CUI Metadata standard available for review

The CUI Executive Agent has been working with the CUI Advisory Council and the National Information Exchange Model (NIEM) to develop a metadata standard for CUI categories and limited dissemination controls.  NIEM is a common vocabulary that enables efficient information exchange across diverse public and private organizations.

The draft standard can be found here and is available for comment until July 17, 2020.

CUI Program Implementation Deadlines issued

ISOO issued CUI Notice 2020-01 to facilitate a coordinated transition to the CUI Program.

Implementation Deadlines

Awareness campaign – By June 30, 2020, agencies must initiate an awareness campaign that informs their entire workforce of the coming transition to the standards of the CUI Program.

Policy – By December 31, 2020, agencies must issue policies that implement the CUI Program. Agencies may implement the CUI Program through a single policy or through multiple policies that address specific elements of the CUI Program. If an agency has sub-agencies, all those subordinate components must develop and publish implementing policies and/or modify or rescind all affected policies by June 30, 2021. 

Classification marking tools and commingling – By December 31, 2020, agencies that manage, own, or control Classification Marking Tools (CMT) used to mark Classified National Security Information must have initiated any modification of such CMTs as necessary to begin accounting for CUI markings described on the CUI Registry and the standards described in 32 CFR 2002.20(g).

Training – By December 31, 2021, agencies (including any sub-agencies or components) must deploy CUI training to all affected employees. Agencies may implement CUI training through a single module or through multiple modules. CUI training may be incorporated into existing agency training (such as privacy, information systems, or records management training).

Physical safeguarding – By December 31, 2021, agencies (including any sub-agencies or components) must implement or verify that all physical safeguarding requirements, as described in 32 CFR 2002 and in agency policies, are in place.

Information systems – By December 31, 2021, agencies (including any sub-agencies or components) must modify all Federal information systems to the standards identified in 32 CFR 2002. Federal and contractor information systems that are used to store, process, or transmit CUI must be configured at no less than the Moderate Confidentiality impact value (see 32 CFR 2002.14).

Reporting – CUI Senior Agency Officials must submit an annual report on the CUI Program to ISOO no later than November 1 each year, and report on implementation during the preceding fiscal year. Reports must cover all implementation and program activities from October 1 to September 30 of the preceding fiscal year. Only parent agencies are required to report directly to ISOO. Agency components, elements, sub-agencies, regional locations, divisions, and/or internal lines of business must report to their parent agency.

Agencies that anticipate delays in implementing any of the above deadlines must include a narrative in their annual report submission that describes the issue giving rise to the delay and projects when they expect to implement the delayed program element. They must also include a copy of their implementation plan or strategy. ISOO will evaluate and formally approve delays on a case-by-case basis and may report such delays to the President.


Banner Markings now on the CUI Registry!

In response to stakeholder requests and to enhance the usability of the CUI Registry, ISOO recently updated the CUI Registry to reflect the banner markings that can be applied to the various categories of CUI. You can find this change on individual category pages, directly below the category name. This change should assist authorized personnel in the proper application of CUI Markings.  ISOO has also developed a number of resources that should assist with the proper marking of CUI.  The CUI Marking Handbook, training videos (Introduction to Marking & Marking Commingled Information), and the CUI Coversheet are great resources as you implement and begin marking CUI.

The ISOO Overview Blog Launches Today

ISOO Director Mark A. Bradley today (March 20, 2020) is launching The ISOO Overview Blog, as a new forum for engaging with the public, and all ISOO stakeholders, including everyone in the CUI community of interest.  The new blog welcomes comments, which all components of the ISOO staff will review as part of their work.

From now on, and beyond the current public health emergency, The ISOO Overview Blog will post information at least once a week, including notifications of relevant events, ISOO policy, guidance, and activities; and ISOO reports and perspectives on ISOO’s lines of business and matters related to ISOO’s roles and authorities.

We look forward to brighter days ahead, and continuously expanding conversation in the public interest about how the Federal Government manages, protects, classifies, declassifies, shares and releases its vastly increasing information assets.

Be well and remain engaged.

FY 2018 ISOO Annual Report Release

The Information Security Oversight Office (ISOO) released its Fiscal Year (FY) 2018 Annual Report to the President today and posted it here.  In his Letter to the President, ISOO Director Mark A. Bradley highlighted the challenges the Government faces in trying to safeguard and manage petabytes of electronic data using antiquated systems meant for paper. He also stressed the need for the Government to modernize its information security and information management policies, and to adopt a technology and investment strategy to accomplish it.

The report featured both an update on ISOO’s efforts to implement recommendations from its FY 2017 Annual Report to the President and a high-level assessment of the various programs in ISOO’s portfolio, including the Controlled Unclassified Information (CUI) Program.  The first page of the FY 2018 report is dedicated to an evaluation of agency CUI implementation efforts and ISOO’s work supporting implementation. The report noted that agencies have made significant progress since last year, but work remains to be done.

Specifically, many agencies still have not submitted CUI budget estimates to the Office of Management and Budget (OMB). To aid agencies, ISOO worked with OMB to modify section 31.15 of Circular A-11, Preparation, Submission, and Execution of the Budget. This guidance now includes details meant to inform what agencies need to include in submitting their CUI implementation budget estimates: hiring staff to implement and manage the program; developing and deploying automated marking tools; and creating training programs for agency staff. ISOO also worked with the Departments of Homeland Security and Defense, the National Aeronautics and Space Administration, and the General Services Administration to draft standard safeguarding requirements for inclusion in a Federal Acquisition Regulation (FAR). ISOO and its partners hope to finalize these requirements in FY 2019 so they are ready for use by agencies.

We hope you take time to read both the Director’s Letter to the President as well as the full report.

Protecting Controlled Unclassified Information: Comment on Draft NIST SP 800-171 Rev. 2 and Draft NIST SP 800-171B (comment period ends July 19, 2019)

https://csrc.nist.gov/News/2019/draft-sp-800-171-rev-2-and-sp-800-171b

NIST is seeking comments on Draft NIST Special Publication (SP) 800-171 Revision 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and Draft NIST SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets.

The public comment period for both publications ends on July 19, 2019. See the publication details for SP 800-171 Rev. 2 and SP 800-171B for document files and instructions on submitting comments.

Details

Draft NIST SP 800-171 Revision 2 provides minor editorial changes in Chapters One and Two, and in the Glossary, Acronyms, and References appendices. There are no changes to the basic and derived security requirements in Chapter Three. For ease of use, the Discussion sections, previously located in Appendix F (SP 800-171 Revision 1), have been relocated to Chapter Three to coincide with the basic and derived security requirements.

Draft NIST SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets, was developed in the spring of 2019 as a supplement to NIST SP 800-171. This new document offers additional recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher-than-usual risk of exposure. When CUI is part of a critical program or a high value asset (HVA), it can become a significant target for high-end, sophisticated adversaries (i.e., the advanced persistent threat (APT)). In recent years, these critical programs and HVAs have been subjected to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST.

The enhanced security requirements are to be implemented in addition to the basic and derived requirements in NIST SP 800-171, since the basic and derived requirements are not designed to address the APT. The enhanced security requirements apply only to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components when the designated CUI is contained in a critical program or HVA. The enhanced security requirements are only applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.

Director’s Corner

by Mark Bradley, Director, ISOO

The Wall Street Journal reported in its April 29, 2019, edition that American intelligence chiefs now believe that Chinese espionage is the most significant long-term threat facing the country. This threat encompasses traditional spy craft, which is aimed at stealing government secrets, and the theft of intellectual property and research from corporations and universities. China’s effort is being aided and abetted by oceans of stolen personal data, such as the heist in 2015 of more than 20 million files from the Office of Personnel Management. Counterintelligence experts believe that such grand scale thefts help Chinese intelligence officers pinpoint who may be the most vulnerable to recruitment.

The Information Security Oversight Office is the Executive Agent of the government’s Controlled Unclassified Information program. This program’s primary aim is to enhance the government’s protection of sensitive but unclassified information.

Register for the CUI Symposium Hosted by the Department of Veterans Affairs


The Department of Veterans Affairs will host a CUI Symposium on November 8, 2018, 2:30-4:00 pm at 810 Vermont Avenue NW, Washington DC 20420, in the G.V. “Sonny” Montgomery Veterans Auditorium, Room 230.

Panel members from DOI, IRS, and the CUI Executive Agent will also share their CUI deployment knowledge and experiences.

To register, go to:

https://www.eventbrite.com/e/va-cui-symposium-tickets-51290317721