By Ken Michael

As a business owner, you may have heard the term controlled unclassified information or CUI. This term can be confusing and lead many business owners to ask what exactly CUI is and if it impacts them and their organization. In this blog, Dox Electronics looks at what CUI is, who it impacts, what information falls under CUI, and more to clarify this concept.

What is CUI?

On Nov. 4, 2010, United States President Barack Obama issued Executive Order 13556 “Controlled Unclassified Information.” This executive order established “an open and uniform program for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies…” This order, in short, established the CUI program in the U.S.

The CUI program is a system that emphasizes openness and uniformity of government-wide practices for protecting valuable information that could be used against our nation should it fall into the wrong hands. Prior to Executive Order 13556, the various branches and entities within the government had an inefficient, inconsistent, disjointed patchwork of more than 100 different methods for safeguarding information that were often hidden from public view.

National defense requires that certain information remain confidential. This allows the government to protect its citizens, provide for homeland security, and secure interactions with other nations. While the U.S. government is based upon openness of its records, there are instances where data needs to remain classified for the purposes of national security.

Executive Order 13556 designated the National Archives and Records Administration (NARA) as the CUI Executive Agent (EA) for overseeing and managing the implementation across the entire U.S. government. It is also responsible for issuing policy directives related to CUI and reports on the implementation of the CUI program.

Who Is Impacted by CUI?

When Executive Order 13556 was issued, the onus of implementing the program in each government department and agency became the responsibility of the head of said division or branch. Any business, company, or organization conducting business with any department, agency, or branch of the federal government is required to adhere to the requirements of CUI.

In other words, if your business is contracted to conduct business with the U.S. federal government by providing products and/or services, your business is impacted by CUI. This also includes flow-down to subcontractors. The CUI program was implemented within 180 days following the issuance of the executive order and is in full effect today.

There is a long list of organizations and industries that fall under CUI. Some of those include:
  • Critical Infrastructure
  • Defense
  • Financial
  • Law Enforcement
  • Legal
  • Nuclear
  • Transportation

The National Institute of Standards and Technology (NIST) has issued several special publications (SP), including NIST SP 800-171, which outlines the development of CUI requirements, access control, and more. Within NIST SP 800-171, the CUI registry is mentioned.

What Information Qualifies as CUI?

Any information that by law, regulation, or government policy requires safeguarding or dissemination controls is covered by CUI. Under Executive Order 13526, the Atomic Energy Act, issued Dec. 29, 2009, information covered in this order is excluded from the requirements of CUI.

The CUI Markings page at the National Archives can help you identify what information your business has that may be considered CUI. You can look under the CUI categories or even search the registry. There’s even CUI training available that you can take and share with your employees to further familiarize yourself with the requirements of the program.

Monitoring and Securing CUI

All CUI should be monitored, audited, and protected on an ongoing basis. While having CUI located in one system or application can make applying controls easier, it doesn’t guarantee control.

The physical location of information, the network or networks it is stored on, and the infrastructure where it is utilized must all be evaluated constantly to ensure the CUI is accessed by only authorized users. This is where the principle of least privilege comes in, along with software and other controls to prevent the misuse or unauthorized dissemination of CUI. Dox Electronics will gladly assist your organization with implementing monitoring and security controls for your CUI.

By familiarizing yourself with the requirements of the CUI program and adhering to them, your business will not only meet the obligations of its federal contract(s), but it will be able to operate with better data protection and contribute to ensuring our national security.

A list of free CUI resources is available from the National Archives. For more information on CUI, visit the National Archives online or contact Dox Electronics at (585) 473-7766.