Organizations working closely with the US Government must take extraordinary measures to safeguard any sensitive data deemed worthy by government agencies for protection, such as CUI Specified data which requires strict guidelines to adhere to.
Authorized holders should review the CUI Registry to become acquainted with CUI categories and handling requirements, which are adaptable enough to adapt as laws or policies change.
What is CUI?
CUI (Controlled Unclassified Information) may sound like the title of a Jason Bourne thriller, but it’s a vital government policy that companies need to understand and comply with.
NARA oversees the CUI Program; however, executive agency heads also bear responsibilities for its implementation, management, and compliance. For example, DoD recently created the Cybersecurity Maturity Model Certification (CMMC), aiming to enhance protection standards for companies handling CUI and sensitive unclassified information (SII).
CUI refers to any information created or held by the government that requires safeguarding and dissemination controls but doesn’t fall under Executive Order 13556, Atomic Energy Act, or similar categories. For instance, research teams collaborating on federally funded research projects are subject to such controls on any information they receive, possess, create or receive as part of their projects.
Information deemed confidential under NIST 800-171 standards must be marked accordingly. It may only become publicly available after being subject to an evaluation process conducted by its source agency, including risk analysis and disclosure review, before being determined suitable for release.
Organizations with CUI must establish and follow policies regarding it; this involves identifying and managing it at a departmental level while reviewing any contracts or agreements that contain CUI regularly. Furthermore, any legacy markings made initially by agencies not participating in the CUI Program should still be treated according to pre-CUI policies and practices.
Companies with CUI must label all documents, emails, and communications related to it with a CUI designation indicator that includes the name of their designated agency and is visible to authorized holders. It should stand out from other hands, like banners and colors, and never be used to represent classification levels.
CUI Basic
No matter your position in government, “Controlled Unclassified Information” might sound like something from an action thriller novel. At least it sounds more official than some of the less specific names for government data we may be more familiar with, like sensitive but unclassified (SBU), law enforcement sensitive (LES), or for official use only (FUO).
CUI encompasses 125 categories of information deemed by the federal government as worthy of protection, although not all are classified. Instead, many types are considered sensitive or proprietary and do not warrant the higher levels of security required for classified material. Understanding how to safeguard CUI is significant for organizations doing business with or providing services to the government as it can prevent fines, penalties, or contract losses for unwarranted disclosure of this data.
When dealing with CUI, it is essential to remember that any organization not authorized to handle it could face disciplinary action – mainly if your organization releases this data or allows it to be processed on personal devices. To reduce this risk, the federal government requires all authorized holders to familiarize themselves with CUI guidelines and complete training. At the same time, The CUI Guide contains more details regarding standards and rules governing its handling and dissemination, along with NIST baseline controls identified for safeguarding this sensitive material.
One of the critical requirements of CUI management is marking it clearly and conspicuously. Any document containing CUI must bear a CUI banner at the top of each page, clearly specifying its category as either CUI Basic or Specified.
Documents that contain CUI must also be identified with a CUI Designation Indicator. This may be done via banner marking at the start of a document or agency signature block with a “Controlled By” line that specifies who owns it. Furthermore, additional identifying information (NOFORN Limited Distribution Statements or portion markings) may need to accompany these designation indicators to adequately handle and disseminate these documents.
CUI Specified
Law, regulation, or government-wide policy stipulating specific handling and dissemination controls for CUI falls into the “Specified” category of information. This subset has an impact level above moderate and requires additional safeguarding requirements from laws or policies to keep it safe for its intended audience. Authorized holders of any data in the Specified category should apply appropriate safeguarding and dissemination controls before sharing this data with others.
Authorized holders must also ensure that Specified information is marked at the time of creation or update, including keeping printed copies of documents. When an official document containing CUI has been marked as such, it should be covered with protective paper or stored away securely when not being used; when transporting such equipment, it must be placed in an opaque cover or container before leaving its work area; for remote workers, this applies equally well; any printouts containing CUI must be secured in their carry-on bag for safekeeping.
CUI Specified must comply with NIST SP 800-171 guidelines when installed on nonfederal systems, including labeling it “FOR OFFICIAL USE ONLY” and having an approved privacy risk assessment that identifies risks associated with each type of system and provides recommendations to mitigate those risks.
If a person shares classified or unclassified information improperly, they could face discipline such as removal from a position, loss of pay, and suspension/revocation of clearances. When considering appropriate sanctions for improper CUI sharing violations, frequency of incidents that involved classified/unclassified information misuse incidents as well as violations relating to CUI misuse are taken into consideration when assessing their sanctions; sanctions vary according to circumstances and severity of incidents according to relevant laws, regulations and policies and may include counseling/reprimanding sessions/suspension without pay suspension/termination or other disciplinary actions taken as appropriate in accordance with regulations/policies as determined by relevant law/regulations/pol policies/law/regulations/policies which take into account frequency/severity when assessing penalties; depending upon their frequency/severity when making mistakes are also taken into consideration when assessing sanctions are assessed; according to laws, regulations/policies violations/incidents committed relating to misuse of CUI may include removal from employment and suspension/revocation/penal penalties as appropriate to ensure its misuse as well as possible suspension without pay, termination from employment agreements and possible other forms of discipline actions being taken as needed according to applicable laws, regulations & policies and applicable policies when considering their frequency / severity when considering possible sanctions that will vary accordingly; this could include verbal/written counseling or suspension without pay suspension without pay suspension without pay suspension without pay suspension without pay suspension without pay suspension without pay suspension without pay suspension without pay suspension without pay suspension without pay suspension without pay suspension/terminations agreements etc & policies accordingly tailored accordingly depending on severity imposed according to each incident depending upon frequency/any other forms disciplinary measures taken according to complying policies policies to take further actions taken against other /disciplinary measures being applied /imposed according to relevant policies etc & policies etc; sanction etc imposed.
CUI Dissemination Controls
Information identified as CUI Specified has undergone the CUI EA vetting process and has been designated by law, regulation, or Government-wide policy as CUI, with specific safeguarding or dissemination controls that differ from those applicable to CUI Basic. Each piece of CUI Specified information must also bear a “CUI/SP” mark to restrict it as such clearly.
Working for the US government requires special care in understanding which information must be protected by federal agencies. CUI-Specified data in particular, requires extra safeguards due to being some of the most closely controlled data sets.
Generalized rule: changing from moderate to high impact level on CUIs without consulting its creator agency is prohibited; similarly, modifying handling requirements of this information must also be agreed to before changes take effect. This should help reduce the number of over-broad marks applied to data while at the same time prohibiting individual agencies from creating their special marking for information – which should further minimize over-broad marking. However, the rule does allow agencies to add additional administrative markings (e.g., Pre-decisional, Draft, or Deliberative) to indicate the status of work being completed. These markings don’t add additional safeguarding or dissemination restrictions but remind us that information being handled temporarily should be treated accordingly.
CUI rules also outline requirements to decontrol information when its original purpose has ceased. All executive branch entities that handle CUI must follow this requirement to ensure it still conforms with any laws, regulations, or government-wide policies applicable to it.
Practically, most agencies will likely not require detailed procedures for meeting these requirements to be written down as they are already set forth by laws, regulations, or Government-wide policies, NIST publications, and standards, OMB memos, Freedom of Information Act requests (FOIA requests), public contracts (e.g., future FAR case), agency websites as well as their CUI Program requirements and policies.
