
ABCI Consultants

Guidance for NIST 800-171 Assessment & Compliance

CHAPTER TWO: THE FUNDAMENTALS

2.2   DEVELOPMENT OF CUI REQUIREMENTS


Security requirements for protecting the confidentiality of CUI in nonfederal information systems and organizations have a well-defined structure that consists of: (i) a basic security requirements section; and (ii) a derived security requirements section. The basic security requirements are obtained from FIPS Publication 200, which provides the high-level and fundamental security requirements for federal information and information systems. The derived security requirements, which supplement the basic security requirements, are taken from the security controls in NIST Special Publication 800-53. Starting with the FIPS Publication 200 security requirements and the security controls in the moderate baseline (i.e., the minimum level of protection required for CUI in federal information systems and organizations), the requirements and controls are tailored to eliminate requirements, controls, or parts of controls that are:

Uniquely federal (i.e., primarily the responsibility of the federal government);

Not directly related to protecting the confidentiality of CUI; or

Expected to be routinely satisfied by nonfederal organizations without specification.[16]

Appendix E provides a complete listing of security controls that support the CUI derived security requirements and those controls that have been eliminated from the NIST Special Publication 800-53 moderate baseline based on the CUI tailoring criteria described above.

The combination of the basic and derived security requirements captures the intent of FIPS Publication 200 and NIST Special Publication 800-53, with respect to the protection of the confidentiality of CUI in nonfederal information systems and organizations. Appendix D provides informal mappings of the CUI security requirements to the relevant security controls in NIST Special Publication 800-53 and ISO/IEC 27001. The mappings are included to promote a better understanding of the CUI security requirements and are not intended to impose additional requirements on nonfederal organizations.

The following example taken from the Configuration Management family illustrates the structure of a typical CUI security requirement:

Basic Security Requirements:

Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.

Establish and enforce security configuration settings for information technology products employed in organizational information systems.

Derived Security Requirements:

Track, review, approve/disapprove, and audit changes to information systems.

Analyze the security impact of changes prior to implementation.

Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.

Employ the principle of least functionality by configuring the information system to provide only essential capabilities.

Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.

Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.

Control and monitor user-installed software.
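As an added illustration (not part of NIST SP 800-171 or this page), the script below shows how several of the Configuration Management requirements above can be checked mechanically against inventory data: a system snapshot is compared with an approved baseline (deny-all, permit-by-exception software list, essential listening ports only, enforced configuration settings), and differences between two snapshots are audited against approved change records so that unapproved changes surface as findings. The baseline values, the two inventory snapshots and the change record are all constructed for the example; the setting names are SSH-style keys used only as sample data.

```python
"""Baseline-drift and change-audit checks for CM requirements (constructed example)."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class Baseline:
    """Approved baseline for one system role (constructed values)."""
    approved_software: frozenset      # deny-all, permit-by-exception software list
    allowed_ports: frozenset          # essential listening ports only
    required_settings: dict           # security configuration settings to enforce


@dataclass(frozen=True)
class Finding:
    requirement: str   # which CUI requirement the deviation relates to
    detail: str


# Constructed baseline for a CUI application host (example data, not a real system)
BASELINE = Baseline(
    approved_software=frozenset({"openssh-server", "auditd", "cui-app"}),
    allowed_ports=frozenset({22, 443}),
    required_settings={"PermitRootLogin": "no", "PasswordAuthentication": "no"},
)

# Two constructed inventory snapshots of the same host, taken at different times
INVENTORY_PREVIOUS = {
    "software": {"openssh-server", "auditd", "cui-app"},
    "listening": {22: "sshd", 443: "cui-app"},
    "settings": {"PermitRootLogin": "no", "PasswordAuthentication": "no"},
}
INVENTORY_CURRENT = {
    "software": {"openssh-server", "auditd", "cui-app", "telnetd"},
    "listening": {22: "sshd", 443: "cui-app", 23: "telnetd"},
    "settings": {"PermitRootLogin": "yes", "PasswordAuthentication": "no"},
}

# Constructed approved change records: ticket id -> items the change was allowed to touch
APPROVED_CHANGES = {"CHG-0001": {"software:cui-app"}}


def assess_against_baseline(host: str, inventory: dict, baseline: Baseline) -> list[Finding]:
    """Compare one snapshot with the baseline; every deviation is a finding."""
    findings: list[Finding] = []
    # Deny-all, permit-by-exception: software not explicitly approved is unauthorized
    for pkg in sorted(set(inventory["software"]) - baseline.approved_software):
        findings.append(Finding("unauthorized software", f"{host}: {pkg} is not on the approved list"))
    # Least functionality: only essential ports/services may be listening
    for port, service in sorted(inventory["listening"].items()):
        if port not in baseline.allowed_ports:
            findings.append(Finding("nonessential port/service", f"{host}: {service} listening on port {port}"))
    # Enforced security configuration settings must match the baseline exactly
    for key, expected in baseline.required_settings.items():
        actual = inventory["settings"].get(key)
        if actual != expected:
            findings.append(Finding("configuration setting",
                                    f"{host}: {key}={actual!r}, baseline requires {expected!r}"))
    return findings


def unapproved_changes(previous: dict, current: dict, approved: dict) -> list[Finding]:
    """Track/audit changes: each difference between snapshots must be covered by an approved record."""
    covered = set().union(*approved.values())
    changed = set()
    for pkg in current["software"] ^ previous["software"]:
        changed.add(f"software:{pkg}")
    for port in set(current["listening"]) ^ set(previous["listening"]):
        changed.add(f"port:{port}")
    for key in set(current["settings"]) | set(previous["settings"]):
        if current["settings"].get(key) != previous["settings"].get(key):
            changed.add(f"setting:{key}")
    return [Finding("unapproved change", item) for item in sorted(changed - covered)]


if __name__ == "__main__":
    for f in assess_against_baseline("cui-host-01", INVENTORY_CURRENT, BASELINE):
        print(f"[{f.requirement}] {f.detail}")
    for f in unapproved_changes(INVENTORY_PREVIOUS, INVENTORY_CURRENT, APPROVED_CHANGES):
        print(f"[{f.requirement}] {f.detail}")
```

The two checks are deliberately separate: the baseline comparison answers "is this system in its approved state?", while the snapshot diff answers "was every change that happened reviewed and approved?". A system can pass the first while failing the second (an approved-looking state reached through an unrecorded change), which is why the requirements list both.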

For ease of use, the security requirements are organized into fourteen families. Each family contains the requirements related to the general security topic of the family. The families are closely aligned with the minimum security requirements for federal information and information systems described in FIPS Publication 200. The contingency planning, system and services acquisition, and planning requirements are not included within the scope of this publication due to the aforementioned tailoring criteria.[17]


[16] The security requirements developed from the tailored FIPS Publication 200 security requirements and the NIST Special Publication 800-53 moderate security control baseline represent a subset of the safeguarding measures that are necessary for a comprehensive information security program. The strength and quality of such programs in nonfederal organizations depend on the degree to which the organizations implement the security requirements and controls that are expected to be routinely satisfied without specification by the federal government. This includes implementing security policies, procedures, and practices that support an effective risk-based information security program. Nonfederal organizations are encouraged to refer to Appendix E and Special Publication 800-53 for a complete listing of security controls in the moderate baseline deemed out of scope for the security requirements in Chapter Three.

[17] Three exceptions include: a requirement to protect the confidentiality of system backups (derived from CP-9) from the contingency planning family; a requirement to develop and implement a system security plan (derived from PL-2) from the planning family; and a requirement to implement system security engineering principles (derived from SA-8) from the system and services acquisition family. For convenience, these requirements are included with the CUI media protection, security assessment, and system and communications protection requirements families, respectively.

Hosted by ABCI Consultants for Information Security Management Systems | Implementations, Training and Assessments for Compliance | (800) 644-2056