Ten Steps to CUI Compliance – What Obama’s Controlled Unclassified Executive Order Means for IT Administrators

Earlier this week we posted a blog on Controlled Unclassified Information, covering the need for marking and protection in this area, and the earlier Bush government Memorandum. Yesterday, President Obama signed the new Executive Order for Controlled Unclassified Information, which replaces the previous order by President Bush. The new executive order mandates that all departments provide feedback to NARA (the Executive Agent for this order) within 180 days on the categories and subcategories of markings used in their department. Within a year, agencies must provide NARA with a proposed plan for compliance with the requirements of this order, including the establishment of interim target dates.

Ten Steps to CUI Compliance

The Executive Order and planning requirements have important implications for Information Technology planning. As an organization that has been supplying automated marking solutions to large organizations for the last 7 years, here are what we believe to be the top 10 steps to CUI compliance:

  1. Review whether categories or subcategories are currently being used to mark electronic information such as email, documents, or other types of files. If so, these markings should be fed into the reporting of current use to NARA.
  2. Take inventory of your electronic information that will need to be marked as a result of the Executive Order. This includes both structured information (databases, stovepipe systems, etc.) and unstructured information (email, documents, collaboration tools, etc.).
  3. Are you currently using marking tools?  If so, determine if they will be able to support the new requirements.  Ideally, any information marking tool being used today should be able to switch over and be used with the new markings within a very short period of time.
  4. If you are not yet using current automated marking tools, begin a study of available marking tools that will meet your agency’s requirements.
  5. Set aside or obtain budget funds to purchase the required automated marking tools.
  6. Determine if current stovepipe systems can be modified to generate markings on any electronic information output (reports, documents, forms, etc.) from the stovepipe system. If not, begin planning what will need to be done to meet this requirement.
  7. Determine how marked information will need to be secured as a result of the CUI Executive Order. For example, when a user generates a new document or email and marks it as CUI, will the information need to be protected? Will current file shares or portals (SharePoint, etc.) need to be secured? Will the distribution of CUI by email need to be limited? If so, are current systems able to do this?
  8. Determine how marked information will need to be retained as a result of the Executive Order. How long will you need to retain CUI information? If retention is mandated, do current archiving systems allow this retention?
  9. Plan for user training of any new automated marking tool.
  10. Take a break, have a coffee, and move on to your next task 🙂

Titus provides a suite of automated marking tools for Microsoft Office, Microsoft Outlook, SharePoint and several mobile platforms. This software suite is also the first CUI marking solution that helps Government Agencies ensure compliance with the new Controlled Unclassified Information Executive Order (CUI EO).

What does your CUI Planning look like?
