In July, the Pentagon’s acquisition office issued a memo reminding acquisition officials of the DoD’s requirements for handling controlled unclassified information (CUI). The standard which applies to Defense contractors is not new. The original Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requirement went into effect in 2017. With the renewed focus on protecting CUI and several regulations governing its handling, including CMMC 2.0, understanding CUI protection is of utmost importance to all US Government agencies, Defense contractors and suppliers.
What is CUI?
Controlled Unclassified Information or CUI is defined as government-created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies, including the soon to be released CMMC 2.0, DFARS clause 252.204-7012, NIST Special Publication 800-171 and ITAR.
The security requirements are built on the principle that certain types of unclassified information are extremely sensitive, valuable to national security, sought after by strategic competitors and adversaries, and may also have legal safeguarding requirements. The CUI policy aims to standardize the CUI marking system across the Federal Government, replacing agency-specific markings such as FOUO, LES, SBU, etc.
WHAT ARE THE CUI CLASSIFICATION CATEGORIES?
Controlled unclassified information (CUI) falls within one of 125 categories under the following groups:
- Critical Infrastructure
- Export Control
- International Agreements
- Law Enforcement
- Natural & Cultural Resources
- North Atlantic Treaty Organization (NATO)
- Procurement & Acquisition
- Proprietary Business Information
- Provisional (for DHS use only)
A full list of CUI categories and the required banner markings and dissemination controls for each can be found here. Be sure to identify the category and the necessary markings and controls for the information that you are handling.
What’s at Stake?
Improper safeguarding or loss of controlled unclassified information could potentially have serious adverse effects on organizational operations, organizational assets, and/or individuals. Any of these scenarios could result in a degradation in mission capability, damage to organizational assets, financial loss or harm to individuals.
CMMC 2.0 Compliance and CUI
As with many other regulations, the new CMMC Level 2 requirements will follow the 110 security controls of NIST SP 800-171 developed to protect CUI. Defense contractors handling CUI have been required to comply with NIST SP 800-171 since 2017 as part of their DFARS contract obligations. If you’re already in compliance with NIST SP 800-171, you’ve got a jumpstart.
DoD CUI MARKING GUIDELINES
If you have CUI it needs to be marked accordingly. The purpose of CUI markings and the CUI designation indicator is to inform or alert recipients and/or users that CUI is present and of any limited dissemination controls. Here’s a summary of the DoD’s guidance on CUI Markings for Unclassified and Classified documents.
UNCLASSIFIED Documents Containing CUI
- Place “CUI” at the top and bottom of each page.
- Portion markings are optional on unclassified documents, but if used, all portions will be marked.
- The CUI designation indicator will be placed at the bottom of the first page or cover of all documents containing CUI:
- Line 1: The name of the DoD Component (not required if identified in the letterhead)
- Line 2: Identification of the office creating the document
- Line 3: Identification of the categories contained in the document
- Line 4: Applicable distribution statement or limited dissemination control (LDC)
- Line 5: Name and phone number or email of POC
CLASSIFIED Documents Containing CUI
- “CUI” does not go into the banner line.
- The CUI designation indicator and the classification authority block will be placed at the bottom of the first page.
- Portion markings are required on classified documents.
- Classified documents will be marked IAW DoDM 5200.01 Volume 2.
- CUI markings will appear in portions known to contain only CUI.
- A warning statement will be placed at the bottom of the first page of multi-page documents alerting readers to the presence of CUI in a classified DoD document.
Automating CUI Tagging and Markings in Microsoft 365
Relying on users to remember all of the classification and labeling requirements can be prone to error; which can lead to fines and or loss of contracts depending on the regulation. And while most regulations reference NIST 800-171, each has its own caveats. You want to ensure that you have tools in place that can help identify CUI, label it appropriately and restrict access according to the applicable regulation(s).
NC Protect provides a full range of capabilities to identify and protect CUI and other sensitive data, allowing users to automatically classify and apply a CUI Designator Label to documents. Depending on the CUI level, user’s geographic location and security privileges, NC Protect can apply dynamic protection to prevent visibility of the document to unauthorized users, prevent emailing, and/or display the document within NC Protect’s secure ready-only viewer or allow the user to fully interact with the document.
It can help manage the tagging, labeling and security of CUI across Microsoft 365 applications (Teams, SharePoint Online, Exchange, Office and OneDrive), GCC and GCC High, as well as SharePoint on-premises. The dynamic labeling capability and configurable access and protection policies can easily be extended to other government regulations and requirements for a seamless solution to manage information security and compliance.