The ever-increasing ability to share information is a double-edged sword. On the one hand, it is much easier to communicate and work more efficiently, but it also means less control over shared information and more people looking at data. This trend, along with ad-hoc and agency specific markings, policies, and procedures, led to the need for the U.S. government to develop a standardized classification framework that would protect Controlled Unclassified Information (CUI) without impeding the authorized sharing of it. Let’s explore what CUI is, the standardized classification framework developed to protect CUI, and what steps organizations can take to ensure that CUI is properly secured.
What is CUI?
First things first, we need to understand what CUI is exactly. The National Archives and Records Administration (NARA), which oversees the U.S. Government’s CUI Program, defines CUI as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies”. Simply put, CUI is data that is created, or possessed by, on behalf of the US federal government which is not classified but is either required or allowed to be protected by law, regulation, or policy. This can include, but is not limited to, the following:
- Personally Identifiable Information (PII)
- Sensitive Personally Identifiable Information (SPII)
- Proprietary Business Information (PBI), or currently known within the U.S. Environmental Protection Agency (EPA) as Confidential Business Information (CBI)
- Unclassified Controlled Technical Information (UCTI)
- Sensitive but Unclassified (SBU)
- For Official Use Only (FOUO)
- Law Enforcement Sensitive (LES)
The CUI Program and NIST SP 800-171
The Controlled Unclassified Information (CUI) program, implemented in 2010, standardizes the way all U.S. government agencies and military entities handle unclassified information that requires safeguarding. It clarifies and limits what kinds of information to protect, reinforces existing legislation and regulations, and promotes authorized information-sharing.
NIST Special Publication (SP) 800-171, implemented in 2017, requires all current U.S. Department of Defense (DoD) contractors to be compliant with DFARS Part 252.204-7012. Other executive branch agencies may also require nonfederal entities, including contractors, to follow NIST SP 800-171 when sharing CUI through contracts, memorandums of understanding, or acquisition rules. NIST SP 800-171 provides a standardized set of requirements for all CUI security needs, tailored to nonfederal systems.
The main difference between the CUI Program and NIST SP 800-171 is that the CUI Program established a standardized CUI framework for the military and government only, while NIST SP 800-171 was implemented later, and is specific to contractors and other nonfederal entities.
CUI markings, categories, and policies
Now that we have established what CUI is and the regulations surrounding it, let’s look at the standardized classification framework used to protect CUI and how it works. The framework uses markings to alert holders to the presence of CUI and, when portion markings are used, identify the exact information or portion that needs protection. In addition, these markings also alert holders to any CUI dissemination and safeguarding controls that need to be taken.
- How CUI markings work
The CUI Marking Handbook, published by NARA, outlines how CUI markings should visually appear in documents and emails. There are currently 125 categories of CUI, and each has its own markings. In addition to the sheer number of markings that organizations must understand and use, NARA has published detailed guidelines on how the markings should be formatted. Banner markings must include CUI markings for every category of information contained in the document, as well as markings that dictate dissemination and release protocols. Markings must also appear in a certain order, and some have corresponding information that must be included as a footer to the document with additional legalese, contact information, and other details. Similar rules exist for emails as well.
- CUI categories and subcategories
While markings show what type of information is in the document or email, it’s the CUI categories that determine how the information should be handled and provide instructions regarding dissemination. The use of three CUI categories is recommended, which should be clearly visible in the header and footer of relevant documents:
CUI Basic: Requires standard safeguarding measures that reduce the risks of unauthorized or inadvertent disclosure. Dissemination is permitted to the extent that it is reasonably believed that it would further the execution of a lawful or official purpose.
CUI Specified: Requires safeguarding measures with specific protections, such as markings, enhanced physical safeguards, and limiting who can access the information, that reduce the risk of unauthorized or inadvertent disclosure. The material should contain additional instructions on what dissemination is permitted.
Limited Dissemination: Requires safeguarding measures more stringent than CUI Basic and CUI Specified, as the inadvertent or unauthorized disclosure would create risk of substantial harm. This material will contain additional instructions on if or what dissemination is permitted.
- Who needs to use CUI markings?
CUI markings must be implemented not only by federal agencies but also by contractors and subcontractors who may be handling government information.
- Consequences for non-compliance
Organizations that do not take steps to comply with the CUI framework risk losing existing contracts or missing out on future opportunities. Failing to adequately protect CUI also has its implications – a data leak that exposes a client or breaches a regulation could lead to a reputational damage, monetary fines, additional penalties, lawsuits, and loss of business/earnings.
While these markings and policies set uniform standardized controls for the way CUI is handled, the process of implementing these CUI markings across agency data is complex, time-consuming, and sometimes unclear. In addition, with so many categories and such complex guidelines to keep track of, human error can be an issue. It’s easy for a user to miss sensitive content within a document and fail to label that information correctly. By not marking the Dissemination portion of the document correctly, the document could accidentally be shared with unauthorized parties.
Keeping CUI Secure
Preconfigured data classification designed specifically for handling CUI streamlines the process for both email and documents, makes it easy for users to implement the CUI framework accurately and consistently. When a document is saved, or an email is sent, content is scanned for any sensitive data and the appropriate CUI markings are automatically applied. In addition to the visual markings required by the CUI framework, labels are embedded into the file properties as metadata. This metadata steers the actions of downstream enterprise security and data management solutions, such as DLP, allowing CUI to be accessed or used only in accordance with the rules that correspond to its classification.
In order to ensure that CUI is being appropriately handled, organizations must be able to track unlawful, unauthorized, or inappropriate CUI activity. Using monitoring and reporting tools helps you track how CUI is being accessed, used, and classified in your organization. This not only helps with CUI compliance, but can show opportunities where user training may be needed, and awareness of CUI can be improved. As the CUI framework continues to change, using monitoring and reporting tools will provide the intelligence needed to evolve the approach in line with changes.
Ultimately, it is the responsibility of the CUI holder to honor CUI markings and ensure adequate protection. Implementing a software solution that automatically applies CUI markings ensures that CUI stays within the approved domain and is viewed only by the appropriate audience, while empowering users to engage with and share information confidently for increased collaboration and greater productivity. In today’s digital world of shared information, a preconfigured solution to identify, detect and respond to CUI within everyday business processes, documents, and emails is critical for any organization that may encounter CUI within their industry.
Resource : Understanding and Protecting CUI – Titus