In July, the Pentagon’s acquisition office issued a memo reminding acquisition officials of the DoD’s requirements for handling controlled unclassified information (CUI). The standard which applies to Defense contractors is not new. The original Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requirement went into effect in 2017. With the renewed focus on protecting CUI and several regulations governing its handling, including CMMC 2.0, understanding CUI protection is of utmost importance to all US Government agencies, Defense contractors and suppliers.
What is CUI?
Controlled Unclassified Information or CUI is defined as government-created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies, including the pending CMMC 2.0, DFARS clause 252.204-7012, NIST Special Publication 800-171 and ITAR.
The security requirements are built on the principle that certain types of unclassified information are extremely sensitive, valuable to national security, sought after by strategic competitors and adversaries, and may also have legal safeguarding requirements. The CUI policy aims to standardize the CUI marking system across the Federal Government, replacing agency-specific markings such as FOUO, LES, SBU, etc.
WHAT ARE THE CUI CLASSIFICATION CATEGORIES?
Controlled unclassified information (CUI) falls within one of 125 categories under the following groups:
- Critical Infrastructure
- Defense
- Export Control
- Financial
- Immigration
- Intelligence
- International Agreements
- Law Enforcement
- Legal
- Natural & Cultural Resources
- North Atlantic Treaty Organization (NATO)
- Nuclear
- Patent
- Privacy
- Procurement & Acquisition
- Proprietary Business Information
- Provisional (for DHS use only)
- Statistical
- Tax
- Transportation
A full list of CUI categories and the required banner markings and dissemination controls for each can be found here. Be sure to identify the category and the necessary markings and controls for the information that you are handling.
What’s at Stake?
Improper safeguarding or loss of controlled unclassified information could potentially have serious adverse effects on organizational operations, organizational assets, and/or individuals. Any of these scenarios could result in a degradation in mission capability, damage to organizational assets, financial loss or harm to individuals.
CMMC 2.0 Compliance and CUI
As with many other regulations, the new CMMC Level 2 requirements will follow the 110 security controls of NIST SP 800-171 developed to protect CUI. Defense contractors handling CUI have been required to comply with NIST SP 800-171 since 2017 as part of their DFARS contract obligations. If you’re already in compliance with NIST SP 800-171, you’ve got a jumpstart.
DoD CUI MARKING GUIDELINES
If you have CUI it needs to be marked accordingly. The purpose of CUI markings and the CUI designation indicator is to inform or alert recipients and/or users that CUI is present and of any limited dissemination controls. Here’s a summary of the DoD’s guidance on CUI Markings for Unclassified and Classified documents.
UNCLASSIFIED Documents Containing CUI
- Place “CUI” at the top and bottom of each page.
- Portion markings are optional on unclassified documents, but if used, all portions will be marked.
- The CUI designation indicator will be placed at the bottom of the first page or cover of all documents containing CUI:
- Line 1: The name of the DoD Component (not required if identified in the letterhead)
- Line 2: Identification of the office creating the document
- Line 3: Identification of the categories contained in the document
- Line 4: Applicable distribution statement or limited dissemination control (LDC)
- Line 5: Name and phone number or email of POC
CLASSIFIED Documents Containing CUI
- “CUI” does not go into the banner line.
- The CUI designation indicator and the classification authority block will be placed at the bottom of the first page.
- Portion markings are required on classified documents.
- Classified documents will be marked IAW DoDM 5200.01 Volume 2.
- CUI markings will appear in portions known to contain only CUI.
- A warning statement will be placed at the bottom of the first page of multi-page documents alerting readers to the presence of CUI in a classified DoD document.
Automating CUI Tagging and Marking in Microsoft 365 & GCC High
Relying on users to remember all of the classification and labeling requirements can be prone to error; which can lead to fines and or loss of contracts depending on the regulation. And while most regulations reference NIST 800-171, each has its own caveats. You want to ensure that you have tools in place that can help identify CUI, label it appropriately and restrict access according to the applicable regulation(s).
NC Protect provides a full range of capabilities to identify, mark and protect CUI and other sensitive data, allowing users to automatically classify and apply a CUI Designator Label to documents. Depending on the CUI level, user’s geographic location and security privileges, NC Protect can apply dynamic protection to prevent visibility of the document to unauthorized users, prevent emailing, and/or display the document within NC Protect’s secure ready-only viewer or allow the user to fully interact with the document.
It can also help manage the tagging, labeling and security of CUI across Microsoft 365, GCC and GCC High applications, as well as SharePoint on-premises. The dynamic labeling and marking capability and configurable access and protection policies can easily be extended to other government regulations and requirements for a seamless solution to manage information security and compliance.
Scan and Tag CUI
NC Protect also helps organizations protect CUI from improper access and/or release. It scans your document repositories in M365, GCC or GCC High (SharePoint Online or Server, Teams, OneDrive, File Shares) and identifies files containing CUI. It then classifies the files according to its CUI level and restricts who in the organization can access the documents based on the document’s classification and attributes such as security clearance and country.
NC Protect’s access and protection policies can use multiple attributes in combination with one another. Therefore, it can leverage Microsoft Purview Information Protection (MPIP) sensitivity labels or classifications from other products (e.g., Janusseal, Titus, etc.) and use those values to apply dynamic protection policies and visual markings. Use NC Protect’s classifications or a combination of these other classifications to suit your organization’s taxonomy requirements and overcome labeling limitations in MPIP.
Automatically Apply CUI Markings
NC Protect dynamically embeds CUI Designation Indicator markings, including Owner Name, Controlled By, Category, Distribution/Limited Dissemination Control and POC, as well as headers/footers into documents as a persistent watermark. When any protected document is opened in Microsoft Office or the NC Protect Secure Reader, the CUI Designation Indicator label is embedded in the file as a persistent watermark.
Apply Dynamic Attribute-based Access Control (ABAC) and Data Protection Policies
NC Protect also provides robust access controls and data protection capabilities to safeguard CUI. Using ABAC, it evaluates both data, environment and user attributes against defined policies to determine appropriate access, usage and sharing rights for each and every document. It can control what a user sees when viewing and searching for files in Microsoft apps and determine if a user can open, edit, copy or download a file. It can also redact sensitive/classified information, such as keywords or phrases, in Word, Excel, PowerPoint and PDF, or when the file is presented in the Secure Reader.
Audit CUI Access and Activity
NC Protect audits user activity and permissions. It logs and tracks sensitive access, user actions such as producing, editing or deleting data, and general access. Easily ingest user activity logs collected in NC Protect into Microsoft Sentinel or Splunk to analyze the data at scale as well as trigger holistic alerts and remediation actions.
