The CUI program has a lot of flexibility built in to allow agencies to accomplish their mission, including while employees are teleworking.
Agencies must ensure CUI is safeguarded in accordance with 32 CFR 2002 (the CUI Program’s implementing directive) and the applicable laws, regulations, and government-wide policies. In doing so agencies must establish controlled environments where CUI can be effectively safeguarded.
Telework agreements can be used to spell out whether or not CUI is permitted, as well as, which categories of CUI employees can use while teleworking. The agreement should also outline what controls (physical or electronic) need to be in place to ensure adequate protection.
Here are some common issues agencies may encounter as they allow employees to telework with CUI:
1. Increased potential for CUI to be overheard or observed with more people likely to be in the home
2. Difficulty securing devices used for telework (computers, cell phones, tablets, routers, modems)
3. Ensuring compliance with current policies and limiting use of unauthorized equipment and media
4. Enabling employees to accomplish their tasks and adjusting expectations limit use of unauthorized workarounds
Agencies, in consultation with CUI Program Officials, should develop additional guidance that addresses each of the issues described above. Front-line supervisors should initiate discussions with their employees to assist and determine the best ways to ensure the protection of CUI while teleworking.