIPS) 200

• NIST Special Publication 800-171 – Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations

• NIST Special Publication 800-18 Rev. 1 – Guide for Developing Security Plans for Federal Information Security Systems

• NIST Special Publication 800-30 Rev. 1 – Risk Management Guide for Information Systems

• NIST Special Publication 800-34 Rev. 1 – Contingency Planning Guide for Information Technology Systems

• NIST Special Publication 800-37 Rev. 1 – Guide for Applying Framework for Federal Information Systems

• NIST Special Publication 800-53 Rev. 3 – Recommended Security Controls for Federal Information Systems

• NIST Special Publication 800-60 Rev. 1 Volume I and II – Guide for Mapping Types of Information and Information Systems to Security Categories

Acronyms and Definitions:

Acronym | Definition

ATO | Authority to operate

C&A | Certification and accreditation

CA | Certification authority

CAST | Certification and accreditation support tool

CD | Compact disk

CNSI | Chief of Naval Operations

CNO (N00N) | Director, naval nuclear propulsion program

CO | Commanding officer

CO/OIC | Commanding officer/officer in charge

CRD | Confidential restricted data

DAA | Designated accrediting authority

DCS | Director of cybersecurity

DIACAP | DoD information assurance certification and accreditation process

DoD | Department of Defense

DOE | Department of Energy

DOE-UCNI | Department of Energy unclassified controlled nuclear information

DON | Department of Navy

DVD | Digital video disk

EO | Executive order

FIPS | Federal information processing standard

IA | Information assurance

IAM | Information assurance manager

IATS | Information assurance tracking system

IT | Information technology

ITAR | International traffic in arms regulations

NAVICP | Naval inventory control point

NAVSEASYSCOM | Naval sea systems command

NIST | National institute of standards and technology

NNPI | Navy nuclear propulsion information

NNPICO | Navy nuclear propulsion information control officer

NNPP | Naval nuclear propulsion program

NAVNETWARCOM | Naval network warfare command

NOFORN | Not releasable to foreign nationals

NOTAL | Not to all

NSA | National security agency

NSI | National security information

NTK | Need-to-know

ODAA | Operational designated accrediting authority

OSH | Occupational safety and health

PIT | Platform information technology

PM | Project manager

PROM | Programmable read-only memory

RD | Restricted data

RDT&E | Research, design, test, and evaluation

SECNAV | Secretary of the navy

SM | System manager

SMIC | Special material identification code

SNSI | SECRET national security information

SPAWARSYSCOM | Space and naval warfare systems command

SRD | SECRET restricted data

SUPSHIP | Supervisor of shipbuilding

UCNI | UNCLASSIFIED controlled nuclear information

U-NNPI | UNCLASSIFIED naval nuclear propulsion information

USB | Universal serial bus

VTC | Video telephone conference

Terms Defined:

Term | Definition

Accreditation | The formal declaration by the DAA that an information system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

Authorizing Official | A senior official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations.

Certification | The comprehensive evaluation of the technical and non-technical security features of an information system, determining the degree to which the information system meets its specified security requirements.

DOE unclassified controlled nuclear information (DOE-UCNI) | DOE-UCNI involves information protected under section 148 of the Atomic Energy Act. One part of DOE-UCNI includes information pertaining to the reactor plants of naval nuclear propulsion plants. Documents containing unclassified DOE reactor plant information may be marked with a DOE-UCNI warning statement when they are sent to Navy activities. The protection requirements are the same as those for U-NNPI. Therefore, documents marked as DOE-UCNI will be protected as U-NNPI.

Dual citizens | Individuals who are dual citizens (hold both a U.S. citizenship and the citizenship of some other country). Such individuals are subject to special restrictions.

Foreign interest | Any foreign government, agency of a foreign government, or representative of a foreign government; any form of business enterprise or entity organized under the laws of any country other than the United States or its possessions; and any foreign national. Firms organized under U.S. laws, regardless of potential foreign ownership, can receive contracts requiring access to U-NNPI if the firm formally agrees to protect the information.

Foreign national | For the purposes of this instruction, a foreign national is any person not a U.S. citizen. Non-U.S. citizens permanently residing in the United States are considered foreign nationals.

General Support Systems | An interconnected set of information resources under the same direct management control that shares common functionality.

Information system | A discrete set of information resources organized for the collection, storage, processing, maintenance, use, sharing, dissemination, disposition, display, or transmission of information.

Information System Owner | The senior official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system.

Information technology (IT) | Any equipment or interconnected system or subsystem of equipment used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. This includes computers, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.

Information Owner | The agency official with statutory or operational authority for specified information and responsibility for establishing the controls for its generation, collection, processing, dissemination, and disposal.

Mission-based | Information systems that are employed directly to provide services to citizens and clients.

Naval nuclear propulsion information (NNPI) | All classified or unclassified information concerning the design, arrangement, development, manufacture, testing, operation, administration, training, maintenance, and repair of the propulsion plants of naval nuclear-powered ships and prototypes, including the associated shipboard and shore-based nuclear support facilities.

Need-to-know (NTK) | An official determination that a proposed recipient's access to information is necessary in the performance of official or contractual duties of employment.

NNPI control officer (NNPICO) | The individual who is both familiar with NNPI and its protection requirements and designated by an activity that routinely deals with NNPI. Each activity shall ensure that the NNPICO is technically qualified, or that a technically qualified person shall be available for consultation. The NNPICO's primary responsibility shall be to ensure that only site personnel with an NTK are granted and allowed to retain access to NNPI.

NNPI workspace | An area designated by the Government where NNPI may be processed.

NNPP activity | Organizations that have an officially assigned or contracted function that involves the research, design, construction, testing, operation, maintenance, or disposal of naval nuclear propulsion plants.

Representative of foreign interest | For the purposes of this instruction, a representative of a foreign interest is any person, regardless of citizenship, functioning (in an individual capacity or on behalf of any corporation, person, or government entity) as an official, representative, agent, or employee of a foreign interest. One exception is that U.S. citizens appointed by their U.S. employer to act as a representative in the management of a foreign subsidiary of a U.S. corporation will not be considered representatives of a foreign interest.

Restricted data (RD) | A special type of classified information as defined in section 11(w) of Public Law 83-703 (The Atomic Energy Act of 1954, as amended), as ". . . all data concerning (1) design, manufacture, or utilization of atomic weapons; (2) the production of special nuclear material; or (3) the use of special nuclear material in the production of energy, but shall not include data declassified or removed from the Restricted Data category pursuant to Section 142."