Implementing Security Controls: An Intro to JSIG

04:10:2024

By Walker Haddock and Spencer Shimko

Information system owners are regularly required to be diligent about protecting their data and projects. Researchers feel burdened by having to develop an information security plan to assure the Institutional Review Board (IRB) that their collected data and its study will be protected. In this blog post, the first in a series, we’ll explore the integration of security controls as it relates to the Joint Special Access Program Implementation Guide (JSIG). Before digging into the JSIG, let’s first start with the ubiquitous need for security protocols across industries, not only within the government.

Information Security Burdens Felt Across Industries

In healthcare, patient information must be secured by medical providers and payers under the federal Health Insurance Portability and Accountability Act (HIPAA) rules. Financial institutions likewise require businesses to safeguard credit card information under the Payment Card Industry Data Security Standard (PCI DSS). Outside of industry-specific, legislated security standards, most businesses take measures to guard their intellectual property from competitors, especially when working with other companies on joint projects. Nations, too, have requirements to protect sensitive information whose exposure might result in serious economic, political, or even life-and-death consequences.

In the United States, most of these concerns can be addressed by developing security plans consisting of controls selected from the NIST SP 800-53 security control catalog. NIST’s information security suite, known as the Risk Management Framework (RMF), includes a comprehensive set of practices.

Other international standards for implementing information security exist as well, such as the ISO/IEC 27000 family of information security standards and controls.

The DoD and JSIG

The U.S. Department of Defense (DoD) protects important information and classifies it based on its sensitivity level. Classifications include Confidential, Restricted, Secret, and Top Secret. Information not assigned to a classification level is considered Unclassified, yet may still have specific distribution or handling requirements, such as Controlled Unclassified Information (CUI). Special Access Programs (SAPs) within the DoD work with data so highly sensitive that granting someone “need to know” privileges must be vigilantly controlled; these programs tend to operate at the Secret and Top Secret levels.

DoD contractors also participate in SAPs. A Chief Information Office oversees the Special Access Programs and provides special security guidance based on the RMF; this guidance is defined in the JSIG. The JSIG is one of many “overlays” that tailor NIST SP 800-53 and the RMF to meet specific requirements addressing the unique risks of varying environments. The current version of the JSIG is 2016, errata 5. In addition to the JSIG, the Committee on National Security Systems Instruction (CNSSI) No. 1253 defines, in Appendix F, a set of overlays: essentially control selections for common use cases relevant to the JSIG.

JSIG & Removable Media

Threats can also arrive through the media vector. As a result, certain JSIG controls address the risks associated with storing sensitive information on various media. The STUXNET malware is a good illustration of how a media-based vector can be used to attack an environment even when it is air-gapped, meaning isolated from other networks. Air-gapped environments are typically used to achieve very strict control over the ingress and egress of data. The initial attack took place at a uranium enrichment facility in Natanz, Iran. The attackers deployed special malware onto removable media, and that removable media was the vector that traversed the air gap protecting the facility. Eventually, media containing the malware was inserted into a system within the environment, and the malware infiltrated the Siemens Programmable Logic Controllers (PLCs) that controlled the centrifuges used within the facility.

Recently, a Linux Executable and Linkable Format (ELF) binary made its presence known by targeting the x86 architecture and wiping all storage devices in its wake under /dev/dm-XX and /dev/ubiXX. This malware, called AcidPour, first appeared in the Russo-Ukrainian war and targeted the Viasat-owned KA-SAT high-speed satellite modems used for Internet communications. The original KA-SAT modem attack was aptly named AcidRain. While AcidRain was likely propagated through capabilities exposed on the modem management network, AcidPour could feasibly spread through media vectors similar to STUXNET. In contrast to STUXNET, which targeted a very specific Siemens PLC, AcidPour is a general-purpose wiper and could cause widespread damage to most general-purpose computer systems by erasing the data stored on them.

The NIST SP 800-53 controls and the JSIG refinements provide guidance supporting mitigations for these types of media-based attacks, including the use of two-person controls when handling removable media. This reduces the likelihood of human error and helps mitigate insider-threat attacks via media.
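The two-person control described above, as an added example (not SealingTech's or the JSIG's own code): a removable-media request is authorized only when two distinct, adequately cleared approvers other than the requester sign off within an approval window, with self-, duplicate, stale and under-cleared approvals rejected and every step audited. The clearance ranks, window length, device and user names are assumptions constructed for the example.

```python
"""Two-person control for removable-media use: an added illustration, not
SealingTech's or the JSIG's own code. A media action (e.g. mounting a USB
device) proceeds only when two distinct, adequately cleared people approve it,
and every decision is audited. Names, ranks and the window are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

APPROVAL_WINDOW = timedelta(minutes=15)   # constructed policy value
CLEARANCE_RANK = {"CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}


@dataclass
class MediaRequest:
    media_id: str
    classification: str   # classification of the data on the media
    requester: str
    approvals: list = field(default_factory=list)   # (user, clearance, time)
    audit: list = field(default_factory=list)

    def approve(self, user, clearance, at):
        self.approvals.append((user, clearance, at))
        self.audit.append(f"{at.isoformat()} APPROVE media={self.media_id} by={user}")

    def authorize(self, now):
        """Return (allowed, reason). Only approvers who are not the requester,
        hold clearance >= the media's classification, and approved within the
        window count, and the same person counts once however often they sign."""
        needed = CLEARANCE_RANK[self.classification]   # unknown level fails closed
        valid = {user for user, clearance, at in self.approvals
                 if user != self.requester
                 and CLEARANCE_RANK.get(clearance, 0) >= needed
                 and timedelta(0) <= now - at <= APPROVAL_WINDOW}
        allowed = len(valid) >= 2
        reason = "authorized" if allowed else f"{len(valid)} valid approver(s); 2 required"
        self.audit.append(f"{now.isoformat()} DECISION media={self.media_id} allowed={allowed}")
        return allowed, reason


def example_scenario():
    """Walk one constructed request through the checks; return each decision."""
    t0 = datetime(2024, 4, 10, 9, 0, tzinfo=timezone.utc)
    req = MediaRequest("USB-0001", "SECRET", requester="alice")
    req.approve("alice", "TOP SECRET", t0)                      # self-approval ignored
    req.approve("bob", "SECRET", t0)
    req.approve("bob", "SECRET", t0)                            # duplicate counts once
    req.approve("carol", "CONFIDENTIAL", t0)                    # clearance too low
    req.approve("dave", "TOP SECRET", t0 - timedelta(hours=1))  # stale approval
    first = req.authorize(t0 + timedelta(minutes=1))            # only bob is valid
    req.approve("erin", "SECRET", t0)
    second = req.authorize(t0 + timedelta(minutes=1))           # bob + erin
    return first, second, req.audit
```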

Experts in JSIG control implementation

Sealing Technologies (SealingTech) works with organizations for which compliance with the JSIG is critical to their mission. Our experienced team can provide the entire spectrum of JSIG control implementation, along with the design of systems and processes around these controls, to help solve your unique mission-critical needs.

Ready to implement a security program for your agency or business? Contact us. Continue the conversation by following SealingTech on Facebook and LinkedIn.
