Why we must all think like the military to achieve true CUI compliance
By Jim Donnelly
When international airline British Airways had a huge chunk of personal guest data stolen by hackers, it’s fair to say the company probably wasn’t sure what to expect in terms of punishment from the UK’s privacy watchdog. But that changed in July 2019 when the company was slapped with a fine of nearly €200 million, the largest General Data Protection Regulation (GDPR) fine ever imposed.
The British Information Commissioner’s Office was unequivocal in its comments, saying BA had "poor security arrangements" in place to protect its customer data. "When an organisation fails to protect (personal data) from loss, damage or theft it is more than an inconvenience," said UK Information Commissioner Elizabeth Denham in The Guardian. "The law is clear – when you are entrusted with personal data, you must look after it."
Indeed, at this point, we all know how important it is not to share classified information with unauthorized parties. Penalties in the U.S. for doing so range from hefty fines to up to 10 years of imprisonment (or both), along with the likelihood of never being granted access to classified information again.
But what about the unauthorized sharing of Controlled Unclassified Information (CUI), within both commercial and government settings?
What is CUI?
Let’s first define what we mean when we say "CUI". According to the National Archives, which oversees the U.S. government’s CUI Program, it’s "unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies." That’s a pretty broad definition, because CUI covers virtually anything that could be considered sensitive but unclassified – from an employee’s banking information, to meeting room details, to an email about a doctor’s appointment next week.
A short history of CUI in government
The concept of a standardized, consistent method of classifying CUI in the U.S. government originated in the 9/11 Commission Report of 2004, which recommended tighter integration and more information sharing among agencies. Traditionally, policies for handling sensitive information were siloed and walled off from one another, resulting in a jumble of unclassified-but-sensitive categories such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Law Enforcement Sensitive (LES) – each one doing the same thing, just a little bit differently.
The potential for confusion, especially between organizations, was simply too great. So a formal CUI Program was eventually established by Executive Order 13556, in 2010, to improve uniformity and consistency across agencies, departments and other government entities. The National Archives were tabbed as the government’s CUI enforcer to implement and ensure compliance with the program. Since then, the CUI Program has continued to evolve through refinements such as 32 CFR Part 2002 in 2016 and NIST SP 800-171 (more on this in the next section).
NIST SP 800-171
The importance of CUI in some areas of the U.S. government (such as defense) was cemented in the winter of 2017-18 by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 – Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations – on Dec. 31, 2017. It’s also known as the Defense Federal Acquisition Regulation Supplement (DFARS).
That may sound like a mouthful, but it’s actually pretty simple: it’s a specific set of standards governing the way certain U.S. government departments, agencies and military branches and their partners handle unclassified yet still sensitive information. It also means all Department of Defense (DoD) contractors must be DFARS compliant or they’re at risk of losing their contracts (not to mention potentially being on the hook for legal liabilities).
CUI, industry, and GDPR
Indeed, CUI compliance isn’t just a government employee thing – far from it. The directives laid down by NIST SP 800-171, for example, require all contractors dealing with the U.S. Department of Defense (DoD), and certain other executive branch agencies, to be compliant when sharing CUI through contracts, memorandums of understanding, or acquisition rules. To facilitate this, it provides a standardized set of requirements meant to ensure CUI data protection across hundreds if not thousands of organizations.
Defense contractors who aren’t sure whether they comply can consult NIST Handbook 162, a free resource to help assess a manufacturer’s information systems against NIST SP 800-171 security requirements. The CUI Marking Handbook Rev 1.1 is also a very good resource companies can rely on to determine which markings to use.
However, in the 21st century, even organizations with no ties to government agencies or defense contracts need to be aware of CUI protection. That’s because of relatively new online privacy requirements like the EU’s GDPR and California Consumer Privacy Act (CCPA). These new regulations have forced virtually all organizations with any online presence to think about CUI – and CUI compliance – in a serious way: violators of GDPR can be fined up to €20,000 or up to four per cent of the preceding year’s annual worldwide turnover, whichever is greater.
And it’s not just a hypothetical threat, either, as we mentioned earlier. Retailer Morele.net was recently fined €645,000 in Poland for "insufficient protection of personal data", while Marriott International was tagged with fines of €235,000 (Turkey) and £99 million (UK) this past July.
Indeed, the importance of protecting personal data for virtually everyone across the commercial spectrum means we all have to think like the government or military when it comes to protecting CUI, according to Titus Chief Technology Officer Stephane Charbonneau. "It’s taking concepts originally developed for the military and government and bringing them to the commercial market," he explains.
"It’s global now – whatever your industry or sector, these are global things that people are worried about."
Thankfully, CUI compliance can now be achieved through software that runs in the background of your everyday business processes to aid employees when handling CUI. Although AI-driven automation doesn’t always work for militaries requiring manual controls, CUI compliance for fast-moving industries like finance can be achieved through virtually invisible processes driven by automation and machine learning.
Why it’s vital to get and stay CUI compliant
We’ve already mentioned some of the fines being doled out to commercial violators of international CUI regulations like GDPR. But being found non-compliant with government CUI rules can be even worse, resulting in the loss of important contracts – not to mention trashing your organization’s reputation as a trustworthy partner. This is especially true for those working with the U.S. DoD. As mentioned, in those cases, contractors and subcontractors are required to meet the minimum security standards of DFARS.
But complying with these standards and requirements while also staying competitive, keeping costs down, and continuing to move at the speed of business has proven to be a huge challenge for many organizations. Even though most understand and appreciate the importance of standardizing information controls, the actual boots-on-the-ground process of consistently controlling and marking thousands of emails and documents per day can be difficult, time consuming, and sometimes confusing for staff.
At larger organizations, whole compliance teams are often created. That’s simply not possible at medium- and smaller-sized government or military contractors, which often don’t have the resources to adequately staff these teams. Yet when smaller contractors try to go without strong controls in order to save money, they risk their livelihoods in the process.
It’s not just government clients who check up on CUI compliance, either – many prime contractors also conduct random spot checks and on-site visits to ensure their supply chain is up to snuff. That’s why a well-oiled marking system is your first line of defence and must be a foundational safeguard of your data protection program.
Best practices: Getting and staying CUI compliant
Because we all need to strike the right balance between compliance and continuing to stay agile as a business, a standardized system of marking documents and emails is crucial. If that system can be refined and eventually automated via machine learning, then so much the better. Without a strong and consistent system, even your best employees can make harmful mistakes due to a lack of understanding or consistency in either applying or recognizing markings.
Thankfully, there are best practices you can deploy within your organization to ease staff burden and ensure bulletproof compliance with federal regulations. Here are just a few of them:
- Recognize and apply CUI markings. As we’ve mentioned, the foundation of your CUI protection strategy must be a consistent system of recognizing and applying markings. Data identification and classification software can instantly recognize government-applied CUI markings, update or change markings (if authorized), and even be configured to exist alongside other marking schemes for ITAR, EAR and other compliance programs. And that’s without requiring employees to memorize 40 or 50 pages of arcane marking rules.
- Protect CUI from disclosure across boundaries. CUI information – both incoming and outgoing – must be protected at all times, and it’s up to the information holder to ensure that happens. You can set up automated controls and handling rules that proactively evaluate recipient lists, redact sensitive information, and encrypt outgoing information, along with applying metadata to unstructured data that other security solutions can understand. This allows previous security software investments such as DLP and CASB to work in tandem with data classification software.
- Raise CUI awareness among staff. Ignorance is not a defence when you’re dealing with NIST SP 800-171, which requires users to know the risks and all applicable information protection policies, standards, and procedures or face the consequences. Discussing it for 30 minutes during a staff lunch-and-learn is great, but not nearly enough: organizations must zealously educate staff on both the risks and proper processes required to stay CUI compliant.
An automated software solution engineered to identify, detect and respond to CUI data within everyday business processes, documents and emails has become a must-have for many organizations in the post-GDPR and NIST SP 800-171 world. Arming staff with the tools to quickly, easily and intuitively recognize and apply standardized CUI markings can make the difference between compliance and the not-so-pleasant alternatives.