
How Is Controlled Unclassified Information Changing?

Certainly, it sounds official and has all the makings for a Jason Bourne-style thriller about espionage and government conspiracies. It also could make a good title for the next hit crime series if placed before the name of a racy city. Its history of more mysterious aliases such as “sensitive but unclassified,” “official use only,” and “law enforcement sensitive” only makes it more intriguing. But what is CUI? Should your company even care about it?

Controlled Unclassified Information (CUI) went by several aliases and was overshadowed by the more popular Classified information. It was not until November 2010 that CUI got an established identity. Though “unclassified,” CUI could threaten National Security should it fall into the wrong hands. That is why any entity handling CUI must take every measure to protect it per the Government’s guidelines.

This post addresses CUI, what it is, its importance, changes in its management, and what any company can do to manage CUI properly. Remember, getting a Government contract may depend on how a company addresses Controlled Unclassified Information. Therefore, it is a worthy topic of discussion.

CUI Versus Classified Information

Classified information has the highest level of government protection, and access to it is on a “need to know” basis, which is why it gets all the attention. Depending on the severity of the damage that its release could cause, it has four categories in the military. The confidential, secret, and top-secret categories are the most sensitive and could cause exceptionally grave damage were their contents released or to end up in the hands of the wrong person. The other category is controlled unclassified information.

CUI is not classified. However, the government feels it should be controlled as its release could undermine National Security. Since only a few controls govern CUI, malicious actors can get hold of it. Access to CUI only requires a “lawful government purpose,” unlike classified information with a stricter “need to know” requirement. Today, securing CUI is taken more seriously, but it isn’t viewed with the same level of urgency as classified information.

What is CUI?

CUI is Federal non-classified information created or owned by the U.S. Government or that a non-Federal entity (such as DIB organizations) creates, receives, or possesses on behalf of the United States Government. It requires dissemination and safeguarding controls that are consistent with the applicable regulations, laws, and other government-wide policies. CUI isn’t a corporate property unless it is included in or created for requirements relating to a government contract.

As mentioned, CUI only got a clear and established identity in 2010. It appeared under different aliases such as “sensitive but unclassified” and “for official use only.” Unfortunately, there weren’t standard guidelines governing CUI access. For instance, a company could label the information “extremely sensitive” while another one could treat the same information as less sensitive.

To standardize non-classified information, Executive Order 13556 was passed in November 2010 by the Obama Administration. The executive mandate created ten categories of unclassified information that need protection and control because of the potential security risks and vulnerability. Creating a uniform system for disseminating and safeguarding CUI was the primary objective. As such, to support a standardized methodology for CUI assessment, NARA (National Archives Records Administration) passed the Final Rule in 2016 as implementation guidance for Executive Order 13556.

Two subsets of CUI are defined in Section 2002.4 of Title 32 CFR based on the control levels: specified and basic. CUI basic has moderate handling and dissemination controls as identified in the Final Rule under FISMA (Federal Information Systems Modernization Act) with the information marked controlled or CUI. On the other hand, CUI specified has more restrictive handling controls. The designating agency must also apply specific dissemination controls to each information category. Agency subset categories for controlled unclassified information include legal, agriculture, tax, immigration, and transportation.

Basic Requirements

For the entities looking forward to working with the U.S. Government, especially the DoD (Department of Defense), DoD Instruction 5200.48 presents the basic CUI requirements in contractor relationships. Does your company want to contract with the Department of Defense? Remember the following:

  • When providing information, the DoD must inform its contractors of any controlled unclassified information and mark it accordingly.
  • DoD contracts and legal documents must explicitly state that CUI is provided.
  • The Department of Defense requires contractors to monitor controlled unclassified information and report classifications to its representative.
  • CUI should be classified in all DoD systems with a “moderate” confidentiality level. It should also follow DoDI 8500.01 and 8510.01 within all Department of Defense systems. All legal documents with non-DoD entities must incorporate appropriate security provisions. The guidelines specified in DoDI 8582.01 must be followed.
  • Under Department of Defense Instruction 5230.09, the contractors and DoD representatives should submit all unclassified DoD information for review and approval before release.
  • Whenever DoD provides controlled unclassified information to or when CUI is generated by any other person or entity besides DoD, the mandatory disposition authorities for CUI records must be followed.

How Is the Management of CUI Changing?

Today, CUI management is increasingly important and more evident, especially in government-related sectors. Defense Counterintelligence Security Agency (DCSA) was named DoD enterprise manager of CUI in May 2018 by the Under Secretary of Defense for Intelligence, the senior official responsible for CUI at the time. This was done to help promote the prioritization of CUI department-wide, CUI management training, universal standards for CUI assessment, and a shared library for CUI data.

Today, the CMMC (Cybersecurity Maturity Model Certification) significantly impacts how various companies should manage controlled unclassified information. CUI compliance verification is no longer based on casual “self-attestation.” All the DoD contractors must undergo an official and rigorous audit by an independent CMMC third-party assessor organization (C3PAO). Any other individual certified by DoD can also do the audit.

Any delays in passing the certification might hinder your company’s ability to work with the Department of Defense. You can conduct a gap analysis and assess your current cybersecurity posture and practices to ensure that you are ready and fully prepared for a CMMC audit. Whether you are looking to hire a third party to conduct the analysis or you plan to do it in-house, you must first identify the certification level you will be required to acquire based on the type of contract you are bidding for.

Remember, the Department of Defense doesn’t accept results from any other auditor. However, meeting the regulation requires a considerable commitment from the DoD contractors, and most smaller players don’t have the necessary resources to meet the new DoD requirements.

What Happens If A DIB Company Suffers A Cybersecurity Incident?

Any contractor who suffers a cybersecurity incident will not automatically lose their CMMC certification. However, the contractor must follow the proper cyber incident reporting procedures as per DFARS 252.204-7012. They should contact the Department of Defense and prepare a thorough incident report.

The report should detail why the incident occurred and the contractor’s steps to prevent such breaches in the future. Generally, CMMC certifications are valid for three years. Although this isn’t made public, it is posted on specific DoD databases. After this period, the contractor should be recertified. Recertification is also required in the unfortunate event of a data loss.

What Can A Company Do to Help Manage CUI and Remain CMMC Compliant?

Data classification is the best way of managing CUI. The contractors should know the type of CUI within their systems and its location.

Today, CUI can be stored in workstations, file cabinets, third-party clouds, tablets, thumb drives, smartphones, and on-site servers, to name a few. Upon determining the location of CUI, ask yourself whether it should be stored where it is currently.

Storing controlled unclassified information on intelligent devices and thumb drives is risky since end users control these devices. The users are sometimes woefully lax in securing these storage devices and might even lose them. Robust encryption of CUI on mobile computing platforms and mobile devices is required under section 3.1 of NIST SP 800-171. Section 3.8 of the same regulation prohibits storing CUI on employee-owned devices. If a company must have controlled unclassified information on paper, it must be stored in locked, tamper-proof, and fire-resistant cabinets.

Therefore, knowing that you have CUI within your systems and where it’s located is essential. Owing to the many benefits of classifying CUI, it’s never too soon to start classifying your data. Hence, start the process by creating and adhering to a classification structure rather than waiting until you are forced. But how can you classify controlled unclassified information?

Steps to Effective CUI Classification

Having the right training and tools enables contractors to demonstrate that they can recognize and handle CUI labeling and classification. An effective classification ensures that they also can produce evidence where needed. You can classify CUI through the following five steps:


You should know the CUI you create, store, process, and disseminate. Additionally, understand your partner organization’s security policies and contracting security obligations and ensure that you can comply. This includes understanding which information should be marked, the language to use, and the markings themselves.


You should get visibility of the CUI that you’re required to process, where it originates from, where it’s stored, where it’s sent, and who might have access to it. From this point, you can establish the necessary controls to place on the CUI.


Choose a technology solution that enables the employees and users to apply the classification scheme consistently, add essential metadata to the file, and control access to each type of CUI via correct labeling. Begin by classifying “live” data, which includes emails and documents being created, received, and handled right now. After this, move on to labeling the legacy and existing CUI held and stored in your organization.


The other critical step in effective CUI classification is securing it. Employ a tool that can control and protect the controlled unclassified information throughout its journey. The metadata label added at the classification stage will enable higher-grade controls such as access controls, Security Incident and Event Monitoring (SIEM) tools, DLP solutions, and data governance tools to secure CUI when it is used or accessed later.


CUI frameworks are constantly evolving. Therefore, use reporting and monitoring tools to track how CUI is being used, classified, and accessed within your organization. Additionally, ensure that you keep the background intelligence required to evolve the approach in line with the constant regulatory changes.
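As an added illustration of the discovery and labeling steps above (example code, not from the original post or from Cleared Systems), the script below inventories text files by banner marking and separates CUI Basic, CUI Specified, and files that still carry the legacy aliases mentioned earlier. The first-line banner convention, the `usb` and `byod` folder names, and all sample files are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Assumed convention: the first non-blank line carries the banner marking.
# "CUI" or "CONTROLLED" alone = CUI Basic; an "SP-" segment = CUI Specified.
BANNER = re.compile(r"^(CUI|CONTROLLED)(//[A-Z0-9/ -]+)?$")
# Pre-2010 aliases named in the article; files carrying them need re-marking.
LEGACY = re.compile(
    r"\b(FOR OFFICIAL USE ONLY|FOUO|SENSITIVE BUT UNCLASSIFIED|SBU|"
    r"LAW ENFORCEMENT SENSITIVE)\b", re.I)

def classify_text(text):
    """Return (label, banner) for one document's text."""
    first = next((ln.strip() for ln in text.splitlines() if ln.strip()), "")
    m = BANNER.match(first)
    if m:
        specified = "SP-" in (m.group(2) or "")
        return ("CUI-SPECIFIED" if specified else "CUI-BASIC", first)
    if LEGACY.search(text):
        return ("LEGACY-REVIEW", "")
    return ("UNMARKED", "")

def inventory(root, risky_dirs=("usb", "byod")):
    """List marked files under root; risky_dirs are hypothetical folder names."""
    records = []
    for path in sorted(Path(root).rglob("*.txt")):
        label, banner = classify_text(path.read_text(errors="replace"))
        if label == "UNMARKED":
            continue
        rel = path.relative_to(root)
        records.append({"path": rel.as_posix(), "label": label,
                        "banner": banner, "relocate": rel.parts[0] in risky_dirs})
    return records

def demo():
    """Inventory a constructed sample tree (all file contents are made up)."""
    samples = {
        "server/spec.txt": "CUI//SP-CTI\nConstructed drawing notes",
        "usb/roster.txt": "CUI\nConstructed roster",
        "server/old_memo.txt": "Memo\nFOR OFFICIAL USE ONLY\nConstructed text",
        "server/lunch.txt": "Menu for Friday",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in samples.items():
            target = Path(tmp) / name
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return inventory(tmp)

if __name__ == "__main__":
    for record in demo():
        print(record)
```

The `relocate` flag marks CUI found in a location the article describes as risky, and `LEGACY-REVIEW` marks files that need a current CUI marking decision before any label is applied.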

Data classification is the cornerstone of any successful information security management system. Compliant and secure companies ensure they properly understand their data profiles and base the classification on their privacy requirements and other company-specific criteria. The classification policy goals set by these organizations are clear and definable and are guided by solid internal ownership. They also understand the essence of streamlining their classification process using automation, keeping their policies simple, and monitoring them to keep pace with the constantly changing environments.

Securing Controlled Unclassified Information

So, how can you best secure CUI? The best place to start is by examining the CMMC, which addresses various CUI security requirements for Department of Defense contractors and partners. This model ensures that all DoD contractors have adequate security procedures and practices to safeguard the CUI on their systems. CMMC has five maturity levels, from “basic cybersecurity hygiene” to “advanced progressive.” These maturity levels provide the users with a hierarchy of CUI security options. The five levels of CMMC are:

Level 1

This level emphasizes basic cyber hygiene practices, including regularly changing passwords and installing anti-virus software to protect or secure Federal Contract Information (FCI). Therefore organizations seeking to be certified under this level must meet the 17 basic safeguards specified under FAR 48 CFR 52.204-21.

Level 2

Organizations seeking certification under this level must establish and document SOPs (Standard Operating Procedures), strategic plans, and policies guiding the implementation of their CMMC efforts. They also must ensure that the policies and SOPs are practiced at all times in the same manner. Besides the 17 cybersecurity practices attained in level one, the organization must adopt 55 additional practices. 48 of these security practices are based on a subset of security requirements specified under NIST SP 800-171. Organizations under this level are deemed to have attained “intermediate cyber hygiene.”

Level 3

This level implements all the security requirements of NIST SP 800-171 and other additional standards under a company-wide security management plan. This level raises the bar higher to “good cyber hygiene.” To be certified in this level, you should establish, maintain and also provide a plan detailing how you’ll manage the implementation of all the required cybersecurity practices. The plan might cover:

  • Project plans
  • Mission goals
  • Required training
  • Roles of each relevant stakeholder, and
  • Resources that it will tap

You must be DFARS compliant and adopt 20 more cyber hygiene practices, including all FAR 48 CFR 52.204-21 requirements.

Level 4

This level establishes the techniques and processes to address “Advanced Persistent Threats (APT).” Therefore, your organization must meet a select subset of 11 security requirements of the Draft NIST SP 800-171B and 15 additional cybersecurity best practices. Adopting all the 156 practices required under this level enhances your organization’s detection and response capabilities. Hence, you can effectively adapt and address the changing techniques, tactics, and procedures used by APTs.

Level 5

This level standardizes and optimizes techniques and processes to handle advanced persistent threats. It also establishes measuring and reviewing the effectiveness of the security practices. You can achieve this level after meeting all the requirements of lower CMMC levels and adopting 15 more cybersecurity practices. Hence, level 5 has a total of 171 cybersecurity practices.

The first three CMMC levels comprise 110 security requirements specified under NIST SP 800-171. CMMC adds practices and processes at each level on top of those specified in the lower levels. CMMC mirrors NIST SP 800-171 as it assesses an organization’s implementation and institutionalization of cybersecurity practices.


Today, organizations cannot overlook CUI despite its history of being overshadowed by classified information. This is particularly so in compliance-conscious companies looking forward to securing contracts with the Federal Government. There are standard guidelines for assessment and uniform, transparent systems such as those defined under the CUI Program to disseminate and safeguard controlled unclassified information, all thanks to legislation finally catching up with CUI.

Further, CMMC has imposed stricter regulatory controls to ensure that CUI is safely handled. Do you need help assessing your cybersecurity posture in readiness for an upcoming CMMC audit? Or do you even need help creating a template or framework for CUI? Our professionals at Cleared Systems can help. Contact us today for more information on CUI marking and Labeling, CMMC consulting, and readiness assessment, or to learn more about CUI compliance regulations.

Ways We Can Help You

Contact us to receive assistance in navigating cybersecurity risks and information compliance for your company. Here are some additional ways we can help:

  • Schedule a free discovery session with us during which we can learn about your company, answer your questions, and assist you in determining if Cleared Systems is the right fit for you.

  • Register for our upcoming cybersecurity and information compliance training.

  • Purchase our books on CMMC 2.0, CUI, Data Breaches, and ITAR.

  • Join our weekly free webinar sessions to ask questions and learn about the latest developments in cybersecurity and information compliance.

Author Profile

Carl B. Johnson, President of Cleared Systems, is a highly experienced ITAR, CMMC 2.0, Microsoft GCC High, and Microsoft DLP/AIP consultant. With over twenty years of experience in information assurance, cybersecurity, policy development, risk management, and regulatory compliance, he brings a wealth of knowledge and expertise to his clients.
