ISO 27001 Lead Auditor Training Class scheduled for online learning

Mastering the audit of an Information Security Management System (ISMS) based on ISO/IEC 27001
4 1/2 days from August 17th through August 20th, 2020
Summary
This five-day intensive course enables participants to develop the necessary expertise to audit an Information Security Management System (ISMS) and to manage a team of auditors by applying widely recognized audit principles, procedures and techniques.
- During this training, the participant will acquire the necessary knowledge and skills to proficiently plan and perform internal and external audits in compliance with ISO 19011 and the certification process according to ISO 17011.
- Based on practical exercises, the participant will develop the skills (mastering audit techniques) and competencies (managing audit teams and audit program, communicating with customers, conflict resolution, etc.) necessary to efficiently conduct an audit.
Who should attend?
- Internal auditors
- Auditors wanting to perform and lead Information Security Management System (ISMS) certification audits
- Project managers or consultants wanting to master the Information Security Management System audit process
- CxO and Senior Managers responsible for the IT governance of an enterprise and the management of its risks
- Members of an information security team
- Expert advisors in information technology
- Technical experts wanting to prepare for an Information security audit function
Learning objectives
- To acquire the expertise to perform an ISO/IEC 27001 internal audit following ISO 19011 guidelines
- To acquire the expertise to perform an ISO/IEC 27001 certification audit following ISO 19011 guidelines and the specifications of ISO 17021 and ISO 27006
- To acquire the necessary expertise to manage an ISMS audit team
- To understand the operation of an ISO/IEC 27001 conformant information security management system
- To understand the relationship between the components of an Information Security Management System, including risk management, controls and compliance with the requirements of different stakeholders of the organization
- To improve the ability to analyze the internal and external environment of an organization, its risk assessment and audit decision-making
Course Agenda
Day 1: Introduction to Information Security Management System (ISMS) concepts as required by ISO/IEC 27001
- Normative, regulatory and legal framework related to information security
- Fundamental principles of information security
- ISO/IEC 27001 certification process
- Information Security Management System (ISMS)
- Detailed presentation of the clauses 4 to 8 of ISO/IEC 27001
Day 2: Planning and Initiating an ISO/IEC 27001 audit
- Fundamental audit concepts and principles
- Audit approach based on evidence and on risk
- Preparation of an ISO/IEC 27001 certification audit
- ISMS documentation audit
- Conducting an opening meeting
Day 3: Conducting an ISO/IEC 27001 audit
- Communication during the audit
- Audit procedures: observation, document review, interview, sampling techniques, technical verification, corroboration and evaluation
- Audit test plans
- Formulation of audit findings
- Documenting nonconformities
Day 4: Concluding and ensuring the follow-up of an ISO/IEC 27001 audit
- Audit documentation
- Quality review
- Conducting a closing meeting and conclusion of an ISO/IEC 27001 audit
- Evaluation of corrective action plans
- ISO/IEC 27001 Surveillance audit
- Internal audit management program
Day 5: Certification Exam (Flexible schedule)
- 8 am to 11:30 am (online)
Prerequisites
PECB Certified ISO/IEC 27001 Foundation Certification or basic knowledge of ISO/IEC 27001 is recommended.
Educational approach
This training is based on both theory and practice:
- Sessions of lectures illustrated with examples based on real cases
- Practical exercises based on a full case study including role playings and oral presentations
- Review exercises to assist the exam preparation
- Practice test similar to the certification exam
Examination and Certification
- The “PECB Certified ISO/IEC 27001 Lead Auditor” exam fully meets the requirements of the PECB Examination and Certification Programme (ECP). The exam covers the following competence domains:
- Domain 1: Fundamental principles and concepts of information security
- Domain 2: Information Security Management System (ISMS)
- Domain 3: Fundamental audit concepts and principles
- Domain 4: Preparation of an ISO/IEC 27001 audit
- Domain 5: Conducting an ISO/IEC 27001 audit
- Domain 6: Closing an ISO/IEC 27001 audit
- Domain 7: Managing an ISO/IEC 27001 audit program
- The “PECB Certified ISO/IEC 27001 Lead Auditor” exam is available in different languages (the complete list of languages can be found in the examination application form)
- Duration: 3 hours
- For more information about the exam, refer to the section on PECB Certified ISO/IEC 27001 Lead Auditor Exam
- After successfully completing the exam, participants can apply for the credentials of PECB Certified ISO/IEC 27001 Provisional Auditor, PECB Certified ISO/IEC 27001 Auditor or PECB Certified ISO/IEC 27001 Lead Auditor depending on their level of experience. Those credentials are available for internal and external auditors
- A certificate will be issued to participants who successfully pass the exam and comply with all the other requirements related to the selected credential
- For more information about PECB Certified ISO/IEC 27001 certifications and the PECB certification process, refer to the section on ISO/IEC 27001 certifications
General Information
- Certification fees are included in the exam price
- A student manual containing over 450 pages of information and practical examples will be distributed to participants
- A participation certificate of 31 CPD (Continuing Professional Development) credits will be issued to participants
- In case of failure of the exam, participants are allowed to retake the exam for free under certain conditions
Location:
Online via Join.me
Fee: $1,750.00
NIST Releases Two Cybersecurity Guidance Publications

The National Institute of Standards and Technology’s (NIST’s) National Cybersecurity Center of Excellence (NCCoE) released two draft practice guides today:
- Special Publication (SP) 1800-25: Identifying and Protecting Assets Against Ransomware and Other Destructive Events
- Special Publication (SP) 1800-26: Detecting and Responding to Ransomware and Other Destructive Events
Ransomware, malware, insider threats, and even honest user mistakes present ongoing threats to organizations. All types of data, such as database records, system files, configurations, user files, applications, and customer data, are potential targets of data corruption, modification, and destruction.
Formulating a defense against these threats requires thorough knowledge of the assets within the enterprise and protection of these assets against data corruption and destruction.
Furthermore, quick, accurate, and thorough detection and response to a loss of data integrity can save an organization time, money, and headaches. While human knowledge and expertise are essential components of a defense, the right tools and preparation are essential to minimizing downtime and losses due to data integrity events.
As detailed in these two practice guides, the NCCoE, in collaboration with members of the business community and vendors of cybersecurity solutions, has built example solutions to address these data integrity challenges.

CMMC FAQs

Background
The Department of Defense (DoD) released the Cybersecurity Maturity Model Certification (CMMC), version 0.7 in December 2019 to support the public’s continued review of the draft model in preparation for the release of the CMMC Version 1.0 at the end of January 2020. The sharing of Federal Contract Information (FCI) and CUI with Defense Industrial Base (DIB) sector contractors expands the Department’s attack surface because sensitive data is distributed beyond the DoD’s information security boundary. Cybersecurity must become a foundation of DoD acquisition.
Towards that end, the Office of the Under Secretary of Defense for Acquisition and Sustainment [OUSD(A&S)] is working with DoD stakeholders, University-Affiliated Research Centers, Federally Funded Research and Development Centers, and industry to develop the Cybersecurity Maturity Model Certification (CMMC).
CMMC is a DoD certification process that measures a DIB sector company’s ability to protect FCI and CUI. CMMC combines various cybersecurity standards and maps these best practices and processes to maturity levels, ranging from basic cyber hygiene to highly advanced practices. CMMC also adds a certification element to verify implementation of cybersecurity requirements.
CMMC is designed to provide the DoD assurance that a DIB contractor can adequately protect CUI at a level commensurate with the risk, accounting for information flow down to subcontractors in a multi-tier supply chain. With respect to implementation, a DIB contractor may meet a specific CMMC level for its entire enterprise network or particular segment(s) or enclave(s).
1 – What is CUI?
CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
A CUI Registry provides information on the specific categories and subcategories of information that the Executive branch protects. The CUI Registry can be found at: https://www.archives.gov/cui and includes the following organizational index groupings:
- Critical Infrastructure
- Defense
- Export Control
- Financial
- Immigration
- Intelligence
- International Agreements
- Law Enforcement
- Legal
- Natural and Cultural Resources
- NATO
- Nuclear
- Privacy
- Procurement and Acquisition
- Proprietary Business Information
- Provisional
- Statistical
- Tax
2 – CUI versus FOUO?
CUI, established by Executive Order 13556, is an umbrella term for all unclassified information that requires safeguarding. FOUO, which stands for ‘For Official Use Only’, is a document designation used by the DoD.
3 – What are the concerns regarding cybersecurity in the Defense Industrial Base (DIB)?
The aggregate loss of controlled unclassified information (CUI) from the DIB sector increases risk to national economic security and in turn, national security. In order to reduce this risk, the DIB sector must enhance its protection of CUI in its networks.
The Council of Economic Advisers, an agency within the Executive Office of the President, estimates that malicious cyber activity cost the U.S. economy between $57 billion and $109 billion in 2016 [Ref: “The Cost of Malicious Cyber Activity to the U.S. Economy, CEA” in February 2018].
The Center for Strategic and International Studies (CSIS), in partnership with McAfee, reports that as much as $600 billion, nearly 1% of global GDP, may be lost to cybercrime each year. The estimate is up from a 2014 study that put global losses at about $445 billion. [Ref: “Economic Impact of Cybercrime – No Slowing Down” in February 2018].
4 – What is CMMC?
CMMC stands for “Cybersecurity Maturity Model Certification”. The CMMC will encompass multiple maturity levels that range from “Basic Cybersecurity Hygiene” to “Advanced”. The intent is to identify the required CMMC level in RFP sections L and M and use it as a “go / no go” decision.
5 – Why is the CMMC being created?
DoD is planning to migrate to the new CMMC framework in order to assess and enhance the cybersecurity posture of the Defense Industrial Base (DIB). The CMMC is intended to serve as a verification mechanism to ensure that appropriate levels of cybersecurity practices and processes are in place to provide basic cyber hygiene and to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ networks.
6 – When will the final CMMC framework be released to the public?
Version 1.0 of the CMMC framework will be available in January 2020 to support training requirements. In June 2020, industry should begin to see the CMMC requirements as part of Requests for Information.
7 – Will other Federal (non DoD) contracts use CMMC?
The initial implementation of the CMMC will only be within the DoD.
8 – What is the relationship between NIST SP 800-171 rev.1 and CMMC?
The intent of the CMMC is to combine various cybersecurity control standards such as NIST SP 800-171, NIST SP 800-53, ISO 27001, ISO 27032, AIA NAS9933 and others into one unified standard for cybersecurity. In addition to cybersecurity control standards, the CMMC will also measure the maturity of a company’s institutionalization of cybersecurity practices and processes.
9 – How will CMMC be different from NIST SP 800-171?
Unlike NIST SP 800-171, CMMC will implement multiple levels of cybersecurity. In addition to assessing the maturity of a company’s implementation of cybersecurity controls, the CMMC will also assess the company’s maturity/institutionalization of cybersecurity practices and processes.
10 – How will my organization become certified?
Your organization will coordinate directly with an accredited and independent third party commercial certification organization to request and schedule your CMMC assessment. Your company will specify the level of the certification requested based on your company’s specific business requirements. Your company will be awarded certification at the appropriate CMMC level upon demonstrating the appropriate maturity in capabilities and organizational maturity to the satisfaction of the assessor and certifier.
11 – How much will CMMC certification cost?
Will the cost be based on the level we requested or the size of the organization?
The certification cost has not yet been determined. The cost, and associated assessment, will likely scale with the level requested.
12 – Will there be a self-certification?
Self-certification shall not be recognized by the DoD.
13 – How do I request a certification assessment?
We expect that there will be a number of companies providing 3rd party CMMC assessment and certification.
14 – Who will perform the assessments?
An independent 3rd party assessment organization will normally perform the assessment. Some of the higher level assessments may be performed by organic DoD assessors within the Services, the Defense Contract Management Agency (DCMA) or the Defense Counterintelligence and Security Agency (DCSA).
15 – Are the results of my assessment public?
Does the DoD see my results?
Your certification level will be made public, however details regarding specific findings will not be publicly accessible. The DoD will see your certification level.
16 – How often does my organization need to be reassessed?
The duration of a certification is still under consideration.
17 – If my organization is certified CMMC and I am compromised, do I lose my certification?
You will not lose your certification. However, depending on the circumstances of the compromise and the direction of the government program manager, you may be required to be recertified.
18 – If my organization is certified CMMC and I am compromised will my organization require re-certification?
A compromise will not automatically require a re-certification. However, depending on the circumstances of the compromise and the direction of your government program manager, you may be required to be re-certified.
19 – What if my organization cannot afford to be certified?
Does that mean my organization can no longer work on DOD contracts?
The cost of certification will be considered an allowable, reimbursable cost and will not be prohibitive. For contracts that require CMMC you may be disqualified from participating if your organization is not certified.
20 – My organization does not handle Controlled Unclassified Information (CUI). Do I have to be certified anyway?
Yes. All companies conducting business with the DoD must be certified. The level of certification required will depend upon the amount of CUI a company handles or processes.
21 – I am a subcontractor on a DoD contract. Does my organization need to be certified?
Yes, all companies doing business with the Department of Defense will need to obtain CMMC.
22 – How will I know what CMMC level is required for a contract?
The government will determine the appropriate tier (i.e. not everything requires the highest level) for the contracts they administer. The required CMMC level will be contained in sections L & M of the Request for Proposals (RFP) making cybersecurity an “allowable cost” in DoD contracts.
23 – Will CMMC certifications and the associated third party assessments apply to classified systems and / or classified environments within the Defense Industrial Base?
The CMMC is intended to serve as a verification mechanism to ensure appropriate levels of cybersecurity practices and processes are in place to protect controlled unclassified information (CUI) that resides on the Department’s industry partners’ unclassified networks.
CMMC audits by third party assessment organizations will not be applied to classified systems or environments. The Defense Counterintelligence and Security Agency (DCSA) will include CMMC assessments as part of their holistic security rating score.
ABCI Consultants provide cyber security guidance, implementation and personnel training services, which focus on Information Security Management Systems (ISO 27001) and regulatory compliance (NIST 800-171).
DFARS 252.204-7012 & NIST 800-171 Foundations Course

- CUI supports federal missions and business functions that affect the economic and national security interests of the United States.
- Non-federal organizations such as colleges and universities, state, local and tribal governments, and federal contractors and subcontractors often process, store, or transmit CUI.
NIST Special Publication 800-171 defines the security requirements for protecting CUI in non-federal information systems and organizations.
- Requirements are organized into fourteen families.
- Each family contains the requirements related to the general security topic of the family.
- In addition, the Contractor shall include the clause in subcontracts for which performance will involve Covered Defense Information (CDI) or Operationally Critical Support (OCS).
- CDI is used to describe information that requires protection under DFARS Clause 252.204-7012.
- It is defined as unclassified Controlled Technical Information (CTI) or other information as described in the CUI Registry (http://www.archives.gov/cui/registry/category-list.html).
- CTI and CUI require safeguarding/dissemination controls and are either marked or otherwise identified in the contract and provided to the contractor by DoD in support of performance of the contract;
- or the CDI is collected, developed, received, transmitted, used or stored by the contractor in performance of the contract.
ABCI Expands Supply Chain Quality Management Services
Third-party Auditing Services for GMP in Manufacturing Cosmetics, FDA OTD and Plastic Food Packaging
ABCI Consultants offers a comprehensive range of capabilities to assist an organization with assessing, managing, and improving its suppliers, including contract manufacturers.
ABCI can assist with the improvement of your suppliers through a variety of assessment programs that include onsite auditing and evaluation of a supplier’s management systems. We specialize in Good Manufacturing Practices (cGMP) and Quality Management Systems in manufacturing Cosmetics, FDA OTD and Plastic Food Packaging compared to international standards, which may include:
- ISO 9001:2015 Standard for Quality Management Systems
- ISO 22000 Standard for Food Safety & Quality Management Systems
- FSSC – GMP for Food Safety Systems Certification for Food Packaging (Plastics)
- ISO 22716 Cosmetics Good Manufacturing Practices (GMP)
One of the primary objectives of an onsite third-party audit is to verify that your contract manufacturer or supplier organization is conforming to the applicable standard and to its own documented methods/processes, and that its systems are ultimately effective in meeting its customers’ requirements.
ABCI compliance audit, internal audit and other third-party auditing services include the following international standards:
- Aerospace Quality Management Systems – AS9100
- Automotive Quality Management Systems – IATF 16949
- Environmental Management – ISO 14001
- Laboratory Quality Management Systems – ISO 17025
- Medical Device Quality Management Systems – ISO 13485
Quote and Contract Review Requirements in ISO Based Quality Management System
In ISO 9001:2015 there are specific requirements for Operational Planning and Control of processes. These control processes must be implemented with methods that can effectively meet the requirements for the provision of products and services, and to implement the actions that can mitigate risk and improve opportunities.
Effective with QMSCAPA software v1.51.3, a journal was added for recording the review process for verifying customer requirements for products and services.
The diagram (not reproduced here) shows the data relationships: a Customer has Opportunities (quotes, contracts, purchase orders), and each Opportunity has Items (labor, material, outsourced services, requirements), with each level linked back to its parent.
Clause 8.1 states, “the planning should include methods for
- determining the customer requirements for the products and services;
- establishing criteria for the processes and the acceptance of products and services;
- determining the resources needed to achieve conformity to the product and service requirements;
- implementing control of the processes in accordance with the criteria;
- determining, maintaining and retaining documented information to the extent necessary to have confidence that the processes have been carried out as planned;
- to demonstrate the conformity of products and services to their requirements.”
Clause 8.2.2 is titled, “Determining the requirements for products and services”.
Also, “when determining the requirements for the products and services to be offered to customers, the organization SHALL ensure that:
a) the requirements for the products and services are defined, including:
- any applicable statutory and regulatory requirements;
- those considered necessary by the organization;
b) the organization can meet the claims for the products and services it offers.”
Clause 8.2.3 describes the review of the requirements for products and services,
“8.2.3.1 The organization SHALL ensure that it has the ability to meet the requirements for products and services to be offered to customers. The organization SHALL conduct a review before committing to supply products and services to a customer, to include:
a) requirements specified by the customer, including the requirements for delivery and post-delivery activities;
b) requirements not stated by the customer, but necessary for the specified or intended use, when known;
c) requirements specified by the organization;
d) statutory and regulatory requirements applicable to the products and services;
e) contract or order requirements differing from those previously expressed.”
QMSCAPA includes data fields for recording
a. Quote date
b. Quote review date
c. Purchase Order date
d. PO verification date
e. Customer due date
f. Scheduled date
g. Completion date
h. Shipping date
QMSCAPA fulfills the requirements noted in Clause 8.2.3.2, “the organization SHALL retain documented information, as applicable:
a) on the results of the review;
b) on any new requirements for the products and services.”
Report on Lightweight Cryptography

NIST recently announced the release of NISTIR 8114, Report on Lightweight Cryptography.
Link to the NISTIR 8114 document (PDF format) from the NIST Library website:
http://nvlpubs.nist.gov/
Link to NISTIR 8114 located on the CSRC NISTIR page:
http://csrc.nist.gov/
This report provides an overview of lightweight cryptography, summarizes the findings of NIST’s lightweight cryptography project, and outlines NIST’s plans for the standardization of lightweight algorithms.
Announcement by:
NIST Computer Security Division (Attn: Pat O’Reilly)
ISO 27001 Lead Implementer Training Seminar scheduled for the Los Angeles area

Training Seminar providing how-to guidance for the implementation and management of an Information Security Management System (ISMS) based on ISO/IEC 27001
4 1/2 days from May 29th through June 2nd
NIST 800-171 Foundation Training offered on June 2nd from 1 pm to 4 pm
Summary
This five-day intensive course enables participants to develop the necessary expertise to support an organization in implementing and managing an Information Security Management System (ISMS) based on ISO/IEC 27001:2013. Participants will also gain a thorough understanding of best practices used to implement information security controls from all areas of ISO/IEC 27002. This training is consistent with the project management practices established in ISO 10006 (Quality Management Systems – Guidelines for Quality Management in Projects). This training is also fully compatible with ISO/IEC 27003 (Guidelines for the Implementation of ISMS), ISO/IEC 27004 (Measurement of Information Security) and ISO/IEC 27005 (Risk Management in Information Security).
Who should attend?
- Project managers or consultants wanting to prepare and to support an organization in the implementation of an Information Security Management System (ISMS)
- ISO/IEC 27001 auditors who wish to fully understand the Information Security Management System implementation process
- CxO and Senior Managers responsible for the IT governance of an enterprise and the management of its risks
- Members of an information security team
- Expert advisors in information technology
- Technical experts wanting to prepare for an information security function or for an ISMS project management function
Learning objectives
- To understand the implementation of an Information Security Management System in accordance with ISO/IEC 27001
- To gain a comprehensive understanding of the concepts, approaches, standards, methods and techniques required for the effective management of an Information Security Management System
- To understand the relationship between the components of an Information Security Management System, including risk management, controls and compliance with the requirements of different stakeholders of the organization
- To acquire the necessary expertise to support an organization in implementing, managing and maintaining an ISMS as specified in ISO/IEC 27001
- To acquire the necessary expertise to manage a team implementing ISO/IEC 27001
- To develop the knowledge and skills required to advise organizations on best practices in the management of information security
- To improve the capacity for analysis and decision making in the context of information security management
Course Agenda
Day 1: Introduction to Information Security Management System (ISMS) concepts as required by ISO/IEC 27001; Initiating an ISMS
- Introduction to management systems and the process approach
- Presentation of the standards ISO/IEC 27001, ISO 27002 and ISO 27003 and regulatory framework
- Fundamental principles of Information Security
- Preliminary analysis and establishment of the maturity level of an existing information security management system based on ISO 21827
- Writing a business case and a project plan for the implementation of an ISMS
Day 2: Planning the implementation of ISMS based on ISO/IEC 27001
- Defining the scope of an ISMS
- Development of an ISMS and information security policies
- Selection of the approach and methodology for risk assessment
- Risk management: identification, analysis and treatment of risk (drawing on guidance from ISO/IEC 27005)
- Drafting the Statement of Applicability
Day 3: Implementing ISMS based on ISO/IEC 27001
- Implementation of a document management framework
- Design of controls and writing procedures
- Implementation of controls
- Development of a training & awareness program and communicating about information security
- Incident management (based on guidance from ISO 27035)
- Operations management of an ISMS
Day 4: Controlling, monitoring, measuring and improving an ISMS; certification audit of the ISMS
- Controlling and Monitoring the ISMS
- Development of metrics, performance indicators and dashboards in accordance with ISO 27004
- ISO/IEC 27001 internal audit
- Management review of an ISMS
- Implementation of a continual improvement program
- Preparing for an ISO/IEC 27001 certification audit
Day 5: Certification Exam
Prerequisites
ISO/IEC 27001 Foundation Certification or a basic knowledge of ISO/IEC 27001 is recommended.
Educational approach
This training is based on both theory and practice:
- Sessions of lectures illustrated with examples based on real cases
- Practical exercises based on a full case study including role playings and oral presentations
- Review exercises to assist the exam preparation
- Practice test similar to the certification exam
Examination and Certification
- The “PECB Certified ISO/IEC 27001 Lead Implementer” exam fully meets the requirements of the PECB Examination and Certification Programme (ECP). The exam covers the following competence domains:
- Domain 1: Fundamental principles and concepts of information security
- Domain 2: Information security control best practice based on ISO 27002
- Domain 3: Planning an ISMS based on ISO/IEC 27001
- Domain 4: Implementing an ISMS based on ISO/IEC 27001
- Domain 5: Performance evaluation, monitoring and measurement of an ISMS based on ISO/IEC 27001
- Domain 6: Continual improvement of an ISMS based on ISO/IEC 27001
- Domain 7: Preparing for an ISMS certification audit
- The “PECB Certified ISO/IEC 27001 Lead Implementer” exam is available in different languages (the complete list of languages can be found in the examination application form)
- Duration: 3 hours
- For more information, refer to the section on ISO/IEC 27001 Lead Implementer Exam
- After successfully completing the exam, participants can apply for the credentials of PECB Certified ISO/IEC 27001 Provisional Implementer, PECB Certified ISO/IEC 27001 Implementer or PECB Certified ISO/IEC 27001 Lead Implementer, depending on their level of experience
- A certificate will be issued to participants who successfully pass the exam and comply with all the other requirements related to the selected credential
- For more information about PECB Certified ISO/IEC 27001 certifications and the PECB certification process, refer to the section on ISO/IEC 27001 Lead Implementer
General Information
- Certification fees are included in the exam price
- A student manual containing over 450 pages of information and practical examples will be distributed to participants
- A participation certificate of 31 CPD (Continuing Professional Development) credits will be issued to participants
- In case of failure of the exam, participants are allowed to retake the exam for free under certain conditions
Location:
Holiday Inn Express
14299 Firestone Blvd
La Mirada, CA 90638
Fee: $2,750.00
Note: 50% is due with your enrollment invoice and 50% is due on or before May 26, 2017.
ISO 27001 ISMS for Controlled Unclassified Information (CUI)

Information Security Management for Controlled Unclassified Information (CUI)
Controlled Unclassified Information (CUI) supports federal missions and business functions that affect the economic and national security interests of the United States. Non-federal organizations (e.g. colleges, universities, state, local and tribal governments, federal contractors and subcontractors) often process, store, or transmit CUI.
Executive Order 13556, as issued November 10, 2010, designated the National Archives and Records Administration (NARA) as the Executive Agent to implement the CUI program. NIST Special Publication 800-171 defines the security requirements for protecting CUI in non-federal information systems and organizations.
Security Requirements for Protecting the Confidentiality of CUI
NIST Special Publication 800-171 contains fourteen families of security requirements (including basic and derived requirements) for protecting the confidentiality of CUI in nonfederal information systems and organizations.
The security controls from NIST Special Publication 800-53 associated with the basic and derived requirements are also listed in Appendix D. Organizations can use Special Publication 800-53 to obtain additional, non-prescriptive information related to the CUI security requirements (e.g., supplemental guidance related to each of the referenced security controls, mapping tables to ISO/IEC 27001 Information Security Management System (ISMS) Annex A (security objectives and controls), and a catalog of optional controls that can be used to help specify additional CUI requirements if needed).
The security requirements identified in 800-171 are intended to be applied to the non-federal organization’s general-purpose internal information systems that are processing, storing, or transmitting CUI. Some specialized systems such as medical devices, Computer Numerical Control (CNC) machines, or industrial control systems may have restrictions or limitations on the application of certain CUI requirements and may be granted waivers or exemptions from the requirements by the federal agency providing oversight.
NIST 800-171 REQUIREMENTS
1 ACCESS CONTROL
Basic Security Requirements:
1.1 Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).
1.2 Limit information system access to the types of transactions and functions that authorized users are permitted to execute.
Derived Security Requirements:
1.3 Control the flow of CUI in accordance with approved authorizations.
1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
1.6 Use non-privileged accounts or roles when accessing nonsecurity functions.
1.7 Prevent non-privileged users from executing privileged functions and audit the execution of such functions.
1.8 Limit unsuccessful logon attempts.
1.9 Provide privacy and security notices consistent with applicable CUI rules.
1.10 Use session lock with pattern-hiding displays to prevent access/viewing of data after period of inactivity.
1.11 Terminate (automatically) a user session after a defined condition.
1.12 Monitor and control remote access sessions.
1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
1.14 Route remote access via managed access control points.
1.15 Authorize remote execution of privileged commands and remote access to security-relevant information.
1.16 Authorize wireless access prior to allowing such connections.
1.17 Protect wireless access using authentication and encryption.
1.18 Control connection of mobile devices.
1.19 Encrypt CUI on mobile devices.
1.20 Verify and control/limit connections to and use of external information systems.
1.21 Limit use of organizational portable storage devices on external information systems.
1.22 Control information posted or processed on publicly accessible information systems.
2 AWARENESS AND TRAINING
Basic Security Requirements:
2.1 Ensure that managers, systems administrators, and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of organizational information systems.
2.2 Ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
Derived Security Requirements:
2.3 Provide security awareness training on recognizing and reporting potential indicators of insider threat.
3 AUDIT AND ACCOUNTABILITY
Basic Security Requirements:
3.1 Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
3.2 Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
Derived Security Requirements:
3.3 Review and update audited events.
3.4 Alert in the event of an audit process failure.
3.5 Correlate audit review, analysis, and reporting processes for investigation and response to indications of inappropriate, suspicious, or unusual activity.
3.6 Provide audit reduction and report generation to support on-demand analysis and reporting.
3.7 Provide an information system capability that compares and synchronizes internal system clocks with an authoritative source to generate time stamps for audit records.
3.8 Protect audit information and audit tools from unauthorized access, modification, and deletion.
3.9 Limit management of audit functionality to a subset of privileged users.
4 CONFIGURATION MANAGEMENT
Basic Security Requirements:
4.1 Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
4.2 Establish and enforce security configuration settings for information technology products employed in organizational information systems.
Derived Security Requirements:
4.3 Track, review, approve/disapprove, and audit changes to information systems.
4.4 Analyze the security impact of changes prior to implementation.
4.5 Define, document, approve, and enforce physical and logical access restrictions associated with changes to the information system.
4.6 Employ the principle of least functionality by configuring the information system to provide only essential capabilities.
4.7 Restrict, disable, and prevent the use of nonessential programs, functions, ports, protocols, and services.
4.8 Apply deny-by-exception (blacklist) policy to prevent the use of unauthorized software or deny-all, permit-by-exception (whitelisting) policy to allow the execution of authorized software.
4.9 Control and monitor user-installed software.
5 IDENTIFICATION AND AUTHENTICATION
Basic Security Requirements:
5.1 Identify information system users, processes acting on behalf of users, or devices.
5.2 Authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
Derived Security Requirements:
5.3 Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts.
5.4 Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts.
5.5 Prevent reuse of identifiers for a defined period.
5.6 Disable identifiers after a defined period of inactivity.
5.7 Enforce a minimum password complexity and change of characters when new passwords are created.
5.8 Prohibit password reuse for a specified number of generations.
5.9 Allow temporary password use for system logons with an immediate change to a permanent password.
5.10 Store and transmit only encrypted representation of passwords.
5.11 Obscure feedback of authentication information.
6 INCIDENT RESPONSE
Basic Security Requirements:
6.1 Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
6.2 Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.
Derived Security Requirements:
6.3 Test the organizational incident response capability.
7 MAINTENANCE
Basic Security Requirements:
7.1 Perform maintenance on organizational information systems.
7.2 Provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
Derived Security Requirements:
7.3 Ensure equipment removed for off-site maintenance is sanitized of any CUI.
7.4 Check media containing diagnostic and test programs for malicious code before the media are used in the information system.
7.5 Require multifactor authentication to establish nonlocal maintenance sessions via external network connections and terminate such connections when nonlocal maintenance is complete.
7.6 Supervise the maintenance activities of maintenance personnel without required access authorization.
8 MEDIA PROTECTION
Basic Security Requirements:
8.1 Protect (i.e., physically control and securely store) information system media containing CUI, both paper and digital.
8.2 Limit access to CUI on information system media to authorized users.
8.3 Sanitize or destroy information system media containing CUI before disposal or release for reuse.
Derived Security Requirements:
8.4 Mark media with necessary CUI markings and distribution limitations.
8.5 Control access to media containing CUI and maintain accountability for media during transport outside of controlled areas.
8.6 Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.
8.7 Control the use of removable media on information system components.
8.8 Prohibit the use of portable storage devices when such devices have no identifiable owner.
8.9 Protect the confidentiality of backup CUI at storage locations.
9 PERSONNEL SECURITY
Basic Security Requirements:
9.1 Screen individuals prior to authorizing access to information systems containing CUI.
9.2 Ensure that CUI and information systems containing CUI are protected during and after personnel actions such as terminations and transfers.
Derived Security Requirements: None.
10 PHYSICAL PROTECTION
Basic Security Requirements:
10.1 Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
10.2 Protect and monitor the physical facility and support infrastructure for those information systems.
Derived Security Requirements:
10.3 Escort visitors and monitor visitor activity.
10.4 Maintain audit logs of physical access.
10.5 Control and manage physical access devices.
10.6 Enforce safeguarding measures for CUI at alternate work sites (e.g., telework sites).
11 RISK ASSESSMENT
Basic Security Requirements:
11.1 Periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of CUI.
Derived Security Requirements:
11.2 Scan for vulnerabilities in the information system and applications periodically and when new vulnerabilities affecting the system are identified.
11.3 Remediate vulnerabilities in accordance with assessments of risk.
12 SECURITY ASSESSMENT
Basic Security Requirements:
12.1 Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application.
12.2 Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems.
12.3 Monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
Derived Security Requirements: None.
13 SYSTEM AND COMMUNICATIONS PROTECTION
Basic Security Requirements:
13.1 Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
13.2 Employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.
Derived Security Requirements:
13.3 Separate user functionality from information system management functionality.
13.4 Prevent unauthorized and unintended information transfer via shared system resources.
13.5 Implement subnetworks for publicly accessible system components that are physically or logically separated from internal networks.
13.6 Deny network communications traffic by default and allow network communications traffic by exception (i.e., deny all, permit by exception).
13.7 Prevent remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks.
13.8 Implement cryptographic mechanisms to prevent unauthorized disclosure of CUI during transmission unless otherwise protected by alternative physical safeguards.
13.9 Terminate network connections associated with communications sessions at the end of the sessions or after a defined period of inactivity.
13.10 Establish and manage cryptographic keys for cryptography employed in the information system.
13.11 Employ FIPS-validated cryptography when used to protect the confidentiality of CUI.
13.12 Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device.
13.13 Control and monitor the use of mobile code.
13.14 Control and monitor the use of Voice over Internet Protocol (VoIP) technologies.
13.15 Protect the authenticity of communications sessions.
13.16 Protect the confidentiality of CUI at rest.
14 SYSTEM AND INFORMATION INTEGRITY
Basic Security Requirements:
14.1 Identify, report, and correct information and information system flaws in a timely manner.
14.2 Provide protection from malicious code at appropriate locations within organizational information systems.
14.3 Monitor information system security alerts and advisories and take appropriate actions in response.
Derived Security Requirements:
14.4 Update malicious code protection mechanisms when new releases are available.
14.5 Perform periodic scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
14.6 Monitor the information system including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks.
14.7 Identify unauthorized use of the information system.
| NIST 800-171 SECURITY FAMILIES (14 DERIVED FROM 800-53) | NIST 800-53 R4 SECURITY FAMILIES |
| --- | --- |
| Access Control | Access Control |
| Awareness and Training | Awareness and Training |
| Audit and Accountability | Audit and Accountability |
| Configuration Management | Configuration Management |
| (Not required by NIST 800-171) | Contingency Planning |
| Identification and Authentication | Identification and Authentication |
| Incident Response | Incident Response |
| Maintenance | Maintenance |
| Media Protection | Media Protection |
| Personnel Security | Personnel Security |
| Physical Protection | Physical Protection and Environmental Protection |
| (Not required by NIST 800-171) | Planning |
| (Not required by NIST 800-171) | Program Management |
| Risk Assessment | Risk Assessment |
| Security Assessment | Security Assessment and Authorization |
| System and Communications Protection | System and Communications Protection |
| System and Information Integrity | System and Information Integrity |
| (Not required by NIST 800-171) | System and Services Acquisition |
The CUI security requirements were developed, and federal agencies work with nonfederal entities, under the following assumptions:
- Nonfederal organizations have information technology infrastructures in place, and are not necessarily developing or acquiring information systems specifically for the purpose of processing, storing, or transmitting CUI;
- Nonfederal organizations have specific safeguarding measures in place to protect their information which may also be sufficient to satisfy the CUI security requirements;
- Nonfederal organizations can implement a variety of potential security solutions either directly or through the use of managed services, to satisfy CUI security requirements; and
- Nonfederal organizations may not have the necessary organizational structure or resources to satisfy every CUI security requirement and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a particular requirement.
We have a program to assist suppliers to the Federal Government with meeting the requirements for compliance with Executive Order 13556 and NIST 800-171.
Our professional services include assisting with:
- Initial Risk Assessments for Controlled Unclassified Information (CUI)
- Preparation of a CUI Security Plan and Statement of Applicability
- Preparation of Policies, Procedures and Control Objectives
- Personnel Awareness Training
- Auditing for Compliance to NIST 800-171 and ISO 27001