ISOO issued CUI Notice 2020-01 to facilitate a coordinated transition to the CUI Program.
Implementation Deadlines
Awareness campaign – By June 30, 2020, agencies must initiate an awareness campaign that informs their entire workforce of the coming transition to the standards of the CUI Program.
Policy – By December 31, 2020, agencies must issue policies that implement the CUI Program. Agencies may implement the CUI Program through a single policy or through multiple policies that address specific elements of the CUI Program. If an agency has sub-agencies, all those subordinate components must develop and publish implementing policies and/or modify or rescind all affected policies by June 30, 2021.
Classification marking tools and commingling – By December 31, 2020, agencies that manage, own, or control Classification Marking Tools (CMT) used to mark Classified National Security Information must have initiated any modification of such CMTs as necessary to begin accounting for CUI markings described on the CUI Registry and the standards described in 32 CFR 2002.20(g).
Training – By December 31, 2021, agencies (including any sub-agencies or components) must deploy CUI training to all affected employees. Agencies may implement CUI training through a single module or through multiple modules. CUI training may be incorporated into existing agency training (such as privacy, information systems, or records management training).
Physical safeguarding – By December 31, 2021, agencies (including any sub-agencies or components) must implement or verify that all physical safeguarding requirements, as described in 32 CFR 2002 and in agency policies, are in place.
Information systems – By December 31, 2021, agencies (including any sub-agencies or components) must modify all Federal information systems to the standards identified in 32 CFR 2002. Federal and contractor information systems that are used to store, process, or transmit CUI must be configured at no less than the Moderate Confidentiality impact value (see 32 CFR 2002.14).
Reporting – CUI Senior Agency Officials must submit an annual report on the CUI Program to ISOO no later than November 1 each year, and report on implementation during the preceding fiscal year. Reports must cover all implementation and program activities from October 1 to September 30 of the preceding fiscal year. Only parent agencies are required to report directly to ISOO. Agency components, elements, sub-agencies, regional locations, divisions, and/or internal lines of business must report to their parent agency.
Agencies that anticipate delays in implementing any of the above deadlines must include a narrative in their annual report submission that describes the issue giving rise to the delay and projects when they expect to implement the delayed program element. They must also include a copy of their implementation plan or strategy. ISOO will evaluate and formally approve delays on a case-by-case basis and may report such delays to the President.
How does this timeline effect NIST SP 800-171 requirements?
It is unlikely to change most agency’s timelines for adopting/including the NIST SP 800-171 in contracts or agreements, as many agencies have indicated to our office that they plan to wait for the CUI FAR case to be published first. They are, of course, permitted to include the requirements before that FAR case and then to align with the FAR case once it is published.