archTIS Director of Federal and Defense, Bill Kalogeros recently presented a CMMC 2.0 Workshop with FCW on new controlled unclassified information or ‘CUI’ marking requirements for CMMC 2.0 which is expected to go into effect in May of 2023. Here’s a summary of his session and a link to the recording to learn more about the pending changes to CUI handling and how to prepare.
CUI Handle with Care
The U.S. Department of Defense (DOD) has doubled down on how it protects controlled unclassified information, underscoring the importance of using a solution that ensures any sensitive data is properly safeguarded.
Controlled unclassified information (CUI) is government-created or owned information that needs to be protected from improper dissemination or access. It can include a wide range of information related to defense, intelligence and critical infrastructure, among other areas.
CUI, which is maintained in government and contractor systems, is often a target and a cyber risk for the DOD.
The process of labeling and classifying CUI can be a complex endeavor
Often, data can change over time, and sometimes unclassified information may become part of a classified program, said Bill Kalogeros, director, Federal and Defense, at archTIS. “You need to have the ability to tag that data properly based on the attributes of that data, to apply the right rules for CUI labeling,” he said.
CUI needs to be marked appropriately in order to keep it safe from improper dissemination. For instance, CUI has to have a header and a CUI designation indicator, which includes what component within the DOD owns the data, and what office controls and created the document. Classified and unclassified documents containing CUI are marked differently.
“The ability to be able to do this based on the attributes of that data is extremely important,” Kalogeros said. archTIS can help. It automates the identification, classification and protection of CUI data across Microsoft 365 and SharePoint on-premises systems within a single solution. It also supports CMMC requirements.
Tagging CUI and Applying Designation Indicator Markings
Through NC Protect, archTIS can dynamically apply a CUI designator label to data at rest using a digital watermark. It can also dynamically apply a CUI designator label as the file is being viewed.
By using a secure viewer, archTIS can present an image or snapshot of the data to a user, but won’t allow them to take a screen capture or print it. A CUI watermark embedded in the document will show who opened the document to help track the source of any data leaks.
“We are sending that information in real-time to Microsoft Sentinel or Splunk. It is a real-time alert to what is happening,” Kalogeros said. “This allows you to trigger holistic alerts and remediation actions in Sentinel and Splunk alongside the dynamic and real-time access controls of NC Protect.”
When any watermarked document is opened in Microsoft Office or the NC Protect Secure Reader, the CUI designator label is already embedded in the file.
“As information is shared with different subcontractors being able to control that information appropriately is extremely important,” he said.
Protecting CUI from Improper Access and Sharing
archTIS helps organizations protect information from improper release. It scans and identifies files containing CUI and classifies them according to CUI level, restricts who in the organization can access documents containing CUI by classification and geolocation, and applies a secure digital watermark with date, user and CUI level. It can also tag data that moves from on-premise to the cloud.
NC Protect can control what a user sees when viewing and searching for files or determine if a user can open, edit, copy or download a file.
“We are preventing accidental and malicious data loss based on the attributes of the data,” Kalogeros said. “We are controlling the data through guest party access so we can… ensure data is not leaking through third parties.”
The company also enforces regulatory compliance through checkpoints that scan the data for CUI information to restrict access to information and audits the activity and permissions of the users. It can change the portion mark if an unclassified file becomes part of a classified file and can automatically redact a document.
“We have the ability to do a lot of really powerful things with the data using NC Protect,” he said.
FCW Workshop Webinar:
Preparing for CMMC 2.0 CUI Marking Requirements