CUI FAQ
Unlike many other industry frameworks, NIST SP 800-171 and CMMC are focused on following the data. The scope of your System Security Plan (SSP) is determined by the systems in your environment that store, process, and/or transmit Controlled Unclassified Information (CUI). To scope your environment you must first understand what CUI is, whether you have it, and where it resides in your information systems.
What is CUI?
32 CFR 2002 defines CUI, in part as, “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
CUI is neither classified information nor your organization's own corporate intellectual property. CUI is always information that belongs to the Government: either the Government created it, or a contractor created it for or on behalf of the Government.
“Information… that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls” covers a great deal of data. For that reason, the National Archives and Records Administration (NARA) maintains the CUI Registry, a catalog of every type of unclassified information that must be controlled under an established law, regulation, or Government-wide policy.
If your organization has data that you believe could be CUI, consult the CUI Registry to see whether the data matches the description of any CUI category. If, after searching the Registry, the data does not match any category, then “it shall not be so designated,” as established by Executive Order 13556.
When in doubt, err on the side of not designating information as CUI if it truly does not match the definition. Over-designating information as CUI is not a “safe” option, and it does not follow the law. This is the opposite of classified information, where a great deal of data is over-classified as a fail-safe.
How do I know if my organization has CUI?
- CUI has been delivered to the organization, either directly by the Government or by another contractor.
- The organization creates CUI itself in the course of performing a Government contract.
CUI is not always labeled simply “CUI”. It may carry a category marking such as Controlled Technical Information (“CTI”), or it may be marked as export controlled under ITAR. If your organization holds ITAR-controlled data that originated with the Government, you should be aware that you hold CUI. Organizations should also watch for legacy markings (e.g., FOUO, SBU) on existing data, since that information may now require a CUI designation.
How should my organization protect CUI?
The standard for protecting CUI in unclassified, non-federal systems is NIST Special Publication 800-171 r2. Many executive agencies layer additional requirements on top of it, such as the Department of Defense with the upcoming CMMC. Keep in mind that NIST SP 800-171 is the Government-wide standard for protecting CUI in non-federal information systems, and it is already a contractual obligation for DoD contractors under DFARS 252.204-7012; regardless of what happens with CMMC, those core 110 requirements will continue to apply.
OCD Tech CUI consulting services
OCD Tech understands that navigating the CUI waters can be difficult. OCD Tech therefore offers the following services to aid your organization in creating a CUI compliance program and aligning that program with NIST SP 800-171:
Free Initial CUI Consult
Free of charge and without commitment, you can sign up for a 30-minute session with one of our experts to discuss CUI in your environment. During this session, our team will review the definition of CUI and discuss the categories of CUI that may be present in your environment. You may sign up for a free 30-minute CUI consult here.
Identifying CUI in your environment
OCD Tech can help your organization identify CUI in your environment through discussions with stakeholders, review of contractual obligations, and granular review of the types of data you process.
Proper handling of CUI
OCD Tech can help ensure that the CUI you create in your environment is properly marked and labeled in accordance with the policies of the executive agency to which your CUI belongs. OCD Tech can help you navigate any limited dissemination requirements (such as those imposed by ITAR) that your organization is subject to. Additionally, our team can help you identify the proper channels for destroying and/or decontrolling CUI.
CUI Education
Under executive agency guidelines such as the DoD's DoDI 5200.48, your organization is likely obligated to train its employees on identifying, protecting, destroying, disseminating, decontrolling, and marking CUI, and on reporting incidents involving CUI. OCD Tech can design a training program for your organization that is both compliant and repeatable.
Controlling data flow
In support of CMMC practice AM.3.036 and the NIST SP 800-171 requirement to define your system boundary, OCD Tech can help create a data flow diagram for your organization that covers both policy and technical enforcement. Understanding and refining the flow of CUI through your environment is essential to building a System Security Plan (SSP) and to meeting DoD and other executive agency requirements.
CUI Handling Policies
Whether or not you currently handle CUI, your organization should maintain a documented policy for how CUI is to be handled (or destroyed upon receipt) in your environment. OCD Tech can write CUI data-handling policies for your organization that align with NIST SP 800-171 and with the requirements of the executive agency(s) you do business with.