As the IT world continues its migration to the cloud, many customers are faced with implementing security standards and controls, and there is often ambiguity around what those standards mean or how the controls apply to a particular use case and deployment. At Oracle, we are committed to helping our customers address the challenges of a constantly changing and complex regulatory environment. In this blog we focus on the National Institute of Standards and Technology (NIST) guidelines in NIST Special Publication (SP) 800-171, and we will follow up with a series explaining the applicability of other security standards, especially for commercial entities and government contractors that serve the US government. This post is intended for customers looking to migrate existing solutions to, or build new solutions on, Oracle Cloud in the US Government regions.

An Overview of NIST 800-171

In these dynamic times, the federal government relies more than ever on service providers to support business functions with information systems. Many government contractors in turn must process sensitive federal information in order to deliver those services (for example, cloud services). NIST SP 800-171 is designed to help protect this sensitive data when it resides on non-federal systems. NIST itself is a federal agency whose core competencies are measurement science, rigorous traceability, and the development and use of standards. The requirements in NIST SP 800-171 are a tailored subset of the existing security requirements for federal information systems: they are derived from the Federal Information Processing Standard (FIPS) 200 minimum security requirements and from the Security and Privacy Controls for Federal Information Systems and Organizations (NIST SP 800-53). The guidelines focus on protecting Controlled Unclassified Information (CUI) in non-federal information systems and organizations; the version discussed here is Revision 2, released in February 2020.

What is Controlled Unclassified Information (CUI) and what applies?

The National Archives and Records Administration (NARA) administers the CUI program under Executive Order 13556, which established the Controlled Unclassified Information (CUI) category. The program was put in place to address several weaknesses in how unclassified information was managed and protected, and to standardize the way the executive branch handles such information. Only information that requires safeguarding or dissemination controls pursuant to federal law, regulation, or government-wide policy may be designated as CUI. NARA lists these categories in the CUI Registry, an online repository of the information types that require controls and the laws and regulations that mandate them.

Oracle Government Cloud Compliance vs Customer Responsibility

Oracle Cloud for Government is FedRAMP-authorized and designed to support the cloud computing needs of US federal, state, and local public sector agencies, the US Department of Defense (DoD), and approved commercial entities. Because the FedRAMP baselines are built on the NIST SP 800-53 controls from which NIST SP 800-171's requirements are derived, the in-scope Oracle Government Cloud services meet or exceed the requirements of NIST SP 800-171, and customers inherit the controls that Oracle owns for those services. Oracle's cloud services span applications and infrastructure across SaaS, PaaS, and IaaS, making it easier for government agencies to modernize legacy mission systems securely, efficiently, and effectively. Customers can migrate their CUI workloads to Oracle Cloud for Government knowing that the Oracle Government Cloud offerings maintain compliance with US federal security requirements and continue to adapt as those requirements change.

Oracle customers can support their own FedRAMP and NIST risk analysis by using the audited controls documented in Third Party Assessment Organization (3PAO) reports. These reports play a critical role in the security assessment of a cloud service offering: they attest to the effectiveness of the controls Oracle has implemented in its in-scope cloud services. While some of your controls are inherited from Oracle, many are shared between you as the customer and Oracle, and some remain entirely yours (for example, the identity and access policies, network configuration, and encryption and logging settings you apply to CUI inside your tenancy). Public sector customers are responsible for ensuring that their CUI workloads comply with NIST SP 800-171 as well as with all other applicable laws and regulations. For more information about the compliant services we offer in our government cloud, see the list of Oracle's government cloud services to determine which apply to your use case.

It is the customer's responsibility to analyze their cloud strategy and determine the suitability of Oracle cloud services in light of their own regulatory compliance duties.

By meeting several compliance standards, including NIST SP 800-171, Oracle has continued to prove itself as a leading government cloud services provider. Oracle has resources and a dedicated team to help you complete your journey to the cloud and pursue your accreditation goals.

Want to know more?

For more information about NIST SP 800-171, see NIST's most recent publication here. For specific information about Oracle Cloud for Government, visit the Oracle Cloud Infrastructure US Government Cloud documentation here. You can also learn more about how Oracle Cloud Infrastructure for Government supports government contractors and service providers.

Let us help you find the right option for your use case on Oracle Cloud Infrastructure. You can choose either the Oracle Cloud Free Tier or a 30-day free trial in our commercial regions, which includes US$300 in credits to get you started with a range of services, including compute, storage, and networking. The Oracle Cloud Infrastructure regions dedicated to government consist of FedRAMP High authorized regions for federal and civilian agencies and Impact Level 5 (IL5) authorized regions for the Department of Defense (DoD). If you prefer Oracle Government Cloud, consult your Oracle sales representative about a proof of concept in the appropriate region.

About the co-authors:

Jerry Niemeyer is Director of Product Management, Oracle Cloud Infrastructure Public Sector. He has supported public sector customers and defense contractors for the last 20 years.

Yaisah Granillo is a Solution Architect in Product Management for Oracle Cloud Infrastructure Public Sector. She has supported Oracle's public sector customers and defense contractors since 2019, and has previous IT experience ranging from data analysis to ERP implementations.