How Can You Protect Sensitive Unclassified Information?
The term “CUI” refers to Controlled Unclassified Information. CUI is information that is designated by law, regulation, or government-wide policy to require safeguarding and dissemination controls. As such, CUI protection methodologies cover digital and physical locations and assets. Boundaries prevent CUI from being removed without authorization, from inside those boundaries, including networks, devices, locations, media, and people.
There are two types of boundaries—logical and physical.
1. Logical boundaries include:
- Locked cabinets
- Metal enclosures that protect network devices
- Conduits around critical cabling on the outside of buildings
- Unplugging a network cable that is used to run between buildings
2. Logical boundaries include:
- Firewalls that create logical boundaries
- WiFi networks
- Cloud gateways
- Credentials for system login
- Virtual private networks (VPN)
- HTTPS connections
There are four main government policies that focus on CUI protection.
1. Executive Order 13556 “Controlled Unclassified Information”
2. 32 CFR Part 2002 “Controlled Unclassified Information” Part 2002 establishes the CUI Program
3. DoDI Instruction 5200.48 “Controlled Unclassified Information”
4. NIST Special Publication 800-171 Rev. 2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”
Why Do We Need CUI Protection?
CUI protection is necessary, because any unintentional or malicious release of sensitive data could represent a threat to national security. In addition, any CUI that resides in nonfederal systems and organizations may directly impact the ability of the federal government to successfully conduct its assigned missions and business operations, including those related to critical infrastructure.
Six Myths About Storing and CUI Protection
Based on its significance to U.S. national security, several myths exist about CUI and how it should be managed:
Any enterprise that handles CUI must ensure that the entire environment is CMMC 2.0 level three compliant.
In some cases, it makes sense for an enterprise to secure the entire environment to protect CUI. However, it is not a requirement. CMMC 2.0 only requires that the CUI be protected, meaning that the entire enterprise environment does not need to be held to the CMMC requirements if it can be separated and protected. CMMC 2.0 Level 2 compliance is often sufficient to protect CUI and Federal Contract Information (FCI) at most organizations.
CMMC 2.0 dictates the type of storage security solutions that defense industrial base (DIB) Defense contractors must use for CUI protection.
CMMC 2.0 does not proscribe specific storage solutions that DIB contractors must use. It simply sets forth the security compliance framework for CUI protection within a DIB contractor’s ecosystem.
Any cloud service provider (CSP) that handles CUI must be listed in the FedRAMP Marketplace.
To handle CUI, a CSP may be listed in the Federal Risk and Authorization Management Program (FedRAMP) marketplace, but that is not mandatory. However, if a CSP is used to store, process, or transmit any CUI, the DIB contractor must ensure that the CSP meets security requirements for FedRAMP Moderate.
The CSPs also must have requisite processes, including those stated in DFARS 7012, which state that “cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment” are required.
CSPs must accept DFARS 7012 flow downs.
While a DIB contractor does not have to flow down to DFARS clause 252.204-7012 to a CSP, they are required to ensure that the CSP meets the clauses' requirements.
In the event that a DoD user sends CUI to a DIB contractor via an unencrypted email, it is considered a data breach.
Sending CUI to a DIB contractor via an unencrypted email is not treated as a data breach incident. It is an issue that is referred to as a security incident and does not impact the DIB contractor’s ability to bid on DoD contracts. However, it is strongly recommended that proper training and IT Security measures be put into place for DoD users and DIB contractors, to prevent such incidents from occurring again.
Because of issues with improper or lack of CUI markings on documents, DIB contractors must assume that all content is potentially CUI.
Starting in January 2021, all content related to DoD programs must include CUI that matches its CMMC 2.0 compliance level. If a DIB contractor receives content that they consider to be mislabeled or need labeling, they should contact the DoD sender and have them apply the correct CUI markings.
How to Protect Confidentiality of CUI
The methods used to protect CUI are driven by how it is stored and its state.
The two ways that CUI can be stored are:
1. Non-digital media—e.g., paper and microfilm
2. Digital media—e.g., CDs, DVDs, magnetic tapes, external or removable hard disk drives, flash drives, or saved on systems and servers (on-premises and cloud)
CUI protection on non-digital media is performed by using physical security controls. When CUI is stored on non-digital media, it should be held in a controlled environment with strict limitations on access. Only people with authorization should be able to access, observe, or overhear CUI. To ensure CUI protection, it should be stored in locked rooms, cases, or cabinets.
CUI protection for digital media should leverage encryption. When digital media is moved outside of a controlled environment, it needs to be encrypted, as per CMMC MP.3.125, NIST SP 800-171 3.8.6, which states, “Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.” This varies whether the data is at rest or in transit.
When referring to CUI protection for digital data at rest, information is not moving through the network. This usually means it is stored on hard drives, media, and mobile devices. In addition to encryption and physical security systems, other CUI protection tactics can be employed. These include:
- Data loss prevention
- Intrusion detection and intrusion prevention systems (IDS and IPS)
Ensuring CUI protection for data in transit or when it is being transmitted over computer networks requires another set of tools. Common examples of data in transit are sending an email that contains CUI, sharing a digital document that contains CUI over a network, or entering CUI into a form on a website. CUI protection methods for data in transit are primarily based on various encryption implementations.
CUI protection must also be considered for verbal communications. Talking with another person on the phone or in person can share CUI with unauthorized parties. To protect the confidentiality of CUI, discussions involving CUI should take place in controlled areas with voice encryption in place for calls.
Why CUI Protection Is Important
When summarizing the importance of CUI protection, the United States Defense Counterintelligence and Security Agency says it best, “Because there are fewer controls over CUI as compared to classified information, CUI is the path of least resistance for adversaries. Loss of aggregated CUI is one of the most significant risks to national security, directly affecting lethality of our warfighters.” Source
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 17,000+ customers with millions of users worldwide.
Last Updated: 18th November, 2022