CUI Program Update for Stakeholders

The webinar is April 17, 2019,  (1-3 EDT).

Topics include:

  • A brief overview of the CUI program;
  • An update on agency implementation efforts;
  • The status and plans for a CUI Federal Acquisition Regulation Rule;
  • CUI Industry Day; and,
  • Time for Questions and Answers.

Hosted by: Devin Casey/Charlene Wallace/Joseph Taylor

Participant Instructions

The conference begins at 1:00 PM Eastern Time on April 17, 2019; you may join the conference 10 minutes prior.
Step 1: Dial into the conference.
Dial-in: 1-877-369-5243 or 1-617-668-3633
Access Code: 0506395##
Need an international dial-in number?

Step 2: Join the conference on your computer.

Entry Link: http://ems8.intellor.com/login/812719

When you access the entry link above, you will be provided a choice – to install the WebEx plug-in for your preferred browser or to join the web conference using a temporary path. Either option is acceptable.

Need technical assistance? Call the AT&T Help Desk at 1-888-796-6118 or 1-847-562-7015.

CUI Coversheet and Labels

sf combimed

There’s a completely new look on the horizon for the identification of CUI products.  One part involves the individual document(s); the other involves all the other media forms.  Also, the color for the new forms is purple, and thus it will be instantly distinguishable from all other forms!

The CUI coversheets themselves  have been reduced to one, and while that one is reminiscent of the Optional Forms (OF) 901, OF 902 and OF 903, and OF 903, it has evolved into the Standard Form (SF) 901.  It can be downloaded from either the ISOO or General Services Administration (GSA) website.  It is still a fillable form and is provided at no cost (see ISOO Notice 2019-01).  You may continue to use the old forms until existing supplies have been depleted, however they can no longer be downloaded.  The SF 901 is available for download immediately, and as before, once it is affixed to the top of the document(s), it remains attached until the document(s) no longer requires protection, is properly secured, and/or is decontrolled or destroyed.

coversheet image

The new SF 902 is is a standard size label, much like the ones authorized for classified media, and is used to identify and protect electronic media and other media that contain CUI.  It is used instead of the SF 901 for media other than documents.  If your agency determines, as part of its risk management strategy, that a standard size label is required, the SF 902 will be used.  It must be affixed to the medium containing CUI in a manner that would not adversely affect operation of the equipment in which the medium is used, and once it has been applied, it cannot be removed.  This form is not yet available, but soon will be.  It is expected to be available for purchase through GSA, but the exact date is yet to be determined.  Also it will be not be downloadable, as it comes in a pad of about 50 sheets (5-1/4 X 4-1/4″ sheet of six 2-1/8 X 1-1/4″ labels), and its cost is to be approximately $25.00 per pad.

sf902big

The new SF 903 is a thumb drive size label  The SF 903 is used to identify and protect electronic media that contains CUI.  If your agency determines, as part of its risk management strategy, that a thumb drive size label is required, the SF 903 will be used.  The SF 903 is affixed to a thumb drive containing CUI in a manner that would not adversely affect either operation of the drive or operation of the medium in which it is inserted, and as with the SF 902, once it has been applied, it cannot be removed.  This form also is not yet available, but soon will be.  It is expected to be available for purchase through GSA, but the exact date is yet to be determined.  Similar to the SF 902,  this form will not be downloadable, as it comes in a pad of about 50 sheets (5-1/4 X 4-1/4″ sheet of twelve 2-1/8 X 5/8″ labels), and its cost is to be approximately $25.00 per pad.

sf903big

Please direct any questions regarding this post to: CUI@nara.gov

14 Nov 2018 (1-3 EDT) CUI Program Update to Stakeholders​​ (Webinar link and call-in ​information)

The webinar is tomorrow, 14 Nov 2018 (1-3 EDT).

Topics include:

  • A brief overview of the CUI program;
  • An update on agency implementation efforts;
  • The status and plans for a CUI Federal Acquisition Regulation Rule;
  • CUI Industry Day Agenda; and,
  • Time for Questions and Answers.

Hosted by: Devin Casey

Participant Instructions

Step 1: Dial into the conference (you may join the conference up to 10 minutes prior.)

Dial-in: 1-877-369-5243 or 1-617-668-3633
Access Code: 0317561##
Need an international dial-in number?

Step 2: Join the conference on your computer.

Entry Link: http://ems8.intellor.com/login/809667

When you access the entry link above, you will be provided a choice – to install the WebEx plug-in for your preferred browser or to join the web conference using a temporary path. Either option is acceptable.

Need technical assistance? Call the AT&T Help Desk at 1-888-796-6118 or 1-847-562-7015.

 

CUI Updated Training Videos

ISOO has developed seven new training modules. These videos offer the most up-to-date information about the CUI Program.

Agencies (and stakeholders) may wish to use these videos to supplement their CUI Program training. However, it is important to note that ISOO does not track completion of these modules, so if your organization wishes to require viewing of these videos as part of your CUI training program, you must download and run them from organization’s training platform.  MP4 versions will be made available for download from the CUI Registry in the coming weeks.

NIST Special Publications Update

Two major NIST publications are about to be finalized on June 14: NIST Special Publication (SP) 800-171A, “Assessing Security Requirements for Controlled Unclassified Information”; and an update to the NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.” The draft 171A text may be found on the NIST site: https://csrc.nist.gov/publications/detail/sp/800-171a/draft.  The 800-171A is intended to help organizations develop assessment plans and conduct assessments of the security requirements in NIST SP 800-171, which defines the requirements for protecting CUI on non-Federal systems consistent with the CUI Federal regulation (32 CFR 2002.14h2).

​CUI Program Update to Stakeholders​​ (Slides and the Next Update)

Thank you to all those who joined us for the 15 May 2018 webinar! As promised here are the slides from that presentation which covered:

  • A brief overview of the CUI program;
  • An update on agency implementation efforts;
  • A review of all existing notices, policies, training and resources currently available from the CUI Registry;
  • The status and plans for a CUI Federal Acquisition Regulation rule; and
  • Questions and Answers.

Q&As from the webinar will be posted soon.

The next Update to Stakeholders will be 15 August 2018 (1-3 pm EST).

​CUI Program Update to Stakeholders​​ (Webinar link and call-in ​information)

​​The next scheduled webinar will be 15 May 2018 (1-3 EDT). 
P​lease use the following to access the webinar:
Dial-in Number:  800-988-0218
Audience passcode: 2160962

Conference number: PWXW7483514

Participants can join the event directly at:
https://www.mymeetings.com/nc/join.php?i=PWXW7483514&p=2160962&t=c

 

The webinar will include:

  • A brief overview of the CUI program;
  • An update on agency implementation efforts;
  • A review of all existing notices, policies, training and resources currently available from the CUI Registry;
  • The status and plans for a CUI Federal Acquisition Regulation Rule; and
  • Time for Questions and Answers.  Note:  During the webinar, participants may submit questions through the instant messenger feature.

Slides from CUI Briefing to Stakeholders on 2/15/2018

We had great attendance in our webinar yesterday with some great participation in the Q&A period. Thank you to all those who attended. The following topics were covered during the webinar:

A brief overview of the CUI program;
A summary of the upcoming changes to the CUI Registry;
An update on agency implementation efforts;
A review of all existing notices, policies, training and resources currently available from the CUI Registry;
The status and plans for a CUI Federal Acquisition Regulation Rule; and
Time for Questions and Answers.
Please see the slides attached: Feb 15, 2018 Webex

Q&As from the webinar will be posted soon.

CUI Program update to stakeholders

​The next scheduled webinar will be February 15, 2018 (1-3 EDT). All subscribers to the CUI Blog will receive links and call-in information to access the webinar prior to the event. The webinar will include:

  • A brief overview of the CUI program;
  • A summary of the upcoming changes to the CUI Registry;
  • An update on agency implementation efforts;
  • A review of all existing notices, policies, training and resources currently available;
  • from the CUI Registry;
  • The status and plans for a CUI Federal Acquisition Regulation Rule; and
  • Time for Questions and Answers.

ISOO Issues First CUI Notices of 2018

On January 24, 2018, ISOO issued two CUI Notices, one with recommendations for CUI Basic Training, and another regarding the agreements required for sharing CUI between Executive Branch entities and their non-Executive Branch partners.

The Notice on CUI Basic Training (CUI Notice 2018-02) recommends common learning objectives and curriculum design content, training delivery methods, and testing objectives, for Executive Branch entities to incorporate in their required basic-training courses on CUI.  The Notice presents these recommendations in the form of a table based on the first three levels of Bloom’s Taxonomy, a classification benchmark for learning objectives that is widely accepted by training professionals.

The Notice on Agreements (CUI Notice 2018-01) provides guidance and recommendations on how information-sharing agreements between Executive Branch entities and their non-Executive Branch partners must convey CUI Program requirements.  The Notice excludes reference to guidance for information-sharing with foreign entities.

The Notice explains that as Executive Branch entities implement their own CUI policies, they must negotiate modifications to existing agreements in compliance with the CUI Program.  When feasible, Executive Branch entities should enter into written agreements that include explicit CUI requirements.

Such agreements must require non-Executive Branch partners to handle CUI in accord with the CUI Program, subject to applicable penalties, while also stipulating that non-Executive Branch partners must follow methods approved by the Executive Branch entity in reporting any non-compliance with CUI requirements.

As a best practice, the Notice recommends that agreements between Executive Branch entities and their non-Executive Branch partners: 1) identify categories of CUI and specific handling, safeguarding, or dissemination requirements for CUI shared under the agreement; 2) state where the terms of the agreement will be performed; and, 3) indicate specific technical requirements for protecting the CUI, as well as whether a federal or non-federal information system will be used to process, store or transmit it.