Archive for ‘Controlled Unclassified Information (CUI)’

CUI Compliance – What You Need To Know (Part 2)

Friday, October 6th, 2017

Established by Executive Order 13556, the Controlled Unclassified Information (CUI) program defines a uniform policy for the treatment of unclassified information that requires safeguarding or dissemination controls. As of December 31, 2017, all federal contracts will require contractors to comply with the Federal CUI Rule (32 CFR Part 2002) that governs the treatment of CUI.

In the second installment of this two-part blog series, Patricia Hammar, founder of PKH Enterprises and a recognized expert in the areas of government policy and privacy, answers some additional questions on Controlled Unclassified Information (CUI) compliance.




CUI Compliance – What You Need To Know

Monday, October 2nd, 2017

Established by Executive Order 13556, the Controlled Unclassified Information (CUI) program defines a uniform policy for the treatment of unclassified information that requires safeguarding or dissemination controls. This framework standardizes practices around the sharing of controlled unclassified information, with the goal of improving the sharing of information across Federal executive branch agencies.

In this two-part blog series, Patricia Hammar, founder of PKH Enterprises and a recognized expert in the areas of government policy and privacy, answers some key questions on CUI compliance.




Time to Get Serious about Controlled Unclassified Information

Wednesday, August 26th, 2015

It’s time to start getting serious about Controlled Unclassified Information (CUI) and the implementation of a solution that ensures compliance. It is expected that the 32 Code of Federal Regulations (CFR) 2002 will be completed in the November-December 2015 time frame. With the rules and markings in place, the National Archives and Records Administration (NARA) will release the official Marking Handbook to kick off the phased implementation process.

TITUS Classification software can help any department easily comply with these regulations. By using the TITUS classification and marking solution, organizations can enhance their overall security program and realize the following benefits:



Top Data Security Blog Posts for 2011: Data Classification, Mobile Security, Data Security and Compliance, Data Loss Prevention, and Cloud Data Security

Wednesday, December 28th, 2011

As 2011 draws to a close, I thought it would be interesting to provide a list of the most popular data security articles on this blog. Here are the topics and articles that were most popular with our readers:

1) Data Classification

More and more commercial organizations have started to see data classification as the foundation of their information protection strategy. We wrote several articles about this trend, including an article that described how to implement a data classification policy in 5 simple steps, and an article that recommended best practices for defining a data classification scheme. Readers were also interested in how to use classification software to bulk classify, mark, and label large numbers of files.

2) Mobile Security

Mobile security has become a hot topic, especially with the trend toward consumerization of mobile devices.



Controlled Unclassified Information (CUI): The CUI Registry is out!

Tuesday, November 8th, 2011

On November 4, 2011, the National Archives and Records Administration (NARA) released the first-ever registry for Controlled Unclassified Information (CUI) for records that are not classified as top secret or secret, but require some protection. The release of this registry meets one of the first targets of President Obama’s Executive Order on Controlled Unclassified Information.

The order stated that “Within 1 year of the date of this order, the Executive Agent shall establish and maintain a public CUI registry reflecting authorized CUI categories and subcategories”. Although much work remains, the new registry “is certainly an important milestone,” according to John Fitzpatrick, the office’s director. Looking back at the origin of this registry, one of the key reasons to move forward with this initiative was that executive branch performance “suffers immensely from interagency inconsistency” in the CUI arena. And no wonder: there were 117 different markings. The results were inconsistent marking and safeguarding of documents, which led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing.

The new CUI registry provides a common definition, standardizes processes and procedures, and breaks CUI down into 15 subject categories, such as law enforcement, immigration and privacy, followed by 85 subcategories (“privacy-contract use,” “privacy-financial,” and so on). It also justifies each with a reference to a specific law, regulation or government-wide policy. The next major steps (more…)



Best Practices for Defining a Classification Scheme

Wednesday, November 2nd, 2011

In my previous blog post, 5 Easy Steps for Implementing a Classification Policy, I discussed the importance of starting with a simple set of classification labels. In this post, I will expand on the topic of classification schemes, especially as they apply to commercial organizations.

At TITUS, we recommend that organizations try to keep the number of classification options down to four or fewer. We find that the simpler your classification scheme, the easier it will be for users to decide which category to use. Later, as your users become used to classifying content, you can add additional categories.

Many organizations use three categories:

1) A category such as “Public” to indicate non-sensitive information
2) An “Internal” category for information that should stay within the organization
3) A category such as “Confidential” or “Restricted” for information that is particularly sensitive

Surprisingly, the “Public” category is often what causes the most debate in commercial organizations.



Is Your Agency Ready for CUI Compliance? Meet Your December 6th Deadline

Thursday, October 13th, 2011

On November 4, 2010, U.S. President Barack Obama signed a new Executive Order to establish a uniform policy for the government treatment of “Controlled Unclassified Information” (CUI). This framework standardizes practices around the sharing of Controlled Unclassified Information, with the goal of improving the sharing of information within the executive departments of the U.S. Federal Government.

Government agencies must complete a number of deliverables as part of the CUI implementation plan. In May 2011, agencies were required to submit a catalogue of proposed Controlled Unclassified Information categories to the National Archives and Records Administration (NARA). The next step is for agencies to develop a CUI compliance plan, which is due by December 6, 2011.

TITUS has partnered with PKH Enterprises to help agencies develop their CUI compliance plan. In a joint white paper with Patricia Hammar, executive secretary of the CUI Presidential Task Force, we provide expert advice, templates, and best practices from governments that have implemented similar initiatives. The white paper, called “Protect Your CUI Data: 5 Steps to Implementing Your Controlled Unclassified Information Plan”, includes the following content: (more…)



Ten Steps to CUI Compliance – What Obama’s Controlled Unclassified Executive Order Means for IT Administrators

Friday, November 5th, 2010

Earlier this week we posted a blog on Controlled Unclassified Information, covering the need for marking and protection in this area, and the earlier Bush government Memorandum. Yesterday, President Obama signed off on the new Executive Order for Controlled Unclassified Information, which replaces the previous order by President Bush. The new executive order mandates all departments to provide feedback on the use of categories and subcategories of markings in their department to NARA (the Executive Agent for this order) within 180 days. Within a year, agencies must provide NARA with a proposed plan for compliance with the requirements of this order, including the establishment of interim target dates.

Ten Steps to CUI Compliance



CUI: Unclassified Information Isn’t Always Public

Tuesday, November 2nd, 2010

The United States Government is currently going through a review of how it labels and handles “Controlled Unclassified Information”. In May 2008, President George W. Bush issued a Memorandum for the Heads of Executive Departments and Agencies on the Designation and Sharing of Controlled Unclassified Information (CUI) to replace the existing “Sensitive But Unclassified” (SBU) Information Sharing Environment. The National Archives and Records Administration (NARA) was appointed as the Executive Agent for implementation and oversight of the CUI program. In this article we’ll look briefly at some of the important elements of the CUI Framework, and their impacts on how unclassified information is handled in the US Government.