COVID-19 – SSP Exception Form

Due to the impact of COVID-19, PIs and researchers may be working on projects differently than they normally would. This includes projects that require SSPs.

To assist, we have compiled best practices for working remotely and meeting the controls of NIST 800-171 during this period. The guidance below is intended to ensure employees handle GT-owned and personally owned devices and information safely when working remotely on projects that carry the DFARS 7012 clause.

Exception Form

We understand that you may be using computers not listed in the SSP to perform remote work for projects requiring an SSP. Please remember that if the machine is not listed in the original SSP, it is not approved to download, save, or process any project data locally on that machine without an Exception Form on file.

SSP Remote Exception Form
SSP Remote Exception Form Template

The SSP Exception Form temporarily allows the use of GT-owned and personal devices to maintain research continuity while campus responds to COVID-19. Any project data stored, processed, or transmitted on a temporarily allowed device must be removed from it, and the PI will need to sign a destruction attestation form once campus returns to normal operation.

Disclaimer: We understand that under certain circumstances you may be using computers not listed in the SSP to perform remote work. Please remember that if the machine is not listed in the original SSP, it is not approved to download, save, or process any project data locally. This document serves to allow out-of-scope machines to remotely connect to the in-scope machines accounted for in the SSP.

Scenarios

The instructions below are to account for the following scenarios:

  • Researchers might store, process, or transmit CUI on their personal machines
    • This practice is not generally advised, but the general guidance for it is:
      • Lock your screen whenever you step away from the machine, lock the physical doors to the work area, and encrypt your hard drive
      • Keep the machine up to date with software patches
      • Install anti-malware software
    • You must be the only user of the personal machine if you are performing research on it from home.
    • If researchers download CUI to their personal laptops/desktops, they must sign a destruction form when campus is back to normal to confirm the data has been deleted.
  • Researchers may use a machine not listed on their SSP to remote into a machine that is listed on the SSP for their project.
    • This option requires GT VPN with 2FA to be compliant.
  • Researchers may use Office 365 or Box for storing, processing, and sharing data for their project.
    • Researchers must ensure that permissions on files/folders in the applicable cloud applications are set to allow only those people who have access to project data per the SSP.
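The cloud-permissions requirement above is easiest to meet with a periodic reconciliation: pull the folder's collaborator list and link settings and compare them against the personnel named in the SSP. The script below is an added example (not Georgia Tech's code and not part of the original page); it runs entirely on constructed data whose field names (login, role, shared_link access) are modelled loosely on what a Box folder listing returns, and both the roster and the folder contents are hypothetical. It flags collaborators missing from the SSP roster, distinguishes external accounts from internal ones, and flags any shared link broader than "collaborators only" on the folder or on items inside it.

```python
"""Reconcile cloud folder sharing against the SSP access roster.

Added example built on constructed data; the roster, folder and field
names are assumptions modelled loosely on a Box folder listing, not a
call to the real service.
"""
from typing import NamedTuple


class Finding(NamedTuple):
    kind: str      # "unauthorized", "external" or "shared-link"
    item: str      # folder or file the finding applies to
    subject: str   # collaborator login or link access level
    detail: str    # collaborator role, if any


# Constructed SSP roster: logins of people authorized for the project's CUI.
SSP_ROSTER = {"pi@gatech.edu", "student1@gatech.edu"}

# Constructed folder listing (hypothetical names and accounts).
FOLDER = {
    "name": "Project-CUI",
    "collaborations": [
        {"login": "pi@gatech.edu", "role": "co-owner"},
        {"login": "Student1@gatech.edu", "role": "editor"},
        {"login": "former.member@gatech.edu", "role": "viewer"},
        {"login": "vendor@example.com", "role": "editor"},
    ],
    "shared_link": {"access": "open"},  # anyone holding the URL can read
    "items": [
        {"name": "plan.docx", "shared_link": None},
        {"name": "data.csv", "shared_link": {"access": "company"}},
    ],
}

# Link settings that still restrict access to named collaborators.
ALLOWED_LINK_ACCESS = {None, "collaborators"}


def _link_finding(name, link):
    """Return a Finding if a shared link is broader than collaborators-only."""
    if link and link.get("access") not in ALLOWED_LINK_ACCESS:
        return Finding("shared-link", name, link["access"], "")
    return None


def audit_folder(folder, roster, home_domain="gatech.edu"):
    """Compare folder sharing with the SSP roster; return a list of Findings."""
    authorized = {login.lower() for login in roster}
    findings = []

    for collab in folder.get("collaborations", []):
        login = collab["login"].lower()          # logins compare case-insensitively
        if login in authorized:
            continue
        kind = "unauthorized" if login.endswith("@" + home_domain) else "external"
        findings.append(Finding(kind, folder["name"], login, collab["role"]))

    # Shared links on the folder itself and on each item inside it.
    top = _link_finding(folder["name"], folder.get("shared_link"))
    if top:
        findings.append(top)
    for item in folder.get("items", []):
        f = _link_finding(item["name"], item.get("shared_link"))
        if f:
            findings.append(f)
    return findings


if __name__ == "__main__":
    for f in audit_folder(FOLDER, SSP_ROSTER):
        print(f"{f.kind:<12} {f.item:<12} {f.subject} {f.detail}".rstrip())
```

In practice the collaborator list and link settings come from the service's administration console or API, and the roster comes from the SSP's personnel section; every "unauthorized" or "external" line is a share to remove, and every "shared-link" line is a link to restrict to collaborators or disable.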

Solutions that meet or exceed the controls are acceptable

Use of GT VPN

We strongly recommend the use of GT VPN to help you meet the following controls while you are remote. Always connect to the VPN before reaching internal resources from off campus so that the session is encrypted and routed through a managed access point.

For information on how to use the Georgia Tech VPN, please click here.

NIST 800-171 Control Number | Control Text | Standard Solution
3.1.12 | Monitor and control remote access sessions. | GT VPN
3.1.13 | Employ cryptographic mechanisms to protect the confidentiality of remote access sessions. | GT VPN
3.1.14 | Route remote access via managed access control points. | GT VPN
3.5.3 | Use multifactor authentication for local and network access to privileged accounts and for network access to non-privileged accounts. | GT 2FA; LastPass; Thycotic Secret Server
3.5.4 | Employ replay-resistant authentication mechanisms for network access to privileged and non-privileged accounts. | GT 2FA
3.13.7 | Prevent remote devices from simultaneously establishing non-remote connections with the information system and communicating via some other connection to resources in external networks. | GT VPN

Privileged Remote Access

Be sure to account for anyone who has privileged access remotely. Generally this is covered in your SSP by the list of personnel with access to in-scope systems.

NIST 800-171 Control Number | Control Text | Standard Solution
3.1.15 | Authorize remote execution of privileged commands and remote access to security-relevant information. | Central Endpoint Management

Collaborative Communication

While you are remote, communicate using GT-approved campus teleconferencing and collaboration services; these meet the following controls:

NIST 800-171 Control Number | Control Text | Standard Solution
3.13.12 | Prohibit remote activation of collaborative computing devices and provide indication of devices in use to users present at the device. | BlueJeans; Skype for Business; WebEx; Microsoft Teams
3.13.14 | Control and monitor the use of Voice over Internet Protocol (VoIP) technologies. | BlueJeans; Skype for Business; WebEx; Microsoft Teams

GT approved Collaborative Communication technologies include:

  • BlueJeans
  • WebEx
  • Microsoft Teams

For more information about what is available, please navigate to this page.


Media and Physical Protection

While you are working from home, we recommend the following to protect media from misuse or harm. Media containing CUI should be secured by one or more of the following:

  • Lock and Key
  • Cable Locks
  • Enable Encryption


NIST 800-171 Control Number | Control Text | Standard Solution
3.8.1 | Protect (i.e., physically control and securely store) information system media containing sensitive data, both paper and digital. | Cable lock; Door Keys; Encryption
3.8.2 | Limit access to sensitive data on information system media to authorized users. | Central Endpoint Management; SSP Document
3.8.5 | Control access to media containing sensitive data and maintain accountability for media during transport outside of controlled areas. | CUI is encrypted during transport
3.8.6 | Implement cryptographic mechanisms to protect the confidentiality of sensitive data stored on digital media during transport unless otherwise protected by alternative physical safeguards. | Cable lock; Door Keys; Encryption
3.8.7 | Control the use of removable media on information system components. | Either no removable media devices are used or only labeled removable media devices are used
3.8.8 | Prohibit the use of portable storage devices when such devices have no identifiable owner. | Either no portable storage devices are used or only labeled storage devices are used
3.8.9 | Protect the confidentiality of backup sensitive data at storage locations. | Dropbox; Office 365; Box
3.10.1 | Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals. | Cable lock; Door Keys; Encryption
3.10.2 | Protect and monitor the physical facility and support infrastructure for those information systems. | Cable lock; Door Keys; Encryption
3.10.5 | Control and manage physical access devices. | Cable lock; Door Keys; Encryption
3.10.6 | Enforce safeguarding measures for sensitive data at alternate work sites (e.g., telework sites). | Cable lock; Door Keys; Encryption