Below are answers to the questions that were asked during April 23rd CUI marking class (Webex).
Click here for a link to the slides.
Question: What do you mean “when it CUI leaves the agency”. Does this mean as an example when it CUI leaves “DoD” ?
Answer: Generally, when an agency issues a limited waiver for marking CUI that remains under their control, CUI does not need to be marked. When the information is shared with outside entities (outside the agency, or an internal component of the agency) the CUI must be marked or identified in accordance with the CUI Program. Agencies can establish limited waivers for their entire agency or to select components within their agency. If an agency elects to issue such waivers, it must still take reasonable steps to inform the users of the existence of CUI upon transmission to external entities.
Question: Can CUI be stored on a shared network by industry contractors if strong protections are applied, or should it be kept on a separate secured system or network?
Answer: CUI can be stored on industry systems provided it is permitted by the contract or agreement and that the systems align to the minimum requirements, as described in the contract or agreement. The NIST SP 800-171 is the minimum standard for protecting CUI on non-federal systems. There is no prohibition on sharing or providing access to industry contractors, as long as all of the cyber security requirements are met and the information is shared in accordance with any limited dissemination control markings, contract stipulations, and a lawful government purpose determination. All of this must be accomplished in accordance with agency policy and the content of the contract or agreement.
Question: If CUI basic must be marked “CUI” or “Controlled”, when will all CFRs (online and hardcopy) be appropriately marked. Note: Marking Basic in this way creates issues for DLP systems as Basic does not require additional protections.
Answer: CFRs (code of federal regulations) are not Controlled Unclassified Information. Current CFRs can be found on publicly available websites [https://gov.ecfr.io/cgi-bin/ECFR?page=browse]
Question: Can CUI information be shared on WebEx?
Answer: Maybe. Employees should verify that the webex technology aligns to the safeguards prescribed by the agency and by those described by 32 CFR 2002 (i.e. the moderate confidentiality baseline). Please refer to the CUI blog post on NSA Article: “Working from Home? Select and Use Collaboration Services More Securely” Employees should consult with their designated program office prior to sharing CUI via webex. Generally, the sharing of CUI should be limited to only the degree necessary to support current operations. As always, contractors must follow all of the requirements in their contracts or agreements which may provide more detailed guidance.
Question: Do we have a list of items that fall under CUI?
Answer: The CUI Registry lists all approved categories of CUI.
Question:: Our company uses WebEx so it is approved on our systems. The questions my leader asked today was if CUI can be shared on WebEx, so it looks like as long as the markings are on presentations?
Answer: CUI Markings are not sufficient to ensure the protection of the information. Markings do serve as an alert to users of what is being shared. Prior to using any Webex technology to share CUI, we advise verifying with organization/agency officials to ensure that proper safeguards are in place on the system and that the technology has been cleared/authorized for use with CUI. Please also see CUI blog post titled: NSA Article: “Working from Home? Select and Use Collaboration Services More Securely”
Question:: How does CUI marking enable compliance with 5 U.S.C. 552, Freedom of Information Act?
Answer: CUI markings do not speak directly to FOIA exemptions. While many CUI Categories would align to exemptions under FOIA, there is not a direct relationship between CUI categories and FOIA exemptions. Agency personnel should follow their agency release procedures. Our office has developed a number of resources that can assist users in understanding the relationship between FOIA and CUI. See: https://www.archives.gov/cui/training.html
Question: CUI can be shared in collaborative environments and forums that meet the required cyber-security requirements. (NIST SP 800-53 moderate confidentiality, NIST 800-171, or fedramp moderate depending on what the system is and who owns it).
Answer: CUI should not be shared on a webex that is accessible to the public or that does not meet the above requirements.
Question: Can you advise whether today’s scope is only CUI / DFARS (NIST 800-171) or covering some of the overlapping domains with CMMC L3 too, as the later became mandatory for DoD Government contracts from 07/2020
Answer: The scope of the session was on the markings of the CUI Program, as described in 32 CFR 2002 and the guidance published on the CUI Registry. These markings are not yet in use at all agencies, as such all employees should continue to follow existing agency policy until directed to use the new markings. Non-federal entities (including contractors) should continue to follow the requirements as outlined in their contracts or agreements and not use these markings unless directed to do so.
Question: Does that include within components of an agency as well?
Answer: This question likely relates to limited waivers issued within the agency. Parent agencies can authorize component elements to waive markings while it remains within their control. Upon transmission outside of the component element, the CUI must be marked or identified in accordance with the standards of the CUI Program.
Question: When contractors generate and mark CUI, what designator should be used?
Answer: The designation indicator can be the company name and also the agency associated with the contract. If possible, specific contact information should be included (name, phone number, email address, etc). Agency policies, contracts, or agreements may contain more specific guidance as to how this element should be filled out.
Question: Would the designation indicator be used with CUI Basic or only CUI Specified controls?
Answer: The designation indicator requirements for CUI basic and specified are identical and must be included for both.
Question: So would the CMMC certification level requirements be reflected in the “Limited Distribution” section?
Answer: No. CMMC certification levels are not dissemination controls. The only limited dissemination controls authorized for use with CUI are those found on the CUI Registry.
Question: It has been difficult to determine basic or specified; for example, it seems some ITAR information is basic, other is specified, but it’s not very clear to determine.
Answer: The CUI Registry provides information on whether a category is basic or specified. What determines whether a category is basic or specified is the underlying authority. The CUI Registry contains information on what the banner markings should be based on the authorities. For Export Control information, see: https://www.archives.gov/cui/registry/category-detail/export-control.html
Question: Is CDI (what we use ) the same as CUI?
Answer: CDI (covered defense information) is not a category of CUI but rather an overarching term that could include CUI. CDI or FOUO as terms will eventually be phased out and replaced with CUI terminology and category designations.
Question: When does the CUI Program go into effect?
Answer: For agencies, the CUI Program will go into effect when the agency issues a policy that reflects the standards of the program. Most agencies have already issued policies and most are projected to have policies issued by December of 2020. For industry, the program goes into effect when referenced in contracts and agreements.
Question: The legacy waiver is sought by the agency, right? Not the contractor/licensee?
Answer: Yes. Legacy waivers are issued by agencies. Contractors do not have to remark sensitive information shared or produced by them in association with existing or prior contracts. The terms of those contracts remain in effect until modified by the USG.
Question: For contracts with DoD agencies, should the contracting officer tell the contractor what is CUI and how it should be marked?
Answer: Yes, that is the goal. However, as agencies are still in the process of implementing the CUI program, be sure to follow any existing requirements directing the marking or protection of unclassified information. Under the new Federal Acquisition Regulation (FAR), a standard form is being contemplated that will require this level of granularity in all contracts where CUI is involved. The FAR is expected to be released for public comment in the summer of 2020.
Question: My company interacts with the NRC. Who is responsible for marking documents as CUI? Our company, or the NRC, or both of us?
Answer: It depends on the terms of the contract. Some contracts may require industry to generate CUI, if so, they would be responsible to apply markings. Any CUI shared with industry should be marked accordingly. Any and all USG markings should only be applied in accordance with the contract or agreement.
Question: On DoD contracts, we’ve seen CUI checked in the DD254 for over a year now but DoD hasn’t adopted this. It’s very confusing as to when we are supposed to start seeing/marking CUI on these contracts.
Answer: Questions regarding the pace and plans to implement the CUI Program within the DOD can be directed to: email@example.com
Question: Is there a lists of agencies that have adopted CUI?
Answer: Currently, there is not a list of agencies that have adopted the CUI Program. Every agency of the executive branch is required to implement the CUI Program (https://www.usa.gov/branches-of-government). ISOO monitors implementation actions by parent agencies. The CUI Registry maintains a list of all registered program officials or contact information. https://www.archives.gov/cui/about/contact.html#contact-an-agency
Question: These are fairly significant changes to the marking system. What, if anything, precipitated them?
Answer: Executive order 13556, Purpose, section 1 : “At present, executive departments and agencies (agencies) employ ad hoc, agency-specific policies, procedures, and markings to safeguard and control this information, such as information that involves privacy, security, proprietary business interests, and law enforcement investigations. This inefficient, confusing patchwork has resulted in inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing. The fact that these agency specific policies are often hidden from public view has only aggravated these issues. To address these problems, this order establishes a program for managing this information, hereinafter described as Controlled Unclassified Information, that emphasizes the openness and uniformity of Government-wide practice.”
Question: Does CUI have the same “Need-to-Know” requirements as FOUO?
Answer: The CUI policy does not mention “Need-to-Know”, but it does have a very similar concept “Lawful Government Purpose”. Under the CUI Program, Lawful Government Purpose is the access and sharing standard. Lawful Government purpose is any activity, mission, function, operation, or endeavor that the U.S. Government authorizes or recognizes as within the scope of its legal authorities or the legal authorities of non-executive branch entities (such as state and local law enforcement).
Question: CUI can be shared in collaborative environments and forums, to include a teleconference, that meet the required cybersecurity requirements. (NIST SP 800-53 moderate confidentiality, NIST 800-171, or fedramp moderate depending on what the system is and who owns it). CUI should not be shared on a webex that is accessible to the public or that does not meet the above requirements.
Answer: Yes, collaborative environments used to share or process CUI must meet the minimum standards for protecting CUI. See NIST SP 800-53, NIST SP 800-171.
Question: We’re being told in the DIB TAWG that WebEx is not approved for CUI and that O365 GCC High or DoD has to be used to be CUI compliant.
Answer: Agencies (and organizations) must provide guidance to employees regarding approved/authorized systems where CUI can be handled. Follow all agency policy regarding approved systems or applications for CUI.
Question: Is this also related to CMMC (katie arrington)
Answer: CMMC uses some of the requirements found in the 32 CFR 2002 (CUI Implementing directive), specifically, the NIST SP 800-171.
Question: Will there be information/guidance regarding products that automate tagging for emails and documents?
Answer:The CUI EA is available to assist agencies in the evaluation of products and services related to the CUI program. There are plans to publish a meta-data tagging standard for CUI Categories. We expect this standard to be available for public comment in the coming months (May/June). The meta-data standard should assist developers in creating automated/assisted marking tools.
Question: We utilize an on-site shredding service, is this method approved for destroying CUI?
Question:Will USCIS apply this program to the applicant files? Currently we mark SBU or FOUO because of the PII contained within.
Answer: Yes. Applicant files that contain CUI should be marked as such. Legacy practices must remain in effect until USCIS implements the standards of the CUI Program.
Question: ITAR Technical Data has its own protections from DDTC. Is ITAR data always CUI Specific, or only when designated by a government agency? In other words, if we as a contractor are doing an internal R&D effort with ITAR data, would this be CUI//SP?
Answer: Depending on which legal authority applies to the ITAR information in question, it could be either basic or specified. See the Export control category: https://www.archives.gov/cui/registry/category-detail/export-control.html. Banner markings appear next to each applicable authority, indicating how they should be marked.
Question: What about those that have in their signature line that their correspondence is FOUO? Will that practice need to stop upon implementation and will there be a digital tool to assist in proper marking of CUI in outlook and other document creation tools like MS Word
Answer: Upon the implementation of the CUI Program within agencies, legacy practices (for marking) must cease. As the agency transitions to the standards of the CUI Program, FOUO/SBU-type markings will eventually be phased out.
Question: If you use the coversheet, do you also have to mark all of the pages?
Answer: No. If a coversheet is used, interior pages do not need to be marked.
Question: Is PII now marked CUI//SP-PRVCY?
Answer: Please see the Privacy categories listed on the CUI Registry. Underlying authorities will determine whether or not a category will be marked as specified or basic.
Question: Does the Agency determine if CUI is Specified vs Basic?
Answer: No. The underlying authority (as listed on the CUI Registry) determines whether a category is basic or specified. Agency policy/procedure should reflect this distinction and where applicable, cite specific handling or dissemination requirements.
Question: If information I work on is considered export controlled, can it still be basic, or is it automatically specified?
Answer: Export control information may be either basic or specified, depending on the underlying authority that applies to the information in question. See the Export Controlled category: https://www.archives.gov/cui/registry/category-detail/export-control.html
Question: Is portion marking optional? Or is it required to have a marking preceding each paragraph, table, figure containing CUI?
Answer: Portion marking in the CUI Program is optional, though it may be directed in agency policy or contracts/agreements. Please see the CUI Marking Handbook for specific guidance on portion marking.
Question: If a Contractor develops CUI under a contract (i.e. a report or deliverable submitted under the contract) does the contractor decide the marking or does the contractor ask the contracting officer to provide the category and correct marking?
Answer: Contracting authorities should provide guidance on how CUI should be marked in association with contracts. CUI Markings should align to the marking requirements found on the CUI Registry. See list of approved banner markings for CUI Categories: https://www.archives.gov/cui/registry/category-marking-list
Question: I understand that CUI comes from the agency in a contract; if we create a document or material that helps support the execution of a contract, is that CUI?
Answer: In association with a contract, it would be CUI if the information in question aligned to an existing category of CUI. Questions regarding the status and marking requirements should be directed to contracting activities.
Question: When there is CUI//SP in a classified doc, is a CUI header required alongside the class marking? Section marking required?
Answer: The CUI Marking handbook has specific guidance regarding the commingling of CUI and CNSI. See: https://www.archives.gov/files/cui/documents/20161206-cui-marking-handbook-v1-1-20190524.pdf
Question: The DoD has a DoD CUI registry, how does it relate to the NARA CUI registry
Answer: Many agencies have elected to develop a mirror registry that reflects the CUI Categories commonly handled by their workforce. Categories reflected on agency CUI Registry should be based on those listed on the national CUI Registry.
Question: How would contractor generated drawings be marked if they fall into controlled technical information?
Answer: Specific questions regarding the marking should be directed to contracting activities.
Question: Is there a list of executive agencies CUI covers?
Answer: All agencies of the Executive branch are required to implement the CUI Program. See https://www.usa.gov/branches-of-government
Question: I am relatively new to CUI, we use the Law Enforcement practice of “protecting the identity of Confidential Informants” currently classified as “Law Enforcement Sensitive LES” information, to my knowledge this is NOT protected under existing statutory law, regulation, or Government-wide policy, and therefore, would possibly not meet the requirements for protection under CUI controls. What is the best way to capture the LES information as CUI or is it anticipated to be standalone with legacy markings ?
Answer: There are a number of Law Enforcement categories listed on the CUI Registry. Upon the implementation of the CUI Program within an agency, the use of legacy markings must cease. If the information type you are needing to protect is not reflected on the CUI Registry and you believe there is a gap, please contact your agency’s CUI Program Manager so they can initiate a formal review and if needed start the process to establish a provisional category of CUI. Please see: https://www.archives.gov/files/cui/documents/20181116-cui-notice-2018-04-provisional-categories.pdf
Question: You just said use of CUI is only mandatory for the government. But what about it being contractually enforced when giving sponsored projects to companies and universities? I think it still applies, right?
Answer: The CUI Program is mandatory for Executive branch agencies and to any non-federal entities and their subcontractors who contract with and act on behalf of the Federal Government.
Question: Could you clarify the statement that the average user isn’t intended to use the registry but that the Agency program office should say what is CUI?
Answer: The CUI Registry was not intended to be a resource for the average user of CUI. The Registry is meant for program officials who are responsible for developing policy and procedure for their agency. The reason for this is that the CUI Registry cites to applicable laws, regulations, and government wide policies. Program officials, when developing policy and procedure, must examine these underlying documents and reflect those requirements in agency policy (and training). This being said, there have been recent enhancements (in 2020) to the CUI Registry that would assist employees with applying the proper markings for CUI. Please see the marking list that contains banner markings that can be applied for CUI Categories.
Question: Is it true that banner is mandatory…except when you’ve chosen to use a cover sheet only?
Answer: For documents, yes
Question: If it is not marked CUI from the Agency and we assume it is CUI, as a contractor, can I mark it or do I need to go back to the originator for guidance. And if it is probably CUI and not marked, am I as a contractor liable for protecting the information on my network as CUI
Answer: Any questions regarding the status of information should be directed to the originator. Any requirements to safeguard CUI on systems should be conveyed in applicable contracts or agreements with the government.
Question: If you have multiple page documents with CUI, should you also use Portion Markings to identify the particular paragraph or item that contains CUI?
Answer: Portion markings, in the unclassified environment, are optional. If portion markings are used or required under your contract with an agency, they must be used throughout the document. Please see the CUI Marking Handbook for specific guidance.
Question: For call in only certificates, who do we email for the certificate?
Answer: To receive a certificate for participating through the call (not able to connect to the webex), please send an email to firstname.lastname@example.org.
Question: Is there a tool for email marking?
Answer: Some agencies and vendors have been working to develop an automated tool to assist employees with marking CUI. The CUI EA is available to assist with the evaluation of automated marking tools.
Question: If an Agency adopts CUI, and the clause is included in the contract, then is the Contractor required to adopt correct? Also, what if the Contract has the clause, but the Agency has not provided documentation marked CUI, but the Contractor believes they are developing CUI internally, are they required to mark accordingly?
Answer: Questions regarding the marking/protection of CUI in association with a contract should be directed to the contracting activity.
Question: Do emails containing CUI need to be encrypted?
Question: If a document is marked CUI//SP-PRVCY//Fed Only, do you still have to encrypt or password protect the document?
Answer: Yes. CUI must be encrypted in transit.
Question: Coversheet = the first tab you see when you open a spreadsheet?
Answer: Not necessarily for spreadsheets, markings can be applied to the headers of the document. Coversheets or transmittals can be used to convey the status as CUI.
Question: Are there specific requirements on how to destroy CUI physical documents?
Question: When sharing legacy documents via email (e.g. FOUO), should I use CUI banner markings in the subject/filename, or is that considered remarking?
Answer: When sharing legacy documents (as attachments) via email, the CUI banner in the email itself can serve as the alert of sensitivity, much like the SF 901 in hard copy transmissions.
Question: Is PII always considered CUI?
Answer: Yes. PII is considered CUI. There are numerous Privacy categories listed on the CUI Registry. See: https://www.archives.gov/cui/registry/category-list
Question: What is the banner configuration when you have classified and CUI in the same document. Does it follow current classification guidance or is there an additional requirement for CUI. Bottom line, do i have to id CUI in a class banner.
Answer: Please see part two of the CUI Marking Handbook. This section describes how CUI Markings should appear when commingled with CNSI markings.
Question: If portion marking is not required how is the recipient supposed to know what data needs to be marked as a carry forward derivative marking?
Answer: In documents, most elements that contain CUI would be easily identifiable (for example, Privacy information). When there is a question regarding the status of information contained within a document that will be used, consult the originator. Agencies or organizations that produce CUI products that will likely be used to create additional documents (as described) should apply portion marking to facilitate the proper application of markings.
Question: As to PII, is it CUI basic or specified (is that the same as the category SP-Privacy Information)?
Answer: It depends on which CUI category applies to the information in question, there are numerous Privacy categories of CUI. Categories are either basic or specified depending on the underlying authority. The CUI Registry provides guidance on how to mark CUI based on the underlying authorities.
Question: Our contracting officer is not providing the category of CUI. We have asked for it, based on the registry. What is our responsibility under our contract. Do we have to go to the registry and determine it, or do we press the contracting officer to tell us if it is CUI and what category it is.
Answer: Contractors are bound by the terms of their contracts or agreements with the government. Questions regarding the status of CUI and marking requirements should be directed to the contracting activity.
Question: What are the storage requirements for CUI in hard copy form (paper, disk, media)? Does it have to be stored in a GSA container, locked in an office cabinet, etc. or can it be left on a desktop overnight in a locked office?
Answer: Hard copy CUI must be stored in an area or container that would prevent unauthorized access. GSA Containers are not required to store CUI. CUI may be stored in controlled environments. Controlled environment is any area or space an authorized holder deems to have adequate physical or procedural controls (e.g., barriers or managed access controls) to protect CUI from unauthorized access or disclosure. Please see the Controlled Environments video for additional guidance: https://www.archives.gov/cui/training.html
Question: You just mentioned that there is training you can give. Can you send more details, please
Answer: Upon request and based on available resources, the CUI Executive Agent is available to provide additional briefings and training to stakeholders. Send requests to email@example.com.