A recently published article at the National Security Agency (NSA) Central Security Service (CSS) promotes newly issued guidance entitled Selecting and Safely Using Collaboration Services for Telework. This guidance provides simple, actionable, considerations for individual government users and can be found here: Working from Home? Select and Use Collaboration Services More Securely.
The conference begins at 11:00 AM Eastern Time on April 23, 2020; you may join the conference 10 minutes prior.
When you access the entry link above, you will be provided a choice – to install the WebEx plug-in for your preferred browser or to join the web conference using a temporary path. Either option is acceptable.
Need assistance with your audio? Please dial 888-796-6118. Need assistance with your Webex? Please dial 888-793-6118.
Marking class presentation April
****NOTE: When logging in to participate in the webex, log in with your full name and email address. Your completion certificate will be filled out and emailed to you from this information. *****
Background:
Prior to the CUI Program, the term “unclassified” was used to describe information that did not meet the standards to be classified under Executive Order 13526. In classified environments, the banner marking of “UNCLASSIFIED” was placed at the top and bottom of pages to indicate the absence of classified information in documents. In portions of documents, a “(U)” indicated that a portion did not contain classified information.
In the absence of Government-wide guidance regarding the handling and marking of sensitive but unclassified information, Executive branch departments and agencies started applying additional indicators to convey the status of sensitive but unclassified information in classified documents. Markings such as “U//FOUO” and “U//LES” became commonly used in commingled documents (documents that contain both sensitive but unclassified, as well as classified information).
As agencies implement the CUI Program and modify marking standards to comply with those in 32 CFR Part 2002, the use of legacy markings, such as FOUO and LES, to describe sensitive but unclassified information will be phased out.
As part of this transition to the CUI Program, agencies should convey – through policy and training – that the term Unclassified (or Uncontrolled Unclassified Information, as described in 32 CFR Part 2002) refers to information that: is neither CUI nor classified, but is still subject to agency public release policies.
Reference: CUI Marking Handbook
The CUI program has a lot of flexibility built in to allow agencies to accomplish their mission, including while employees are teleworking.
Agencies must ensure CUI is safeguarded in accordance with 32 CFR 2002 (the CUI Program’s implementing directive) and the applicable laws, regulations, and government-wide policies. In doing so agencies must establish controlled environments where CUI can be effectively safeguarded.
Telework agreements can be used to spell out whether or not CUI is permitted, as well as, which categories of CUI employees can use while teleworking. The agreement should also outline what controls (physical or electronic) need to be in place to ensure adequate protection.
Here are some common issues agencies may encounter as they allow employees to telework with CUI:
1. Increased potential for CUI to be overheard or observed with more people likely to be in the home
2. Difficulty securing devices used for telework (computers, cell phones, tablets, routers, modems)
3. Ensuring compliance with current policies and limiting use of unauthorized equipment and media
4. Enabling employees to accomplish their tasks and adjusting expectations limit use of unauthorized workarounds
Agencies, in consultation with CUI Program Officials, should develop additional guidance that addresses each of the issues described above. Front-line supervisors should initiate discussions with their employees to assist and determine the best ways to ensure the protection of CUI while teleworking.
As we all work to do our jobs in the changing work environment during the COVID-19 crisis, those who work with CUI should continue to make sure they safeguard CUI.
In many cases, CUI can be worked on, in a telework environment, as long as the proper controls are in place to achieve a controlled environment (physical and electronic) and agency policies allow it.
Make sure to follow any agency policy or guidance, especially interim guidance issued in response to COVID-19 as standard practices may have been changed to allow for greater telework participation. If needed, employees should consult their supervisor if they have any questions regarding the proper handling of sensitive information.
Here are some general guidelines to consider as you telework with CUI:
