Q1 Stakeholders Meeting 12/17/2020

The conference will be held from 1:00 – 3:00 PM Eastern Time on December 17, 2020.

Topics include:

  • CUI and Metadata (update)
  • CUI Federal Acquisition Regulation case (update)
  • NIST SP 800-172 (update)
  • NIST SP 800-171A and CUI Notice 2020-04 discussion
  • Recent CUI Notices (2020-06 and 2020-07)
  • Live Question and Answer period

Call in / Webex information will be posted closer to the date of the event.

CUI Q4 Stakeholders Update! Wednesday @ 1:00 (ET)

The conference is from 1:00 – 3:00 PM Eastern Time on August 19, 2020.

Step 1: Dial into the conference.
Dial-in: 888-251-2949 or 215-861-0694
Access Code: 2563977#

Step 2: Join the conference on your computer.
Entry Link: https://ems8.intellor.com/login/830824

Topics include:

  • CUI and Metadata (update)
  • CUI Federal Acquisition Regulation case (update)
  • Recent CUI Notices
  • An overview of some frequently asked questions
  • Live Question and Answer period

New ESTIMATED Comment Period for CUI FAR Case

The Spring 2020 Unified Agenda of Regulatory and Deregulatory Actions has been published. With it come a new estimated notice of proposed rulemaking (NPRM) date and a new estimated end date for the NPRM comment period for the Federal Acquisition Regulation (FAR) case on Controlled Unclassified Information (CUI), FAR Case 2017-016.

The comment period is from Oct 2020 to Dec 2020 (these dates are an estimate and are subject to change).

More information can be found here:  https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202004&RIN=9000-AN56

AD HOC STAKEHOLDER UPDATE: CUI Metadata markings and NIEM 5.0 beta 1 Release (Presentation with Q&A)

Join us on Monday for a quick presentation and some Q&A!

The conference begins at 2:30 PM Eastern Time on July 13, 2020; you may join the conference 10 minutes prior.

Step 1: Dial into the conference.
Dial-in: 888-251-2949 or 215-861-0694
Access Code: 2367572#

Step 2: Join the conference on your computer.
Entry Link: https://ems8.intellor.com/login/829772

Need technical assistance?
Audio Connection: 1-888-796-6118 or 1-847-562-7015
Web Connection: 1-888-793-6118

The Ad Hoc Stakeholder Update will have two parts followed by a short Q&A:

  • (10-15 min) An introduction to the CUI Program and how metadata markings can help support CUI Marking and Sharing Requirements. By Devin Casey, Program Analyst.

DEVIN CASEY is the lead for agency implementation and oversight activities for the Controlled Unclassified Information (CUI) Program. Since joining the CUI Program, Devin has authored numerous policies and guidance documents that have aided stakeholders, both agencies and industry, in the implementation and management of the CUI Program.

  • (30 min) An overview of the CUI additions to the upcoming NIEM 5.0 as well as instructions on how to submit comments to NIEM 5.0 Beta 1. By Charles Chipman, Senior Research Scientist.

CHARLES “CHUCK” CHIPMAN is a senior research scientist at the Georgia Tech Research Institute (GTRI) supporting the Joint Staff J6 Data and Services Division, which serves as the NIEM Management Office and MilOps Domain steward. He is retired Air Force (C4ISR) and, before joining GTRI, spent 10 years as a contractor supporting the Air Force’s Joint Interoperability of Tactical Command and Control Systems (JINTACCS) program, primarily providing configuration management of the U.S. Message Text Format Program (MIL-STD-6040), an XML-based exchange standard; that work is where he was introduced to NIEM and GTRI.

  • (15-20 min) Q&A

Draft SP 800-172 (formerly Draft NIST SP 800-171B) is out for Public Comment

NIST SP 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft)

Comments are due by August 21, 2020.
Please see https://csrc.nist.gov/publications/detail/sp/800-172/draft for more information, the draft publication, and directions for submitting comments.


“In certain situations, CUI may be associated with a critical program [6] or a high value asset [7]. These critical programs and high value assets are potential targets for the advanced persistent threat (APT). An APT is an adversary or adversarial group that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors, including cyber, physical, and deception. The APT objectives include establishing footholds within the infrastructure of the targeted organizations for purposes of exfiltrating information; undermining or impeding critical aspects of a mission, functions, program, or organization; or positioning itself to carry out these objectives in the future. The APT pursues its objectives repeatedly over an extended period, adapts to defenders’ efforts to resist it, and is determined to maintain the level of interaction needed to execute its objectives. While the category of CUI itself does not require greater protection, CUI associated with critical programs or high value assets is at greater risk because the APT is more likely to target such information and therefore requires additional protection.

[6] The definition of a critical program may vary from organization to organization. For example, the Department of Defense defines a critical program as a program which significantly increases capabilities and mission effectiveness or extends the expected effective life of an essential system/capability [DOD ACQ].
[7] See [OMB M-19-03] and [OCIO HVA].”

- NIST SP 800-172 (Draft), lines 223-235

CUI Metadata standard available for review

The CUI Executive Agent has been working with the CUI Advisory Council and the National Information Exchange Model (NIEM) program to develop a metadata standard for CUI categories and limited dissemination controls.  NIEM is a common vocabulary that enables efficient information exchange across diverse public and private organizations.

The draft standard can be found here and is available for comment until July 17, 2020.

FCI and CUI, what is the difference?

Buckle up, this is a long one…

First, a disclaimer:

This blog post does not constitute CUI guidance.  This post is solely an effort to provide helpful information and context.

Then on to some definitions!

Federal contract information (from 48 CFR 52.204-21) means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

Controlled Unclassified Information (from 32 CFR 2002.4) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify. [emphasis added]

When we look at both of these definitions, we find some similarities as well as a very important distinction. Both CUI and FCI cover information created or collected by or for the Government, as well as information received from the Government. The difference is what triggers the status: FCI is any such information that is “not intended for public release,” while CUI is information that a law, regulation, or Government-wide policy requires or permits an agency to handle with safeguarding or dissemination controls.

In short:  All CUI in possession of a Government contractor is FCI, but not all FCI is CUI.

So, what does this mean for safeguarding in a non-federal system?

Non-federal systems that store, process, or transmit FCI that does not also qualify as CUI must follow, at a minimum, the basic safeguarding requirements outlined in FAR clause 52.204-21.

Non-federal systems that store, process, or transmit CUI must also meet any additional safeguarding requirements identified in the contract. As agencies implement the CUI Program and incorporate its standards into their contracts and agreements, NIST SP 800-171 will be the minimum standard for protecting CUI in non-federal information systems and organizations (per 32 CFR 2002.14 and 2002.16).

TODAY: Q3 Stakeholders Update!

Slides can be downloaded here: CUI Update to Stakeholders Q3 2020

The conference is today from 1:00 – 3:00 PM Eastern Time; you may join the conference 10 minutes prior to the start time.

Step 1: Dial into the conference.
Dial-in: 1-877-369-5243 or 1-617-668-3633
Access Code: 0496807##

Step 2: Join the conference on your computer.
Entry Link: https://ems8.intellor.com/login/823604

Need assistance with your audio? Please dial 888-796-6118. Need assistance with your Webex? Please dial 888-793-6118.