Transitioning to CUI: When Organizations are Moving at Different Paces

Moving the entire Executive branch to change course is similar to getting an aircraft carrier battle group to turn. Each component element has unique specs and circumstances, but they must function as a unified whole.

Not surprisingly, as agencies move forward with their implementation, we are getting questions about the interaction between organizations that are at different stages of implementation.

The simple answer is:

  • Follow any specific requirements as needed and apply your agency’s existing policies and practices that are in effect at the time you are taking your action.

The more complex answer is:

  • If you and the organization you receive the information from have an information sharing agreement in place, then follow the information sharing agreement.
  • If no information sharing agreement governs the situation, then follow the best practices below.
    • If your agency has not yet implemented, but you receive CUI from an organization that has, then use your existing pre-CUI policies to safeguard according to the law, regulation, or government-wide policy that authorizes that CUI category.
    • If your agency has implemented, but receives CUI marked with Legacy Markings from an organization that has not yet implemented, then use your existing CUI policies to safeguard according to the law, regulation, or government-wide policy that authorizes that CUI category.

Please note that since all CUI categories are based on requirements in law, regulation, or government-wide policy, those authorities and their requirements existed prior to CUI implementation and must be followed regardless of CUI implementation status.

CUI Marking Class Q&A (From May 19)

Q&A from May 19 class

Question: Will unclassified contracts have DD 254s issued to provide CUI guidance, or will unclassified contracts have simple attachments similar to the current FOUO for guidance?

Answer: DD 254s are only to be used with contracts that include CNSI requirements. The CUI EA has been working to develop a FAR case (with GSA, DoD, NASA, DHS) that will be used to standardize the way Executive branch agencies convey safeguarding guidance for CUI. This FAR case includes a draft standard form, similar to the DD 254, that is intended to consolidate where contract-related CUI requirements are conveyed.

Question: Will CUI Training be available through CDSE?

Answer: Likely. It is our understanding that DoD is working to develop CUI Training and that some CUI Training may be included on CDSE; who will be required to take the training and what training requirements it will meet are still to be decided by DoD. Specific questions regarding DoD’s implementation can be directed to: osd.pentagon.ousd-intel-sec.mbx.dod-cui@mail.mil. Current information about CUI on the CDSE platform can be found at https://www.cdse.edu/toolkits/cui/index.php

Question: Who is the responsible party for issuing Legacy CUI marking waivers?

Answer: Per 32 CFR 2002.38, Senior Agency Officials (SAOs) may issue marking waivers for CUI while it remains under agency control.

Question: Can you point out the agency CUI POC list?

Answer: https://www.archives.gov/cui/about/contact.html#contact-an-agency

Question: Who is responsible for marking CUI? We have run into agencies failing to do so. If we don’t generate the material, what is the contractor’s responsibility?

Answer: Upon implementation, agencies are responsible for marking or identifying any CUI shared with non-federal entities. Questions regarding the status of information (marked or unmarked) should be directed back to the contracting activity. Keep in mind, many agencies are not yet marking CUI and are still implementing the elements of the CUI program. Contractors should not follow CUI program requirements or markings until directed to do so in a contract or agreement.

Question: Define AGENCY when discussing Legacy Information

Answer: Agency (also Federal agency, executive agency, executive branch agency) is any “executive agency,” as defined in 5 U.S.C. 105; the United States Postal Service; and any other independent entity within the executive branch that designates or handles CUI.

Question: What do you consider reuse of CUI?

Answer: Re-use means incorporating, restating, or paraphrasing information from its originally designated form into a newly created document.

Question: What’s the difference between CUI and Controlled?

Answer: There is no difference; both are authorized CUI Control Markings and can be used interchangeably unless limited by agency policy.

Question: You authorize “NOFORN” and “REL TO” as dissemination control markings. Why don’t we have a marking equivalent to “RELIDO” (which is an intelligence marking that allows authorized people downstream to further disseminate as needed without going back to the originator)?

Answer: The only authorized Limited Dissemination Control (LDC) markings that can be used with CUI are those found on the CUI Registry. CUI Notice 2018-07 (https://www.archives.gov/files/cui/documents/20181116-cui-notice-2018-07-limited-dissemination-controls.pdf) describes the proper use of LDCs and also the process for submitting new/additional LDCs for use with CUI. The dissemination of all CUI is governed by the principle of “Lawful Government Purpose”; this means that any recipient of CUI must be deemed to have a mission-related purpose to receive the information and that there must be no prohibition to that dissemination in law, regulation, or governmentwide policy. If an agency wishes to communicate a restriction beyond this, any of the above-mentioned dissemination controls can be applied as appropriate.

Question: Can you give a few examples of CUI Basic?

Answer: The CUI Registry lists all authorized CUI Categories (basic and specified): https://www.archives.gov/cui/registry/category-marking-list. The categories on this page that do not have a marking with “SP-” are CUI basic categories, like the Agriculture category and the Asylee category.

Question: For Industry Contractors, do we ever mark CUI?

Answer: Yes, but only when instructed to do so in the contract or supporting documentation.

Question: Are we basically only concerned with protecting CUI that we actually receive from our government customer?

Answer: CUI must be safeguarded in accordance with the contract, whether it is created or collected for the government or shared from the government to the contractor.

Question: Especially when talking about Legacy information, do we just wait until the government agency sends us new documents that are marked CUI?

Answer: Any information received or created as part of a current or previous contract should be protected in accordance with the terms of the contract under which it was received or created. As agencies implement, CUI requirements will be added to existing and new contracts.

Question: What do you do if you have your customer marking every document as CONTROLLED with no true banner marking? Is that considered Basic? The word Controlled is an authorized banner marking for Basic CUI.

Answer: Under the CUI program, information marked “CONTROLLED” without additional markings would be CUI basic. Confirm with your customer and your contract that they are using CUI markings and ensure you follow any and all requirements in your contract or agreement.

Question: How do you navigate a situation where you feel you have CUI but it hasn’t been marked appropriately?

Answer: Questions regarding the status of CUI should be directed to the originator of the information or the contracting activity.

Question: What is the difference between U//FOUO and CUI?

Answer: U//FOUO is a legacy marking used to indicate sensitivity based on agency policy or practice. CUI is a marking that is used to indicate the presence of CUI basic information. CUI Markings are applied only to those information types (categories) found on the CUI Registry and can be linked to laws, regulations, or Government-wide policies calling for protection or control of the information. As the CUI Program is implemented, U//FOUO will cease to be an authorized marking, but you may still see it on legacy documents as we transition to CUI.

Question: Banner marking and document marking work for unstructured data? What about marking structured data such as databases?

Answer: For databases or applications, splash screens or banner marking can be used to satisfy the marking and identification requirements of the CUI Program. System outputs can also be modified to apply markings upon printing or downloading from the application. The CUI office is working with NIEM to create a CUI Metadata standard that can be used to indicate CUI markings. Check the CUI blog for updates on this project.

Question: Do you mark/tag fields in the Database or categorize the system itself?

Answer: Individual fields can be marked or a general alert can be placed on entry into the database/system. System outputs should be modified to include applicable CUI markings as needed.
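Field-level tagging of a structured record with the banner derived at output time, as an added example that is not part of the original post or of any CUI EA tool. It assumes the banner layout CONTROL//CATEGORIES//LDCS with an SP- prefix on Specified categories (taken from the CUI Marking Handbook, not stated in the Q&A above); the record, the Basic/Specified assignments, the designator and the LDC allowlist are constructed sample values.

```python
"""Field-level CUI tagging of a structured record, with markings applied on output.

Added illustration, not ISOO / CUI EA code. Assumption: the banner layout
CONTROL//CATEGORIES//LDCS, with "SP-" on Specified categories, is taken from the
CUI Marking Handbook; only category names that appear in the Q&A (NNPI, PRVCY)
and the LDCs it names (NOFORN, REL TO) are used, and the sample record is constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, Iterable, Optional, Tuple

# LDCs the Q&A names as authorized; the full list is the CUI Registry's, not this set.
AUTHORIZED_LDCS = frozenset({"NOFORN", "REL TO"})
# The Q&A states these two control markings are interchangeable unless agency policy limits them.
CONTROL_MARKINGS = frozenset({"CUI", "CONTROLLED"})


@dataclass(frozen=True)
class CuiTag:
    """Marking metadata attached to one field of a record."""
    category: str               # Registry category marking, e.g. "NNPI"
    specified: bool = False     # True -> CUI Specified (SP- prefix); False -> CUI Basic
    ldcs: Tuple[str, ...] = ()  # limited dissemination controls, e.g. ("NOFORN",)

    def __post_init__(self) -> None:
        # Only Registry LDCs may be used; e.g. a CMMC level is not a dissemination control.
        for ldc in self.ldcs:
            if not any(ldc == a or ldc.startswith(a + " ") for a in AUTHORIZED_LDCS):
                raise ValueError(f"{ldc!r} is not an authorized CUI limited dissemination control")


@dataclass
class Record:
    fields: Dict[str, str]
    tags: Dict[str, CuiTag] = field(default_factory=dict)  # field name -> CUI tag
    decontrolled: bool = False  # set only by an authorized holder (32 CFR 2002.18)


def banner(tags: Iterable[CuiTag], control: str = "CUI") -> Optional[str]:
    """Compose one marking covering every tag given, or None when nothing is CUI.

    Specified categories are listed (alphabetically) because the underlying
    authority requires it; Basic categories are not listed, so a record holding
    only Basic fields renders as the bare control marking, which the Q&A says
    is read as CUI Basic. LDCs follow after a second "//".
    """
    if control not in CONTROL_MARKINGS:
        raise ValueError(f"{control!r} is not a CUI control marking")
    tags = list(tags)
    if not tags:
        return None
    specified = sorted({"SP-" + t.category for t in tags if t.specified})
    ldcs = sorted({ldc for t in tags for ldc in t.ldcs})
    parts = [control]
    if specified:
        parts.append("/".join(specified))
    if ldcs:
        parts.append("/".join(ldcs))
    return "//".join(parts)


def render(record: Record, designator: str, control: str = "CUI") -> str:
    """Text output of a record (the print/download path) with markings applied.

    The banner is computed from field tags at output time, which is the
    "modify system outputs" approach in the Q&A. A decontrolled record is
    emitted with every CUI marking removed.
    """
    overall = None if record.decontrolled else banner(record.tags.values(), control)
    lines = [overall] if overall else []
    for name, value in record.fields.items():
        tag = record.tags.get(name)
        if tag is not None and not record.decontrolled:
            # Field-level (portion) marker derived from that field's own tag.
            lines.append(f"{name}: {value}  ({banner([tag], control)})")
        else:
            lines.append(f"{name}: {value}")
    if overall:
        # The designation indicator is required for Basic and Specified alike.
        lines.append(f"Designated by: {designator}")
        lines.append(overall)
    return "\n".join(lines)


# Constructed sample: one row of a hypothetical parts database. In practice whether a
# category is Basic or Specified comes from the Registry's underlying authority.
SAMPLE_RECORD = Record(
    fields={
        "part_number": "NP-0001",
        "applicant_name": "J. Doe",
        "public_catalog_url": "https://example.invalid/catalog",
    },
    tags={
        "part_number": CuiTag("NNPI", specified=True, ldcs=("NOFORN",)),
        "applicant_name": CuiTag("PRVCY"),  # treated as Basic in this constructed sample
    },
)
DESIGNATOR = "Example Co. for Example Agency, cui-poc@example.invalid (constructed)"


def demo() -> str:
    """Render the constructed sample record with its derived markings."""
    return render(SAMPLE_RECORD, DESIGNATOR)


if __name__ == "__main__":
    print(demo())
```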

Question: How would I mark/tag a system?

Answer: See the CUI Marking handbook, page 27

Question: What you’re saying is purple is recommended, but not required?

Answer: The SF 901 is purple. If color printing is not available, the form can be printed using a black and white printer.

Question: To clarify Contractors only have to mark CUI if their contract requires it?

Answer: Yes. Contractors need to follow whatever guidelines are in their contract; as the CUI program is an executive branch program, CUI requirements do not bind the public, except as authorized by law or regulation or as incorporated into a contract or agreement.

Question: Are there reporting requirements and corrective actions for CUI spillage, similar to those present for Classified information?

Answer: Agencies/organizations should develop reporting requirements/mechanisms for CUI incidents. Certain categories of CUI (like Privacy) have special reporting requirements for loss or incidents.

Question: So CUI designation is replacing anything that we would have labeled FOUO//?

Answer: Once agencies implement the CUI Program, legacy markings such as FOUO or SBU will no longer be used. In many cases what was previously marked as FOUO would align and be able to be marked as CUI. There are some information types currently marked as FOUO that may not qualify as CUI.

Question: How should industry label their computers or USBs containing CUI? What should the label contain?

Answer: SF 902 and 903 can be used by industry to label hard drives or USBs (media) that contain CUI. They can be ordered from GSA here: https://www.gsaadvantage.gov/advantage/ws/search/advantage_search?q=0:27540-01-679-3318&db=0&searchType=0

Question: What about ITAR controls?

Answer:  Please see the Export Control Category of CUI. https://www.archives.gov/cui/registry/category-detail/export-control.html

Question: Do Industry personnel (FSO, etc) have authority to generate original CUI?

Answer:  Maybe. Depending on the terms of the contract, industry may have the authority to generate CUI on behalf of the USG.

Question: What’s the difference between CUI, FOUO, and the Privacy Act Coversheets and markings?

Answer: The CUI Coversheet (SF 901) is authorized for use with CUI. Upon the implementation of the CUI Program, coversheets (and markings) that are not required per underlying authorities, such as FOUO and Privacy Act, may no longer be used.

Question: As a subcontractor, doesn’t our customer have to flow down what is CUI?

Answer: The Draft CUI FAR case will have strict flowdown requirements much like DFARS 252.204-7012. Flowdown requirements should be reflected in the primary contract.

Question: Are you familiar with any solutions that can automate the process of email marking?

Answer:  We are aware of a number of efforts within industry and within agencies to develop automated/assisted marking solutions for CUI. There are no plans, by the CUI Executive Agent/ISOO, to publish an evaluated or approved list of vendors who have developed automated/assisted marking tools for CUI.

Question: Our activity uses the NOFORN marking for Naval Nuclear Propulsion Information category CUI, but we do not use the CUI//SP-NNPI for the marking, we use NOFORN.  Should we switch over to using SP-NNPI?

We also use a GREEN NOFORN Cover Sheet instead of the purple CUI one.

Answer: Industry should continue to follow the terms of existing contracts. As agencies implement the CUI Program, contracts will be modified to reflect CUI requirements.

Question: Can we use the coversheet instead of marking each page of the document or do we need to use both the cover sheet and also mark each page?

Answer: A coversheet (SF 901) may be used in lieu of marking every page of a document. Be sure to list (on the SF 901) any Specified categories, limited dissemination controls, or requirements called for by underlying, related laws, regulations, or government-wide policies.

Question: Is it required that CUI be stored in a GSA-approved safe?

Answer: No. CUI must be stored behind a locking barrier inside of a controlled environment that prevents unauthorized access. Organizations have some flexibility in determining what qualifies as a controlled environment. CUI specified categories may have additional physical security requirements.

Question: Where can we access the CUI Marking Handbook?

Answer: https://www.archives.gov/files/cui/documents/20161206-cui-marking-handbook-v1-1-20190524.pdf

Question: What is the mechanism for removing markings or lifting restrictions on documents if/when the restriction has expired or no longer applies?

Answer: CUI Markings can be removed (or struck through) when the information has been decontrolled. Decontrolling occurs when an authorized holder, consistent with 32 CFR 2002 and the CUI Registry, removes safeguarding or dissemination controls from CUI that no longer requires such controls. Decontrol may occur automatically or through agency action. See § 2002.18.

Question: If you use a Coversheet for a multipage document, do you still need to mark every page?

Answer: No, if you use a CUI coversheet (SF 901), marking every page is not required.

Question: Are there specific/special Record Retention issues/timeframes specific to CUI?

Answer: No. Records retention issues/timeframes are not impacted by a record’s status as CUI.

Question: (If you asked a DoD-specific question, your answer is here) What about DoD?

Answer: For answers about compliance with your DoD contracts, the first place to check is the contract itself or the POC for the contract.

For questions about compliance with DFARS 7012, check out the DoD Procurement Toolbox at: https://dodprocurementtoolbox.com/faqs/cybersecurity/cybersecurity-faqs.

“osd.dibcsia@mail.mil” can be contacted for clarification on DFARS 252.204-7012 or NIST SP 800-171 in support of DFARS 252.204-7012. Emails sent to that address are reviewed frequently and distributed as appropriate to a cross-functional team of subject matter experts for action.

For questions about the planned CMMC program please see the CMMC website at: https://www.acq.osd.mil/cmmc/

Training-specific information will likely be included on the CDSE CUI page at: https://www.cdse.edu/toolkits/cui/index.php

FCI and CUI, what is the difference?

Buckle up, this is a long one…

First, a disclaimer:

This blog post does not constitute CUI guidance. This post is solely an effort to provide helpful information and context.

Then on to some definitions!

Federal contract information (from 48 CFR 52.204-21) means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

Controlled Unclassified Information (from 32 CFR 2002.4) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify. [emphasis added]

When we look at both of these definitions, we find some similarities as well as a very important distinction. Both CUI and FCI include information created or collected by or for the Government, as well as information received from the Government. But, while FCI is any information that is “not intended for public release,” CUI is information that requires safeguarding.

In short: All CUI in possession of a Government contractor is FCI, but not all FCI is CUI.

So, what does this mean for safeguarding in a non-federal system?

Non-federal systems that store, process, or transmit FCI that does not also qualify as CUI must follow, at a minimum, the basic safeguarding requirements outlined in FAR clause 52.204-21.

Non-federal systems that store, process, or transmit CUI are required to meet any additional safeguarding requirements identified in the contract. As agencies implement the CUI program and incorporate the standards of this program into their contracts and agreements, the NIST SP 800-171 will be the minimum standard for protecting CUI in non-federal information systems and organizations (per 32 CFR 2002.14 and 2002.16).

CUI Marking class Q&A (From April 23)

Below are answers to the questions that were asked during the April 23 CUI marking class (WebEx).

Question: What do you mean by “when CUI leaves the agency”? Does this mean, as an example, when CUI leaves “DoD”?

Answer: Generally, when an agency issues a limited waiver for marking CUI that remains under their control, CUI does not need to be marked. When the information is shared with outside entities (outside the agency, or an internal component of the agency), the CUI must be marked or identified in accordance with the CUI Program. Agencies can establish limited waivers for their entire agency or for select components within their agency. If an agency elects to issue such waivers, it must still take reasonable steps to inform the users of the existence of CUI upon transmission to external entities.

Question: Can CUI be stored on a shared network by industry contractors if strong protections are applied, or should it be kept on a separate secured system or network?

Answer: CUI can be stored on industry systems provided it is permitted by the contract or agreement and that the systems align to the minimum requirements, as described in the contract or agreement. The NIST SP 800-171 is the minimum standard for protecting CUI on non-federal systems. There is no prohibition on sharing or providing access to industry contractors, as long as all of the cyber security requirements are met and the information is shared in accordance with any limited dissemination control markings, contract stipulations, and a lawful government purpose determination. All of this must be accomplished in accordance with agency policy and the content of the contract or agreement.

Question: If CUI basic must be marked “CUI” or “Controlled”, when will all CFRs (online and hardcopy) be appropriately marked? Note: Marking Basic in this way creates issues for DLP systems as Basic does not require additional protections.

Answer: CFRs (Code of Federal Regulations) are not Controlled Unclassified Information. Current CFRs can be found on publicly available websites [https://gov.ecfr.io/cgi-bin/ECFR?page=browse].

Question: Can CUI information be shared on WebEx?

Answer: Maybe. Employees should verify that the WebEx technology aligns to the safeguards prescribed by the agency and to those described in 32 CFR 2002 (i.e., the moderate confidentiality baseline). Please refer to the CUI blog post on the NSA article “Working from Home? Select and Use Collaboration Services More Securely”. Employees should consult with their designated program office prior to sharing CUI via WebEx. Generally, the sharing of CUI should be limited to only the degree necessary to support current operations. As always, contractors must follow all of the requirements in their contracts or agreements, which may provide more detailed guidance.

Question: Do we have a list of items that fall under CUI?

Answer: The CUI Registry lists all approved categories of CUI.

Question: Our company uses WebEx, so it is approved on our systems. The question my leader asked today was if CUI can be shared on WebEx, so it looks like as long as the markings are on presentations?

Answer: CUI Markings are not sufficient to ensure the protection of the information. Markings do serve as an alert to users of what is being shared. Prior to using any WebEx technology to share CUI, we advise verifying with organization/agency officials to ensure that proper safeguards are in place on the system and that the technology has been cleared/authorized for use with CUI. Please also see the CUI blog post titled: NSA Article: “Working from Home? Select and Use Collaboration Services More Securely”.

Question: How does CUI marking enable compliance with 5 U.S.C. 552, Freedom of Information Act?

Answer: CUI markings do not speak directly to FOIA exemptions. While many CUI Categories would align to exemptions under FOIA, there is not a direct relationship between CUI categories and FOIA exemptions. Agency personnel should follow their agency release procedures. Our office has developed a number of resources that can assist users in understanding the relationship between FOIA and CUI. See: https://www.archives.gov/cui/training.html

Question: CUI can be shared in collaborative environments and forums that meet the required cyber-security requirements. (NIST SP 800-53 moderate confidentiality, NIST 800-171, or fedramp moderate depending on what the system is and who owns it).

Answer: CUI should not be shared on a webex that is accessible to the public or that does not meet the above requirements.

Question: Can you advise whether today’s scope is only CUI / DFARS (NIST 800-171) or covers some of the overlapping domains with CMMC L3 too, as the latter became mandatory for DoD Government contracts from 07/2020?

Answer: The scope of the session was on the markings of the CUI Program, as described in 32 CFR 2002 and the guidance published on the CUI Registry. These markings are not yet in use at all agencies; as such, all employees should continue to follow existing agency policy until directed to use the new markings. Non-federal entities (including contractors) should continue to follow the requirements as outlined in their contracts or agreements and not use these markings unless directed to do so.

Question: Does that include within components of an agency as well?

Answer: This question likely relates to limited waivers issued within the agency. Parent agencies can authorize component elements to waive markings while the CUI remains within their control. Upon transmission outside of the component element, the CUI must be marked or identified in accordance with the standards of the CUI Program.

Question: When contractors generate and mark CUI, what designator should be used?

Answer: The designation indicator can be the company name and also the agency associated with the contract. If possible, specific contact information should be included (name, phone number, email address, etc.). Agency policies, contracts, or agreements may contain more specific guidance as to how this element should be filled out.

Question: Would the designation indicator be used with CUI Basic or only CUI Specified controls?

Answer: The designation indicator requirements for CUI basic and specified are identical and must be included for both.

Question: So would the CMMC certification level requirements be reflected in the “Limited Distribution” section?

Answer: No. CMMC certification levels are not dissemination controls. The only limited dissemination controls authorized for use with CUI are those found on the CUI Registry.

Question: It has been difficult to determine basic or specified; for example, it seems some ITAR information is basic, other is specified, but it’s not very clear to determine.

Answer: The CUI Registry provides information on whether a category is basic or specified. What determines whether a category is basic or specified is the underlying authority. The CUI Registry contains information on what the banner markings should be based on the authorities. For Export Control information, see: https://www.archives.gov/cui/registry/category-detail/export-control.html

Question: Is CDI (what we use ) the same as CUI?

Answer: CDI (covered defense information) is not a category of CUI but rather an overarching term that could include CUI. CDI or FOUO as terms will eventually be phased out and replaced with CUI terminology and category designations.

Question: When does the CUI Program go into effect?

Answer: For agencies, the CUI Program will go into effect when the agency issues a policy that reflects the standards of the program. Most agencies have already issued policies and most are projected to have policies issued by December of 2020. For industry, the program goes into effect when referenced in contracts and agreements.

Question: The legacy waiver is sought by the agency, right? Not the contractor/licensee?

Answer: Yes. Legacy waivers are issued by agencies. Contractors do not have to remark sensitive information shared or produced by them in association with existing or prior contracts. The terms of those contracts remain in effect until modified by the USG.

Question: For contracts with DoD agencies, should the contracting officer tell the contractor what is CUI and how it should be marked?

Answer: Yes, that is the goal. However, as agencies are still in the process of implementing the CUI program, be sure to follow any existing requirements directing the marking or protection of unclassified information. Under the new Federal Acquisition Regulation (FAR), a standard form is being contemplated that will require this level of granularity in all contracts where CUI is involved. The FAR is expected to be released for public comment in the summer of 2020.

Question: My company interacts with the NRC. Who is responsible for marking documents as CUI? Our company, or the NRC, or both of us?

Answer: It depends on the terms of the contract. Some contracts may require industry to generate CUI, if so, they would be responsible to apply markings. Any CUI shared with industry should be marked accordingly. Any and all USG markings should only be applied in accordance with the contract or agreement.

Question: On DoD contracts, we’ve seen CUI checked in the DD254 for over a year now but DoD hasn’t adopted this. It’s very confusing as to when we are supposed to start seeing/marking CUI on these contracts.

Answer: Questions regarding the pace and plans to implement the CUI Program within the DOD can be directed to: osd.pentagon.ousd-intel-sec.mbx.dod-cui@mail.mil

Question: Is there a list of agencies that have adopted CUI?

Answer: Currently, there is not a list of agencies that have adopted the CUI Program. Every agency of the executive branch is required to implement the CUI Program (https://www.usa.gov/branches-of-government). ISOO monitors implementation actions by parent agencies. The CUI Registry maintains a list of all registered program officials or contact information: https://www.archives.gov/cui/about/contact.html#contact-an-agency

Question: These are fairly significant changes to the marking system. What, if anything, precipitated them?

Answer: Executive order 13556, Purpose, section 1 : “At present, executive departments and agencies (agencies) employ ad hoc, agency-specific policies, procedures, and markings to safeguard and control this information, such as information that involves privacy, security, proprietary business interests, and law enforcement investigations. This inefficient, confusing patchwork has resulted in inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing. The fact that these agency specific policies are often hidden from public view has only aggravated these issues. To address these problems, this order establishes a program for managing this information, hereinafter described as Controlled Unclassified Information, that emphasizes the openness and uniformity of Government-wide practice.”

Question: Does CUI have the same “Need-to-Know” requirements as FOUO?

Answer: The CUI policy does not mention “Need-to-Know”, but it does have a very similar concept “Lawful Government Purpose”. Under the CUI Program, Lawful Government Purpose is the access and sharing standard. Lawful Government purpose is any activity, mission, function, operation, or endeavor that the U.S. Government authorizes or recognizes as within the scope of its legal authorities or the legal authorities of non-executive branch entities (such as state and local law enforcement).

Question: CUI can be shared in collaborative environments and forums, to include a teleconference, that meet the required cybersecurity requirements. (NIST SP 800-53 moderate confidentiality, NIST 800-171, or fedramp moderate depending on what the system is and who owns it). CUI should not be shared on a webex that is accessible to the public or that does not meet the above requirements.

Answer: Yes, collaborative environments used to share or process CUI must meet the minimum standards for protecting CUI. See NIST SP 800-53, NIST SP 800-171.

Question: We’re being told in the DIB TAWG that WebEx is not approved for CUI and that O365 GCC High or DoD has to be used to be CUI compliant.

Answer: Agencies (and organizations) must provide guidance to employees regarding approved/authorized systems where CUI can be handled. Follow all agency policy regarding approved systems or applications for CUI.

Question: Is this also related to CMMC (Katie Arrington)?

Answer: CMMC uses some of the requirements found in 32 CFR 2002 (the CUI implementing directive), specifically NIST SP 800-171.

Question: Will there be information/guidance regarding products that automate tagging for emails and documents?

Answer: The CUI EA is available to assist agencies in the evaluation of products and services related to the CUI program. There are plans to publish a meta-data tagging standard for CUI Categories. We expect this standard to be available for public comment in the coming months (May/June). The meta-data standard should assist developers in creating automated/assisted marking tools.

Question: We utilize an on-site shredding service, is this method approved for destroying CUI?

Answer: As organizations implement, they should ensure that products and services for destruction align to the standards of the CUI Program. See CUI Notice 2019-03 and NIST SP 800-88.

Question: Will USCIS apply this program to the applicant files? Currently we mark SBU or FOUO because of the PII contained within.

Answer: Yes. Applicant files that contain CUI should be marked as such. Legacy practices must remain in effect until USCIS implements the standards of the CUI Program. 

Question: ITAR Technical Data has its own protections from DDTC. Is ITAR data always CUI Specific, or only when designated by a government agency? In other words, if we as a contractor are doing an internal R&D effort with ITAR data, would this be CUI//SP?

Answer: Depending on which legal authority applies to the ITAR information in question, it could be either basic or specified. See the Export control category: https://www.archives.gov/cui/registry/category-detail/export-control.html. Banner markings appear next to each applicable authority, indicating how they should be marked. 

Question: What about those that have in their signature line that their correspondence is FOUO? Will that practice need to stop upon implementation, and will there be a digital tool to assist in proper marking of CUI in Outlook and other document creation tools like MS Word?

Answer: Upon the implementation of the CUI Program within agencies, legacy practices (for marking) must cease. As the agency transitions to the standards of the CUI Program, FOUO/SBU-type markings will eventually be phased out. 

Question: If you use the coversheet, do you also have to mark all of the pages?

Answer: No. If a coversheet is used, interior pages do not need to be marked. 

Question: Is PII now marked CUI//SP-PRVCY?

Answer: Please see the Privacy categories listed on the CUI Registry. Underlying authorities will determine whether or not a category will be marked as specified or basic. 

Question: Does the Agency determine if CUI is Specified vs Basic?

Answer: No. The underlying authority (as listed on the CUI Registry) determines whether a category is basic or specified. Agency policy/procedure should reflect this distinction and where applicable, cite specific handling or dissemination requirements.

Question: If information I work on is considered export controlled, can it still be basic, or is it automatically specified?

Answer: Export control information may be either basic or specified, depending on the underlying authority that applies to the information in question. See the Export Controlled category: https://www.archives.gov/cui/registry/category-detail/export-control.html

Question: Is portion marking optional? Or is it required to have a marking preceding each paragraph, table, figure containing CUI?

Answer: Portion marking in the CUI Program is optional, though it may be directed in agency policy or contracts/agreements. Please see the CUI Marking Handbook for specific guidance on portion marking.

Question: If a Contractor develops CUI under a contract (i.e. a report or deliverable submitted under the contract) does the contractor decide the marking or does the contractor ask the contracting officer to provide the category and correct marking?

Answer: Contracting authorities should provide guidance on how CUI should be marked in association with contracts. CUI Markings should align to the marking requirements found on the CUI Registry. See list of approved banner markings for CUI Categories: https://www.archives.gov/cui/registry/category-marking-list

Question: I understand that CUI comes from the agency in a contract; if we create a document or material that helps support the execution of a contract, is that CUI?

Answer: In association with a contract, it would be CUI if the information in question aligned to an existing category of CUI. Questions regarding the status and marking requirements should be directed to contracting activities. 

Question: When there is CUI//SP in a classified doc, is a CUI header required alongside the class marking? Section marking required?

Answer: The CUI Marking handbook has specific guidance regarding the commingling of CUI and CNSI. See: https://www.archives.gov/files/cui/documents/20161206-cui-marking-handbook-v1-1-20190524.pdf

Question: The DoD has a DoD CUI registry; how does it relate to the NARA CUI registry?

Answer: Many agencies have elected to develop a mirror registry that reflects the CUI Categories commonly handled by their workforce. Categories reflected on an agency CUI Registry should be based on those listed on the national CUI Registry.

Question: How would contractor generated drawings be marked if they fall into controlled technical information?

Answer: Specific questions regarding the marking should be directed to contracting activities.

Question: Is there a list of executive agencies CUI covers?

Answer: All agencies of the Executive branch are required to implement the CUI Program. See https://www.usa.gov/branches-of-government

Question: I am relatively new to CUI. We use the Law Enforcement practice of “protecting the identity of Confidential Informants,” currently classified as “Law Enforcement Sensitive (LES)” information. To my knowledge this is NOT protected under existing statutory law, regulation, or Government-wide policy, and therefore would possibly not meet the requirements for protection under CUI controls. What is the best way to capture the LES information as CUI, or is it anticipated to be standalone with legacy markings?

Answer: There are a number of Law Enforcement categories listed on the CUI Registry. Upon the implementation of the CUI Program within an agency, the use of legacy markings must cease. If the information type you are needing to protect is not reflected on the CUI Registry and you believe there is a gap, please contact your agency’s CUI Program Manager so they can initiate a formal review and if needed start the process to establish a provisional category of CUI. Please see: https://www.archives.gov/files/cui/documents/20181116-cui-notice-2018-04-provisional-categories.pdf

Question: You just said use of CUI is only mandatory for the government. But what about it being contractually enforced when giving sponsored projects to companies and universities? I think it still applies, right?

Answer: The CUI Program is mandatory for Executive branch agencies and to any non-federal entities and their subcontractors who contract with and act on behalf of the Federal Government.

Question: Could you clarify the statement that the average user isn’t intended to use the registry but that the Agency program office should say what is CUI?

Answer: The CUI Registry was not intended to be a resource for the average user of CUI. The Registry is meant for program officials who are responsible for developing policy and procedure for their agency. The reason for this is that the CUI Registry cites to applicable laws, regulations, and government-wide policies. Program officials, when developing policy and procedure, must examine these underlying documents and reflect those requirements in agency policy (and training). That being said, there have been recent enhancements (in 2020) to the CUI Registry that would assist employees with applying the proper markings for CUI. Please see the marking list that contains banner markings that can be applied for CUI Categories.

Question: Is it true that banner is mandatory…except when you’ve chosen to use a cover sheet only?

Answer: For documents, yes.

Question: If it is not marked CUI from the Agency and we assume it is CUI, as a contractor, can I mark it, or do I need to go back to the originator for guidance? And if it is probably CUI and not marked, am I as a contractor liable for protecting the information on my network as CUI?

Answer: Any questions regarding the status of information should be directed to the originator. Any requirements to safeguard CUI on systems should be conveyed in applicable contracts or agreements with the government. 

Question: If you have multiple page documents with CUI, should you also use Portion Markings to identify the particular paragraph or item that contains CUI?

Answer: Portion markings, in the unclassified environment, are optional. If portion markings are used or required under your contract with an agency, they must be used throughout the document. Please see the CUI Marking Handbook for specific guidance. 

Question: For call in only certificates, who do we email for the certificate?

Answer: To receive a certificate for participating through the call (not able to connect to the webex), please send an email to cui@nara.gov. 

Question: Is there a tool for email marking?

Answer: Some agencies and vendors have been working to develop an automated tool to assist employees with marking CUI. The CUI EA is available to assist with the evaluation of automated marking tools. 

Question: If an Agency adopts CUI, and the clause is included in the contract, then the Contractor is required to adopt, correct? Also, what if the Contract has the clause, but the Agency has not provided documentation marked CUI, but the Contractor believes they are developing CUI internally; are they required to mark accordingly?

Answer: Questions regarding the marking/protection of CUI in association with a contract should be directed to the contracting activity. 

Question: Do emails containing CUI need to be encrypted?

Answer: Yes. 

Question: If a document is marked CUI//SP-PRVCY//Fed Only, do you still have to encrypt or password protect the document?

Answer: Yes. CUI must be encrypted in transit. 

Question: Coversheet = the first tab you see when you open a spreadsheet?

Answer: Not necessarily for spreadsheets, markings can be applied to the headers of the document. Coversheets or transmittals can be used to convey the status as CUI. 

Question: Are there specific requirements on how to destroy CUI physical documents?

Answer: Yes. See NIST SP 800-88. Also see CUI Notice 2019-03.

Question: When sharing legacy documents via email (e.g. FOUO), should I use CUI banner markings in the subject/filename, or is that considered remarking?

Answer: When sharing legacy documents (as attachments) via email, the CUI banner in the email itself can serve as the alert of sensitivity, much like the SF 901 in hard copy transmissions. 

Question: Is PII always considered CUI?

Answer: Yes. PII is considered CUI. There are numerous Privacy categories listed on the CUI Registry. See: https://www.archives.gov/cui/registry/category-list

Question: What is the banner configuration when you have classified and CUI in the same document? Does it follow current classification guidance, or is there an additional requirement for CUI? Bottom line, do I have to identify CUI in a classified banner?

Answer: Please see part two of the CUI Marking Handbook. This section describes how CUI Markings should appear when commingled with CNSI markings. 

Question: If portion marking is not required how is the recipient supposed to know what data needs to be marked as a carry forward derivative marking?

Answer: In documents, most elements that contain CUI would be easily identifiable (for example, Privacy information). When there is a question regarding the status of information contained within a document that will be used, consult the originator. Agencies or organizations that produce CUI products that will likely be used to create additional documents (as described) should apply portion marking to facilitate the proper application of markings.

Question: As to PII, is it CUI basic or specified (is that the same as the category SP-Privacy Information)?

Answer: It depends on which CUI category applies to the information in question; there are numerous Privacy categories of CUI. Categories are either basic or specified depending on the underlying authority. The CUI Registry provides guidance on how to mark CUI based on the underlying authorities.

Question: Our contracting officer is not providing the category of CUI. We have asked for it, based on the registry. What is our responsibility under our contract? Do we have to go to the registry and determine it, or do we press the contracting officer to tell us if it is CUI and what category it is?

Answer: Contractors are bound by the terms of their contracts or agreements with the government. Questions regarding the status of CUI and marking requirements should be directed to the contracting activity. 

Question: What are the storage requirements for CUI in hard copy form (paper, disk, media)? Does it have to be stored in a GSA container, locked in an office cabinet, etc. or can it be left on a desktop overnight in a locked office?

Answer: Hard copy CUI must be stored in an area or container that would prevent unauthorized access. GSA containers are not required to store CUI. CUI may be stored in controlled environments. A controlled environment is any area or space an authorized holder deems to have adequate physical or procedural controls (e.g., barriers or managed access controls) to protect CUI from unauthorized access or disclosure. Please see the Controlled Environments video for additional guidance: https://www.archives.gov/cui/training.html

Question: You just mentioned that there is training you can give. Can you send more details, please?

Answer: Upon request and based on available resources, the CUI Executive Agent is available to provide additional briefings and training to stakeholders. Send requests to cui@nara.gov. 

CUI Program Implementation Deadlines Issued

ISOO issued CUI Notice 2020-01 to facilitate a coordinated transition to the CUI Program.

Implementation Deadlines

Awareness campaign – By June 30, 2020, agencies must initiate an awareness campaign that informs their entire workforce of the coming transition to the standards of the CUI Program.

Policy – By December 31, 2020, agencies must issue policies that implement the CUI Program. Agencies may implement the CUI Program through a single policy or through multiple policies that address specific elements of the CUI Program. If an agency has sub-agencies, all of those subordinate components must develop and publish implementing policies and/or modify or rescind all affected policies by June 30, 2021.

Classification marking tools and commingling – By December 31, 2020, agencies that manage, own, or control Classification Marking Tools (CMT) used to mark Classified National Security Information must have initiated any modification of such CMTs as necessary to begin accounting for CUI markings described on the CUI Registry and the standards described in 32 CFR 2002.20(g).

Training – By December 31, 2021, agencies (including any sub-agencies or components) must deploy CUI training to all affected employees. Agencies may implement CUI training through a single module or through multiple modules. CUI training may be incorporated into existing agency training (such as privacy, information systems, or records management training).

Physical safeguarding – By December 31, 2021, agencies (including any sub-agencies or components) must implement or verify that all physical safeguarding requirements, as described in 32 CFR 2002 and in agency policies, are in place.

Information systems – By December 31, 2021, agencies (including any sub-agencies or components) must modify all Federal information systems to the standards identified in 32 CFR 2002. Federal and contractor information systems that are used to store, process, or transmit CUI must be configured at no less than the Moderate Confidentiality impact value (see 32 CFR 2002.14).

Reporting – CUI Senior Agency Officials must submit an annual report on the CUI Program to ISOO no later than November 1 each year, and report on implementation during the preceding fiscal year. Reports must cover all implementation and program activities from October 1 to September 30 of the preceding fiscal year. Only parent agencies are required to report directly to ISOO. Agency components, elements, sub-agencies, regional locations, divisions, and/or internal lines of business must report to their parent agency.

Agencies that anticipate delays in meeting any of the above deadlines must include a narrative in their annual report submission that describes the issue giving rise to the delay and projects when they expect to implement the delayed program element. They must also include a copy of their implementation plan or strategy. ISOO will evaluate and formally approve delays on a case-by-case basis and may report such delays to the President.


NSA Article: “Working from Home? Select and Use Collaboration Services More Securely”

A recently published article from the National Security Agency (NSA) Central Security Service (CSS) promotes newly issued guidance entitled Selecting and Safely Using Collaboration Services for Telework. This guidance provides simple, actionable considerations for individual government users and can be found here: Working from Home? Select and Use Collaboration Services More Securely.


“UNCLASSIFIED”, “(U)”, and “Unclassified”

  • “UNCLASSIFIED” in the banner marking indicates the absence of CUI and classified information.
  • “(U)” as a portion marking indicates the absence of CUI and classified information.
  • “Unclassified”, when not used in a marking, indicates that the information being referred to is not classified, but does not indicate whether the information is controlled (CUI).

Background:

Prior to the CUI Program, the term “unclassified” was used to describe information that did not meet the standards to be classified under Executive Order 13526. In classified environments, the banner marking of “UNCLASSIFIED” was placed at the top and bottom of pages to indicate the absence of classified information in documents. In portions of documents, a “(U)” indicated that a portion did not contain classified information.

In the absence of Government-wide guidance regarding the handling and marking of sensitive but unclassified information, Executive branch departments and agencies started applying additional indicators to convey the status of sensitive but unclassified information in classified documents. Markings such as “U//FOUO” and “U//LES” became commonly used in commingled documents (documents that contain both sensitive but unclassified, as well as classified information).

As agencies implement the CUI Program and modify marking standards to comply with those in 32 CFR Part 2002, the use of legacy markings, such as FOUO and LES, to describe sensitive but unclassified information will be phased out.

As part of this transition to the CUI Program, agencies should convey – through policy and training – that the term Unclassified (or Uncontrolled Unclassified Information, as described in 32 CFR Part 2002) refers to information that is neither CUI nor classified, but is still subject to agency public release policies.

Reference: CUI Marking Handbook

CUI Coversheet and Labels


There’s a completely new look on the horizon for the identification of CUI products. One part involves the individual document(s); the other involves all the other media forms. Also, the color for the new forms is purple, and thus it will be instantly distinguishable from all other forms!

The CUI coversheets themselves have been reduced to one, and while that one is reminiscent of the Optional Forms (OF) 901, OF 902, and OF 903, it has evolved into the Standard Form (SF) 901. It can be downloaded from either the ISOO or General Services Administration (GSA) website. It is still a fillable form and is provided at no cost (see ISOO Notice 2019-01). You may continue to use the old forms until existing supplies have been depleted; however, they can no longer be downloaded. The SF 901 is available for download immediately, and as before, once it is affixed to the top of the document(s), it remains attached until the document(s) no longer requires protection, is properly secured, and/or is decontrolled or destroyed.


The new SF 902 is a standard size label, much like the ones authorized for classified media, and is used to identify and protect electronic media and other media that contain CUI. It is used instead of the SF 901 for media other than documents. If your agency determines, as part of its risk management strategy, that a standard size label is required, the SF 902 will be used. It must be affixed to the medium containing CUI in a manner that would not adversely affect operation of the equipment in which the medium is used, and once it has been applied, it cannot be removed. This form is not yet available, but soon will be. It is expected to be available for purchase through GSA, but the exact date is yet to be determined. Also, it will not be downloadable, as it comes in a pad of about 50 sheets (5-1/4 X 4-1/4″ sheet of six 2-1/8 X 1-1/4″ labels), and its cost is to be approximately $25.00 per pad.


The new SF 903 is a thumb drive size label. The SF 903 is used to identify and protect electronic media that contains CUI. If your agency determines, as part of its risk management strategy, that a thumb drive size label is required, the SF 903 will be used. The SF 903 is affixed to a thumb drive containing CUI in a manner that would not adversely affect either operation of the drive or operation of the medium in which it is inserted, and as with the SF 902, once it has been applied, it cannot be removed. This form also is not yet available, but soon will be. It is expected to be available for purchase through GSA, but the exact date is yet to be determined. Similar to the SF 902, this form will not be downloadable, as it comes in a pad of about 50 sheets (5-1/4 X 4-1/4″ sheet of twelve 2-1/8 X 5/8″ labels), and its cost is to be approximately $25.00 per pad.


Please direct any questions regarding this post to: CUI@nara.gov