Identifying a Certified Third Party Assessing Organization (C3PAO): Difference between revisions
Revision as of 02:41, 1 March 2025
SPA Categorization
Some assessors believe that a Security Protection Asset (SPA) includes any system component that is cited in an organization's SSP as supporting evidence. Other assessors only identify as an SPA a system that provides protection to components, as stated in the NIST 800-171 publication.
Ask your C3PAO whether they consider a system mentioned in the SSP solely to provide evidence for meeting an assessment objective to be an SPA. Do they believe an SPA has to provide a security function, such as a SIEM or EDR? The answer will affect the level of effort required to provide evidence for an assessment.
NIST 800-171 states that “The requirements apply to all components of nonfederal systems and organizations that process, store, and/or transmit CUI, or that provide protection for such components”.
Browser used to Access CUI
Many organizations are accessing and modifying CUI documents through a web browser but have restricted the ability to download and print. Some DOD components also use the browser for accessing Government information. One example is the Navy using Flank Speed.
However, when a document is opened in a browser, the endpoint still processes that information. If the endpoint is not part of the organization's information system and is not controlled, this could be a finding.
Some assessors will fail an organization that uses a browser on an asset that is not controlled; others will not. As an alternative, there are solutions such as VDI, or technologies that deliver only a pixel representation of a browser, that would pass assessment.
If you are using a browser to access CUI, ask your assessor whether they would fail the organization.
CUI at Alternate Worksites (Work From Home)
When CUI is physically located at alternate work sites (here we'll focus on work from home/WFH), the CUI needs to be physically protected. The physical protections may include locked filing cabinets, safes, or locked briefcases. Some organizations even allow WFH users to print to corporate-issued printers in their home. At some level, the physical security of the user's home is providing safeguarding for that CUI.
Some assessors will assess the WFH environment remotely, relying on policy/training, a user interview, or maybe even a demonstration on camera by a WFH user. Other assessors will require an on-site visit to a representative WFH environment. Still other assessors won't assess you at all if you have CUI at home.
If you allow physical CUI in your users' homes, ask your assessor how they plan to assess your WFH environment, or whether they will assess it at all.