If you’re a firm that works with foreign governments, in addition to certifications like ISO 27001 that you will generally need to achieve, you will also have to have processes in place for handling foreign government information or FGI. It’s not enough that your internal network is classified and access controlled; you need specific handling processes and procedures for managing FGI separately from other confidential or classified data you may have.

There are also specifics you will need to follow if you’re working with the federal government and are achieving an Authority to Operate under CMMC. Federal contractors are often tasked with handling both domestic confidential information and foreign government information, and there are specifics you need to meet in order to do so in a satisfactory manner.

Is it Difficult to Handle FGI?

Truthfully, not really.

If a business or government contractor wants to add the ability to handle FGI to their existing ATO or a new ATO, there aren’t really very many changes that need to be made over what you have to achieve to get the ATO in the first place. The security controls and their implementation are almost all the same, and only a small handful of them have different requirements.

That said, there are a few things you need to know, a couple of common problems to avoid, and a particular process you might find it better to follow instead.

• Understand the equivalence between FGI and domestic confidential information.
• Understand the storage requirements associated with FGI.
• Avoid the problem of downstream information requirements.

We’ll discuss these and more details besides, as we go. If you need to handle FGI and aren’t sure how to do it – or if you’re trying to decide if adding the ability to handle FGI would be a benefit to your business – read on for our answers to some of the more common questions and problems.

Understand Equivalency

The first thing you will need to do is understand the equivalency rules laid out in the CMMC framework and across various federal government regulations.

In general, any foreign government information you handle must be treated the same or better as the equivalent United States Confidential Classified National Security Information, or CNSI. CNSI is often labeled as restricted, designated, or under a specific label like Secret or Top Secret.

Foreign governments generally have their own classification systems. These systems may not line up directly with the US equivalents, so you need to take the next best tier of security. FGI can fall into two categories: FGI and FGI-MOD.

FGI is raw foreign government information. In cases where it has a security designation equivalent to a US security designation, it must be treated the same way. If the foreign government designation does not have a US equivalent, you need to identify whatever US standard covers all of the bases; if that means something a tier higher, that’s what you need to use.

FGI-MOD is FGI that has been authorized for modified handling. Typically, this means a reduction in security; as long as certain security baselines are met, the US standard may be less restrictive than a pure equivalent. This is used primarily in cases where a standard above CUI but below US Confidential should be used.

Establish Separate Storage

Even in cases where your entire business network adheres to a standard that enables it to be confidential or classified, foreign government information should not be mixed with non-FGI within your network. Users and the business as a whole need to store FGI In a separate folder and location, clearly labeled as containing FGI, and with the appropriate access control and other limitations, logging, and auditing to ensure that only those authorized to access it are able to do so.

As with most access control for confidential and above information, it should be restricted to a need-to-know basis and generally practice the principle of least access; every individual user and account should have only the minimum access necessary to do their jobs and no more. The less access there is, the less available the information is to accounts in the case of a compromise or breach, so the more protected it is.

Other than the requirement that you store FGI separately from non-FGI, there are no additional requirements beyond what is specified in the classification level of the information.

It’s worth mentioning that separate storage does not necessarily mean entirely different servers or even different drives. FGI can be stored in a different folder on the same drive as non-FGI; as long as the folder is clearly marked and access is strictly and properly controlled, it’s fine. More separation makes it easier to maintain that control, and in the event of a serious physical breach, it can make it harder to access, but it’s not strictly required.

Avoiding Downstream Requirements

One of the common problems seen in defense contractors and other government contractors handling FGI is passing that FGI onwards to other partners and contractors.

Your business may have a reason to have, handle, and process foreign government information as part of your operations. You may, in turn, need to pass on some of that information to a partner or supplier to assist with your operations.

The difficulty here arises from the fact that the partner or supplier you work with may be authorized to handle CNSI and domestic information but not FGI. If you hand them FGI, it’s likely a violation of their SCA, and can put both you and them in hot water.

There are two solutions to this scenario.

The first is to encourage the partner to add FGI compliance to their ATO. While they can choose to do this, it’s likely that they have no other reason to do so, and adding unnecessary compliance can make overall compliance more difficult for no real gain. This is also an added burden to working with you, which can disincentivize other potential partners.

A better option is to use an AFT process to remove the marking as necessary. When information has been created or media produced, and it has an FGI marking that may be unnecessary, an After the Fact process can review and remove the marking as necessary. An AFT can be used to remove the FGI marking from parts of the information you transfer, allowing your partners to access it without needing to be FGI-certified. Following this process allows you to work with partners more smoothly, worry about less information, and minimize the burden of unnecessary requirements.

The proliferation of marked information – especially when that information doesn’t particularly need to be marked – is a problem throughout industries. When businesses and contractors proliferate information that requires additional security adherence, like FGI, it can cause problems if people who aren’t supposed to have it are given it, especially when nothing about the information itself is actually protected; it’s just a byproduct of a greater portion of the information needing protection.

As with most compliance and information handling, the best option is to proactively work with regulators to make sure your information is processed and handled in an appropriate way, with all relevant controls and transfer protocols in place.

Are There Specific FGI Access Requirements?

A common question is whether or not FGI has specific access requirements that vary or differ from standard CNSI access controls. Fortunately, because of equivalency, there are no real differences in access control requirements between CNSI and FGI. Your users will need to have the relevant clearance level to access and handle the information, the same as they would for domestic confidential information.

Similarly, users looking to access FGI will need to demonstrate the reason why they need to know it to satisfy the appropriately-named need-to-know (NTK) requirements. Anyone who doesn’t need to know the classified information won’t be given access to it.

The difference is primarily in the training of users to handle FGI. Since FGI is separate from CNSI, there are always some small details that vary in terms of the handling, marking, and protecting of FGI, and who is responsible for what aspects of compliance.

Remember Appropriate Marking

A common problem with businesses that handle FGI comes up when burning media from the system. If you burn media for handling, transfer, or distribution, and your system contains FGI, do you mark the media as containing FGI?

There are a few answers to this question, but only one right answer.

A common answer is to mark it as FGI, as a “just in case” caveat. This way, if the information burned to media happens to contain FGI, it’s appropriately marked. This is, unfortunately, exactly the wrong way to handle the situation. In fact, it’s a sign of an underlying problem; if you don’t know whether or not the information being added to the burned media contains FGI, you aren’t properly controlling FGI within your system. And, of course, marking the burned media as FGI means it’s dramatically limiting who can access it, which may not be necessary if the information actually contained on the media is not FGI.

Some businesses get around this by effectively maintaining two separate and distinct systems: one for FGI and one for non-FGI. Anything produced by the FGI system is marked FGI. This does, however, still have the same information control problem and is more work than actually handling information properly.

The best solution is to review the information being burned to media and mark it appropriately. If it contains FGI, you can mark it as FGI. If it does not contain FGI, it doesn’t need the FGI marking, even if it comes from a system that also handles FGI.

Essentially, remember that the marking reflects the actual information, not the system it came from. There is always going to be plenty of non-classified information on classified systems; after all, marking all of that information as classified doesn’t help anyone and reduces the perceived value and importance of the classified markings.

Fortunately, there are potential automated tools that can help with reviewing information before producing media to ensure that it doesn’t need a marking if it doesn’t or validate that it does if it does. You may need to get specific approval for a specific tool’s usage within your organization, but it’s relatively easy to do so.

Review Your Contracts

One important caveat to everything we’ve written above is that these are all generalities and best practices. When it comes to the specific operations of your specific business, your partners, and your information sources, there may be additional requirements or even changed requirements. Generally, your contract will specify any additional burden or requirement you will have to implement.

If you need help with interpreting these additional requirements, your contacts at the DCSA will generally be able to help. Again, the best option for most contractors is to be in continual contact with these representatives to ensure that you’re doing things properly and aren’t opening up yourself, your partners, the government, or any other involved entity to liability or breach.

Bear in mind as well that the stronger the secrecy around a given piece of FGI, the greater the overview, the greater the penalties of failure to comply, and the greater the requirements you will need to adhere to. This is also a big part of why it’s a good idea to operate with as little information as is necessary to do your job and facilitate the jobs of others.

At Ignyte, we work with a wide range of clients handling a wide range of different kinds of information. If you have questions or need assistance, we’re happy to help; simply reach out and contact us. And if you’re looking for additional information, be sure to check out our other articles. While you’re at it, consider if the Ignyte Platform is right for you. We designed the platform to help with achieving ATOs, pursuing all manner of certifications, and ensuring that the information you need is accessible to those who need it without being limited to siloed software and non-collaborative platforms.

*** This is a Security Bloggers Network syndicated blog from Ignyte authored by Max Aulakh. Read the original post at: https://www.ignyteplatform.com/blog/security/managing-foreign-government-information/