The conference is from 1:00 – 3:00 PM Eastern Time on August 19, 2020. Step 1: Dial into the conference. Dial-in: 888-251-2949 or 215-861-0694 Access Code: 2563977# Step 2: Join the conference on your computer. Entry Link: https://ems8.intellor.com/login/830824
The Spring 2020 Unified Agenda of Regulatory and Deregulatory Actions has been published and with it comes a new, estimated, notice of proposed rulemaking (NPRM) date as well as a new, estimated, NPRM comment period end for the Federal Acquisition Regulation (FAR); FAR Case 2017-016, Controlled Unclassified Information (CUI).
The comment period is from Oct 2020 to Dec 2020 (these dates are an estimate and are subject to change).
Need technical assistance?
Audio Connection: 1-888-796-6118 or 1-847-562-7015
Web Connection: 1-888-793-6118
The Ad Hoc Stakeholder Update will have two parts followed by a short Q&A:
(10-15 min) An introduction to the CUI Program and how metadata markings can help support CUI Marking and Sharing Requirements. By Devin Casey, Program Analyst.
DEVIN CASEY is the lead for agency implementation and oversight activities for the Controlled Unclassified Information (CUI) Program. Since joining the CUI Program, Devin has authored numerous policies and guidance documents that have aided stakeholders, agencies and industry, in the implementation and management of the CUI Program.
(30 min) An overview of the CUI additions to the upcoming NIEM 5.0 as well as instructions on how to submit comments to NIEM 5.0 Beta 1. By Charles Chipman, Senior Research Scientist.
CHARLES “CHUCK” CHIPMAN is a senior research scientist working for Georgia Tech Research Institute (GTRI) supporting the Joint Staff J6 Data and Services Division, which serves as the NIEM Management Office and MilOps Domain steward. He is retired Air Force (C4ISR) and before GTRI spent 10 years as a contractor supporting the AF’s Joint Interoperability of Tactical Command and Control Systems (JINTACCS) program, primarily providing configuration management of the U.S. Message Text Format Program (MilStd6040), an XML-based exchange standard, which is where he was introduced to NIEM/GTRI.
“In certain situations, CUI may be associated with a critical program6 or a high value asset7. These critical programs and high value assets are potential targets for the advanced persistent threat (APT). An APT is an adversary or adversarial group that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors, including cyber, physical, and deception. The APT objectives include establishing footholds within the infrastructure of the targeted organizations for purposes of exfiltrating information; undermining or impeding critical aspects of a mission, functions, program, or organization; or positioning itself to carry out these objectives in the future. The APT pursues its objectives repeatedly over an extended period, adapts to defenders’ efforts to resist it, and is determined to maintain the level of interaction needed to execute its objectives. While the category of CUI itself does not require greater protection, CUI associated with critical programs or high value assets is at greater risk because the APT is more likely to target such information and therefore requires additional protection. 6 The definition of a critical program may vary from organization to organization. For example, the Department of Defense defines a critical program as a program which significantly increases capabilities and mission effectiveness or extends the expected effective life of an essential system/capability [DOD ACQ]. 7 See [OMB M-19-03] and [OCIO HVA].”
The CUI Executive Agent has been working with the CUI Advisory Council and the National Information Exchange Model (NIEM) to develop a metadata standard for CUI categories and limited dissemination controls. NIEM is a common vocabulary that enables efficient information exchange across diverse public and private organizations.
The draft standard can be found here and is available for comment until July 17, 2020.
This blog post does not constitute CUI guidance. This post is solely an effort to provide helpful information and context.
Then on to some definitions!
Federal contract information (from 48 CFR 52.204-21) means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
Controlled Unclassified Information(from 32 CFR 2002.4)is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify. [emphasis added]
When we look at both of these definitions, we find some similarities as well as a very important distinction. Both CUI and FCI include information created or collected by or for the Government, as well as information received from the Government. But, while FCI is any information that is “not intended for public release,” CUI is information that requires safeguarding.
In short: All CUI in possession of a Government contractor is FCI, but not all FCI is CUI.
So, what does this mean for safeguarding in a non-federal system?
Non-federal systems that store, process, or transmit FCI that does not also qualify as CUI must follow, at a minimum, the basic safeguarding requirements outlined in FAR clause 52.204-21.
Non-federal systems that store, process, or transmit CUI are required to meet any additional safeguarding requirements identified in the contract. As agencies implement the CUI program and incorporate the standards of this program into their contracts and agreements, the NIST SP 800-171 will be the minimum standard for protecting CUI in non-federal information systems and organizations (per 32 CFR 2002.14 and 2002.16).
On June 3, 2020, ISOO issued CUI Notice 2020-02, Alternative Marking Methods. This notice provides agencies with additional marking guidance for when it is impractical to individually mark CUI due to its quantity, the nature of the information, or when the agency has issued a limited CUI marking waiver.