Facility security management requires access control systems to manage who can enter or use resources in physical or digital environments. These are requirements for both cybersecurity and export compliance programs.
Security Requirements for NIST SP 800-171
NIST SP 800-171 provides guidelines for protecting Controlled Unclassified Information (CUI) in non-federal systems and organizations. It is used by federal contractors and subcontractors such as service providers and defense contractors.
NIST 800-171 access control refers to the security requirements that organizations must implement to limit access to Controlled Unclassified Information (CUI) to authorized users only. This includes defining user roles, setting permissions, and ensuring that access is granted based on necessity to protect sensitive data.
NIST SP 800-171 clauses that address access control are:
- 3.1.1 – Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
- 3.1.2 – Limit system access to the types of transactions and functions that authorized users are permitted to execute.
- 3.1.3 – Control the flow of CUI in accordance with approved authorizations.
- 3.1.4 – Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
- 3.1.5 – Employ the principle of least privilege, including for specific security functions and privileged accounts.
- 3.1.6 – Use non-privileged accounts or roles when accessing non-security functions.
- 3.1.7 – Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
Organizations can implement these requirements through various strategies:
- Role-Based Access Control (RBAC): Define user roles and permissions to ensure only authorized personnel can access specific data.
- Multi-Factor Authentication (MFA): Require multiple forms of verification for users accessing CUI, especially for privileged accounts and remote access.
- Contextual Access Policies: Set restrictions based on factors like time, device, and location to enhance security.
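As an added illustration (not code from the original page), the following constructed Python policy check applies the clauses listed above in one place: role-based permissions (3.1.1, 3.1.2, 3.1.5), a separation-of-duties rule (3.1.4), MFA plus a contextual device/location/time policy, and an audit record of every privileged attempt (3.1.7). The role names, permission strings and business-hours window are assumptions.

```python
from dataclasses import dataclass, field

# Constructed role model (3.1.1, 3.1.2, 3.1.5): each role holds only the
# permissions its duties need; "cui:export" and "audit:configure" are privileged.
ROLE_PERMISSIONS = {
    "engineer": {"cui:read"},
    "cui_custodian": {"cui:read", "cui:export"},
    "security_admin": {"audit:configure"},
}
PRIVILEGED = {"cui:export", "audit:configure"}
# Separation of duties (3.1.4): one person may not both export CUI and
# configure the audit trail that records exports.
CONFLICTING_ROLES = [("cui_custodian", "security_admin")]
AUDIT_LOG = []  # (user, permission, granted) for every privileged attempt (3.1.7)


@dataclass
class User:
    name: str
    roles: set = field(default_factory=set)
    mfa_verified: bool = False


def assign_roles(user, roles):
    """Grant roles, refusing any combination that violates separation of duties."""
    combined = user.roles | set(roles)
    for a, b in CONFLICTING_ROLES:
        if a in combined and b in combined:
            raise ValueError(f"{user.name}: roles {a} and {b} conflict (3.1.4)")
    user.roles = combined


def authorize(user, permission, hour, managed_device, on_site):
    """Decide one access request; privileged attempts are logged whether or not they succeed."""
    # RBAC: the permission must come from one of the user's roles (3.1.1, 3.1.2).
    granted = any(permission in ROLE_PERMISSIONS.get(r, set()) for r in user.roles)
    # Contextual policy (assumed): CUI only from a managed device, on site, 07:00-19:00.
    if permission.startswith("cui:") and not (managed_device and on_site and 7 <= hour < 19):
        granted = False
    if permission in PRIVILEGED:
        # Privileged functions additionally require MFA, and every attempt is audited.
        granted = granted and user.mfa_verified
        AUDIT_LOG.append((user.name, permission, granted))
    return granted
```

Denied privileged attempts are logged with `granted=False`, which is the record 3.1.7 asks for when a non-privileged user tries a privileged function.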
U.S. Export Compliance Security Requirements
Exporters in the United States must ensure that items, articles, technology, and technical data are not accessed by foreign persons. This covers both physical access and access to the pertinent data.
As defined in the International Traffic in Arms Regulations (ITAR), technical data is information pertinent to the design, development, production, manufacture, assembly, operation, repair, testing, maintenance, or modification of defense articles. It can also refer to classified information, software for use on defense articles, or information covered by an invention secrecy order. This information must be secured from access by foreign persons to protect U.S. national security and foreign policy objectives.
As defined by the Export Administration Regulations (EAR), technology refers to “Information necessary for the “development,” “production,” “use,” operation, installation, maintenance, repair, overhaul, or refurbishing (or other terms specified in ECCNs on the CCL that control “technology”) of an item”.
Technology Control Plans
A Technology Control Plan (TCP) is a document required for managing and safeguarding export-controlled information, technology, or items in compliance with U.S. federal regulations.
A TCP should identify the persons who have authorized access to controlled items and technology within the facility. It must detail procedures for screening visitors, employees, customers, and vendors against all embargoed/sanctioned countries and activities, all proscribed destinations, and all end-user and person prohibitions. It should include a site-specific physical security plan that addresses how items are to be stored and secured from unauthorized access. Additionally, it should detail how export-controlled items are to be returned or destroyed when no longer needed.
CVG Strategy Signs, Badges, and Visitor Logs for Facility Security Management
Visitor Badges and Visitor Sign-in Registers
Visitor badges provide visual identification of visitors to your facility, give notice to personnel of access restriction requirements, and ensure that visitors are accompanied at all times by credentialed personnel. Visitor Sign-In Registers provide a logging mechanism for visitors granted access to the premises and notify visitors of security requirements upon signing in.
Facility Security Signs
Facility Security Signs inform visitors and remind personnel of defined controlled areas where export regulated articles, Controlled Unclassified Information (CUI), or sensitive information are present. These signs are an integral part of a comprehensive facility security management program. CVG Strategy’s Signs & Badges Store has a variety of signs, badges, and visitor logs to help your organization meet its physical and environmental security requirements. These offerings provide solutions for both export compliance and cybersecurity.
CVG Strategy Test Plan Templates
CVG Strategy also offers a wide array of EZ-Test Plan Templates for product test and evaluation that meet the requirements of MIL-STD-810, MIL-STD-461, MIL-STD-1275, MIL-STD-704, and others. Each environmental test plan is compliant with MIL-STD-810 Task 405. EMI/EMC test plans are compliant with MIL-STD-461 per DI-EMCS-80201.