What is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) is a category of unclassified information that is required by law, regulations, or government policy to have safeguarding or dissemination controls around it.
According to the National Archives and Records Administration (NARA), the CUI initiative was put in place to help standardize how information is shared and protected across separate departments and agencies as well as private sector entities doing business with governmental agencies.
The program is designed to safeguard government data that is not designated as classified, confidential or secret, but that still should not be made public as it is shared; it is information that should instead be controlled. Executive Order 13556, or the CUI rules, defines the security requirements for protecting CUI in non-federal information systems and organizations and standardizes how information that doesn’t meet the criteria for classification under E.O. 13526, ‘Classified National Security Information’, or the Atomic Energy Act is handled.
Working with information that falls under CUI requires that appropriate access control measures be taken to ensure only the right people have access to data in the CUI labeling categories.
Government organizations subject to compliance requirements, such as those under the International Traffic in Arms Regulations (ITAR) and the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 clause, helped drive the adoption of policies around CUI.
Specific guidance for CUI can be found in the National Institute of Standards and Technology (NIST) Special Publication 800-171: Protecting Controlled Unclassified Information in Non-federal Information Systems and Organizations.
CUI and Regulatory Compliance
One of the steps towards achieving compliance is to incorporate a data classification solution. With robust data classification technology in place, consistent and accurate labeling is applied to data according to the data governance policy and as required by NIST SP 800-171. Having this capability in place demonstrates that CUI is managed with the appropriate metadata and visual markings specified in the NARA CUI Registry.
To comply with CUI rules, government and non-government entities working with governmental agencies need to have a strong security plan in place that covers 14 security control areas, including:
- Audit and accountability
- Identification and authentication
- System and communications protection
These controls work in conjunction with the task of classifying material that falls under CUI into three categories, to help users determine how it should be accessed and handled:
- This is information that is subject to standard safeguarding measures to reduce the risk of unauthorized or inadvertent disclosure. Information in this category can be shared to the extent that it is reasonably believed sharing would further the execution of a lawful or official purpose.
- This is information that requires safeguarding measures designed to reduce the risk of unauthorized or inadvertent disclosure. Material identified at this level should carry additional instructions on what dissemination is permitted.
- This content requires more stringent safeguarding measures, as its inadvertent or unauthorized disclosure would create a risk of substantial harm. Material in this category should also carry additional instructions for handling.
DFARS and NIST CUI Compliance
Contractors and subcontractors of the US Department of Defense (DoD) need to follow the compliance steps published by the DoD in the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 clause regarding how they are to safeguard CUI. The DFARS clause outlines the implementation of the controls identified in NIST SP 800-171, and is required in all contracts except those used only to purchase commercial, off-the-shelf items. It also applies to subcontracts involving covered defense information or operationally critical support.
To comply, contractors and subcontractors must:
- Safeguard covered defense information
- Report cyber incidents
- Submit malicious software
- Facilitate damage assessment
NIST SP 800-53 and SP 800-171 go hand-in-hand with the CUI rules; compliance with them is supported by a robust data classification solution and policies that streamline compliance and apply consistent labeling practices to relevant data. NIST SP 800-171 specifically addresses the confidentiality of CUI, helping ensure CUI is not inappropriately shared.
- Ensure confidential and sensitive information is controlled.
- Classify or label data with both visual and metadata labels to address, identify, and highlight any special handling requirements.
- Alert users when personal data is leaving the organization, to help prevent the sending of potentially sensitive messages.
- Educate users about data sensitivity and reinforce adherence to corporate policies.
Who is Responsible for Protecting CUI?
The CUI regulation’s policies for designating, handling, and controlling CUI apply to federal departments, agencies, and contractors that develop products containing CUI or systems that process, store, or handle CUI.
Prior to the executive order establishing the CUI program, various government agencies used a variety of agency-specific policies, ad-hoc policies and procedures, and inconsistent markings to help control and safeguard information deemed sensitive.
EO 13556 established a uniform program with only the categories of information listed in the CUI Registry to be identified and handled as CUI.
As such, the government oversees the designation of the level of protection that information falls under. Marking guidance, the CUI Marking Handbook, is listed in the CUI Registry. In addition, all CUI must carry a designation indicator that identifies who has deemed the information to be CUI.
Overall oversight of the CUI program rests with the Information Security Oversight Office. This office acts as the Executive Agent (EA) of the National Archives and Records Administration and monitors the implementation of, and compliance with, the CUI Program by executive branch agencies.
A CUI Advisory Council, with representatives from each executive branch agency, also works with the EA on matters related to CUI.
How HelpSystems Helps with Protecting CUI
At the heart of the CUI program is data classification to ensure appropriate control and consistent handling of sensitive information, as well as enforcement of control across all branches of government and its contractors.
By classifying or labeling data with visual as well as metadata labels that highlight the special handling requirements specified by the CUI program, users can more easily comply with CUI rules. With robust data classification technology in place, users receive an alert when personal data is leaving the organization, or a warning to stop them from sending messages that contain sensitive information as defined by the CUI Registry.
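The two mechanisms this page keeps returning to, visual plus metadata labels (the list under "Ensure confidential and sensitive information is controlled") and an alert when labeled data is about to leave the organization (the paragraph above), can be made concrete in a few dozen lines. The following is an added example written for this page; it is not HelpSystems code and not the CUI Marking Handbook itself. Its assumptions: a document is a plain Python dict, the banner is rendered in a simplified `CUI//<categories>//<dissemination>` form with an `SP-` prefix for Specified categories, and the organization domain `agency.example`, the category code `PRVCY` and the sample memo are all constructed values.

```python
# Added example (not HelpSystems code): attach a CUI marking to a document as
# both a visual banner and machine-readable metadata, then check an outbound
# message for labeled attachments addressed outside the organization.
#
# Assumptions, illustrative rather than from the page: documents are dicts, the
# banner format "CUI//<categories>//<dissemination>" is a simplified rendering
# of marking-handbook style, and the org domain and category codes are constructed.
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class CuiLabel:
    """Classification decision recorded for one document."""
    designator: str                        # designation indicator: who deemed it CUI
    specified: bool = False                # CUI Specified (True) vs CUI Basic (False)
    categories: List[str] = field(default_factory=list)     # e.g. ["PRVCY"]
    dissemination: List[str] = field(default_factory=list)  # e.g. ["NOFORN"]

    def banner(self) -> str:
        """Render the visual banner marking.

        Simplified rules assumed here: plain "CUI" when nothing else applies,
        "SP-" prefix on Specified categories, categories and dissemination
        controls as separate "//" sections, members joined with "/".
        """
        parts = ["CUI"]
        if self.categories:
            prefix = "SP-" if self.specified else ""
            parts.append("/".join(prefix + c for c in self.categories))
        if self.dissemination:
            parts.append("/".join(self.dissemination))
        return "//".join(parts)

    def metadata(self) -> Dict[str, str]:
        """Machine-readable label that mail gateways and DLP tooling can read."""
        return {
            "cui.banner": self.banner(),
            "cui.level": "Specified" if self.specified else "Basic",
            "cui.controlled_by": self.designator,
        }


def label_document(doc: Dict[str, str], label: CuiLabel) -> Dict[str, str]:
    """Return a copy of doc carrying the visual marking and the metadata."""
    marked = dict(doc)
    marked["body"] = (
        f"{label.banner()}\nControlled by: {label.designator}\n\n{doc['body']}"
    )
    marked.update(label.metadata())
    return marked


def outbound_alerts(recipients: List[str], attachments: List[Dict[str, str]],
                    org_domain: str) -> List[str]:
    """Warn when a CUI-labeled attachment is addressed outside org_domain.

    Only the metadata label is consulted: a document that was never labeled
    produces no alert, which is the gap consistent labeling is meant to close.
    """
    external = [r for r in recipients if not r.lower().endswith("@" + org_domain)]
    alerts = []
    for att in attachments:
        banner = att.get("cui.banner")
        if banner and external:
            alerts.append(
                f"{att['name']} is marked {banner} "
                f"(controlled by {att['cui.controlled_by']}) and is addressed "
                f"to external recipients: {', '.join(external)}"
            )
    return alerts


if __name__ == "__main__":
    # Constructed sample data.
    label = CuiLabel(designator="Agency X, Privacy Office", specified=True,
                     categories=["PRVCY"], dissemination=["NOFORN"])
    memo = label_document({"name": "memo.txt", "body": "Applicant SSN list..."}, label)
    print(memo["body"].splitlines()[0])  # the visual banner line
    for alert in outbound_alerts(["partner@contractor.example", "me@agency.example"],
                                 [memo], "agency.example"):
        print("ALERT:", alert)
```

The point of keeping the banner and the metadata together in one `CuiLabel` is that the human-readable marking and the machine-readable label can never drift apart; the outbound check reads only the metadata, so the warning to the user depends entirely on the document having been labeled in the first place.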
The automation and streamlined functionality of data classification solutions, such as HelpSystems Data Classification, help both secure the information deemed sensitive and educate users about the sensitivity of the data they are handling, while adhering to the established policies.