CUI Marking class


We will be offering a CUI Marking fundamentals webex on October 22, 2020 from 11 am – 1 pm (EDT).

Participants will receive a completion certificate for attending the webex. In addition to providing an overview of the principles of marking in the unclassified environment, this class will provide an update on the CUI Program and its implementation among Executive Branch agencies.  

During this class we will discuss the new CUI Notices 2020-01 (CUI Program Implementation Deadlines) and CUI Notice 2020-02 (Alternative Marking Methods)

The conference begins at 11:00 AM Eastern Time on October 22, 2020; you may join the conference 10 minutes prior.


Step 1: Dial into the conference.

Dial-in: 888-251-2949 or 215-861-0694

Access Code: 7280179#

Step 2: Join the conference on your computer.

Entry Link: https://ems8.intellor.com/login/834138

When you access the entry link above, you will be provided a choice – to install the WebEx plug-in for your preferred browser or to join the web conference using a temporary path. Either option is acceptable.

Need technical assistance?
Audio Connection: 1-888-796-6118 or 1-847-562-7015
Web Connection: 1-888-793-6118

https://isoo.blogs.archives.gov/wp-content/uploads/2020/08/Marking-class-presentation-USE-ONLY-.pdf

CUI Marking class (Webex)


We will be offering a CUI Marking fundamentals webex on
August 28, 2020 from 11 am – 1 pm (EDT).
Participants will receive a completion certificate for attending the webex.
In addition to providing an overview of the principles of marking in the unclassified environment, this class will provide an update on the CUI Program and its implementation among Executive Branch agencies.
During this class we will discuss the new CUI Notices 2020-01 (CUI Program Implementation Deadlines) and CUI Notice 2020-02 (Alternative Marking Methods)

The conference begins at 11:00 AM Eastern Time on August 28, 2020; you may join the conference 10 minutes prior.

 


Step 1: Dial into the conference.
Dial-in: 888-251-2949 or 215-861-0694
Access Code: 9214891#
Need an international dial-in number?

Step 2: Join the conference on your computer.
Entry Link: https://ems8.intellor.com/login/831806

When you access the entry link above, you will be provided a choice – to install the WebEx plug-in for your preferred browser or to join the web conference using a temporary path. Either option is acceptable.

Need technical assistance?
Audio Connection: 1-888-796-6118 or 1-847-562-7015
Web Connection: 1-888-793-6118

 

June Marking class presentation

Marking class presentation (USE ONLY)

CUI Marking Class Q&A (From May 19)

Q&A from May 19 class

Question: Will unclassified contracts have DD 254s issued to provide CUI Guidance or will unclassified contracts have simple attachments similar to the current FOUO for guidance?

Answer: DD 254s are only to be used with contracts that include CNSI requirements. The CUI EA has been working to develop a FAR case (with GSA, DoD, NASA, DHS) that will be used to standardize the way Executive branch agencies convey safeguarding guidance for CUI. This FAR case includes a draft standard form, similar to the DD 254, that is intended to consolidate where contract related CUI requirements are conveyed.

Question: Will CUI Training be available through CDSE?

Answer: Likely. It is our understanding that DoD is working to develop CUI Training and that some CUI Training may be included on CDSE; who will be required to take the training and what training requirements it will meet are still to be decided by DoD. Specific questions regarding DoD’s implementation can be directed to: osd.pentagon.ousd-intel-sec.mbx.dod-cui@mail.mil. Current information about CUI on the CDSE platform can be found at https://www.cdse.edu/toolkits/cui/index.php

Question: Who is the responsible party for issuing Legacy CUI marking waivers?

Answer: Per 32 CFR 2002.38, agency Senior Agency Officials (SAO) may issue marking waivers for CUI while it remains under agency control.

Question:  Can you point out the agency CUI POC list?

Answer: https://www.archives.gov/cui/about/contact.html#contact-an-agency

Question: Who is responsible for marking CUI? We have run into agencies failing to do so. If we don’t generate the material, what is contractor responsibility?

Answer: Upon implementation, agencies are responsible for marking or identifying any CUI shared with non-federal entities. Questions regarding the status of information (marked or unmarked) should be directed back to the contracting activity. Keep in mind, many agencies are not yet marking CUI and are still implementing the elements of the CUI program. Contractors should not follow CUI program requirements or markings until directed to do so in a contract or agreement.

Question: Define AGENCY when discussing Legacy Information

Answer: Agency (also Federal agency, executive agency, executive branch agency) is any “executive agency,” as defined in 5 U.S.C. 105; the United States Postal Service; and any other independent entity within the executive branch that designates or handles CUI.

Question: What do you consider reuse of CUI?

Answer: Re-use means incorporating, restating, or paraphrasing information from its originally designated form into a newly created document.

Question: What’s the difference between CUI and Controlled?

Answer: There is no difference; both are authorized CUI Control Markings and can be used interchangeably unless limited by agency policy.

Question: You authorize “NOFORN” and “REL TO” as dissemination control markings. Why don’t we have a marking equivalent to “RELIDO” (which is an intelligence marking that allows authorized people downstream to further disseminate as needed without going back to the originator)?

Answer: The only authorized Limited Dissemination Control (LDC) markings that can be used with CUI are those found on the CUI Registry. CUI Notice 2018-07 (https://www.archives.gov/files/cui/documents/20181116-cui-notice-2018-07-limited-dissemination-controls.pdf) describes the proper use of LDC and also the process for submitting new/additional LDCs for use with CUI. The dissemination of all CUI is governed by the principle of “Lawful Government Purpose”; this means that any recipient of CUI must be deemed to have a mission related purpose to receive the information and that there must be no prohibition to that dissemination in law, regulation, or governmentwide policy. If an agency wishes to communicate a restriction beyond this, any of the above mentioned dissemination controls can be applied as appropriate.

Question: Can you give a few examples of CUI Basic?

Answer: The CUI Registry lists all authorized CUI Categories (basic and specified).  https://www.archives.gov/cui/registry/category-marking-list The categories on this page that do not have a marking with “SP-” are CUI basic categories, like the Agriculture category and the Asylee category.

Question: For Industry Contractors, do we ever mark CUI?

Answer: Yes, but only when instructed to do so in the contract or supporting documentation.

Question: Are we basically only concerned with protecting CUI that we actually receive from our government customer?

Answer: CUI must be safeguarded in accordance with the contract, whether it is created or collected for the government or shared from the government to the contractor.

Question: Especially when talking about Legacy information, do we just wait until the government agency sends us new documents that are marked CUI?

Answer: Any information received or created as part of a current or previous contract should be protected in accordance with the terms of the contract under which it was received or created. As agencies implement, CUI requirements will be added to existing and new contracts.

Question: What do you do if you have your customer marking every document as CONTROLLED with no true banner marking? Is that considered Basic? The word Controlled is an authorized banner marking for Basic CUI.

Answer: Under the CUI program, information marked “CONTROLLED” without additional markings would be CUI basic. Confirm with your customer and your contract that they are using CUI markings and ensure you follow any and all requirements in your contract or agreement.

Question: How do you navigate a situation where you feel you have CUI but it hasn’t been marked appropriately?

Answer: Questions regarding the status of CUI should be directed to the originator of the information or the contracting activity.

Question: What is the difference between U//FOUO and CUI?

Answer: U//FOUO is a legacy marking used to indicate sensitivity based on agency policy or practice. CUI is a marking that is used to indicate the presence of CUI basic information.  CUI Markings are applied only to those information types (categories) found on the CUI Registry and can be linked to laws, regulations, or Government wide policies calling for protection or control of the information. As the CUI Program is implemented U//FOUO will cease to be an authorized marking, but you may still see it on legacy documents as we transition to CUI.

Question: Banner Marking and document marking works for unstructured data? What about marking structured data such as databases?

Answer: For databases or applications, splash screens or banner marking can be used to satisfy the marking and identification requirements of the CUI Program. System outputs can also be modified to apply markings upon printing or downloading from the application. The CUI office is working with NIEM to create a CUI Metadata standard that can be used to indicate CUI markings. Check the CUI blog for updates on this project.

Question: Do you mark/tag fields in the Database or categorize the system itself?

Answer: Individual fields can be marked or a general alert can be placed on entry into the database/system.  System outputs should be modified to include applicable CUI markings as needed.

Question: How would I mark/tag a system?

Answer: See the CUI Marking handbook, page 27

Question: What you’re saying is purple is recommended, but not required?

Answer:  The SF 901 is Purple.  If color printing is not available, the form can be printed using a black and white printer.

Question: To clarify Contractors only have to mark CUI if their contract requires it?

Answer: Yes. Contractors need to follow whatever guidelines are in their contract. As the CUI program is an executive branch program, CUI requirements do not bind the public, except as authorized by law or regulation or as incorporated into a contract or agreement.

Question: Are there reporting requirements and corrective actions for CUI spillage, similar to those present for Classified information?

Answer:  Agencies/organizations should develop reporting requirements/mechanisms for CUI incidents.  Certain categories of CUI (like Privacy) have special reporting requirements for loss or incidents.

Question: So CUI designation is replacing anything that we would have labeled FOUO//?

Answer:  Once agencies implement the CUI Program, legacy markings such as FOUO or SBU will no longer be used.  In many cases what was previously marked as FOUO would align and be able to be marked as CUI.  There are some information types currently marked as FOUO that may not qualify as CUI.

Question: How should industry label their computers or USB containing CUI? What should the label contain?

Answer:  SF 902 and 903 can be used by industry to label hard drives or USBs (media) that contain CUI. They can be ordered from GSA here https://www.gsaadvantage.gov/advantage/ws/search/advantage_search?q=0:27540-01-679-3318&db=0&searchType=0

Question: What about ITAR controls?

Answer:  Please see the Export Control Category of CUI. https://www.archives.gov/cui/registry/category-detail/export-control.html

Question: Do Industry personnel (FSO, etc) have authority to generate original CUI?

Answer:  Maybe. Depending on the terms of the contract, industry may have the authority to generate CUI on behalf of the USG.

Question: What’s the difference between CUI, FOUO, and the Privacy Act Coversheets and markings?

Answer:  The CUI Coversheet (SF 901) is authorized for use with CUI.  Upon the implementation of the CUI Program, coversheets (and markings) that are not required per underlying authorities, such as FOUO and Privacy Act, may no longer be used.

Question: As a subcontractor, doesn’t our customer have to flow down what is CUI?

Answer: The Draft CUI FAR case will have strict flowdown requirements much like the DFARS 252.204-7012. Flowdown requirements should be reflected in the primary contract.

Question: Are you familiar with any solutions that can automate the process of email marking?

Answer:  We are aware of a number of efforts within industry and within agencies to develop automated/assisted marking solutions for CUI. There are no plans, by the CUI Executive Agent/ISOO, to publish an evaluated or approved list of vendors who have developed automated/assisted marking tools for CUI.

Question: Our activity uses the NOFORN marking for Naval Nuclear Propulsion Information category CUI, but we do not use the CUI//SP-NNPI for the marking, we use NOFORN.  Should we switch over to using SP-NNPI?

We also use a GREEN NOFORN Cover Sheet instead of the purple CUI one.

Answer: Industry should continue to follow the terms of existing contracts. As agencies implement the CUI Program, contracts will be modified to reflect CUI requirements.

Question: Can we use the coversheet instead of marking each page of the document or do we need to use both the cover sheet and also mark each page?

Answer:  A coversheet (SF 901) may be used in lieu of marking every page of a document. Be sure to list (on the SF 901) any Specified categories, limited dissemination controls, or requirements called for by underlying, related laws, regulations, or government wide policies.

Question: Is it required that CUI be stored in a GSA approved safe?

Answer: No. CUI must be stored behind a locking barrier inside of a controlled environment that prevents unauthorized access. Organizations have some flexibility in determining what qualifies as a controlled environment. CUI specified categories may have additional physical security requirements.

Question: Where can we access the CUI Marking Handbook?

Answer:  https://www.archives.gov/files/cui/documents/20161206-cui-marking-handbook-v1-1-20190524.pdf

Question: What is the mechanism for removing markings or lifting restrictions on documents if/when the restriction has expired or no longer applies?

Answer: CUI Markings can be removed (or struck through) when the information has been decontrolled. Decontrolling occurs when an authorized holder, consistent with 32 CFR 2002 and the CUI Registry, removes safeguarding or dissemination controls from CUI that no longer require such controls. Decontrol may occur automatically or through agency action. See § 2002.18.

Question: If you use a Coversheet for a multipage document, do you still need to mark every page?

Answer:  No, if you use a CUI coversheet (SF 901) marking every page is not required.

Question: Are there specific/special Record Retention issues/timeframes specific to CUI?

Answer: No. Records retention issues/timeframes are not impacted by a record’s status as CUI.

Question: (If you asked a DoD specific question, your answer is here.) What about DoD?

Answer: For answers about compliance with your DoD contracts, the first place to check is the contract itself or the POC for the contract.

For questions about compliance with DFARS 7012 check out the DoD Procurement Toolbox at: https://dodprocurementtoolbox.com/faqs/cybersecurity/cybersecurity-faqs.

“osd.dibcsia@mail.mil” can be contacted for clarification on DFARS 252.204-7012 or NIST SP 800-171 in support of DFARS 252.204-7012. Emails sent to that address are reviewed frequently and distributed as appropriate to a cross-functional team of subject matter experts for action.

For questions about the planned CMMC program please see the CMMC website at: https://www.acq.osd.mil/cmmc/

Training specific information will likely be included on the CDSE CUI page at: https://www.cdse.edu/toolkits/cui/index.php

 

 

CUI Marking Class (Webex)


We will be offering a CUI Marking fundamentals webex on
July 23, 2020 from 11 am – 1 pm (EDT).
Participants will receive a completion certificate for attending the webex.
In addition to providing an overview of the principles of marking in the unclassified environment, this class will provide an update on the CUI Program and its implementation among Executive Branch agencies.
During this class we will discuss the new CUI Notices 2020-01 (CUI Program Implementation Deadlines) and CUI Notice 2020-02 (Alternative Marking Methods)

The conference begins at 11:00 AM Eastern Time on July 23, 2020; you may join the conference 10 minutes prior.

Step 1: Dial into the conference.
Dial-in: 888-251-2949 or 215-861-0694
Access Code: 1399154#
Need an international dial-in number?

Step 2: Join the conference on your computer.
Entry Link: https://ems8.intellor.com/login/829785

When you access the entry link above, you will be provided a choice – to install the WebEx plug-in for your preferred browser or to join the web conference using a temporary path. Either option is acceptable.

Need technical assistance?
Audio Connection: 1-888-796-6118 or 1-847-562-7015
Web Connection: 1-888-793-6118

 

***NOTE: You do NOT have to RSVP for this class, you may just dial in, and the slides will be posted prior to the Webex***

 

 

 

Reminder: CUI Marking Webex (Tomorrow)


We will be offering a CUI Marking fundamentals webex on
June 18, 2020 from 11 am – 1 pm (EDT).
Participants will receive a completion certificate for attending the webex.
In addition to providing an overview of the principles of marking in the unclassified environment, this class will provide an update on the CUI Program and its implementation among Executive Branch agencies.
During this class we will discuss the new CUI Notices 2020-01 (CUI Program Implementation Deadlines) and CUI Notice 2020-02 (Alternative Marking Methods)

The conference begins at 11:00 AM Eastern Time on June 18, 2020; you may join the conference 10 minutes prior.

Step 1: Dial into the conference.
Dial-in: 1-877-369-5243 or 1-617-668-3633
Access Code: 0449805##
Need an international dial-in number?
Step 2: Join the conference on your computer.
Entry Link: https://ems8.intellor.com/login/827980

When you access the entry link above, you will be provided a choice – to install the WebEx plug-in for your preferred browser or to join the web conference using a temporary path. Either option is acceptable.

Need assistance with your audio? Please dial 888-796-6118. Need assistance with your Webex? Please dial 888-793-6118.

 

June Marking class presentation

 

 

 

CUI Marking Class (Webex)

 


We will be offering a CUI Marking fundamentals webex on
June 18, 2020 from 11 am – 1 pm (EDT).
Participants will receive a completion certificate for attending the webex.
In addition to providing an overview of the principles of marking in the unclassified environment, this class will provide an update on the CUI Program and its implementation among Executive Branch agencies.
During this class we will discuss the new CUI Notices 2020-01 (CUI Program Implementation Deadlines) and CUI Notice 2020-02 (Alternative Marking Methods)

The conference begins at 11:00 AM Eastern Time on June 18, 2020; you may join the conference 10 minutes prior.

Step 1: Dial into the conference.
Dial-in: 1-877-369-5243 or 1-617-668-3633
Access Code: 0449805##
Need an international dial-in number?
Step 2: Join the conference on your computer.
Entry Link: https://ems8.intellor.com/login/827980

When you access the entry link above, you will be provided a choice – to install the WebEx plug-in for your preferred browser or to join the web conference using a temporary path. Either option is acceptable.

Need assistance with your audio? Please dial 888-796-6118. Need assistance with your Webex? Please dial 888-793-6118.

 

REMINDER: You do NOT have to RSVP for this webex. 

 

 

CUI Marking class Q&A (From April 23)

Below are answers to the questions that were asked during April 23rd CUI marking class (Webex).

Click here for a link to the slides.

Question: What do you mean “when it CUI leaves the agency”? Does this mean as an example when it CUI leaves “DoD”?

Answer:  Generally, when an agency issues a limited waiver for marking CUI that remains under their control, CUI does not need to be marked.  When the information is shared with outside entities (outside the agency, or an internal component of the agency) the CUI must be marked or identified in accordance with the CUI Program.  Agencies can establish limited waivers for their entire agency or to select components within their agency.  If an agency elects to issue such waivers, it must still take reasonable steps to inform the users of the existence of CUI upon transmission to external entities. 

Question: Can CUI be stored on a shared network by industry contractors if strong protections are applied, or should it be kept on a separate secured system or network?

Answer: CUI can be stored on industry systems provided it is permitted by the contract or agreement and that the systems align to the minimum requirements, as described in the contract or agreement. The NIST SP 800-171 is the minimum standard for protecting CUI on non-federal systems. There is no prohibition on sharing or providing access to industry contractors, as long as all of the cyber security requirements are met and the information is shared in accordance with any limited dissemination control markings, contract stipulations, and a lawful government purpose determination. All of this must be accomplished in accordance with agency policy and the content of the contract or agreement.

Question: If CUI basic must be marked “CUI” or “Controlled”, when will all CFRs (online and hardcopy) be appropriately marked? Note: Marking Basic in this way creates issues for DLP systems as Basic does not require additional protections.

Answer: CFRs (Code of Federal Regulations) are not Controlled Unclassified Information. Current CFRs can be found on publicly available websites [https://gov.ecfr.io/cgi-bin/ECFR?page=browse].

Question: Can CUI information be shared on WebEx?

Answer: Maybe. Employees should verify that the webex technology aligns to the safeguards prescribed by the agency and by those described by 32 CFR 2002 (i.e. the moderate confidentiality baseline). Please refer to the CUI blog post on NSA Article: “Working from Home? Select and Use Collaboration Services More Securely”. Employees should consult with their designated program office prior to sharing CUI via webex. Generally, the sharing of CUI should be limited to only the degree necessary to support current operations. As always, contractors must follow all of the requirements in their contracts or agreements which may provide more detailed guidance.

Question: Do we have a list of items that fall under CUI?

Answer: The CUI Registry lists all approved categories of CUI. 

Question: Our company uses WebEx so it is approved on our systems. The question my leader asked today was if CUI can be shared on WebEx, so it looks like as long as the markings are on presentations?

Answer: CUI Markings are not sufficient to ensure the protection of the information. Markings do serve as an alert to users of what is being shared. Prior to using any Webex technology to share CUI, we advise verifying with organization/agency officials to ensure that proper safeguards are in place on the system and that the technology has been cleared/authorized for use with CUI.  Please also see CUI blog post titled: NSA Article: “Working from Home? Select and Use Collaboration Services More Securely”

Question: How does CUI marking enable compliance with 5 U.S.C. 552, Freedom of Information Act?

Answer: CUI markings do not speak directly to FOIA exemptions. While many CUI Categories would align to exemptions under FOIA, there is not a direct relationship between CUI categories and FOIA exemptions. Agency personnel should follow their agency release procedures. Our office has developed a number of resources that can assist users in understanding the relationship between FOIA and CUI. See: https://www.archives.gov/cui/training.html

Question: CUI can be shared in collaborative environments and forums that meet the required cyber-security requirements. (NIST SP 800-53 moderate confidentiality, NIST 800-171, or fedramp moderate depending on what the system is and who owns it).

Answer: CUI should not be shared on a webex that is accessible to the public or that does not meet the above requirements.

Question: Can you advise whether today’s scope is only CUI / DFARS (NIST 800-171) or covering some of the overlapping domains with CMMC L3 too, as the latter became mandatory for DoD Government contracts from 07/2020?

Answer: The scope of the session was on the markings of the CUI Program, as described in 32 CFR 2002 and the guidance published on the CUI Registry. These markings are not yet in use at all agencies, as such all employees should continue to follow existing agency policy until directed to use the new markings. Non-federal entities (including contractors) should continue to follow the requirements as outlined in their contracts or agreements and not use these markings unless directed to do so.

Question: Does that include within components of an agency as well?

Answer: This question likely relates to limited waivers issued within the agency. Parent agencies can authorize component elements to waive markings while it remains within their control. Upon transmission outside of the component element, the CUI must be marked or identified in accordance with the standards of the CUI Program. 

Question: When contractors generate and mark CUI, what designator should be used?

Answer: The designation indicator can be the company name and also the agency associated with the contract. If possible, specific contact information should be included (name, phone number, email address, etc). Agency policies, contracts, or agreements may contain more specific guidance as to how this element should be filled out. 

Question: Would the designation indicator be used with CUI Basic or only CUI Specified controls?

Answer: The designation indicator requirements for CUI basic and specified are identical and must be included for both.

Question: So would the CMMC certification level requirements be reflected in the “Limited Distribution” section?

Answer: No. CMMC certification levels are not dissemination controls. The only limited dissemination controls authorized for use with CUI are those found on the CUI Registry.

Question: It has been difficult to determine basic or specified; for example, it seems some ITAR information is basic, other is specified, but it’s not very clear to determine.

Answer: The CUI Registry provides information on whether a category is basic or specified. What determines whether a category is basic or specified is the underlying authority. The CUI Registry contains information on what the banner markings should be based on the authorities. For Export Control information, see: https://www.archives.gov/cui/registry/category-detail/export-control.html

Question: Is CDI (what we use ) the same as CUI?

Answer: CDI (covered defense information) is not a category of CUI but rather an overarching term that could include CUI. CDI or FOUO as terms will eventually be phased out and replaced with CUI terminology and category designations. 

Question: When does the CUI Program go into effect?

Answer: For agencies, the CUI Program will go into effect when the agency issues a policy that reflects the standards of the program. Most agencies have already issued policies and most are projected to have policies issued by December of 2020. For industry, the program goes into effect when referenced in contracts and agreements. 

Question: The legacy waiver is sought by the agency, right? Not the contractor/licensee?

Answer: Yes. Legacy waivers are issued by agencies. Contractors do not have to remark sensitive information shared or produced by them in association with existing or prior contracts. The terms of those contracts remain in effect until modified by the USG. 

Question: For contracts with DoD agencies, should the contracting officer tell the contractor what is CUI and how it should be marked?

Answer: Yes, that is the goal. However, as agencies are still in the process of implementing the CUI program, be sure to follow any existing requirements directing the marking or protection of unclassified information. Under the new Federal Acquisition Regulation (FAR), a standard form is being contemplated that will require this level of granularity in all contracts where CUI is involved. The FAR is expected to be released for public comment in the summer of 2020. 

Question: My company interacts with the NRC. Who is responsible for marking documents as CUI? Our company, or the NRC, or both of us?

Answer: It depends on the terms of the contract. Some contracts may require industry to generate CUI, if so, they would be responsible to apply markings. Any CUI shared with industry should be marked accordingly. Any and all USG markings should only be applied in accordance with the contract or agreement.

Question: On DoD contracts, we’ve seen CUI checked in the DD254 for over a year now but DoD hasn’t adopted this. It’s very confusing as to when we are supposed to start seeing/marking CUI on these contracts.

Answer: Questions regarding the pace and plans to implement the CUI Program within the DOD can be directed to: osd.pentagon.ousd-intel-sec.mbx.dod-cui@mail.mil

Question: Is there a list of agencies that have adopted CUI?

Answer: Currently, there is not a list of agencies that have adopted the CUI Program. Every agency of the executive branch is required to implement the CUI Program (https://www.usa.gov/branches-of-government). ISOO monitors implementation actions by parent agencies. The CUI Registry maintains a list of all registered program officials or contact information. https://www.archives.gov/cui/about/contact.html#contact-an-agency 

Question: These are fairly significant changes to the marking system. What, if anything, precipitated them?

Answer: Executive Order 13556, Purpose, section 1: “At present, executive departments and agencies (agencies) employ ad hoc, agency-specific policies, procedures, and markings to safeguard and control this information, such as information that involves privacy, security, proprietary business interests, and law enforcement investigations. This inefficient, confusing patchwork has resulted in inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing. The fact that these agency specific policies are often hidden from public view has only aggravated these issues. To address these problems, this order establishes a program for managing this information, hereinafter described as Controlled Unclassified Information, that emphasizes the openness and uniformity of Government-wide practice.”

Question: Does CUI have the same “Need-to-Know” requirements as FOUO?

Answer: The CUI policy does not mention “Need-to-Know”, but it does have a very similar concept “Lawful Government Purpose”. Under the CUI Program, Lawful Government Purpose is the access and sharing standard. Lawful Government purpose is any activity, mission, function, operation, or endeavor that the U.S. Government authorizes or recognizes as within the scope of its legal authorities or the legal authorities of non-executive branch entities (such as state and local law enforcement).

Question: CUI can be shared in collaborative environments and forums, to include a teleconference, that meet the required cybersecurity requirements. (NIST SP 800-53 moderate confidentiality, NIST 800-171, or FedRAMP moderate depending on what the system is and who owns it). CUI should not be shared on a Webex that is accessible to the public or that does not meet the above requirements.

Answer: Yes, collaborative environments used to share or process CUI must meet the minimum standards for protecting CUI. See NIST SP 800-53 and NIST SP 800-171.

Question: We’re being told in the DIB TAWG that WebEx is not approved for CUI and that O365 GCC High or DoD has to be used to be CUI compliant.

Answer: Agencies (and organizations) must provide guidance to employees regarding approved/authorized systems where CUI can be handled. Follow all agency policy regarding approved systems or applications for CUI.

Question: Is this also related to CMMC (Katie Arrington)?

Answer: CMMC uses some of the requirements found in the 32 CFR 2002 (CUI Implementing directive), specifically, the NIST SP 800-171. 

Question: Will there be information/guidance regarding products that automate tagging for emails and documents?

Answer: The CUI EA is available to assist agencies in the evaluation of products and services related to the CUI program. There are plans to publish a meta-data tagging standard for CUI Categories. We expect this standard to be available for public comment in the coming months (May/June). The meta-data standard should assist developers in creating automated/assisted marking tools.

Question: We utilize an on-site shredding service, is this method approved for destroying CUI?

Answer: As organizations implement, they should ensure that products and services for destruction align to the standards of the CUI Program. See CUI Notice 2019-03 and NIST SP 800-88.

Question: Will USCIS apply this program to the applicant files? Currently we mark SBU or FOUO because of the PII contained within.

Answer: Yes. Applicant files that contain CUI should be marked as such. Legacy practices must remain in effect until USCIS implements the standards of the CUI Program. 

Question: ITAR Technical Data has its own protections from DDTC. Is ITAR data always CUI Specific, or only when designated by a government agency? In other words, if we as a contractor are doing an internal R&D effort with ITAR data, would this be CUI//SP?

Answer: Depending on which legal authority applies to the ITAR information in question, it could be either basic or specified. See the Export control category: https://www.archives.gov/cui/registry/category-detail/export-control.html. Banner markings appear next to each applicable authority, indicating how they should be marked. 

Question: What about those that have in their signature line that their correspondence is FOUO? Will that practice need to stop upon implementation and will there be a digital tool to assist in proper marking of CUI in Outlook and other document creation tools like MS Word?

Answer: Upon the implementation of the CUI Program within agencies, legacy practices (for marking) must cease. As the agency transitions to the standards of the CUI Program, FOUO/SBU-type markings will eventually be phased out. 

Question: If you use the coversheet, do you also have to mark all of the pages?

Answer: No. If a coversheet is used, interior pages do not need to be marked. 

Question: Is PII now marked CUI//SP-PRVCY?

Answer: Please see the Privacy categories listed on the CUI Registry. Underlying authorities will determine whether or not a category will be marked as specified or basic. 

Question: Does the Agency determine if CUI is Specified vs Basic?

Answer: No. The underlying authority (as listed on the CUI Registry) determines whether a category is basic or specified. Agency policy/procedure should reflect this distinction and, where applicable, cite specific handling or dissemination requirements.

Question: If information I work on is considered export controlled, can it still be basic, or is it automatically specified?

Answer: Export control information may be either basic or specified, depending on the underlying authority that applies to the information in question. See the Export Controlled category: https://www.archives.gov/cui/registry/category-detail/export-control.html

Question: Is portion marking optional? Or is it required to have a marking preceding each paragraph, table, figure containing CUI?

Answer: Portion marking in the CUI Program is optional, though it may be directed in agency policy or contracts/agreements. Please see the CUI Marking Handbook for specific guidance on portion marking.

Question: If a Contractor develops CUI under a contract (i.e. a report or deliverable submitted under the contract) does the contractor decide the marking or does the contractor ask the contracting officer to provide the category and correct marking?

Answer: Contracting authorities should provide guidance on how CUI should be marked in association with contracts. CUI Markings should align to the marking requirements found on the CUI Registry. See list of approved banner markings for CUI Categories: https://www.archives.gov/cui/registry/category-marking-list

Question: I understand that CUI comes from the agency in a contract; if we create a document or material that helps support the execution of a contract, is that CUI?

Answer: In association with a contract, it would be CUI if the information in question aligned to an existing category of CUI. Questions regarding the status and marking requirements should be directed to contracting activities. 

Question: When there is CUI//SP in a classified doc, is a CUI header required alongside the class marking? Section marking required?

Answer: The CUI Marking Handbook has specific guidance regarding the commingling of CUI and CNSI. See: https://www.archives.gov/files/cui/documents/20161206-cui-marking-handbook-v1-1-20190524.pdf

Question: The DoD has a DoD CUI registry, how does it relate to the NARA CUI registry?

Answer: Many agencies have elected to develop a mirror registry that reflects the CUI Categories commonly handled by their workforce. Categories reflected on an agency CUI Registry should be based on those listed on the national CUI Registry.

Question: How would contractor generated drawings be marked if they fall into controlled technical information?

Answer: Specific questions regarding the marking should be directed to contracting activities.

Question: Is there a list of executive agencies CUI covers?

Answer: All agencies of the Executive branch are required to implement the CUI Program. See https://www.usa.gov/branches-of-government

Question: I am relatively new to CUI, we use the Law Enforcement practice of “protecting the identity of Confidential Informants” currently classified as “Law Enforcement Sensitive LES” information, to my knowledge this is NOT protected under existing statutory law, regulation, or Government-wide policy, and therefore, would possibly not meet the requirements for protection under CUI controls. What is the best way to capture the LES information as CUI or is it anticipated to be standalone with legacy markings?

Answer: There are a number of Law Enforcement categories listed on the CUI Registry. Upon the implementation of the CUI Program within an agency, the use of legacy markings must cease. If the information type you are needing to protect is not reflected on the CUI Registry and you believe there is a gap, please contact your agency’s CUI Program Manager so they can initiate a formal review and if needed start the process to establish a provisional category of CUI. Please see: https://www.archives.gov/files/cui/documents/20181116-cui-notice-2018-04-provisional-categories.pdf

Question: You just said use of CUI is only mandatory for the government. But what about it being contractually enforced when giving sponsored projects to companies and universities? I think it still applies, right?

Answer: The CUI Program is mandatory for Executive branch agencies and for any non-federal entities and their subcontractors who contract with and act on behalf of the Federal Government.

Question: Could you clarify the statement that the average user isn’t intended to use the registry but that the Agency program office should say what is CUI?

Answer: The CUI Registry was not intended to be a resource for the average user of CUI. The Registry is meant for program officials who are responsible for developing policy and procedure for their agency. The reason for this is that the CUI Registry cites to applicable laws, regulations, and government-wide policies. Program officials, when developing policy and procedure, must examine these underlying documents and reflect those requirements in agency policy (and training). This being said, there have been recent enhancements (in 2020) to the CUI Registry that would assist employees with applying the proper markings for CUI. Please see the marking list that contains banner markings that can be applied for CUI Categories.

Question: Is it true that banner is mandatory…except when you’ve chosen to use a cover sheet only?

Answer: For documents, yes.

Question: If it is not marked CUI from the Agency and we assume it is CUI, as a contractor, can I mark it or do I need to go back to the originator for guidance? And if it is probably CUI and not marked, am I as a contractor liable for protecting the information on my network as CUI?

Answer: Any questions regarding the status of information should be directed to the originator. Any requirements to safeguard CUI on systems should be conveyed in applicable contracts or agreements with the government. 

Question: If you have multiple page documents with CUI, should you also use Portion Markings to identify the particular paragraph or item that contains CUI?

Answer: Portion markings, in the unclassified environment, are optional. If portion markings are used or required under your contract with an agency, they must be used throughout the document. Please see the CUI Marking Handbook for specific guidance. 

Question: For call in only certificates, who do we email for the certificate?

Answer: To receive a certificate for participating through the call (not able to connect to the webex), please send an email to cui@nara.gov. 

Question: Is there a tool for email marking?

Answer: Some agencies and vendors have been working to develop an automated tool to assist employees with marking CUI. The CUI EA is available to assist with the evaluation of automated marking tools. 

Question: If an Agency adopts CUI, and the clause is included in the contract, then is the Contractor required to adopt, correct? Also, what if the Contract has the clause, but the Agency has not provided documentation marked CUI, but the Contractor believes they are developing CUI internally, are they required to mark accordingly?

Answer: Questions regarding the marking/protection of CUI in association with a contract should be directed to the contracting activity. 

Question: Do emails containing CUI need to be encrypted?

Answer: Yes. 

Question: If a document is marked CUI//SP-PRVCY//Fed Only, do you still have to encrypt or password protect the document?

Answer: Yes. CUI must be encrypted in transit. 

Question: Coversheet = the first tab you see when you open a spreadsheet?

Answer: Not necessarily for spreadsheets; markings can be applied to the headers of the document. Coversheets or transmittals can be used to convey the status as CUI.

Question: Are there specific requirements on how to destroy CUI physical documents?

Answer: Yes. See NIST SP 800-88. Also see CUI Notice 2019-03.

Question: When sharing legacy documents via email (e.g. FOUO), should I use CUI banner markings in the subject/filename, or is that considered remarking?

Answer: When sharing legacy documents (as attachments) via email, the CUI banner in the email itself can serve as the alert of sensitivity, much like the SF 901 in hard copy transmissions. 

Question: Is PII always considered CUI?

Answer: Yes. PII is considered CUI. There are numerous Privacy categories listed on the CUI Registry. See: https://www.archives.gov/cui/registry/category-list

Question: What is the banner configuration when you have classified and CUI in the same document? Does it follow current classification guidance or is there an additional requirement for CUI? Bottom line, do I have to ID CUI in a class banner?

Answer: Please see part two of the CUI Marking Handbook. This section describes how CUI Markings should appear when commingled with CNSI markings. 

Question: If portion marking is not required how is the recipient supposed to know what data needs to be marked as a carry forward derivative marking?

Answer: In documents, most elements that contain CUI would be easily identifiable (for example, Privacy information). When there is a question regarding the status of information contained within a document that will be used, consult the originator. Agencies or organizations that produce CUI products that will likely be used to create additional documents (as described) should apply portion marking to facilitate the proper application of markings.

Question: As to PII, is it CUI basic or specified (is that the same as the category SP-Privacy Information)?

Answer: It depends on which CUI category applies to the information in question; there are numerous Privacy categories of CUI. Categories are either basic or specified depending on the underlying authority. The CUI Registry provides guidance on how to mark CUI based on the underlying authorities.

Question: Our contracting officer is not providing the category of CUI. We have asked for it, based on the registry. What is our responsibility under our contract? Do we have to go to the registry and determine it, or do we press the contracting officer to tell us if it is CUI and what category it is?

Answer: Contractors are bound by the terms of their contracts or agreements with the government. Questions regarding the status of CUI and marking requirements should be directed to the contracting activity. 

Question: What are the storage requirements for CUI in hard copy form (paper, disk, media)? Does it have to be stored in a GSA container, locked in an office cabinet, etc. or can it be left on a desktop overnight in a locked office?

Answer: Hard copy CUI must be stored in an area or container that would prevent unauthorized access. GSA Containers are not required to store CUI. CUI may be stored in controlled environments. Controlled environment is any area or space an authorized holder deems to have adequate physical or procedural controls (e.g., barriers or managed access controls) to protect CUI from unauthorized access or disclosure. Please see the Controlled Environments video for additional guidance: https://www.archives.gov/cui/training.html

Question: You just mentioned that there is training you can give. Can you send more details, please?

Answer: Upon request and based on available resources, the CUI Executive Agent is available to provide additional briefings and training to stakeholders. Send requests to cui@nara.gov. 

CUI Marking class (Webex)

We will be offering a CUI Marking fundamentals webex on
May 19, 2020 from 11 am – 1 pm (EDT).
Participants will receive a completion certificate for attending the webex.
In addition to providing an overview of the principles of marking in the unclassified environment, this class will provide an update on the CUI Program and its implementation among Executive Branch agencies.

The conference begins at 11:00 AM Eastern Time on May 19, 2020; you may join the conference 10 minutes prior.

Step 1: Dial into the conference.
Dial-in: 1-877-369-5243 or 1-617-668-3633
Access Code: 0205164##
Need an international dial-in number?
Step 2: Join the conference on your computer.
Entry Link: https://ems8.intellor.com/login/826851

When you access the entry link above, you will be provided a choice – to install the WebEx plug-in for your preferred browser or to join the web conference using a temporary path. Either option is acceptable.

Need assistance with your audio? Please dial 888-796-6118. Need assistance with your Webex? Please dial 888-793-6118.

Marking class presentation April

NOTE: You do NOT have to RSVP for this event. When logging in to participate in the webex, log in with your full name and email address. Your completion certificate will be filled out and emailed to you from this information. Your certificate will be emailed to you 3-4 weeks after this event.

Save the Date: CUI Marking class (Webex)

The CUI Program Office will be hosting another

CUI Marking class

Date: May 19, 2020

Time: 11:00 am – 1:00 pm (EST)

You do not have to RSVP for this class; the information will be posted as soon as it becomes available.

If you have any questions or concerns, please feel free to email us at CUI@nara.gov

 

NOTE: If you attended the CUI Marking class on April 23, 2020; your completion certificate will be emailed to you by the end of this week.