Question: Which Of The Following Is Not A Correct Way To Protect CUI?
Quick answer: CUI may be stored on any password-protected system. CUI may be stored only on authorized systems or approved devices.
This question is a part of Cyber Awareness Challenge 2022 Answers.
Broad Description
Sensitive information may be stored on any password-protected system is true.
The benefits of a password manager outweigh the risk of stolen but robustly-encrypted passwords.
“Using a password manager is not a violation of 3.5.10 (IA.2.081); they are an accepted means of cryptographically protecting passwords, assuming the password manager employs NIST-validated cryptography per NIST SP 800-171 requirement 3.13.11. Originally 3.5.10 was worded as ‘“Store and transmit only encrypted representation of passwords.” That caused some confusion (as some thought they had to traditionally encrypt passwords rather than hash the passwords), so in Revision 1, 3.5.10 was changed to “Store and transmit only cryptographically-protected passwords” — so hashes were now addressed. When NIST added the ‘Discussion’ to each requirement in Revision 2, the explanation for 3.5.10 was a little terse “Cryptographically-protected passwords use salted one-way cryptographic hashes of passwords” when what it meant is that when hashing, add a salt. The wording in the ‘Discussion’ for the related control (IA-5(1)) in 800-53r5 is “Cryptographically protected passwords include salted one-way cryptographic hashes of passwords” which doesn’t imply that cryptographic hashes are the only way to cryptographically protect passwords.”
So you can use a password manager as part of your covered system.
Storing CUI (Controlled Unclassified Information) on any password-protected system is not an appropriate way to protect it. CUI should be stored only on authorized systems or approved devices that meet the necessary security requirements. To protect CUI, organizations should follow guidelines and practices such as:
- Access controls: Implement role-based access controls to limit access to CUI based on a need-to-know basis.
- Data classification: Ensure that CUI is appropriately labeled and classified according to established guidelines.
- Secure storage: Store CUI on secure, authorized systems or devices that meet required security standards.
- Data encryption: Encrypt CUI both in transit and at rest using strong encryption algorithms.
- Security training and awareness: Educate employees about proper handling, storage, and disposal of CUI through regular training and awareness programs.
- Incident response planning: Develop and maintain an incident response plan to effectively address security breaches involving CUI.
- Regular security audits: Conduct periodic security audits to identify potential weaknesses and ensure compliance with established procedures for handling CUI.
- Monitor and log access: Keep records of who accesses CUI and monitor for any suspicious activity or unauthorized access.
- Secure communication channels: Use secure communication protocols and encrypted channels when transmitting CUI.
By adhering to these guidelines and ensuring that CUI is stored only on authorized systems or approved devices, organizations can better protect sensitive information from unauthorized access or disclosure.
