What is Controlled Unclassified Information?

Are you an I.T. specialist responsible for securing information in your corporation? Depending on the nature of the information your organization deals with, you might have come across terms like classified information and standards like NIST 800-171. Classified information is clearly defined, and you might never encounter it. There is, however, another type of information that you may come across now and then if your company undertakes Defense contracts: Controlled Unclassified Information (CUI).

What is CUI data? How can you protect it? Does your company deal with Controlled Unclassified Information? Which information standards should you use when protecting such data? Read on for answers to the questions you might have about Controlled Unclassified Information.

What is CUI?

CUI refers to information created or owned by the Government that needs dissemination or safeguarding controls consistent with the applicable government-wide policies, laws, and regulations. As the term indicates, this information is not classified.

Controlled Unclassified Information (CUI) is a collective term that includes both Controlled Technical Information (CTI) and Covered Defense Information (CDI). These markings apply to unclassified information that needs special protection both inside and outside government information systems.

Although they may sound new, such information markings have been around for some time. Earlier markings used to identify this type of information include Sensitive But Unclassified (SBU), Law Enforcement Sensitive (LES), Unclassified Controlled Technical Information (UCTI), and For Official Use Only (FOUO). Today, all of these are encompassed by Controlled Unclassified Information (CUI).

Initially, CUI was developed for the agencies within the executive branch of the United States federal government. Before the current CUI program was implemented, each agency used its own set of markings, classifications, and rules to control and manage information. CUI greatly simplified and standardized the process.

CUI Categories

Many laws, U.S. codes, and regulations specify how each kind of CUI is controlled. The best way to learn the requirements for any CUI type is to go to the CUI Registry and search for the content you are interested in; the Registry holds the complete list of CUI categories. CUI is divided into 24 categories and 83 sub-categories of content, and every category is of one of two types: CUI Specified or CUI Basic.

CUI Specified

This is the subset of Controlled Unclassified Information where the authorizing policy, law, or regulation places more restrictive controls on the handling of the specified content. The underlying authority defines the handling controls for CUI Specified content, and only the designating agency may apply limited dissemination controls to it.

An agency that was not the original designating authority cannot do so. Likewise, an agency cannot raise the impact level of CUI Basic above moderate for systems outside itself without an agreement with the external agency, or the contractor organization, that runs the information system on its behalf.

CUI Basic

This contains the baseline dissemination and handling controls set out in NARA's final rule of 14th November 2016. FISMA requires CUI Basic to be protected at the FISMA moderate level, and it may be marked Controlled or CUI.

Does My I.T. System Have CUI Data?

This is a concern for many I.T. specialists. As a government contractor, do you hold CUI data that should be protected? Sure, there is a DFARS 7012 clause, but is there actually CUI content in your organization? In most cases the answer is yes. Below are the common types of information that require protection under DFARS if you are a defense contractor.

  • Technical information such as engineering drawings, engineering and research data, standards, manuals, process sheets, catalog-item identifications, technical orders, technical reports, data sets, and associated lists. Computer software source code and executable code also fall under this heading.
  • Vulnerability information for computers and information systems.
  • Any PII (personally identifiable information) you store, process, or transmit on behalf of the U.S. government as part of contract delivery. Such data is "Government-owned" PII and is considered CUI. For instance, PII processed under a benefits-processing contract can be regarded as CUI.

A great deal of unclassified content can be defined as controlled data. Any company in the DIB (Defense Industrial Base) has CUI data in its infrastructure, and most of them have a DFARS 7012 clause in at least one of their contracts.

What Qualifies As CUI?

The CUI categories and sub-categories are determined by the executive branch of the United States Federal Government. They include the following:

  • All proprietary information regarding protected critical energy information as specified in the AEA (Atomic Energy Act)
  • Any proprietary information relating to the CUI Registry categories
  • All proprietary information pertaining to export controls
  • Proprietary information regarding geospatial, imagery, and geodetic intelligence
  • CTI applying to aerospace, the Government, or the Military

How Can I Protect CUI Data?

If your business deals with national security matters, conduct due diligence to comply with the laws, regulations, and policies on federal information sharing that apply to your defense contract. This will likely involve several compliance regulations and standards, such as DFARS, CMMC, and NIST. The Government provides a blueprint in the DFARS 7012 rule, which stipulates the types of controls you must implement to protect CUI content within your information systems. Under the rule, your CUI environment can be one of the following:

  • An on-premise data center housing all of your company's internal I.T. systems
  • A CSP (cloud service provider) such as Microsoft GCC High, AWS, or Azure
  • A hybrid of on-premise systems and a cloud service provider that meets the NIST 800-171 specification

Whichever of the three you choose, ensure that the solution addresses the 110 NIST SP 800-171 security controls, the POA&M (Plan of Action and Milestones), and the SSP (System Security Plan). Organizations serving the DIB have historically managed their data in localized data facilities.

Are There Consequences Of Not Protecting CUI?

Federal law does not specify a particular penalty provision for failing to protect CUI. Instead, according to CFR-2017, misuse of CUI is subject to the penalties specified under the applicable laws, government-wide policy, and regulations. Any non-executive branch entity must report non-compliance with handling requirements to the disseminating agency, using the methods approved by that agency's senior agency official. If the disseminating agency is not the designating agency, the disseminating agency must notify the designating agency immediately.

Essentially, businesses that do not comply with Controlled Unclassified Information requirements are subject to administrative, civil, or criminal action if they fail to prevent a cybersecurity incident or fail to report it properly. More practically, you will lose your federal government contracts if you do not comply with all of the CUI requirements.

Controlled Unclassified Information must be handled and disseminated according to existing government policies, laws, and regulations. When aggregated, CUI can become TOP SECRET. Study the CUI Registry carefully to determine whether your company holds any CUI Specified information, so that you can take the appropriate steps. Visit Cleared Systems for more details on information security.


Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies. Relative to UTEP, such clauses and safeguarding controls are most commonly found in NIST 800-171 and DFARS 252.204-7012.

Executive Order 13556 "Controlled Unclassified Information" establishes a program for managing CUI across the Executive branch and designates the National Archives and Records Administration (NARA) as Executive Agent to implement the Order and oversee agency actions to ensure compliance.

32 CFR Part 2002 "Controlled Unclassified Information" establishes designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program. The rule affects Federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI—or which operate, use, or have access to Federal information and information systems on behalf of an agency.

As such, contractors, subcontractors, and universities need to be compliant with CUI controls. For CUI Categories and Subcategories, see the CUI Registry General Guidelines site.


NIST 800-171 and DFARS 252.204-7012

NIST Special Publication 800-171 (NIST 800-171) is a Federal standard on security controls applied to Controlled Unclassified Information (CUI) and systems and processes involved with this data. UTEP and its research enterprise must ensure all systems and processes involved with CUI are compliant with NIST 800-171 to continue receiving Federal funds associated with the use of this data (either directly received from the government or indirectly through associated covered contracts and contractors).

DFARS 252.204-7012 is a standard clause in many DoD contracts requiring:

  • Implementation of NIST Special Publication 800-171
  • Safeguarding covered defense information (CDI), which is CUI
  • Reporting cyber incidents that affect covered defense information or that impact the contractor’s ability to perform requirements designated as operationally critical support
  • Submitting malicious software discovered and isolated in connection with a reported cyber incident to the DoD Cyber Crime Center
  • Notifying the DoD of any security requirement not implemented, within 30 days of contract award

How to Comply

Any UTEP project with NIST and/or DFARS or other legal or contractual obligations to protect Controlled Unclassified Information (CUI) can ensure compliance by:

  • Contacting the Information Security Office to establish a System Security Plan (SSP), wherein the information security team will help guide investigators and their teams toward a compliant data security program,
  • Submitting the System Security Plan (SSP) through the data-sensitive research portal (DataSense) maintained by the Office of Research and Sponsored Projects, and
  • Ensuring you and your team are trained in CUI and CUI protection.

As part of the DataSense process, you may be asked to create a Technology Control Plan (TCP), which provides information on your operating environment, data needs, and basic project information. The System Security Plan (SSP) may be uploaded within the DataSense portal as part of the TCP.

All UTEP projects with applicable CUI needs must go through the approval process, wherein all environments involved with CUI must comply fully with the NIST 800-171 standards (either directly or through compensating controls) and follow the guidance provided by the approved System Security Plan (SSP). Any deviation from the SSP must be approved by the Chief Information Security Officer (CISO). The CISO will route such requests to either the Vice President of Research (for research-related activities) or the Vice President for Business Affairs (for administrative activities), as appropriate, for additional approval.

All environments involved with CUI must undergo an annual NIST 800-171 compliance assessment by Information Security before interacting with CUI. These assessments result in an attestation report signed by the CISO or a designee. All environments involved with CUI must also operate in a manner that allows cyber incidents involving CUI to be reported within 72 hours.

Training, more information, and assistance can be found by contacting or .


Process Flow

An export control project, or one involving CUI, should generally follow the process below:

  1. A contract contains clauses, and/or the sponsor indicates, that the project has Export Control and/or Controlled Unclassified Information (CUI) restrictions
  2. The PI is notified of these restrictions by ORSP
  3. The PI provides information in the DataSense portal so that Export Control and/or Research Administration can review whether the clauses may be negotiated or whether exclusions exist that reduce the need for compliance. If compliance is required, the process moves to step 4; otherwise, the PI is informed of the exclusion and the exclusion is documented for archiving.
  4. The PI enters information into the DataSense portal, using a template to generate a Technology Control Plan (TCP)
    1. An email is sent to the PI and the Information Security Office to generate a System Security Plan (SSP)
    2. Personnel working on the project are trained on Export Control and/or CUI
    3. The PI uploads the Information Security Office-approved SSP into the DataSense portal
  5. The approved TCP with SSP is documented in the DataSense portal
  6. A UTEP account is established for the project
  7. Auditing and monitoring occur to ensure compliance, as set out in the TCP and SSP

Training

All personnel interacting with or otherwise handling Controlled Unclassified Information, whether appointed, funded, or not, must take the training below. It is the responsibility of the Principal Investigator to follow the safeguards that ensure a compliant operating environment, as set out in the System Security Plan (SSP), and to ensure all relevant personnel are successfully trained.

Training, more information, and assistance can be found by contacting or .
