Art Clomera
Vice President, Operations
What is Controlled Unclassified Information (CUI)? The era of CUI before Executive Order 13556 was fragmented, haphazard, and far leakier than it is today.
Each agency had its own rules and procedures for handling unclassified information, leading to a complex, confusing jumble of policies. Sharing information across multiple government agencies in this dysfunctional data environment posed a constant risk to national security.
In 2009, everything changed when Executive Order 13556 was issued. It replaced the patchwork of agency-specific rules with a unified framework for identifying, safeguarding, and disseminating Controlled Unclassified Information (CUI). Thanks to this standardization, sharing Controlled Unclassified Information between agencies is more straightforward and secure today.
Understanding the CUI landscape and exploring the latest regulations, best practices, and emerging threats is essential for maintaining government information security. By delving into this type of government data, we aim to empower organizations and individuals to protect this vital asset better.
Onwards!
What is Controlled Unclassified Information (CUI)?
CUI is a category of information that needs safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
In plainer terms, CUI is sensitive data that the Government creates or holds. Even though it’s not classified, it still needs protection from unauthorized access or disclosure.
What are some examples of CUI?
CUI covers a range of sensitive information, such as confidential business details, proprietary information, and personally identifiable information.
Here are some examples:
- Personally Identifiable Information (PII): Data that has the potential to distinctly identify, make contact with, or pinpoint the whereabouts of an individual
- Sensitive but Unclassified (SBU): Information that, while not classified, is still important to protect due to its sensitive nature
- Proprietary Business Information: Confidential business information that gives an enterprise a competitive edge
- Export Controlled Information: Information related to items that are controlled for export under international agreements
- Law Enforcement Sensitive (LES): Information that could impact law enforcement activities if improperly disclosed
- Critical Infrastructure Information: Information related to systems and assets vital to national security, economic security, or public health and safety
- Financial Information: Sensitive financial data that could be exploited if disclosed
- Health Information: Protected health information that is subject to privacy regulations
The story behind the CUI program
The government-wide initiative aims to standardize identifying and safeguarding unclassified information that requires protection from unauthorized disclosure. The program was established in 2009 by Executive Order 13556, “Improving the Security of Unclassified Information.”
Why was the program created?
The sheer volume and heightened sensitivity of unclassified information that the government collects, stores, and disseminates has increased exponentially since 2009. Before the turn of the decade, this tide was already rising.
The CUI program was a strategic response to ensure that the growing sea of data necessary for government functioning would be adequately protected and easier to share between government agencies.
By adhering to these guidelines, organizations can ensure the proper handling, storage, transmission, and destruction of CUI, safeguard sensitive information, and maintain compliance with relevant laws and regulations.
What is Executive Order 13556?
The order developed a standardized approach to identifying, safeguarding, and disseminating CUI. It established the National Archives and Records Administration (NARA) as the lead agency for the CUI program to develop a list of all authorized CUI categories and subcategories (CUI registry).
The order requires agencies to develop and implement CUI identification and marking procedures, access controls, and training programs. Agencies are legally required to report CUI incidents to NARA.
What happens if you don’t comply with CUI regulations?
The legal obligations for developing and implementing CUI identification and marking procedures, access controls, and training programs are outlined in Department of Defense Instruction (DoDI) 5200.48, “Controlled Unclassified Information (CUI).”
Non-compliance with these requirements can lead to violations of law, inefficiency, or administrative errors, as well as potential embarrassment to a person, organization, or agency.
Who manages CUI regulation in the Federal Government?
NARA manages the CUI program in collaboration with other federal agencies. NARA provides guidance and oversight to agencies on the implementation of the program.
Other agencies, such as the Department of Defense and the Department of Homeland Security, have specific responsibilities related to their missions for CUI.
Why is the CUI program important?
The program is helping to improve how the government handles unclassified information, making it more difficult for unauthorized individuals to access and exploit this information. It’s a cornerstone of Government efforts to protect sensitive data and ensure national security.
Lastly, the CUI program is founded on the principle that only information requiring protection based on law, Federal regulation, or government-wide policy can qualify as CUI.
What are CUI markings?
Federal agencies need to be able to identify, manage, and protect CUI to stay legally compliant. CUI markings are visual cues designed to make it easier for these individuals to understand the level of the information’s sensitivity and the required handling protocols.
Look out for the following:
1. CUI banner marking
Where can you find it? At the top and bottom of each page of a CUI document. What’s inside the banner?
- “CUI” indicates that the document contains CUI
- It will specify the date of creation or revision of the document
- It will identify the agency responsible for creating or originating the CUI
2. CUI designation indicator
You can find this within the body of the document. The designation indicator identifies the specific category or subcategory of CUI contained within the document. It makes it simple for individuals to understand the nature of the sensitive information and apply appropriate handling measures.
3. Limited Dissemination Controls (LDC)
When CUI requires additional restrictions on access or disclosure, LDC is applied. These controls are typically indicated within the CUI banner marking or in a separate document marking section.
What are some LDC examples?
- For Official Use Only (FOUO): Limits access to government personnel only
- No Foreign Access (NOFORN): Prohibits disclosure to foreign nationals or entities
- Sensitive Personally Identifiable Information (SPII): Indicates that the CUI includes especially sensitive personal information, such as Social Security numbers or medical records
Cover letter markings
When transmitting CUI through cover letters, recipients need to be informed of the sensitive nature of the enclosed information.
What should your cover letter contain?
- The “CUI” acronym explicitly identifies the CUI content
- Enclosure markings should match the CUI markings on the enclosed documents
- If Limited Dissemination Controls (LDC) apply, they should be clearly stated in the cover letter
- Any specific handling instructions or restrictions should be provided to ensure proper safeguarding of the CUI.
By incorporating these essential markings and instructions, CUI can be effectively identified, protected, and handled appropriately within the federal government.
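As an added illustration (not part of the original post, and not an official NARA or DoD tool), the marking rules in this section can be checked mechanically. The Go program below assumes a banner written as CUI//&lt;categories&gt;//&lt;LDCs&gt;, with "/" separating items within a field, and a designation indicator block that begins with a "Controlled by:" line; the sample pages and the PRVCY category marking are constructed for the example. It flags pages missing the banner at top or bottom, pages whose banner differs from page one, a first page without the designation indicator, and a cover letter whose enclosure marking (including its LDCs) does not match the enclosed document.

```go
package main

import (
	"fmt"
	"strings"
)

// Example added to this post, not an official NARA or DoD tool. It assumes a
// banner of the form "CUI//<categories>//<LDCs>" (items within a field are
// separated by "/") and a designation indicator block that starts with a
// "Controlled by:" line; the pages in main are constructed samples.

// Finding records one marking defect. Page is 1-based; 0 means the cover letter.
type Finding struct {
	Page    int
	Problem string
}

// isBanner reports whether a line is a CUI banner marking.
func isBanner(line string) bool {
	line = strings.TrimSpace(line)
	return line == "CUI" || strings.HasPrefix(line, "CUI//")
}

// edges returns the first and last non-blank lines of a page, trimmed.
func edges(page []string) (first, last string) {
	for _, l := range page {
		if t := strings.TrimSpace(l); t != "" {
			if first == "" {
				first = t
			}
			last = t
		}
	}
	return first, last
}

// lineWithPrefix returns the remainder of the first line starting with prefix.
func lineWithPrefix(lines []string, prefix string) (string, bool) {
	for _, l := range lines {
		if t := strings.TrimSpace(l); strings.HasPrefix(t, prefix) {
			return strings.TrimSpace(strings.TrimPrefix(t, prefix)), true
		}
	}
	return "", false
}

// CheckDocument verifies that every page carries the same CUI banner at top
// and bottom, that page one carries the designation indicator, and, when a
// cover letter is supplied, that its enclosure marking (including any LDCs)
// matches the enclosed document's banner.
func CheckDocument(pages [][]string, coverLetter []string) []Finding {
	var out []Finding
	add := func(page int, problem string) { out = append(out, Finding{page, problem}) }
	reference := "" // banner on page one, which every other page must repeat
	for i, page := range pages {
		n := i + 1
		first, last := edges(page)
		switch {
		case !isBanner(first):
			add(n, "missing CUI banner at top of page")
		case !isBanner(last):
			add(n, "missing CUI banner at bottom of page")
		case first != last:
			add(n, "top and bottom banners differ")
		case reference == "":
			reference = first
		case first != reference:
			add(n, "banner differs from page 1: "+first)
		}
		if n == 1 {
			if _, ok := lineWithPrefix(page, "Controlled by:"); !ok {
				add(1, "no designation indicator (Controlled by:) on first page")
			}
		}
	}
	if coverLetter != nil {
		enc, ok := lineWithPrefix(coverLetter, "Enclosure:")
		switch {
		case !ok:
			add(0, "cover letter has no enclosure marking")
		case enc != reference:
			add(0, fmt.Sprintf("cover letter marks enclosure %q but document banner is %q", enc, reference))
		}
	}
	return out
}

func main() {
	// Constructed sample: page two is missing its bottom banner.
	doc := [][]string{
		{"CUI//PRVCY//NOFORN", "Controlled by: Example Agency", "Body text", "CUI//PRVCY//NOFORN"},
		{"CUI//PRVCY", "More body text"},
	}
	for _, f := range CheckDocument(doc, []string{"Enclosure: CUI//PRVCY//NOFORN"}) {
		fmt.Printf("page %d: %s\n", f.Page, f.Problem)
	}
}
```

The checker works on pages that have already been extracted to text lines; feeding it the output of a PDF or Office text extractor is the natural way to run it over a real document set before anything is transmitted.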
Why is protecting CUI so important?
Adversaries can and do pursue CUI, posing a risk to national security. This data must be protected to maintain the security, economy, and national infrastructure of the United States. The DoD reinforces this claim by classifying CUI as sensitive and valuable to the country. It can easily be accessed by foreign powers and malicious actors, making it susceptible to security breaches and exploitation.
Nine best practice steps to protect your CUI
As outlined in DoDI 5200.48, CUI must be stored or handled in controlled environments that prevent or detect unauthorized access.
Scroll on to explore the nine steps you’ll need to achieve this:
Step 1: Implement access controls
What are access controls? They prevent unauthorized access to CUI by ensuring that only authorized individuals can access sensitive information. These controls should be reviewed and updated regularly to address changes in personnel and roles.
Here are the controls you’ll need to protect your CUI data:
- User Access Controls: Employ robust authentication mechanisms like multi-factor authentication (MFA) to verify user identities before granting access
- Role-Based Access Control (RBAC): Restrict access to CUI based on user roles and responsibilities, ensuring individuals only have access to the information they need to perform their duties
- Data Access Controls: Implement data encryption techniques to protect CUI at rest and in transit
- Network Access Controls: Employ firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS) to monitor and control network traffic, preventing unauthorized access attempts
Step 2: Conduct regular audits and assessments
Why do you need them? They ensure that your security controls for safeguarding CUI are working. Federal agencies are required to conduct self-assessments. They must also assess any third-party vendors with whom CUI is shared to ensure compliance with security requirements and identify and address any vulnerabilities or non-compliance issues.
What is the best practice for self-assessment?
- Conduct thorough risk assessments to identify, prioritize, and manage risks associated with CUI access, storage, and transmission
- Regularly scan CUI systems for vulnerabilities, such as software flaws or misconfigurations, that unauthorized actors could exploit
- Conduct independent security audits to evaluate the effectiveness of CUI security controls and identify improvement areas.
Step 3: Implement Secure Data Handling Practices
Step three focuses on the practical, day-to-day handling of your CUI: establishing and enforcing secure data handling practices that protect CUI throughout its lifecycle.
Best practices include:
- Mark all CUI documents and systems with appropriate markings indicating their sensitivity and handling requirements
- Store CUI in secure locations, such as locked cabinets or encrypted devices, when not in use
- Properly destroy CUI when it is no longer needed, using methods that render the information unreadable and unrecoverable
Step 4: Limit access
Limit access to CUI to authorized users within your organization and protect your CUI from unauthorized access through solid access controls.
Also, employ role-based access and the principle of least privilege to ensure that only individuals with a legitimate need to access your CUI are granted permission.
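As an added example (not IPKeys' code and not anything prescribed by DoDI 5200.48), the Go program below shows what Steps 1 and 4 look like in code: a deny-by-default role-based policy in which permissions are granted per role and per CUI category, an MFA requirement enforced before any CUI access, and an audit line for every decision. The roles, users, and category names are constructed samples.

```go
package main

import (
	"fmt"
	"strings"
)

// Example added to this post (not IPKeys' product code). A deny-by-default
// role-based access check for CUI: permissions are granted per role and per
// CUI category, MFA is required before any CUI access, and every decision is
// logged. The roles, users and categories below are constructed samples.

// Permission names an action on one CUI category, e.g. "read:PII".
type Permission string

// User is a person with assigned roles and the MFA state of the current session.
type User struct {
	Name      string
	Roles     []string
	MFAPassed bool
}

// Policy maps role names to their permission sets and keeps an audit trail.
type Policy struct {
	roles map[string]map[Permission]bool
	Audit []string // one line per authorization decision
}

func NewPolicy() *Policy {
	return &Policy{roles: map[string]map[Permission]bool{}}
}

// Grant adds a single permission to a role. Keeping grants this narrow is
// what least privilege looks like in practice: no role gets "all CUI".
func (p *Policy) Grant(role string, action, category string) {
	if p.roles[role] == nil {
		p.roles[role] = map[Permission]bool{}
	}
	p.roles[role][Permission(action+":"+category)] = true
}

// Authorize decides whether u may perform action on CUI of the given
// category. Anything not explicitly granted to one of u's roles is denied.
func (p *Policy) Authorize(u User, action, category string) (bool, string) {
	perm := Permission(action + ":" + category)
	allowed, reason := false, "no role grants "+string(perm)
	if !u.MFAPassed {
		reason = "MFA not completed"
	} else {
		for _, r := range u.Roles {
			if p.roles[r][perm] { // indexing a missing role yields false
				allowed, reason = true, "granted via role "+r
				break
			}
		}
	}
	verdict := "DENY"
	if allowed {
		verdict = "ALLOW"
	}
	p.Audit = append(p.Audit, fmt.Sprintf("%s %s %s user=%s (%s)", verdict, action, category, u.Name, reason))
	return allowed, reason
}

func main() {
	p := NewPolicy()
	p.Grant("hr-analyst", "read", "PII")
	p.Grant("contracts", "read", "ProprietaryBusiness")
	p.Grant("contracts", "write", "ProprietaryBusiness")

	alice := User{Name: "alice", Roles: []string{"hr-analyst"}, MFAPassed: true}
	bob := User{Name: "bob", Roles: []string{"contracts"}, MFAPassed: false}

	p.Authorize(alice, "read", "PII")                 // allowed
	p.Authorize(alice, "read", "ProprietaryBusiness") // denied: outside her role
	p.Authorize(bob, "read", "ProprietaryBusiness")   // denied: no MFA this session
	fmt.Println(strings.Join(p.Audit, "\n"))
}
```

The audit slice is what the regular review in Step 2 would be run against: a denied request from a role that should have access, or a grant that no role should still hold, both show up there when personnel or responsibilities change.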
Step 5: Use encryption
Encryption is crucial in protecting CUI throughout its lifecycle by ensuring that sensitive data remains confidential even if it falls into the wrong hands.
Cryptographic standards used to protect CUI include:
- Secure Hash Algorithm 256 (SHA-256): A cryptographic hash function that generates unique fingerprints, or message digests, for data integrity verification, ensuring that CUI remains unmodified during transmission or storage
- Hash-based Message Authentication Code (HMAC): Combines a hash function like SHA-256 with a secret key to generate message authentication codes (MACs) for data authentication
- Advanced Encryption Standard (AES): Offers a balance of security and performance, making it a widely adopted, preferred choice for protecting CUI
- Elliptic Curve Cryptography (ECC): A more advanced asymmetric encryption algorithm that provides stronger security with smaller key sizes. It is handy for protecting sensitive cryptographic keys and digital signatures
- Rivest-Shamir-Adleman (RSA): Another widely used asymmetric encryption algorithm known for its robustness and compatibility with various applications, often employed for secure key exchange and digital signatures
CUI encryption key management includes:
- Key Generation: CUI encryption keys should be generated using a trusted random number generator (RNG) to ensure their unpredictability and security
- Key Storage: Encryption keys should be stored in secure locations, such as hardware security modules (HSMs) or cloud-based key management services (KMS), that offer robust physical and logical protection
- Key Rotation: Encryption keys should be rotated regularly to minimize the potential impact of key compromise
- Access Control: Access to encryption keys should be strictly controlled, limiting access to authorized personnel only
- Key Recovery: Establish a secure key recovery process to ensure CUI remains accessible in case of key loss or damage
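As an added example (not IPKeys' or DoD code), the Go program below implements the key-management bullets above with the standard library: keys are generated from crypto/rand, each stored record carries the id of the key that encrypted it, and rotation re-encrypts every record under a fresh key before the old key is retired. It uses AES-256-GCM, whose authentication tag also supplies the integrity check that the HMAC bullet describes. The record layout and the sample record are this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// Example added to this post (not IPKeys' or DoD code): a minimal keyring with
// versioned AES-256 keys and re-encryption of stored records on key rotation.
// The record in main is a constructed sample.
type Keyring struct {
	keys   map[uint32][]byte // key id -> 32-byte AES key
	active uint32            // id used for new writes
}

// NewKey draws 32 bytes from crypto/rand (the OS CSPRNG; as of Go 1.24 Read
// never returns an error) and makes the new key active.
func (k *Keyring) NewKey() uint32 {
	if k.keys == nil {
		k.keys = map[uint32][]byte{}
	}
	key := make([]byte, 32)
	rand.Read(key)
	k.active++
	k.keys[k.active] = key
	return k.active
}

// aeadFor returns AES-256-GCM for a key id; retired ids are rejected.
func (k *Keyring) aeadFor(id uint32) (cipher.AEAD, error) {
	key, ok := k.keys[id]
	if !ok {
		return nil, fmt.Errorf("unknown or retired key id %d", id)
	}
	block, _ := aes.NewCipher(key) // cannot fail: key is always 32 bytes
	return cipher.NewGCM(block)
}

// Seal encrypts under the active key. Record layout: keyID(4, big-endian) ||
// nonce(12) || ciphertext || GCM tag; the key id is bound as associated data,
// so a record whose id has been altered fails authentication on Open.
func (k *Keyring) Seal(plaintext []byte) ([]byte, error) {
	aead, err := k.aeadFor(k.active)
	if err != nil {
		return nil, err
	}
	hdr, nonce := make([]byte, 4), make([]byte, aead.NonceSize())
	binary.BigEndian.PutUint32(hdr, k.active)
	rand.Read(nonce) // fresh random nonce per record
	return aead.Seal(append(hdr, nonce...), nonce, plaintext, hdr), nil
}

// Open decrypts a record from Seal, choosing the key by its embedded id.
func (k *Keyring) Open(rec []byte) ([]byte, error) {
	if len(rec) < 4+12 { // header plus the 12-byte GCM nonce
		return nil, fmt.Errorf("record too short")
	}
	aead, err := k.aeadFor(binary.BigEndian.Uint32(rec[:4]))
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	return aead.Open(nil, rec[4:4+ns], rec[4+ns:], rec[:4])
}

// Rotate activates a fresh key, re-encrypts every record under it, and only
// then retires the old key, so a later compromise of that key exposes nothing.
func (k *Keyring) Rotate(records [][]byte) ([][]byte, error) {
	old := k.active
	k.NewKey()
	out := make([][]byte, len(records))
	for i, r := range records {
		pt, err := k.Open(r)
		if err == nil {
			out[i], err = k.Seal(pt)
		}
		if err != nil {
			return nil, err
		}
	}
	delete(k.keys, old)
	return out, nil
}

func main() {
	var kr Keyring
	kr.NewKey()
	rec, _ := kr.Seal([]byte("constructed sample CUI record"))
	rotated, _ := kr.Rotate([][]byte{rec})
	pt, _ := kr.Open(rotated[0])
	_, err := kr.Open(rec) // the stale record no longer opens: its key was retired
	fmt.Println(string(pt), "|", err)
}
```

In a deployment the key material itself would live in an HSM or a cloud KMS, as the Key Storage bullet says, and the Key Recovery bullet would be met by escrowing keys there rather than by keeping the retired key around; the in-memory ring here exists only so the example runs stand-alone.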
Step 6: Implement security controls
In addition to encryption and access controls, organizations should implement other security controls to secure CUI. These controls may include measures specified based on the level of compliance required, such as Cybersecurity Maturity Model Certification (CMMC 2.0).
They may encompass a variety of technical, administrative, and physical security measures to protect CUI from unauthorized access, disclosure, or alteration.
Technical security controls
- Data loss prevention (DLP): Implement DLP solutions to prevent the unauthorized transfer of CUI outside of authorized channels
- Data masking: Mask sensitive data in logs, test data, and training data to protect against unauthorized access or disclosure
- Vulnerability scanning and patching: Regularly scan CUI systems for vulnerabilities and promptly apply patches to address identified weaknesses
- Network segmentation: Segment networks to isolate CUI systems from less secure networks, reducing the attack surface
- Endpoint security: Implement endpoint security solutions, including antivirus, anti-malware, and firewalls, to protect CUI systems from endpoint threats
Administrative security controls
- CUI identification and marking: Establish clear procedures for identifying and marking CUI to ensure consistent and accurate classification
- CUI awareness and training: Provide regular training to employees on CUI identification, handling, and security requirements to foster a culture of cybersecurity
- Incident response: Create and put into action an incident response plan specifically designed to handle and address security breaches involving CUI efficiently
- Risk assessment: Conduct them regularly to identify, prioritize, and address risks associated with CUI access, storage, and transmission
- Supply chain security: Assess and manage risks associated with third-party vendors and service providers that access or handle CUI
Physical security controls
- Implement physical access control, such as security guards, access cards, and biometric authentication, to restrict access to CUI facilities and storage areas
- Implement environmental controls, including temperature and humidity monitoring, to protect CUI from physical damage or environmental hazards
- Implement secure disposal procedures for CUI media, such as hard drives and paper documents
- Implement visitor management procedures to track and control visitor access to CUI facilities and areas
- Implement security awareness signage to remind employees and visitors of security protocols and restrictions
Step 7: Develop and Implement a CUI Security Policy
This policy serves as a framework for your organization, providing a structured approach to CUI security and ensuring consistency in how CUI is handled across the organization.
What does this strategic step involve?
- Create a comprehensive policy that outlines how CUI should be stored, secured, and shared
- Ensure the policy aligns with compliance requirements, such as the CMMC
- Include specific security measures, access controls, encryption requirements, and guidelines for handling and disseminating CUI
Want to know more?
- For a deeper dive into various security controls and their importance in protecting CUI, check out our comprehensive guide on Security Controls.
- For guidance on developing a thorough System Security Plan (SSP) tailored explicitly to safeguarding CUI, explore our SSP Template for in-depth insights and practical tips
- To understand more about the NIST 800-53 framework and its application in securing CUI, read our in-depth post on NIST 800-53.
Step 8: Provide CUI Awareness and Training
So that all personnel know the latest threats and security practices, it is essential to educate them about the importance of CUI protection and the specific practices they must follow. Plus, it has the added benefit of building a security-conscious organizational culture.
The types of training include:
- CUI Awareness Training: Conduct regular training sessions to raise awareness about CUI, its importance, and the potential consequences of unauthorized disclosure
- Security Awareness Training: Provide training on general security practices, including password hygiene, phishing awareness, and social engineering tactics
- Role-Specific Training: Tailor training to specific roles and responsibilities, ensuring employees understand the CUI handling requirements relevant to their work
Step 9: Implement Incident Response Plans
A strong incident response plan is crucial to quickly address any security breaches involving CUI. To ensure its effectiveness, you are required to test and revise your incident response plan regularly. Your plan should outline procedures during a breach, including containment, investigation, and notification procedures.
What should your incident response plan include?
- Incident Identification: Develop procedures for promptly identifying and reporting CUI security incidents
- Investigation and Containment: Implement processes to investigate incidents, identify their root causes, and contain the damage
- Notification and Reporting: Establish clear guidelines for notifying appropriate authorities and reporting incidents to NARA
- Recovery and Remediation: Develop plans for restoring systems, remediating vulnerabilities, and preventing future incidents
The changing regulatory landscape and the consequences of not protecting CUI
An ongoing trend in CUI regulation is the focus on data security. Regulators emphasize the need for organizations to implement robust security controls to protect CUI from unauthorized access, disclosure, or modification. This includes encryption, access controls, and DLP.
Another trend is the growing importance of supply chain security. Regulators recognize that agencies often rely on third-party vendors and service providers to handle CUI. As a result, they are requiring organizations to assess and manage risks associated with their supply chains to ensure that CUI remains protected throughout its lifecycle.
Protecting CUI is non-negotiable for maintaining the security, economy, and national infrastructure of the United States. The consequences of CUI leaks can be severe, particularly for defense contractors and organizations handling CUI.
Noncompliance with DFARS 7012 obligations presents serious business risks and could lead to costly consequences, including potential legal and financial penalties. In addition to reputational and financial damages, organizations that fail to protect CUI may also face regulatory penalties and legal action.
Maintain a high standard of compliance with IPKeys
IPKeys can help organizations identify, classify, protect, and manage CUI throughout its lifecycle.
Our CUI compliance solutions include the following:
- Automated CUI discovery and classification: Automatically scan your organization’s data repositories to identify and classify CUI data, ensuring your CUI is appropriately handled
- Continuous CUI monitoring and assessment: Continuously monitor your organization’s CUI to identify any changes or new risks
- Centralized CUI risk management: Centralized platform managing CUI risks to eliminate any blind spots in your risk management procedures
- Integrated CUI incident response: Integrated solutions for CUI incidents ensure your organization can quickly and effectively respond to any breaches
- Compliance reporting and auditing: IPKeys’ comprehensive compliance reporting and auditing tools keep your organization compliant with all CUI regulations
Chat with our teams today about implementing automated compliance solutions to protect your CUI from unauthorized access, disclosure, or modification. Or book a demo.
CUI – common FAQs
What must all CUI documents contain?
All CUI documents must include the CUI designation indicator on the first page or cover. The CUI designation indicator must be annotated to identify the document containing CUI. Additionally, the acronym “CUI” should be marked at the top and bottom of each page, and the document should include the contact information of the designating agency and identify a point of contact or division within the organization.
For more detailed information, see the CUI Marking Job Aid.
What are the two types of CUI?
1) Controlled Technical Information (CTI) is a subcategory of CUI and includes technical information with military or space applications subject to access, reproduction, and dissemination controls.
2) CUI encompasses unclassified information that requires safeguarding or dissemination controls.
For more details, see Controlled Unclassified Information Markings.
How do I know if I have CUI data?
To determine if unclassified information in your document is CUI, you should check the information against the CUI Registry. If the information potentially fits within a broad category of CUI, such as Privacy, Legal, or Budget, it may be considered CUI. At a minimum, CUI markings for unclassified documents will include the acronym “CUI” at the top and bottom of each page and the CUI designation indicator.
For more information, see the DOD Mandatory CUI Training.