August 02, 2019

NIST 800-171 3.1.4

Gregory Morawietz

Founder/Single Point of Contact


Separate the duties of individuals to reduce the risk of malevolent activity without collusion

Malevolent activity is when someone tries to inflict harm on an entity such as a person, government or company. Organizations must separate the CUI handling and processing tasks that employees work on in order to minimize the chance that they could purposely perform malevolent activities. This can be done by having documented job descriptions for your employees that go over which activities related to their jobs include handling of CUI. You also want to make sure that people are performing their designated activities and not having others do their work.

You should define, in a document, what the job responsibilities around CUI are and how CUI is processed, handled and worked on, for every person in your organization. You want to define who is authorized to access CUI and how they handle it. You also want to bake in the ability to change, add or modify these responsibilities as the requirements for CUI handling change. You want to leave the ability to change someone's CUI handling responsibilities open-ended, but extremely well defined. When responsibilities are segregated, there is less chance that someone can attack, retaliate or formulate malevolent activities.
