The National Institute of Standards and Technology (NIST) has published a document for protecting Controlled Unclassified Information (CUI) when it resides on subcontractor networks or other non-federal systems.
Given the developments at the Office of Personnel Management (OPM), such guidance is ironic – especially since many of the NIST suggestions went missing over there.
As they tell it, the NIST guidelines published last week were written for:
"...federal agencies with recommended requirements for protecting the confidentiality of CUI: (i) when the CUI is resident in nonfederal information systems and organizations; (ii) when the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies; and (iii) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government wide policy for the CUI category or subcategory listed in the CUI Registry."
The publication covers what one would expect when a number of people are cross-accessing information at scale, including the principle of least privilege, access control, ID and authentication, awareness training, configuration management, incident response, patch management, media protection, and physical security.
Again, this would be comically ironic if the situation wasn't already so sad.
During the fallout from the OPM breach earlier this month, the world learned that IT operations and security at the OPM have been lacking since 2007.
Despite reports from the Inspector General pointing out all of the flaws, nothing has changed over the years. If anything, the amount of data collected grew and security got worse.
The result of these cascading failures was the largest government breach in history, one that impacts millions of people. In fact, the breach is so large and touches so many areas that Katherine Archuleta, the Director of the OPM, would only discuss its scale and scope in a classified hearing.
When asked why the data wasn't encrypted, she said it wasn't feasible to implement encryption on systems that were too old. If only the OPM had listened to the Inspector General, or had access to the NIST publication ahead of time...
One more thing: it's suspected that actors out of China are responsible for the OPM incident – ironically, the OPM used contractors in foreign countries. A story from Ars Technica cites one source stating that a contracted administrator was working from – you guessed it – China.