New ESTIMATED Comment Period for CUI FAR Case

The Spring 2020 Unified Agenda of Regulatory and Deregulatory Actions has been published and with it comes a new, estimated, notice of proposed rulemaking (NPRM) date as well as a new, estimated, NPRM comment period end for the Federal Acquisition Regulation (FAR); FAR Case 2017-016, Controlled Unclassified Information (CUI).

The comment period is from Oct 2020 to Dec 2020 (these dates are an estimate and are subject to change).

More information can be found here: https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202004&RIN=9000-AN56

AD HOC STAKEHOLDER UPDATE: CUI Metadata markings and NIEM 5.0 beta 1 Release (Presentation with Q&A)

Join us on Monday for a quick presentation and some Q&A!

The conference begins at 2:30 PM Eastern Time on July 13, 2020; you may join the conference 10 minutes prior.

Step 1: Dial into the conference.
Dial-in: 888-251-2949 or 215-861-0694
Access Code: 2367572#

Step 2: Join the conference on your computer.
Entry Link: https://ems8.intellor.com/login/829772

Need technical assistance?
Audio Connection: 1-888-796-6118 or 1-847-562-7015
Web Connection: 1-888-793-6118

The Ad Hoc Stakeholder Update will have two parts followed by a short Q&A:

  • (10-15 min) An introduction to the CUI Program and how metadata markings can help support CUI Marking and Sharing Requirements. By Devin Casey, Program Analyst.

DEVIN CASEY is the lead for agency implementation and oversight activities for the Controlled Unclassified Information (CUI) Program. Since joining the CUI Program, Devin has authored numerous policies and guidance documents that have aided stakeholders, agencies and industry, in the implementation and management of the CUI Program.

  • (30 min) An overview of the CUI additions to the upcoming NIEM 5.0 as well as instructions on how to submit comments to NIEM 5.0 Beta 1. By Charles Chipman, Senior Research Scientist.

CHARLES “CHUCK” CHIPMAN is a senior research scientist working for Georgia Tech Research Institute (GTRI) supporting the Joint Staff J6 Data and Services Division, which serves as the NIEM Management Office and MilOps Domain steward. He is retired Air Force (C4ISR) and before GTRI spent 10 years as a contractor supporting the AF’s Joint Interoperability of Tactical Command and Control Systems (JINTACCS) program, primarily providing configuration management of the U.S. Message Text Format Program (MilStd6040), an XML-based exchange standard, which is where he was introduced to NIEM/GTRI.

  • (15-20 min) Q&A

Draft SP 800-172 (formerly Draft NIST SP 800-171B) is out for Public Comment

NIST SP 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft)

Comments are due by August 21, 2020.
Please see https://csrc.nist.gov/publications/detail/sp/800-172/draft for more information, the draft publication, and directions for submitting comments.

Background:

“In certain situations, CUI may be associated with a critical program [6] or a high value asset [7]. These critical programs and high value assets are potential targets for the advanced persistent threat (APT). An APT is an adversary or adversarial group that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors, including cyber, physical, and deception. The APT objectives include establishing footholds within the infrastructure of the targeted organizations for purposes of exfiltrating information; undermining or impeding critical aspects of a mission, functions, program, or organization; or positioning itself to carry out these objectives in the future. The APT pursues its objectives repeatedly over an extended period, adapts to defenders’ efforts to resist it, and is determined to maintain the level of interaction needed to execute its objectives. While the category of CUI itself does not require greater protection, CUI associated with critical programs or high value assets is at greater risk because the APT is more likely to target such information and therefore requires additional protection.
[6] The definition of a critical program may vary from organization to organization. For example, the Department of Defense defines a critical program as a program which significantly increases capabilities and mission effectiveness or extends the expected effective life of an essential system/capability [DOD ACQ].
[7] See [OMB M-19-03] and [OCIO HVA].”

-NIST SP 800-172 (Draft), Lines 223-235

CUI Metadata standard available for review

The CUI Executive Agent has been working with the CUI Advisory Council and the National Information Exchange Model (NIEM) to develop a metadata standard for CUI categories and limited dissemination controls. NIEM is a common vocabulary that enables efficient information exchange across diverse public and private organizations.

The draft standard can be found here and is available for comment until July 17, 2020.

CUI Program Implementation Deadlines issued

ISOO issued CUI Notice 2020-01 to facilitate a coordinated transition to the CUI Program.

Implementation Deadlines

Awareness campaign – By June 30, 2020, agencies must initiate an awareness campaign that informs their entire workforce of the coming transition to the standards of the CUI Program.

Policy – By December 31, 2020, agencies must issue policies that implement the CUI Program. Agencies may implement the CUI Program through a single policy or through multiple policies that address specific elements of the CUI Program. If an agency has sub-agencies, all those subordinate components must develop and publish implementing policies and/or modify or rescind all affected policies by June 30, 2021. 

Classification marking tools and commingling – By December 31, 2020, agencies that manage, own, or control Classification Marking Tools (CMT) used to mark Classified National Security Information must have initiated any modification of such CMTs as necessary to begin accounting for CUI markings described on the CUI Registry and the standards described in 32 CFR 2002.20(g).

Training – By December 31, 2021, agencies (including any sub-agencies or components) must deploy CUI training to all affected employees. Agencies may implement CUI training through a single module or through multiple modules. CUI training may be incorporated into existing agency training (such as privacy, information systems, or records management training).

Physical safeguarding – By December 31, 2021, agencies (including any sub-agencies or components) must implement or verify that all physical safeguarding requirements, as described in 32 CFR 2002 and in agency policies, are in place.

Information systems – By December 31, 2021, agencies (including any sub-agencies or components) must modify all Federal information systems to the standards identified in 32 CFR 2002. Federal and contractor information systems that are used to store, process, or transmit CUI must be configured at no less than the Moderate Confidentiality impact value (see 32 CFR 2002.14).

Reporting – CUI Senior Agency Officials must submit an annual report on the CUI Program to ISOO no later than November 1 each year, and report on implementation during the preceding fiscal year. Reports must cover all implementation and program activities from October 1 to September 30 of the preceding fiscal year. Only parent agencies are required to report directly to ISOO. Agency components, elements, sub-agencies, regional locations, divisions, and/or internal lines of business must report to their parent agency.

Agencies that anticipate delays in implementing any of the above deadlines must include a narrative in their annual report submission that describes the issue giving rise to the delay and projects when they expect to implement the delayed program element. They must also include a copy of their implementation plan or strategy. ISOO will evaluate and formally approve delays on a case-by-case basis and may report such delays to the President.

CUI Q3 Stakeholders Update!

The conference is from 1:00 – 3:00 PM Eastern Time on May 20, 2020; you may join the conference 10 minutes prior to the start time.

Step 1: Dial into the conference.
Dial-in: 1-877-369-5243 or 1-617-668-3633
Access Code: 0496807##
Step 2: Join the conference on your computer.
Entry Link: https://ems8.intellor.com/login/823604

When you access the entry link above, you will be provided a choice – to install the WebEx plug-in for your preferred browser or to join the web conference using a temporary path. Either option is acceptable.

Need assistance with your audio? Please dial 888-796-6118. Need assistance with your Webex? Please dial 888-793-6118.

Topics include:

  • CUI and A Metadata Standard (update)
  • CUI Federal Acquisition Regulation case (update)
  • Recent and planned CUI blog posts
  • An overview of frequently asked questions
  • Live Question and Answer period

NSA Article: “Working from Home? Select and Use Collaboration Services More Securely”

A recently published article at the National Security Agency (NSA) Central Security Service (CSS) promotes newly issued guidance entitled Selecting and Safely Using Collaboration Services for Telework. This guidance provides simple, actionable considerations for individual government users and can be found here: Working from Home? Select and Use Collaboration Services More Securely.


The ISOO Overview Blog Launches Today

ISOO Director Mark A. Bradley today (March 20, 2020) is launching The ISOO Overview Blog, as a new forum for engaging with the public, and all ISOO stakeholders, including everyone in the CUI community of interest.  The new blog welcomes comments, which all components of the ISOO staff will review as part of their work.

From now and beyond the current public health emergency, The ISOO Overview Blog will post information at least once a week, including notifications of relevant events, ISOO policy, guidance, and activities; and ISOO reports and perspectives on ISOO’s lines of business and matters related to ISOO’s roles and authorities.

We look forward to brighter days ahead, and continuously expanding conversation in the public interest about how the Federal Government manages, protects, classifies, declassifies, shares and releases its vastly increasing information assets.

Be well and remain engaged.