On November 4, 2010, U.S. President Barack Obama signed a new Executive Order to establish a uniform policy for the government treatment of “Controlled Unclassified Information” (CUI). This framework standardizes practices around the sharing of Controlled Unclassified Information, with the goal of improving the sharing of information within the executive departments of the U.S. Federal Government.
Government agencies must complete a number of deliverables as part of the CUI implementation plan. In May 2011, agencies were required to submit a catalogue of proposed Controlled Unclassified Information categories to the National Archives and Records Administration (NARA). The next step is for agencies to develop a CUI compliance plan, which is due by December 6, 2011.
TITUS has partnered with PKH Enterprises to help agencies develop their CUI compliance plan. In a joint white paper with Patricia Hammar, executive secretary of the CUI Presidential Task Force, we provide expert advice, templates, and best practices from governments that have implemented similar initiatives. The white paper, called “Protect Your CUI Data: 5 Steps to Implementing Your Controlled Unclassified Information Plan”, includes the following content:
1. A 5-step process to develop a CUI compliance plan
The white paper describes the following 5 steps for developing a Controlled Unclassified Information compliance plan:
- CUI Program Development: Define who is responsible for CUI management, what resources they have, and how they interact with offices, such as the CIO or Security Office, which are critical to CUI implementation.
- Finalize Categories and Sub-Categories: Work with the CUI Office to ensure that the CUI Office understands the agency’s information sharing and safeguarding needs so that these needs are reflected in the CUI Registry.
- Define Process for Paper and E-Media: Review the agency’s data and the means in which the agency uses that information to accomplish their mission.
- System Inventory: Understand which systems in the agency handle Controlled Unclassified Information and evaluate the safeguarding measures required for each system.
- Plan Development: Use the sample CUI compliance plan template to define how the agency will handle Governance, Policy, Training, Technology, and Self-Inspection.
2. Best practices for information classification, data loss prevention and email retention
The white paper outlines studies of similar initiatives in other countries, such as the Australian government, which requires that all government-originated email contain protective markings to identify the information’s sensitivity. Like CUI, these markings are used to identify and protect sensitive information in a consistent manner across the Australian federal government.
By requiring users to classify and mark their data, the Australian government is able to gain greater knowledge about the type of data that employees handle day to day. They are also able to significantly strengthen their security program in ways that extend beyond the simple selection of a classification label. With minimal training, government employees have become critical partners in raising security awareness, and identifying and protecting sensitive government information.
3. Details on how to meet CUI requirements with easy-to-use marking and safeguarding software
The Controlled Unclassified Information framework requires users to classify and mark their data, including documents and email. This enables the agency to safeguard the information while enabling information sharing with citizens, government agencies, and other organizations.
The white paper describes how TITUS solutions are ideal for meeting CUI classification and safeguarding requirements. TITUS products include:
- Message Classification™ for the marking of email in Microsoft Outlook®, Outlook Web Access ®, and mobile devices (support for Lotus Notes® is also available)
- Classification™ for Microsoft Office® for the marking of Microsoft Office Word®, PowerPoint®, and Excel® documents
- Classification for Desktop™ for the classification of any file type in Windows Explorer®, including PDF, CAD, and multimedia files.
- Marking and metadata security solutions for Microsoft SharePoint®
- File server marking solutions for Microsoft Windows Server 2008 File Classification Infrastructure® (FCI).
TITUS classification and safeguarding software has been instrumental in helping organizations implement similar programs in other countries. Agencies have an opportunity to use products, such as those from TITUS, to comply with CUI guidelines and fully leverage their information assets.
Download the “Protect Your CUI Data” white paper and discover how to protect your organization’s most important information assets.
Although the white paper is targeted at U.S. government agencies, the document will be of interest to all organizations looking for templates and best practices for information protection. Visit our website to download the “Protect Your CUI Data” white paper, and discover how TITUS and PKH Enterprises can help meet your requirements for Controlled Unclassified Information and other data protection programs.