CUI compliance – What you need to know
Learn about the Controlled Unclassified Information (CUI) program, how it works, and who is responsible for its implimentation.
Established by Executive Order 13556, the Controlled Unclassified Information (CUI) program defines a uniform policy for the treatment of unclassified information that requires safeguarding or dissemination controls. This framework standardizes practices around the sharing of controlled unclassified information, with the goal of improving the sharing of information across Federal executive branch agencies.
In this two-part blog series, Patricia Hammar, founder of PKH Enterprises and a recognized expert in the areas of government policy and privacy, answers some key questions on CUI compliance.
Who is responsible to implement CUI?
CUI, as implemented by 32CFR2002(September 14, 2016), is a government policy and through the regulation applies to federal departments and agencies. This establishes the policy for designating, handling and decontrolling information that qualifies as CUI. It is expected, however, that the federal government will require similar controls to all they share sensitive information with through contract, memorandums of understanding or acquisition rules. The expectation is that they will require all parties with whom they share to follow NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations
The CUI office has differentiated when NIST SP 800-171 would apply to contracts. The key to this question is whether the contractor is developing a product that contains CUI or if they are developing a system that processes, stores or handles CUI. NIST SP 800-171 only addresses the confidentiality of CUI which is important to all users of CUI, ensuring that the CUI is not shared inappropriately. In developing systems that process store or handle CUI, the system must ensure the Availability and Integrity of the information as well as its confidentiality. In these cases, the government may establish additional controls through the contracting process.
How will I know what markings to use?
As with classified information, the government will be the party that designates the protection level of the information. The registry will then explain the basis of the sensitivity. The CUI Marking Handbook Rev 1.1 and the markings listed in the registry will assist in marking. It is expected that unless the information is in a classified document few agencies will require portion marking. This will leave the banner marking, which includes three elements: “Controlled” or CUI, the category or subcategory, and limited dissemination markings. All CUI must also have a designation indicator that identifies who has designated the information as CUI.
The largest division of CUI is between CUI Basic (87 different categories and subcategories) and CUI Specified (39 different categories and subcategories). The category and subcategory markings are mandatory for CUI specified and are found in the registry, it is important to note that all specified categories must be listed in alphabetical order. The CUI Basic categories are only required if the agencies add this requirement as part of their policy. The last part of the banner marking is the limited dissemination marking. This includes: NOFORN, FEDONLY, FEDCON, NOCON, DL ONLY, REL TO (designator), and DISPLAY. Only Designating Agencies can establish the use of limited Dissemination marking and must approve others to use the marking.
In the next post in this series, Patricia Hammar will answer questions on the various types of CUI, and what you need to know before sharing CUI.