CUI compliance: What you need to know (Part 2)
Get details on CUI regulations and what you should know in order to fully achieve compliance.
Established by Executive Order 13556, the Controlled Unclassified Information (CUI) program defines a uniform policy for the treatment of unclassified information that requires safeguarding or dissemination controls. As of December 31, 2017, all federal contracts will require contractors to comply with the Federal CUI Rule (32 CFR Part 2002) that governs the treatment of CUI.
In the second instalment of this two-part blog series, Patricia Hammar, founder of PKH Enterprises and a recognized expert in the areas of government policy and privacy, answers some additional questions on Controlled Unclassified Information (CUI) compliance.
What do I need to know about someone before I share CUI?
CUI still maintains an analysis that sharing the CUI furthers a lawful government purpose. The goal is to share to all who need the information, but not indiscriminately. An authorized holder – anyone who has the information validly – is permitted to use their judgement on whether the sharing furthers a lawful government purpose. The two ways that the government can change this basic rule are through a limited dissemination marking or through a dissemination provision of the specified CUI authority. The limited dissemination markings include: NOFORN, FEDONLY, FEDCON, NOCON, DL ONLY, REL TO (designator), and DISPLAY. In order to comply with these markings the authorized holder must know the citizenship (for NOFORN, REL TO (designator), or DISPLAY) and the employer (for FEDONLY, FEDCON, NOCON). The most specific of these markings is DL ONLY, which requires knowledge that the individual is on a given Designated list.
Specified CUI has been specified because it requires either specialized safeguarding or specialized dissemination rules based on the authority which established it as CUI. It is critical to read the rules for handling specified CUI since there are CUI that may require formal training, a more thorough need to know evaluation, registered individuals or other constraints in sharing this material.
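The marking check described above, as an added example that is not part of the original post. It assumes the registry's keyword forms (REL TO and DISPLAY ONLY followed by a country list, DL ONLY followed by a list name), a simplified recipient record with citizenship, employer type and confirmed list membership, and fails closed whenever an attribute has not been verified.

```python
from dataclasses import dataclass
from enum import IntEnum
from typing import List, Optional, Tuple, FrozenSet, Iterable

class Decision(IntEnum):
    DENY = 0
    DISPLAY_ONLY = 1   # recipient may view the item but receives no copy
    ALLOW = 2

@dataclass(frozen=True)
class Recipient:
    # Assumed attribute model: None means "not verified", which always fails closed.
    citizenship: Optional[str] = None           # country code such as "USA"
    employer: Optional[str] = None              # "federal", "contractor" or "other"
    designated_lists: FrozenSet[str] = frozenset()  # DL ONLY lists the recipient is confirmed on

KEYWORDS = ("DISPLAY ONLY", "DISPLAY", "REL TO", "DL ONLY", "NOFORN", "FEDONLY", "FEDCON", "NOCON")

def parse_marking(marking: str) -> Tuple[str, List[str]]:
    """Split 'REL TO USA, GBR' into ('REL TO', ['USA', 'GBR']) and 'NOFORN' into ('NOFORN', [])."""
    text = " ".join(marking.upper().split())
    for keyword in KEYWORDS:
        if text == keyword or text.startswith(keyword + " "):
            rest = text[len(keyword):]
            designators = [d.strip() for d in rest.split(",") if d.strip()]
            return ("DISPLAY ONLY" if keyword == "DISPLAY" else keyword), designators
    raise ValueError("unrecognised limited dissemination marking: %r" % marking)

def evaluate_marking(marking: str, r: Recipient) -> Decision:
    """Decide one marking against one recipient; unknown attributes never satisfy a marking."""
    keyword, designators = parse_marking(marking)
    if keyword == "NOFORN":
        return Decision.ALLOW if r.citizenship == "USA" else Decision.DENY
    if keyword == "REL TO":
        return Decision.ALLOW if r.citizenship in designators else Decision.DENY
    if keyword == "DISPLAY ONLY":
        if r.citizenship == "USA":
            return Decision.ALLOW
        return Decision.DISPLAY_ONLY if r.citizenship in designators else Decision.DENY
    if keyword == "FEDONLY":
        return Decision.ALLOW if r.employer == "federal" else Decision.DENY
    if keyword == "FEDCON":
        return Decision.ALLOW if r.employer in ("federal", "contractor") else Decision.DENY
    if keyword == "NOCON":
        return Decision.ALLOW if r.employer not in (None, "contractor") else Decision.DENY
    # DL ONLY: the recipient must be confirmed on every list the marking names
    on_lists = bool(designators) and all(d in r.designated_lists for d in designators)
    return Decision.ALLOW if on_lists else Decision.DENY

def sharing_decision(markings: Iterable[str], r: Recipient) -> Decision:
    """Most restrictive marking wins. With no markings the holder's own lawful-government-purpose
    judgement applies, which this helper does not model, so it returns ALLOW."""
    return min((evaluate_marking(m, r) for m in markings), default=Decision.ALLOW)
```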
How many different types of CUI are there?
There are a lot of different ways to count. The registry contains 315 control citations, which means that there are 315 statutes, regulations or policies that require safeguarding or dissemination rules on unclassified data. One hundred and six (106) of these rules establish sanctions for improper handling of CUI. The registry has combined these different rules into 23 categories and 84 subcategories.
Based on this there are 126 different types of CUI. Each of these is based on a statute, regulation or government-wide policy. In 87 of these the policies are broad enough to allow for the use of CUI Basic with standard rules for safeguarding and disseminating. In 39 cases, the authority requires something specific, either in safeguarding or dissemination, that is unique to that type of information. In 24 cases a given category or subcategory contains some information that can be treated as Basic and other information that must be treated as Specified.
How does this impact privacy information?
In the registry the privacy category states that it “refers to personal information, or, in some cases, ‘personally identifiable information,’ as defined in OMB M-07-16, or ‘means of identification’ as defined in 18 USC 1028(d)(7).” There are 60 statutes, regulations or government-wide policies that require safeguarding or dissemination rules on privacy information, 50 of which can be handled under CUI Basic. Ten citations require specified handling. It should be noted that all of these rules existed prior to CUI, so the specified requirements were already in place. The biggest change for privacy information is in the CUI Basic area of marking, which had generally not been a requirement.