Abstract: Policy Number: 50000.025 / CMMC AC.1.001
Policy Statement
Jackson State University’s (“JSU” or “University”) Division of Information Technology’s (“DIT”) intention in publishing a System Access Policy for CUI data is to identify how the University will protect access to systems collecting, creating, storing and processing CUI data.
Purpose
NIST SP 800-171 focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations and recommends specific security requirements to achieve that objective. The requirements recommended for use in SP 800-171 are derived from FIPS Publication 200 and the moderate security control baseline in NIST Special Publication 800-53 and are based on the CUI regulation (32 CFR Part 2002, Controlled Unclassified Information).
Scope
This policy applies to all organizational workforce members and to all systems, networks, and applications that process, store or transmit CUI. This policy also applies to all vendors, partners, researchers and contractors.
Responsibilities
The Chief Information Security Officer is responsible for ensuring the implementation of this policy.
Definitions
- Information system – a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
- Information resources – JSU laptops, desktops, printers, scanners, servers, network devices, paper documents, and mobile devices such as smartphones.
Policy
All environments involved with CUI must comply fully with the NIST 800-171 standards (either directly or through compensating controls). Jackson State University and its employees, vendors, and contractors will implement the following CUI access control requirements for systems with CUI data:
- CUI System Access Control
- 1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
- 1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute.
- 1.3 Control the flow of CUI in accordance with approved authorizations.
- 1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
- 1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
- 1.6 Use non-privileged accounts or roles when accessing non-security functions.
- 1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
- 1.8 Limit unsuccessful logon attempts.
- 1.9 Provide privacy and security notices consistent with applicable CUI rules.
- 1.10 Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
- 1.11 Terminate (automatically) a user session after a defined condition.
- 1.12 Monitor and control remote access sessions.
- 1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
- 1.14 Route remote access via managed access control points.
- 1.15 Authorize remote execution of privileged commands and remote access to security-relevant information.
- 1.16 Authorize wireless access prior to allowing such connections.
- 1.17 Protect wireless access using authentication and encryption.
- 1.18 Control connection of mobile devices.
- 1.19 Encrypt CUI on mobile devices and mobile computing platforms.
- 1.20 Verify and control/limit connections to and use of external systems.
- 1.21 Limit use of portable storage devices on external systems.
- 1.22 Control CUI posted or processed on publicly accessible systems.
Sanctions/Compliance
Failure to comply with this or any other security policy will result in disciplinary actions as per the Sanction Policy. Legal actions also may be taken for violations of applicable regulations and laws.
Related Standards, Policies, and Processes
Account Management
- User registration and de-registration
- User access provisioning
- Management of privileged access rights
- Review of user access rights
- Removal or adjustment of access rights
Access Enforcement
- Teleworking
- Access to networks and network services
- Information access restriction
- Use of privileged utility programs