How Is Controlled Unclassified Information Changing?
Certainly, it sounds official and has all the makings of a Jason Bourne-style thriller about espionage and government conspiracies. Put it in front of the name of a racy city and it could be the title of the next hit crime series. Its history of more mysterious aliases such as “sensitive but unclassified,” “for official use only,” and “law enforcement sensitive” only makes it more intriguing. But what is CUI? Should your company even care about it? Controlled Unclassified Information (CUI) went by several aliases and was long overshadowed by its better-known cousin, classified information. It was not until November 2010 that CUI got an established identity. Though “unclassified,” CUI could threaten national security should it fall into the wrong hands. That is why any entity handling CUI must take every measure to protect it according to the Government’s guidelines.
This post addresses CUI: what it is, why it matters, how its management is changing, and what any company can do to manage CUI properly. Remember, winning a Government contract may depend on how a company handles Controlled Unclassified Information, so it is a worthy topic of discussion.
CUI Versus Classified Information
Classified information receives the highest level of government protection, and access to it is on a “need to know” basis, which is why it gets all the attention. It is divided into three levels according to the damage its unauthorized disclosure could reasonably be expected to cause: Confidential (damage), Secret (serious damage), and Top Secret (exceptionally grave damage to national security). CUI is not a fourth classification level; it is the separate body of unclassified information that still requires safeguarding and dissemination controls.
CUI is not classified, but the government has determined that its release could undermine national security, so it must be controlled. Because fewer controls govern CUI than classified information, it is also an easier target for malicious actors. Access to CUI requires only a “lawful government purpose,” unlike classified information, which requires a security clearance and a stricter “need to know.” Securing CUI is taken more seriously today than it once was, but it still isn’t viewed with the same urgency as classified information.
What is CUI?
CUI is unclassified Federal information that the U.S. Government creates or owns, or that a non-Federal entity (such as a DIB, or Defense Industrial Base, organization) creates, receives, or possesses on behalf of the Government. It requires safeguarding and dissemination controls consistent with applicable laws, regulations, and government-wide policies. CUI is not a company’s own property; it becomes the contractor’s responsibility when it is included in, or created to meet, the requirements of a government contract.
As mentioned, CUI only got a clear and established identity in 2010. Before that it appeared under different labels such as “sensitive but unclassified” and “for official use only,” and there were no government-wide standards governing how it was marked or who could access it. One agency or contractor could label a document “extremely sensitive” while another treated the same information as routine.
To standardize the handling of this information, President Obama signed Executive Order 13556 in November 2010. The order established the CUI Program and designated NARA (the National Archives and Records Administration) as its Executive Agent, responsible for maintaining a public registry of the categories of unclassified information that laws, regulations, and government-wide policies require to be safeguarded or dissemination-controlled. Creating a uniform system for safeguarding and disseminating CUI was the primary objective. To implement the order and support a standardized methodology for handling CUI, NARA published its Final Rule, 32 CFR Part 2002, in 2016.
Section 2002.4 of Title 32 CFR defines two subsets of CUI based on the level of control required: CUI Basic and CUI Specified. CUI Basic must be protected at no less than the “moderate” confidentiality impact level under FISMA (the Federal Information Security Modernization Act) and is marked “CUI” or “CONTROLLED.” CUI Specified is information for which the underlying law, regulation, or government-wide policy prescribes specific, and usually more restrictive, handling or dissemination controls; the designating agency must apply those controls and mark the applicable category. The CUI Registry groups its categories under index headings such as Legal, Agriculture, Tax, Immigration, and Transportation.
DoDI 5200.48: CUI Handling Requirements
For entities looking to work with the U.S. Government, and especially with the DoD (Department of Defense), DoD Instruction 5200.48 sets out the basic CUI requirements for contractor relationships. Does your company want to contract with the Department of Defense? Remember the following:
- When providing information, the DoD must inform its contractors of any controlled unclassified information and mark it accordingly.
- DoD contracts and legal documents must explicitly state that CUI is provided.
- The Department of Defense requires contractors to monitor controlled unclassified information and report classifications to its representative.
- CUI in DoD systems must be categorized at no less than the “moderate” confidentiality impact level and protected in accordance with DoDI 8500.01 and DoDI 8510.01. Legal agreements with non-DoD entities must incorporate appropriate security provisions, and non-DoD systems that process DoD CUI must follow DoDI 8582.01.
- Under DoD Instruction 5230.09, contractors and DoD representatives must submit unclassified DoD information for review and approval before public release.
- Whenever DoD provides CUI to, or CUI is generated by, any person or entity other than DoD, the mandatory disposition authorities for CUI records must be followed.
How is CUI Management Changing?
Today, CUI management is increasingly important and visible, especially in government-related sectors. In May 2018 the Under Secretary of Defense for Intelligence, then the senior official responsible for CUI, named the Defense Counterintelligence and Security Agency (DCSA, at that time still the Defense Security Service) the DoD enterprise manager for CUI, to promote department-wide prioritization of CUI, CUI management training, uniform standards for CUI assessment, and a shared library of CUI data. Today, the CMMC (Cybersecurity Maturity Model Certification) program significantly affects how companies must manage controlled unclassified information. Compliance verification is no longer left to casual self-attestation across the board: under CMMC 2.0, Level 1 and a subset of Level 2 contracts still rely on annual self-assessment with an affirmation from a senior company official, but Level 2 contracts involving prioritized CUI require a triennial assessment by an independent CMMC third-party assessor organization (C3PAO), and Level 3 is assessed by the government itself.
Any delay in obtaining the required certification can hinder your company’s ability to work with the Department of Defense. A gap analysis of your current cybersecurity posture and practices will tell you whether you are ready for a CMMC assessment. Whether you hire a third party to conduct the analysis or do it in-house, first identify the certification level required by the type of contract you are bidding for, since that determines who may perform the assessment; the Department of Defense does not accept results from assessors outside the CMMC ecosystem. Meeting the requirements demands a considerable commitment from DoD contractors, and many smaller players lack the resources to meet them without help.
Cyber Incident Reporting Requirements for DoD Contractors
DFARS 252.204-7012 (commonly “DFARS 7012”) requires defense contractors and subcontractors to rapidly report, within 72 hours of discovery, any cyber incident that affects covered defense information (CDI) on their networks or systems, or that affects their ability to provide operationally critical support. CDI is unclassified controlled technical information or other CUI-category information, such as weapons designs, operations details, and other DoD-controlled technical or military information, that is marked or otherwise identified in the contract. Contractors report qualifying incidents at https://dibnet.dod.mil, which requires a DoD-approved medium assurance certificate, and include details such as the technique used, the systems impacted, and the users and data affected. This allows DoD to coordinate its response and prevent further damage. A company that fails to report properly is in breach of the DFARS 7012 clause.
In their cyber incident reports, contractors must also identify the compromised computers, servers, data, and user accounts. They must preserve and protect images of all known affected information systems and all relevant monitoring and packet-capture data for at least 90 days from submission of the report so that DoD can analyze the impact if needed, and any malicious software isolated during the incident must be submitted to the DoD Cyber Crime Center (DC3). Contractors must additionally provide access to any further information or equipment necessary for a forensic analysis of the incident. If DoD elects to perform a damage assessment, it can request all the details the contractor gathered during its review. Taken together, these DFARS 7012 provisions ensure DoD has visibility into, and input on, significant cybersecurity incidents on contractor systems that involve sensitive defense data.
What Can Defense Contractors Do To Manage CUI And Remain CMMC Compliant?
Data classification is the foundation of managing CUI. Contractors should know what types of CUI are in their systems and where each type lives. Today, CUI can be stored on workstations, in file cabinets, in third-party clouds, on tablets, thumb drives, smartphones, and on-site servers, to name a few. Once you have located your CUI, ask whether it should be stored where it currently is. Storing controlled unclassified information on smart devices and thumb drives is risky because end users control these devices, and users are sometimes woefully lax in securing them or even lose them. NIST SP 800-171 requirement 3.1.19 requires CUI to be encrypted on mobile devices and mobile computing platforms, and the Media Protection family in section 3.8 restricts CUI on removable media, for example by prohibiting portable storage devices that have no identifiable owner (3.8.8). If a company must keep controlled unclassified information on paper, it should be stored in locked cabinets within a controlled environment so that only authorized holders can reach it.
Therefore, knowing that you have CUI within your systems, and where it is located, is essential. Given the many benefits of classifying CUI, it’s never too soon to start classifying your data. Start by creating and adhering to a classification structure rather than waiting until you are forced to. But how do you classify controlled unclassified information?
Effective CUI Classification: What Steps Should Contractors Follow?
Having the right training and tools enables contractors to demonstrate that they can recognize and handle CUI labeling and classification. An effective classification ensures that they also can produce evidence where needed. You can classify CUI through the following five steps:
Identify
You should know the CUI you create, store, process, and disseminate. Additionally, understand your partner organizations’ security policies and your contractual security obligations, and make sure you can comply. This includes understanding which information must be marked, the marking language to use, and the markings themselves.
Discover
You should get visibility of the CUI that you’re required to process, where it originates from, where it’s stored, where it’s sent, and who might have access to it. From this point, you can establish the necessary controls to place on the CUI.
Classify
Choose a technology solution that enables employees and users to apply the classification scheme consistently, adds the essential metadata to each file, and controls access to each type of CUI via correct labeling. Begin by classifying “live” data, meaning the emails and documents being created, received, and handled right now. Then move on to labeling the legacy and existing CUI held and stored in your organization.
Secure
The other critical step in effective CUI classification is securing it. Employ a tool that can control and protect the controlled unclassified information throughout its life cycle. The metadata label added at the classification stage lets downstream controls such as access control, Security Information and Event Management (SIEM) tools, DLP solutions, and data governance tools recognize and protect CUI whenever it is used or accessed later.
Monitor
CUI frameworks are constantly evolving. Therefore, use reporting and monitoring tools to track how CUI is being used, classified, and accessed within your organization. Additionally, maintain the background intelligence needed to evolve your approach as regulations change.
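The Identify, Discover, and Classify steps above can be started with nothing more than the banner markings that 32 CFR 2002 and the CUI Marking Handbook already require on every CUI document: “CUI” or “CONTROLLED”, optionally followed by “//” and the category markings (Specified categories carry the “SP-” prefix), then “//” and any limited dissemination controls. The script below is an added example, not code from the original post or from any vendor; it inventories a set of constructed sample documents, parses each banner into subset, categories, and controls, flags pre-2010 legacy markings such as FOUO that must be re-marked, and flags CUI found on the end-user-controlled media the post warns about. The storage path prefixes used to identify thumb drives and personal devices are an assumption of the example.

```python
"""Inventory documents for CUI banner markings (added example, constructed sample data)."""
import re
from dataclasses import dataclass, field

# A CUI banner line: "CUI" or "CONTROLLED", then optional "//<categories>" and "//<controls>".
BANNER_RE = re.compile(r"^[ \t]*((?:CUI|CONTROLLED)(?://[^\r\n]*)?)[ \t]*$", re.MULTILINE)
# Pre-2010 legacy markings that the CUI Program requires to be re-marked or decontrolled.
LEGACY_RE = re.compile(
    r"\b(FOUO|FOR OFFICIAL USE ONLY|SBU|SENSITIVE BUT UNCLASSIFIED|LES|LAW ENFORCEMENT SENSITIVE)\b",
    re.IGNORECASE,
)
# Limited dissemination controls listed in the CUI Registry (REL TO / DISPLAY ONLY carry a country list).
KNOWN_CONTROLS = ("NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY", "REL TO", "DISPLAY ONLY")
# Storage classes the post flags as end-user controlled. ASSUMPTION: inventory paths use these prefixes.
RISKY_PREFIXES = ("thumb_drive/", "personal_phone/", "tablet/")


@dataclass
class Finding:
    location: str
    subset: str                      # "basic", "specified", "legacy", or "none"
    categories: list = field(default_factory=list)
    controls: list = field(default_factory=list)
    issues: list = field(default_factory=list)


def _is_control(token):
    return any(token.upper().startswith(c) for c in KNOWN_CONTROLS)


def parse_banner(banner):
    """Split a banner such as 'CUI//SP-CTI/PRVCY//NOFORN' into (subset, categories, controls)."""
    parts = [p.strip() for p in banner.split("//")]
    cats = [t.strip() for t in parts[1].split("/") if t.strip()] if len(parts) > 1 else []
    ctrls = [t.strip() for t in parts[2].split("/") if t.strip()] if len(parts) > 2 else []
    # 'CUI//NOFORN' omits the category portion (allowed for CUI Basic), so the first slot
    # may hold controls rather than categories; move any known control tokens across.
    ctrls = [c for c in cats if _is_control(c)] + ctrls
    cats = [c for c in cats if not _is_control(c)]
    subset = "specified" if any(c.upper().startswith("SP-") for c in cats) else "basic"
    return subset, cats, ctrls


def classify_document(location, text):
    """Identify and classify one document; record handling issues that need action."""
    banner = BANNER_RE.search(text)
    if banner:
        subset, cats, ctrls = parse_banner(banner.group(1))
        finding = Finding(location, subset, cats, ctrls)
    elif LEGACY_RE.search(text):
        finding = Finding(location, "legacy")
        finding.issues.append("legacy marking; re-mark under the CUI Program or decontrol")
    else:
        return Finding(location, "none")
    if location.startswith(RISKY_PREFIXES):
        finding.issues.append("CUI on end-user controlled media; relocate to a controlled system")
    return finding


def inventory(documents):
    """Run discovery over a {location: text} mapping and return one Finding per document."""
    return [classify_document(loc, txt) for loc, txt in documents.items()]


def summarize(findings):
    """Return (counts by subset, locations that need action)."""
    counts = {}
    for f in findings:
        counts[f.subset] = counts.get(f.subset, 0) + 1
    return counts, [f.location for f in findings if f.issues]


# Constructed sample corpus for this example; banners appear at top (and bottom) as the handbook requires.
SAMPLE_DOCS = {
    "fileserver/engineering/blade_tolerances.txt":
        "CUI//SP-CTI//NOFORN\nTurbine blade tolerance tables for the contract deliverable.\nCUI//SP-CTI//NOFORN\n",
    "thumb_drive/export_review.txt": "CONTROLLED\nExport review notes carried to the site visit.\n",
    "sharepoint/hr/roster.txt": "CUI//PRVCY\nProgram staff roster with personal identifiers.\n",
    "mail/program_office.txt": "CUI//NOFORN\nSchedule discussion with the program office.\n",
    "archive/2009/memo.txt": "FOR OFFICIAL USE ONLY\nOld memo never re-marked.\n",
    "www/press_release.txt": "Contract award announced today.\n",
}

if __name__ == "__main__":
    results = inventory(SAMPLE_DOCS)
    for f in results:
        print(f"{f.location}: {f.subset} categories={f.categories} controls={f.controls} issues={f.issues}")
    print(summarize(results))
```

Running the script prints one line per document and a summary such as `({'specified': 1, 'basic': 3, 'legacy': 1, 'none': 1}, ['thumb_drive/export_review.txt', 'archive/2009/memo.txt'])`. In a real deployment the `SAMPLE_DOCS` mapping would be replaced by a crawl of file shares, mailboxes, and cloud stores, and the `Finding` records would feed the labeling tool and SIEM described under Classify and Secure; the point is that the markings themselves, parsed consistently, give you the inventory and the first list of locations to fix.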
Data classification is the cornerstone of any successful information security management system. Compliant and secure companies ensure they properly understand their data profiles and base the classification on their privacy requirements and other company-specific criteria. The classification policy goals set by these organizations are clear and definable and are guided by solid internal ownership. They also understand the essence of streamlining their classification process using automation, keeping their policies simple, and monitoring them to keep pace with the constantly changing environments.
Securing CUI
Securing CUI is a critical requirement for contractors who work with the DoD. The DoD has established a set of regulations and standards to ensure that CUI is protected from unauthorized access, disclosure, modification, or destruction. DFARS 7012 requires contractors to provide adequate security for CUI that the DoD provides to them or that they generate in support of a DoD contract. The clause mandates compliance with NIST SP 800-171, which sets out the security requirements for protecting CUI in non-federal information systems and organizations, and it requires contractors to report any cyber incident affecting the confidentiality, integrity, or availability of CUI to the DoD within 72 hours of discovery.
CMMC 2.0 builds on DFARS 7012 by requiring contractors to demonstrate, rather than merely assert, their implementation of the practices in NIST SP 800-171 and, at the top level, NIST SP 800-172. The program has three certification levels: Level 1 covers the basic safeguarding requirements of FAR 52.204-21 for Federal Contract Information, Level 2 covers the 110 requirements of NIST SP 800-171 for CUI, and Level 3 adds a subset of the enhanced requirements from NIST SP 800-172. The higher the level, the more stringent the cybersecurity requirements and the assessment. To secure CUI under DFARS 7012 and CMMC 2.0, contractors must implement a range of technical, administrative, and physical controls, including access controls such as multi-factor authentication and role-based access control, encryption of data at rest and in transit, network segmentation, vulnerability scanning and patching, incident response planning and testing, and security awareness training for employees.
Conclusion
Today, organizations cannot overlook CUI despite its history of being overshadowed by classified information. This is particularly true for compliance-conscious companies looking to win contracts with the Federal Government. Thanks to legislation finally catching up with CUI, there are now standard assessment guidelines and a uniform, transparent system, the CUI Program, for safeguarding and disseminating controlled unclassified information. Further, CMMC has imposed stricter regulatory controls to ensure that CUI is handled safely. Do you need help assessing your cybersecurity posture in readiness for an upcoming CMMC assessment? Or do you need help creating a template or framework for CUI? Our professionals at Cleared Systems can help. Contact us today for more information on CUI marking and labeling, CMMC consulting, and readiness assessment, or to learn more about CUI compliance regulations.