June 2020 – CUI Program Blog

FCI and CUI, what is the difference?

June 19, 2020June 19, 2020 by devincaseycui, posted in Common questions, General updates

Buckle up, this is a long one…

First, a disclaimer:

This blog post does not constitute CUI guidance. This post is solely an effort to provide helpful information and context.

Then on to some definitions!

Federal contract information (from 48 CFR 52.204-21) means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

Controlled Unclassified Information (from 32 CFR 2002.4) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify. [emphasis added]

When we look at both of these definitions, we find some similarities as well as a very important distinction. Both CUI and FCI include information created or collected by or for the Government, as well as information received from the Government. But, while FCI is any information that is “not intended for public release,” CUI is information that requires safeguarding.

In short: All CUI in possession of a Government contractor is FCI, but not all FCI is CUI.

So, what does this mean for safeguarding in a non-federal system?

Non-federal systems that store, process, or transmit FCI that does not also qualify as CUI must follow, at a minimum, the basic safeguarding requirements outlined in FAR clause 52.204-21.

Non-federal systems that store, process, or transmit CUI are required to meet any additional safeguarding requirements identified in the contract. As agencies implement the CUI program and incorporate the standards of this program into their contracts and agreements, the NIST SP 800-171 will be the minimum standard for protecting CUI in non-federal information systems and organizations (per 32 CFR 2002.14 and 2002.16).

Reminder: CUI Marking Webex (Tomorrow)

June 17, 2020June 17, 2020 by cwallace, posted in Events & reviews, Marking & examples

We will be offering a CUI Marking fundamentals webex on

June 18, 2020 from 11 am – 1 pm (EDT).

Participants will receive a completion certificate for attending the webex.

In addition to providing an overview of the principles of marking in the unclassified environment, this class will provide an update on the CUI Program and its implementation among Executive Branch agencies.

During this class we will discuss the new CUI Notices 2020-01 (CUI Program Implementation Deadlines) and CUI Notice 2020-02 (Alternative Marking Methods)

The conference begins at 11:00 AM Eastern Time on June 18, 2020; you may join the conference 10 minutes prior.

Step 1: Dial into the conference.: Dial-in: 1-877-369-5243 or 1-617-668-3633; Access Code: 0449805##; Need an international dial-in number?

Step 2: Join the conference on your computer.: Entry Link: https://ems8.intellor.com/login/827980

When you access the entry link above, you will be provided a choice – to install the WebEx plug-in for your preferred browser or to join the web conference using a temporary path. Either option is acceptable.

Need assistance with your audio? Please dial 888-796-6118. Need assistance with your Webex? Please dial 888-793-6118.

June Marking class presentation

Optional Non-Disclosure Agreement Template issued

June 11, 2020June 11, 2020 by ecoren, posted in Uncategorized

On June 3, 2020, ISOO issued CUI Notice 2020-03. This notice provides an optional Controlled Unclassified Information (CUI) non-disclosure agreement (NDA) template for executive branch agency use. Executive branch agencies may use the template when they determine that a CUI NDA is appropriate. The template is optional, and agencies can modify it if needed. A list of all CUI Notices can be found here

Alternative Marking Methods

June 10, 2020 by cwallace, posted in General updates, Marking & examples

On June 3, 2020, ISOO issued CUI Notice 2020-02, Alternative Marking Methods. This notice provides agencies with additional marking guidance for when it is impractical to individually mark CUI due to its quantity, the nature of the information, or when the agency has issued a limited CUI marking waiver.

You can find all the CUI Notices here.

Using CUI while teleworking : Microphones and Cameras in Our Homes

June 9, 2020 by ecoren, posted in Uncategorized

When working with CUI, it is required you establish a controlled environment that will safeguard CUI.

This means not just using information systems that have the necessary safeguards in place, it also means being aware of the other potential risks to CUI such as the presence of microphones and cameras in our homes. The microphones and cameras on our computers and mobile devices (phones and tablets) could place CUI at risk. If it is an electronic device it can be hacked, if it connects to the internet it can be hacked remotely. What level of safeguarding do you have on your devices with microphones and cameras?

Take a moment to think about how many internet connected microphones and cameras you have in your house.

Of course, we have our phones and computers, but what else are around?

Is the remote control to your TV voice controlled? What about your thermostat?

Do you have a voice activated personal assistant service?

How about devices other than your phone and computer that are voice activated and you can use WiFi to stream music on?

Some people even have appliances that are voice activated and connected to home WiFi, like refrigerators.

There are often more of these in our homes these days than we might realize at first glance.

Cyber criminals and foreign intelligence services know that with everyone at home they have rich and often less secured targets.

And it isn’t just these threats. If you read many application user agreements, they allow the application to collect data from device cameras and microphones even when the application isn’t in use.

These vary in how anonymized they are. Even if the user agreements say they are anonymized, there is a long history of business intelligence gathering to gain business advantage and contracts that were violated to obtain advantage.

To achieve a controlled environment it is important to be aware of your surroundings. If you have microphones in internet connected devices around, then take action to protect CUI. Keep conversations containing CUI to emails or other written communication on information systems that your agency approved to meet the requirements to handle CUI.

Though internet connected cameras are rare on anything other than phones, computers, baby monitors, and doorbells, if you have CUI on your computer screen or desk then make sure it isn’t visible to cameras on unsecured devices.

Some quick things you can do to make your home and devices more secure are:

Make sure to change the default username and passwords for all internet connected devices .
Make sure you update the firmware on your router, modem, and all connected devices regularly. Many of these updates are pushed out to address known security vulnerabilities. If you don’t know how, check the device website or call customer service.
Turn off and unplug unused devices, consider disabling or covering cameras when not in use.
Keep any security software or firewalls updated to the latest version.

There is a lot more you can do and some great information about how to do it found in the additional resources below:

NSA’s Best Practices for Keeping Your Home Network Secure: including Safeguarding against Eavesdropping
FTC’s Online Security website: including information on Mobile Apps (applications) and IP Cameras, such as the ones used in baby monitors, toys, and door bells
FTC’s Video and Media website: including videos and games to help educate your family about a wide variety of topics including cybersecurity
GAO’s report in Information Security: including a look at mobile device security threats and vulnerabilities
DHS’s Study on Mobile Device Security
NIST’s NIST SP 800-124: Guidelines for Managing the Security of Mobile Devices in the Enterprise
DoD CIO’s Social Media Education and Training website
CISA’s Trusted Internet Connections 3.0: Interim Telework Guidance

Consult with your agency or organization’s security office if you have specific questions or concerns.

CUI Marking Class (Webex)

June 5, 2020June 5, 2020 by cwallace, posted in Events & reviews, Marking & examples