The 4 Policies of Controlled Unclassified Information (CUI)

IBM reports that in quarter 4 of 2023, we saw the exposure of nearly 8 million records worldwide. Protecting the integrity of your sensitive data is important, especially in today’s ever-changing technical landscape. Controlled Unclassified Information (CUI) is one category of such data. This class of sensitive information often holds the potential to impact national security, as well as privacy and business operations.
This term reflects the definition and description found in the Code of Federal Regulations (CFR). It is information under the executive branch that law, regulation, or government-wide policies require safeguarding.
As a defense contractor handling this information, you will find that your contract likely includes a DFARS 252.204-7012 clause. DFARS stands for the Defense Federal Acquisition Regulation Supplement. This clause specifically requires you to protect sensitive information. So who else holds the responsibility for protecting CUI? And how should one go about it? Let’s get into it!
CUI contains unclassified data that the United States government creates or possesses. CUI can also include data that organizations create or possess on behalf of the Federal government. If you want to know the specifics about the information types CUI covers, they are available at the CUI Registry of the National Archives.
Different policies oversee the controlling and handling of this unclassified information. They exclude information classified under Executive Order 13526 or any predecessor or successor order, as well as information under the Atomic Energy Act of 1954.
CUI may include research information or project information. This is often from an exploration team, which receives it through a federally funded contract.
So, with all of this being said, who really needs to abide by these rules and regulations? The answer is: anyone who works with or creates CUI is responsible for protecting it. By handling this sensitive information, you are automatically liable for any possible data leaks.
32 CFR Part 2002 formally names the National Archives and Records Administration (NARA) as this program’s Executive Agent (EA).
NARA houses information such as the Federal CUI Registry, which makes it the perfect point of contact for all CUI-related regulations and policies. However, when it comes to the Department of Defense (DoD), the Defense Counterintelligence and Security Agency (DCSA) handles its CUI Program Implementation.
Speaking of policies, there are four main ones that govern CUI. If you involve yourself in a contract with CUI requirements, be sure to familiarize yourself with the following:
* Executive Order 13556 “Controlled Unclassified Information”. This order establishes the program for handling unclassified information. It ensures a uniform and open program for information that requires safeguarding, and establishes procedures for it. These controls are pursuant to and consistent with:
  * Law.
  * Regulations.
  * Government-wide policies.
* 32 CFR Part 2002 “Controlled Unclassified Information”. Establishes the CUI program throughout the federal government and states the roles, responsibilities, and key elements of that program. It covers information the Government creates or possesses, or information that an entity creates on behalf of the Government.
* DoD Instruction (DoDI) 5200.48 “Controlled Unclassified Information”. Dated March 6th, 2020, this instruction establishes policy in pursuit of a uniform program for CUI throughout the DoD. It assigns responsibilities and prescribes procedures based on Executive Order 13556.
* NIST Special Publication 800-171 Rev. 2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”. Sets out the baseline CUI security requirements that apply when the information resides in nonfederal systems and organizations. This covers the entire industry, based on Part 2002 of Title 32, CFR.