NIST SP 800-171 - ZENworks Full Disk Encryption - FIPS 140-2 option...

Idea ID 2783942

There's a requirement for any United States Government entity or contractor working with "Controlled Unclassified Information" to maintain and protect that data using NIST SP 800-171 at minimum. This includes encryption requirements that must meet or exceed FIPS 140-2. USG has been slowly educating USG Contracting Officers, prime contractors and subcontractors about the new requirements, and thus where there are new contracts (especially for the US DoD) there are new FARS/DFARS mandates. As we end 2018, most DoD contracts now include DoD DFARS 252.204-7012 (OCT 2016). The DoD has already started supplier "NIST SP 800-171 audits" to see how compliance really is coming along.

So where this FIPS 140-2 encryption requirement used to be only inside USG or prime DoD, you will find it is creeping out into universities, second/third tier contracting agencies, etc. Wherever CUI data is stored or moved, we need proof of FIPS 140-2 validated encryption - not just best industry practice encryption. The Windows 10 Pro/Enterprise clients do offer some help here with FIPS options, but we would like to manage it in ZENworks just as we would ZENworks Full Disk Encryption if possible...

References for those USA-based entities or foreign entities who contract with the USG:

Search for your favorite companies and product modules here (some of our favorites have not renewed for quite some time. Hmmm...):
NIST FIPS 140-2, Cryptographic Module Validation Program - Validated Modules Search
https://csrc.nist.gov/projects/cryptographic-module-validation-program/module-validation-lists

National Archives, Controlled Unclassified Information (CUI) Category List
https://www.archives.gov/cui/registry/category-list

FAR 52.204-21: Basic Safeguarding of Covered Contractor Information Systems.
https://www.acquisition.gov/sites/default/files/current/far/html/52_200_206.html#wp1155195

DoD DFARS 252.204-7012 (OCT 2016) Safeguarding Covered Defense Information and Cyber Incident Reporting.
https://www.acq.osd.mil/dpap/dars/dfars/html/current/252204.htm#252.204-7012

DoD DPAP (NOV 2018) Guidance for Assessing Compliance and Enhancing Protections Required by DFARS Clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting.
https://www.acq.osd.mil/dpap/pdi/cyber/guidance_for_assessing_compliance_and_enhancing_protections.html

NIST SP 800-171 Rev. 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final

NIST SP 800-171A Rev. 1, Assessing Security Requirements for Controlled Unclassified Information
https://csrc.nist.gov/publications/detail/sp/800-171a/final

NIST Handbook 162 November 2017, NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 Security Requirements in Response to DFARS Cybersecurity Requirements
https://www.nist.gov/publications/nist-mep-cybersecurity-self-assessment-handbook-assessing-nist-sp-800-171-security