3 Common Questions Regarding the Handling of CUI: Part 2
In Part 1 of this three-part series, we reviewed the primary federal regulations covering Controlled Unclassified Information (CUI). Today, we’re discussing how companies can achieve compliance with one-stop shopping with the RegDOX Data Room System.
Question 2: How does the RegDOX Data Room System enable compliance?
RegDOX’s secure document and file collaboration solution provides the platform and the tools needed to keep CUI safe, especially encryption and enforcement of least-privilege access. It also meets the regulatory expectations that the use of CUI be recorded, tracked, and subject to alerts.
This robust ability of the RegDOX® system to achieve compliance is apparent from a comparison of the SPs 800-171/172 controls with the features and functions of the RegDOX system. Given the recent introduction of SP 800-172, a comprehensive concordance document has been made available by RegDOX, but here is a quick review of some of the most important compliance-enabling attributes of the RegDOX system.
Encryption is the process of transforming information so that it is unreadable to anyone who intercepts it without the key needed to decrypt it.
Currently, the US government recognizes the Advanced Encryption Standard (AES) as a FIPS 140-compliant encryption method. All data coming into and out of RegDOX is transmitted and stored encrypted, using AES with 256-bit keys (AES-256).
End-to-End Encryption
This term refers to the ‘terminating points’ of a communication. Usually, these are a user’s web browser at one end and a server of web pages and data at the other. The two ends establish the connection by exchanging certificate information, agreeing on a key, and then exchanging the data. This works similarly to a Virtual Private Network (VPN), which creates a “tunnel” that keeps all communications confidential. For RegDOX users, the RegDOX system is at one end of this tunnel, and the user is at the other.
SSL/TLS Communications Protection
Historically, the SSL (Secure Sockets Layer) protocol secured web transactions by encrypting traffic between a user (through the web browser) and a web server. While still found in use, SSL has fallen out of favor because of known weaknesses and is being replaced by the more secure TLS (Transport Layer Security) protocol. TLS performs a ‘handshake’ between sender and recipient that verifies identity through a certificate issued by a trusted third party (a certificate authority), and then encrypts the messages, allowing the parties to communicate securely.
The RegDOX system utilizes this more advanced protocol.
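The following is an added example, not RegDOX code, showing what "allowing access only through a TLS connection" looks like from the client side: a policy that refuses the legacy SSL and early-TLS versions the text says are being replaced, and insists that the server prove its identity with a certificate chaining to a trusted certificate authority. The function names (make_strict_client_context, policy_findings, weak_client_context) are this example's own.

```python
import ssl

# Added example (not RegDOX code): a client-side TLS policy that refuses the
# legacy SSL and early-TLS versions and insists on server certificate
# verification. The function names below are this example's own.

def make_strict_client_context() -> ssl.SSLContext:
    """Build a context that only negotiates TLS 1.2+ with a verified server."""
    ctx = ssl.create_default_context()            # loads the system CA trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # SSLv3, TLS 1.0 and 1.1 are refused
    ctx.verify_mode = ssl.CERT_REQUIRED           # server must present a valid chain
    ctx.check_hostname = True                     # and its name must match the cert
    return ctx

def policy_findings(ctx: ssl.SSLContext) -> list:
    """List the ways a context falls short of the policy, for a config review."""
    findings = []
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("legacy SSL/TLS versions permitted")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against certificate")
    return findings

def weak_client_context() -> ssl.SSLContext:
    """A context that skips verification, as a misconfigured client might."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False   # must be cleared before verify_mode can be CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

if __name__ == "__main__":
    print("strict:", policy_findings(make_strict_client_context()))
    print("weak:  ", policy_findings(weak_client_context()))
```

On a live connection, `sock.version()` on the resulting `SSLSocket` reports the negotiated protocol, which is the value a reviewer would record as evidence that the server side also refuses legacy versions.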
In addition to allowing access only through a TLS connection, the RegDOX system allows clients to restrict access to a single IP address or a range of IP addresses. This optional feature ensures that CUI is only accessible or exchangeable with previously approved partners at those addresses. These access control restrictions can further help RegDOX customers implement export restrictions, DFARS controls, and company confidentiality requirements.
In addition to persistent encryption and IP address restriction capabilities, the RegDOX system includes features that allow its customers to impose other valuable access controls. These include blocking API access, prohibiting screen and document printing, disallowing the saving of files to local devices, and preventing recipients from redirecting access to files to secondary recipients. All of these features and others provide additional levels of security and enable regulatory compliance.
RegDOX account access is granted only through secure authentication methods: individual user accounts are protected with unique username and password combinations, certificates, SSO/SAML, or other secure authentication technologies. By default, RegDOX requires multi-factor authentication through email or soft tokens, a further step in limiting access to authorized people only and a specific implementation of the requirements of the ITAR, SP 800-171, and now SP 800-172.
As background functionality, all files are scanned by anti-virus and anti-malware software that is installed and updated regularly within the RegDOX platform. Platform systems are reviewed to evaluate and implement security patches and updates so that the latest available security protections are in place at the application and network levels.
Using the RegDOX system, together with specific corporate access, training, and use policies and processes, and with the application’s ability to monitor users for compliance, implements the required SP 800-171 and 800-172 controls. Very importantly, these protections come without an enormous spend or the need to learn new, complex software.
Permissioning: Least Necessary Privilege
RegDOX enables its subscribers to implement the requirements of SPs 800-171 and 172, which mandate that access to CUI be limited to identified users and then only for as long as required. For example, if specific information is needed only at a specific point in time (rather than on an ongoing basis), and that access need not extend to an entire array of documents or files, RegDOX enables its corporate subscribers to impose exactly those restrictions. This capability rests on granular permissioning that can be applied at multiple levels: individual users or groups of users, documents or files, folders, and data rooms.
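The following is an added example, not RegDOX code, of the access model described in the IP-restriction paragraph above and in this section: a default-deny policy in which grants are scoped to a data room, a folder, or a single file, may name a user or a group, lapse at an expiry time, and are only honored for requests from an approved address range. The class and function names (Grant, AccessPolicy, build_sample_policy, evaluate_sample), the group, path and address values are all constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional, Set

# Added example (not RegDOX code): a minimal default-deny permission model with
# IP allowlisting and scoped, time-limited grants. All names are constructed.

@dataclass(frozen=True)
class Grant:
    principal: str                  # "alice" or "group:engineering"
    scope: str                      # "room-a", "room-a/specs", or a full file path
    actions: FrozenSet[str]         # e.g. frozenset({"view"})
    expires_at: Optional[datetime]  # None means standing access

def _covers(scope: str, path: str) -> bool:
    """A scope covers itself and everything beneath it, never sibling names."""
    return path == scope or path.startswith(scope + "/")

class AccessPolicy:
    def __init__(self, groups: Dict[str, Set[str]], allowed_networks: List[str]):
        self.groups = groups                                  # user -> group names
        self.allowed_networks = [ipaddress.ip_network(n) for n in allowed_networks]
        self.grants: List[Grant] = []

    def add_grant(self, grant: Grant) -> None:
        self.grants.append(grant)

    def _principals(self, user: str) -> Set[str]:
        return {user} | {f"group:{g}" for g in self.groups.get(user, set())}

    def is_allowed(self, user: str, path: str, action: str,
                   client_ip: str, now: datetime) -> bool:
        # The source-address restriction is evaluated first: an unapproved
        # address is refused no matter what grants the user holds.
        ip = ipaddress.ip_address(client_ip)
        if not any(ip in net for net in self.allowed_networks):
            return False
        principals = self._principals(user)
        for g in self.grants:
            if g.principal not in principals or action not in g.actions:
                continue
            if g.expires_at is not None and now >= g.expires_at:
                continue  # access has lapsed: "only so long as required"
            if _covers(g.scope, path):
                return True
        return False  # default deny: no matching, unexpired grant

def build_sample_policy(now: datetime) -> AccessPolicy:
    """Constructed scenario: one folder-wide group grant, one file-level user grant."""
    policy = AccessPolicy(groups={"alice": {"engineering"}},
                          allowed_networks=["203.0.113.0/24"])
    policy.add_grant(Grant("group:engineering", "room-a/specs",
                           frozenset({"view"}), now + timedelta(hours=1)))
    policy.add_grant(Grant("alice", "room-a/specs/drawing-07.pdf",
                           frozenset({"view", "download"}), now + timedelta(minutes=15)))
    return policy

def evaluate_sample(minutes_later: int = 0) -> Dict[str, bool]:
    """Decisions for a fixed set of constructed requests, `minutes_later` after grant time."""
    t0 = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
    policy = build_sample_policy(t0)
    now = t0 + timedelta(minutes=minutes_later)
    requests = {
        "alice views folder file":     ("alice", "room-a/specs/plan.pdf", "view", "203.0.113.10"),
        "alice downloads folder file": ("alice", "room-a/specs/plan.pdf", "download", "203.0.113.10"),
        "alice downloads her file":    ("alice", "room-a/specs/drawing-07.pdf", "download", "203.0.113.10"),
        "alice views other folder":    ("alice", "room-a/finance/budget.xlsx", "view", "203.0.113.10"),
        "alice from unapproved ip":    ("alice", "room-a/specs/plan.pdf", "view", "198.51.100.5"),
        "bob views folder file":       ("bob", "room-a/specs/plan.pdf", "view", "203.0.113.10"),
    }
    return {name: policy.is_allowed(*args, now) for name, args in requests.items()}

if __name__ == "__main__":
    for name, decision in evaluate_sample().items():
        print(f"{name}: {'allowed' if decision else 'denied'}")
```

Re-running `evaluate_sample(20)` shows the file-level download lapsing after its fifteen-minute window while the folder-wide view grant is still honored, which is the "only so long as required" behavior the section describes.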
Audit & Tracking: Preserving Evidence of Compliance
Underlying the goals of the DDTC in the ITAR, as well as the controls adopted by NIST in SPs 800-171/172, is the principle that compliant electronic document and file security must not only be achieved but also documented, with failures raising alerts. Essential to RegDOX earning the DDTC’s favorable opinion of compliance, and underlying each of the four existing patents and the new patent to be issued covering the RegDOX solution, is the persistent and un-editable tracking and recording of user actions within the solution and of actions affecting documents and files. This information remains available to RegDOX’s corporate subscribers through a robust series of on-demand reports and the ability to define conditions under which a subscriber’s administrators receive immediate alerts or periodic updates.
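The following is an added example, not RegDOX code, of the properties this section asks of an audit trail: records that cannot be edited or dropped without detection, and alert conditions evaluated over the same records. Each entry commits to the previous entry's SHA-256 digest, so any rewrite or deletion breaks the chain on verification. The class and function names (AuditLog, verify_chain, denied_access_alerts, demo) and the sample events are constructed for illustration.

```python
import hashlib
import json
from typing import Optional

# Added example (not RegDOX code): an append-only, hash-chained audit trail
# with tamper detection and a simple alert rule. Names and events are constructed.

GENESIS = "0" * 64

def _digest(entry: dict) -> str:
    """SHA-256 over the canonical JSON of an entry, excluding its own hash field."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class AuditLog:
    def __init__(self):
        self._entries = []

    def record(self, ts: str, actor: str, action: str, target: str, outcome: str) -> str:
        """Append one event; the entry links to the previous entry's hash."""
        prev = self._entries[-1]["hash"] if self._entries else GENESIS
        entry = {"seq": len(self._entries), "ts": ts, "actor": actor, "action": action,
                 "target": target, "outcome": outcome, "prev": prev}
        entry["hash"] = _digest(entry)
        self._entries.append(entry)
        return entry["hash"]

    def entries(self) -> list:
        """Copies only: callers cannot edit the stored records through this view."""
        return [dict(e) for e in self._entries]

def verify_chain(entries: list) -> Optional[int]:
    """Return None if the chain is intact, else the seq of the first bad entry."""
    prev = GENESIS
    for i, e in enumerate(entries):
        if e["seq"] != i or e["prev"] != prev or _digest(e) != e["hash"]:
            return i
        prev = e["hash"]
    return None

def denied_access_alerts(entries: list, threshold: int) -> list:
    """Actors with at least `threshold` denied actions: a typical alert condition."""
    counts = {}
    for e in entries:
        if e["outcome"] == "denied":
            counts[e["actor"]] = counts.get(e["actor"], 0) + 1
    return sorted(actor for actor, n in counts.items() if n >= threshold)

def demo() -> dict:
    """Constructed events, then an edit and a deletion that the chain exposes."""
    log = AuditLog()
    log.record("2024-03-01T09:00:00Z", "alice", "view", "room-a/specs/plan.pdf", "allowed")
    log.record("2024-03-01T09:02:10Z", "bob", "download", "room-a/specs/plan.pdf", "denied")
    log.record("2024-03-01T09:02:35Z", "bob", "download", "room-a/specs/plan.pdf", "denied")
    log.record("2024-03-01T09:03:01Z", "bob", "print", "room-a/specs/plan.pdf", "denied")
    intact = log.entries()
    tampered = log.entries()
    tampered[1]["outcome"] = "allowed"       # rewriting a past record
    deleted = intact[:1] + intact[2:]        # dropping a record
    return {
        "intact": verify_chain(intact),
        "tampered": verify_chain(tampered),
        "deleted": verify_chain(deleted),
        "alerts": denied_access_alerts(intact, 3),
    }

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

In practice the head hash (the last entry's digest) would be written to a separate, write-once location so that an administrator can confirm the log they are reviewing is the same one the system produced.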
From encryption to auditing through sophisticated permissioning controls, the RegDOX Data Room ensures every aspect of our system holds to the highest current standards. With the introduction of NIST SP 800-172, we continue to meet or exceed new security standards. The safety and security of CUI is your top priority and will always be RegDOX’s top priority.