Draft SP 800-172 (formerly Draft NIST SP 800-171B) is out for Public Comment

NIST SP 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft)

Comments are due by August 21, 2020.
Please see https://csrc.nist.gov/publications/detail/sp/800-172/draft for more information, the draft publication, and directions for submitting comments.

Background:

“In certain situations, CUI may be associated with a critical program6 or a high value asset7. These critical programs and high value assets are potential targets for the advanced persistent threat (APT). An APT is an adversary or adversarial group that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors, including cyber, physical, and deception. The APT objectives include establishing footholds within the infrastructure of the targeted organizations for purposes of exfiltrating information; undermining or impeding critical aspects of a mission, functions, program, or organization; or positioning itself to carry out these objectives in the future. The APT pursues its objectives repeatedly over an extended period, adapts to defenders’ efforts to resist it, and is determined to maintain the level of interaction needed to execute its objectives. While the category of CUI itself does not require greater protection, CUI associated with critical programs or high value assets is at greater risk because the APT is more likely to target such information and therefore requires additional protection.
6 The definition of a critical program may vary from organization to organization. For example, the Department of Defense defines a critical program as a program which significantly increases capabilities and mission effectiveness or extends the expected effective life of an essential system/capability [DOD ACQ].
7 See [OMB M-19-03] and [OCIO HVA].”

-NIST SP 800-172 (Daft) Lines 223-235

CUI Metadata standard available for review

The CUI Executive Agent has been working with the CUI Advisory Council and the National Information Exchange Model (NIEM) to develop a metadata standard for CUI categories and limited dissemination controls.  NIEM is a common vocabulary that enables efficient information exchange across diverse public and private organizations.

The draft standard can be found here and is available for comment until July 17, 2020.

​FCI and CUI, what is the difference?

Buckle up, this is a long one…

First, a disclaimer:

This blog post does not constitute CUI guidance.  This post is solely an effort to provide helpful information and context.

Then on to some definitions!

Federal contract information (from 48 CFR 52.204-21) means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

Controlled Unclassified Information (from 32 CFR 2002.4) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify. [emphasis added]

When we look at both of these definitions, we find some similarities as well as a very important distinction. Both CUI and FCI include information created or collected by or for the Government, as well as information received from the Government. But, while FCI is any information that is “not intended for public release,” CUI is information that requires safeguarding.

In short:  All CUI in possession of a Government contractor is FCI, but not all FCI is CUI.

So, what does this mean for safeguarding in a non-federal system?

Non-federal systems that store, process, or transmit FCI that does not also qualify as CUI must follow, at a minimum, the basic safeguarding requirements outlined in FAR clause 52.204-21.

Non-federal systems that store, process, or transmit CUI are required to meet any additional safeguarding requirements identified in the contract. As agencies implement the CUI program and incorporate the standards of this program into their contracts and agreements, the NIST SP 800-171 will be the minimum standard for protecting CUI in non-federal information systems and organizations (per 32 CFR 2002.14 and 2002.16).

TODAY: Q3 Stakeholders Update!

Slides can be downloaded here: CUI Update to Stakeholders Q3 2020

The conference is today from 1:00 – 3:00 PM Eastern Time; you may join the conference 10 minutes prior to the start time.

Step 1: Dial into the conference.
Dial-in: 1-877-369-5243 or 1-617-668-3633
Access Code: 0496807##

Step 2: Join the conference on your computer.
Entry Link: https://ems8.intellor.com/login/823604

Need assistance with your audio? Please dial 888-796-6118. Need assistance with your Webex? Please dial 888-793-6118.

CUI Program Implementation Deadlines issued

ISOO issued CUI Notice 2020-01 to facilitate a coordinated transition to the CUI Program.

Implementation Deadlines

Awareness campaign – By June 30, 2020, agencies must initiate an awareness campaign that informs their entire workforce of the coming transition to the standards of the CUI Program.

Policy – By December 31, 2020, agencies must issue policies that implement the CUI Program. Agencies may implement the CUI Program through a single policy or through multiple policies that address specific elements of the CUI Program. If an agency has sub-agencies, all those subordinate components must develop and publish implementing policies and/or modify or rescind all affected policies by June 30, 2021. 

Classification marking tools and commingling – By December 31, 2020, agencies that manage, own, or control Classification Marking Tools (CMT) used to mark Classified National Security Information must have initiated any modification of such CMTs as necessary to begin accounting for CUI markings described on the CUI Registry and the standards described in 32 CFR 2002.20(g).

Training – By December 31, 2021, agencies (including any sub-agencies or components) must deploy CUI training to all affected employees. Agencies may implement CUI training through a single module or through multiple modules. CUI training may be incorporated into existing agency training (such as privacy, information systems, or records management training).

Physical safeguarding – By December 31, 2021, agencies (including any sub-agencies or components) must implement or verify that all physical safeguarding requirements, as described in 32 CFR 2002 and in agency policies, are in place.

Information systems – By December 31, 2021, agencies (including any sub-agencies or components) must modify all Federal information systems to the standards identified in 32 CFR 2002. Federal and contractor information systems that are used to store, process, or transmit CUI must be configured at no less than the Moderate Confidentiality impact value (see 32 CFR 2002.14).

Reporting – CUI Senior Agency Officials must submit an annual report on the CUI Program to ISOO no later than November 1 each year, and report on implementation during the preceding fiscal year. Reports must cover all implementation and program activities from October 1 to September 30 of the preceding fiscal year. Only parent agencies are required to report directly to ISOO. Agency components, elements, sub-agencies, regional locations, divisions, and/or internal lines of business must report to their parent agency.

Agencies that anticipate delays in implementing any of the above deadlines must include a narrative in their annual report submission that describes the issue giving rise to the delay and projects when they expect to implement the delayed program element. They  must also include a copy of their implementation plan or strategy. ISOO will evaluate and formally approve delays on a case-by-case basis and may report such delays to the President.

 

 

Using CUI while teleworking during Coronavirus social distancing common issues: Cohabitants

There is an increased potential for CUI to be overheard or observed with more people likely to be in the home.

Many people used to have the house to themselves while teleworking and now in many households’ spouses, kids, and housemates are home.

Even in homes with a room that can be used as an office, it might be a room shared by both spouses. In this situation, even if both spouses work for the government, one spouse may not have a lawful government purpose to have access to information the other spouse has access to. Special attention should be paid to dissemination controls, particularly FED ONLY, NOCON, DL ONLY, Attorney-Client, Attorney-WP, and Deliberative.

Other employees do not live in a home with even the option of an extra room to serve as an office. This might include a couple living in a studio apartment or just a very full house.

Some employees also might live with housemates that are not of their choosing because of financial constraints. Nearly all of us can think back to the days — at some point in our life — that we were in this situation.

So how do agencies and employees establish a controlled environment to effectively safeguard CUI when it is used during telework?

There are lots of deeply personal reasons an employee might have to make the judgment call they need to take extra precautions in order to achieve a controlled environment. Just to name a few examples: a kid who tells everything to their friends or random strangers they walk by, an untrustworthy roommate, a family member with mental illness, or a divorce in progress.

In most cases an employee will prefer not to go into these details with a supervisor, the same way they might be willing to say they “live in a studio apartment with a parakeet”…though some employees might not even be comfortable saying that. 

Though the personal situation can be generalized to protect employee personal privacy, there are three steps that should occur:

  1. the employee should notify their supervisor they feel a need to take extra precautions and what those precautions are,
  2. the employee acknowledges it is their responsibility to achieve a controlled environment that effectively safeguards the information and the supervisor recognizes that part of their own obligation to safeguard the information is to empower the employee with the work time and resources to do this,
  3. the agency provides supplemental training on the safeguarding needed to achieve a controlled environment is given before CUI is used.  

An employee knows their home environment best, so be a good listener when an employee says “I cannot talk about that now,” “Can I email you,” “I need to call you back about that,” etc.

Keeping the computer screen from being observed is a different set of challenges and depend greatly on the physical configuration of the work environment.

Different solutions will be right for different employees. Here a couple items supervisors might want to consider:

  • Providing flexible schedules (for example, to work at a time when others aren’t around)
  • Providing flexible range of assignments (so non-CUI work can be done if the environment changes)
  • Providing screen protectors (to limit the angles a computer screen is readable from)
  • Providing headphones (that can be used instead of speaker phones or laptop speakers; note: it remains the employee’s responsibility keep in mind people around them and be mindful of what information they are talking about)
  • Providing refresher training (particularly tailored to our new telework environment)

Employees also need to remember their obligation to report security and safeguarding incidents, even ones that happen at home. It is an essential security and safeguarding practice for agencies to foster a culture of self-reporting.

In addition, telework.gov is a great resource to check out for additional information.

What are other solutions that you have found to be a best practice as we all adjust to teleworking with a full house? What topics would you suggest be included in refresher training about creating a controlled environment while teleworking with a full house?

Save the Date: CUI Marking class (Webex)

CUI Marking Handbook Cover Image

The CUI Program Office will be hosting another

CUI Marking class

Date: May 19, 2020

Time: 11:00 am – 1:00 pm (EST)

You do not have to rsvp for this class, the information  will be posted as soon as it becomes available.

If you have any questions or concerns, please feel free to email us at CUI@nara.gov

 

NOTE: If you attended the CUI Marking class on April 23, 2020; your completion certificate will be emailed to you by the end of this week. 

 

 

Agency Considerations when allowing employees to telework with Controlled Unclassified Information (CUI) during the COVID-19 pandemic

The CUI program has a lot of flexibility built in to allow agencies to accomplish their mission, including while employees are teleworking.

Agencies must ensure CUI is safeguarded in accordance with 32 CFR 2002 (the CUI Program’s implementing directive) and the applicable laws, regulations, and government-wide policies. In doing so agencies must establish controlled environments where CUI can be effectively safeguarded. 

Telework agreements can be used to spell out whether or not CUI is permitted, as well as, which categories of CUI employees can use while teleworking. The agreement should also outline what controls (physical or electronic) need to be in place to ensure adequate protection.

Here are some common issues agencies may encounter as they allow employees to telework with CUI:

1. Increased potential for CUI to be overheard or observed with more people likely to be in the home

2. Difficulty securing devices used for telework (computers, cell phones, tablets, routers, modems)

3. Ensuring compliance with current policies and limiting use of unauthorized equipment and media

4. Enabling employees to accomplish their tasks and adjusting expectations limit use of unauthorized workarounds

Agencies, in consultation with CUI Program Officials, should develop additional guidance that addresses each of the issues described above.  Front-line supervisors should initiate discussions with their employees to assist and determine the best ways to ensure the protection of CUI while teleworking.