Comment period extended for Draft NIST Special Publication 800-171A

The public comment period for Draft NIST Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information, has been extended to January 15, 2018.
Posted in Events & reviews

CUI Program update to stakeholders

The next scheduled webinar will be February 15, 2018 (1-3 EDT).  All subscribers to the CUI Blog will receive links and call-in information to access the webinar prior to the event.

Posted in Events & reviews, General updates

Agency review: Proposed category-subcategory list changes for easier use

In response to agency requests, we are proposing revisions to the CUI Registry’s list of categories and subcategories to make it easier to navigate and understand.  We’ve started with some small organizational changes that we hope will address confusion about the difference between categories and subcategories, clarify a few of the category names, and make it easier to find types of CUI on the Registry listing. These revisions are:

Posted in CUI Registry, Events & reviews

NIST issues update for NIST SP 800-171, Revision 1

NIST announces the release of an errata update for Special Publication 800-171, Revision 1, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The errata update includes minor changes to the publication that are either editorial or corrective in nature.

 


Posted in General updates

NIST Special Publication 800-171A open for review

Today, NIST announced the release of draft Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information. This publication is a companion tool for NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and is intended to help organizations develop assessment plans and conduct efficient, effective, and cost-

Posted in Events & reviews

Questions and answers: Marking

by Mark Riddle

Markings during phased implementation

  1. When can I start using the CUI markings and following the requirements of the CUI Program?


Posted in Marking & examples

CUI and re-marking legacy Information

Agencies can waive the requirement to re-mark legacy information with the new CUI markings while the CUI is in their control.  The CUI Program does not require the agencies to re-mark unless reusing and sharing the information with others outside of their agency.  In addition, because the CUI regulation also contains flexibility in handling such things as existing on-line databases with numerous PDF documents, a flash screen may suffice to alert users that a law, Federal regulation, or Government-wide policy requires safeguarding and dissemination controls.

Posted in Common questions, Marking & examples

The CUI Program and budget considerations

Under the FOUO (For Official Use Only) system (and multiple other protection schemes), agencies are already spending money on protecting the same (or even a greater) range of unclassified information as identified in the CUI Registry.  This includes marking, safeguarding measures, and training.  The CUI Program’s requirements were purposely based on the baseline for current protection measures.  In fact, Executive Order

Posted in Common questions

The CUI Registry and agency employees

Employees that handle CUI in the course of doing agency business are not expected to go directly to and interpret the laws, Federal regulations, and Government-wide policies to determine what unclassified information is controlled, nor will they be responsible for interpreting those authorities and assessing what requirements apply to a given document in their hands or on their systems.  They will be going to their agency information management policies, on which they are trained.  This is what takes place now and will continue in the future.  However, with the advent of the CUI Program and oversight functions, agency policies will be reviewed periodically to ensure they are in line with CUI Program requirements and underlying authorities, and to ensure they are providing sufficient information for employees to carry out both the required protections and permissible sharing.

Posted in Common questions, CUI Registry

The CUI Registry and reform

The CUI Registry is a listing of the categories/subcategories of CUI that are required (or permitted) to be protected by law, Federal regulation, and Government-wide policy.  While the Registry was compiled through agency submissions, the entirety of those submissions was vetted to ensure that the text in the law, Federal regulation, or Government-wide policy identified an information type and called for (or permitted) the protection of the information.  By bringing all these authorities together in one place for

Posted in CUI Registry