When working with CUI, you are required to establish a controlled environment that will safeguard it.
This means not just using information systems that have the necessary safeguards in place; it also means being aware of other potential risks to CUI, such as the presence of microphones and cameras in our homes. The microphones and cameras on our computers and mobile devices (phones and tablets) could place CUI at risk. If it is an electronic device, it can be hacked; if it connects to the internet, it can be hacked remotely. What level of safeguarding do you have on your devices with microphones and cameras?
Take a moment to think about how many internet connected microphones and cameras you have in your house.
Of course, we have our phones and computers, but what else is around?
Is the remote control to your TV voice controlled? What about your thermostat?
Do you have a voice activated personal assistant service?
How about devices other than your phone and computer that are voice activated and can stream music over WiFi?
Some people even have appliances that are voice activated and connected to home WiFi, like refrigerators.
There are often more of these in our homes these days than we might realize at first glance.
Cyber criminals and foreign intelligence services know that with everyone at home they have rich and often less secured targets.
And it isn’t just these threats. If you read many application user agreements, they allow the application to collect data from device cameras and microphones even when the application isn’t in use.
The data collected varies in how anonymized it is. Even if the user agreements say it is anonymized, there is a long history of business intelligence gathering to gain business advantage and of contracts that were violated to obtain advantage.
To achieve a controlled environment, it is important to be aware of your surroundings. If there are internet connected devices with microphones around you, take action to protect CUI. Keep conversations containing CUI to emails or other written communication on information systems that your agency approved to meet the requirements to handle CUI.
Though internet connected cameras are rare on anything other than phones, computers, baby monitors, and doorbells, if you have CUI on your computer screen or desk, make sure it isn’t visible to cameras on unsecured devices.
Some quick things you can do to make your home and devices more secure are:
- Make sure to change the default usernames and passwords for all internet connected devices.
- Make sure you update the firmware on your router, modem, and all connected devices regularly. Many of these updates are pushed out to address known security vulnerabilities. If you don’t know how, check the device website or call customer service.
- Turn off and unplug unused devices, and consider disabling or covering cameras when not in use.
- Keep any security software or firewalls updated to the latest version.
There is a lot more you can do, and the additional resources below offer some great information about how to do it:
- NSA’s Best Practices for Keeping Your Home Network Secure: including Safeguarding against Eavesdropping
- FTC’s Online Security website: including information on Mobile Apps (applications) and IP Cameras, such as the ones used in baby monitors, toys, and doorbells
- FTC’s Video and Media website: including videos and games to help educate your family about a wide variety of topics including cybersecurity
- GAO’s report on Information Security: including a look at mobile device security threats and vulnerabilities
- DHS’s Study on Mobile Device Security
- NIST’s SP 800-124: Guidelines for Managing the Security of Mobile Devices in the Enterprise
- DoD CIO’s Social Media Education and Training website
- CISA’s Trusted Internet Connections 3.0: Interim Telework Guidance
Consult with your agency or organization’s security office if you have specific questions or concerns.
Is there explicit guidance that prevents organizations from storing hard-copy CUI in employees’ homes if that organization identifies the risk, takes appropriate actions to minimize that risk, and minimizes the risk of access by unauthorized personnel? Everyone seems to be issuing a lot of guidance about telework, but no Agency has been clear on storage of hard-copy CUI yet.
Thank you. Andy
The CUI program does not prohibit organizations from allowing home storage of CUI. CUI may be stored in a telework location or home in accordance with agency policy that allows for the process and as long as the requirements for protecting the CUI in that environment are met. Most agencies have this as an additional step of their telework process for specific positions that have a specific need to work with hard copy CUI while teleworking.