The protection of Controlled Unclassified Information (CUI) resident in nonfederal systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully conduct its essential missions and functions of protecting the confidentiality of CUI.
The Cybersecurity Maturity Model Certification (CMMC) Is required to safeguard sensitive national security information. The Department of Defense (DoD) launched CMMC 2.0, a comprehensive framework to protect the defense industrial base from increasingly frequent and complex cyberattacks.
NIST SP 800-171 provides a list of control categories recommended for security controls to protect the confidentiality of CUI and comply with CMMC.
The control categories include:
Access Control; Awareness and Training; Audit and Accountability; Configuration Management; Identification and Authentication; Maintenance; Media Protection; Physical and Environmental Protection; Personnel Security; System and Communications Protection; System and Information Integrity.
In this broad range of controls, to protect Controlled Technical Information such as engineering designs in CAD, only a few are directly relevant.
The control categories relevant to CAD design documents containing CUI include:
Each category has control subcategories that are specific to a type of CUI or processes.
Relevant Security Controls in NIST SP 800-171 and 800-53 for protecting the confidentiality of CUI in CAD with HALOCAD
3.1 ACCESS CONTROL Basic Security Requirements
3.1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
HALOCAD provides advanced access control not included as standard by the CAD vendors. Users are required to authenticate in the Microsoft Purview active directory, which employs zero-trust protection, and can revoke or reassign access. Devices are restricted to only those with the HaloCAD add-on.
3.1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute.
HALOCAD can restrict or grant selected users to edit, view, copy, save, save-as, export functions within the CAD application.
3.1.3 Control the flow of CUI in accordance with approved authorizations.
HALOCAD can block or grant access to select CAD files based on authorization granted in the Purview active directory. CAD documents cannot be emailed or otherwise transmitted if they are blocked by HALOCAD
3.1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
HALOCAD can prevent malevolence in manipulating CAD drawings by restricting editing and copy functions by controlling authentication. A CAD drawing is assigned an author, and other users are restricted in change rights.
3.1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
With HALOCAD, a CAD drawing is assigned an author, and other users can be restricted from using functions such as edit, copy, print, save, save-as, and view.
3.1.6 Use non-privileged accounts or roles when accessing Non security functions.
Users can be assigned read-only privilege, not allowing changes to the security settings for a CAD file.
3.1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
With HALOCAD, attempts at unauthorized access to a CAD file will be blocked, and Purview will capture the event in an audit log.
3.1.9 Provide privacy and security notices consistent with applicable CUI rules.
With HALOCAD, security labels can contain a CUI notification text visible to the user.
3.1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
With HALOCAD, all protected files are encrypted, regardless of remote or local access.
3.1.17 Protect wireless access using authentication and encryption.
With HALOCAD, all CAD protected files are encrypted, regardless of remote or local access, and authentication is always required.
3.1.19 Encrypt CUI on mobile devices and mobile computing platforms.
With HALOCAD, all CAD files (containing CUI) are encrypted, regardless of remote or local access, and authentication is always required.
3.2 AWARENESS AND TRAINING
3.1.22 Control CUI posted or processed on publicly accessible systems.
With HALOCAD, access control of CAD files containing CUI is maintained in public systems. Authentication is still required in files copied to public systems, regardless of location.
3.2.2 Ensure that personnel are trained to carry out their assigned information security-related duties and responsibilities.
With HALOCAD, instructions are provided to train CAD users in assigning security labels, whether automatically or manually.
3.3 AUDIT AND ACCOUNTABILITY
3.3.1 Create and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
With HALOCAD, Purview audit logs will be available for monitoring and SIEM analysis.
3.3.2 Ensure that the actions of individual system users can be uniquely traced to those users, so they can be held accountable for their actions.
With HALOCAD, Purview audit logs related to CAD files will be available for monitoring and SEIM analysis.
3.12 SECURITY ASSESSMENT
3.12.1 Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
SECUDE provides instructions for testing and verification of HALOCAD.
3.13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
HALOCAD encrypts CUI in CAD automatically regardless of location.
3.13.16 Protect the confidentiality of CUI at rest.
HALOCAD protects CUI in CAD files both at rest and in use and with PLM transfers.
NIST SP 800-53 mapping relevant to CAD protection