The conference is from 1:00 – 3:00 PM Eastern Time on August 19, 2020. Step 1: Dial into the conference. Dial-in: 888-251-2949 or 215-861-0694 Access Code: 2563977# Step 2: Join the conference on your computer. Entry Link: https://ems8.intellor.com/login/830824
On June 3, 2020, ISOO issued CUI Notice 2020-03. This notice provides an optional Controlled Unclassified Information (CUI) non-disclosure agreement (NDA) template for executive branch agency use. Executive branch agencies may use the template when they determine that a CUI NDA is appropriate. The template is optional, and agencies can modify it if needed. A list of all CUI Notices can be found here
When working with CUI, it is required you establish a controlled environment that will safeguard CUI.
This means not just using information systems that have the necessary safeguards in place, it also means being aware of the other potential risks to CUI such as the presence of microphones and cameras in our homes. The microphones and cameras on our computers and mobile devices (phones and tablets) could place CUI at risk. If it is an electronic device it can be hacked, if it connects to the internet it can be hacked remotely. What level of safeguarding do you have on your devices with microphones and cameras?
Take a moment to think about how many internet connected microphones and cameras you have in your house.
Of course, we have our phones and computers, but what else are around?
Is the remote control to your TV voice controlled? What about your thermostat?
Do you have a voice activated personal assistant service?
How about devices other than your phone and computer that are voice activated and you can use WiFi to stream music on?
Some people even have appliances that are voice activated and connected to home WiFi, like refrigerators.
There are often more of these in our homes these days than we might realize at first glance.
Cyber criminals and foreign intelligence services know that with everyone at home they have rich and often less secured targets.
And it isn’t just these threats. If you read many application user agreements, they allow the application to collect data from device cameras and microphones even when the application isn’t in use.
These vary in how anonymized they are. Even if the user agreements say they are anonymized, there is a long history of business intelligence gathering to gain business advantage and contracts that were violated to obtain advantage.
To achieve a controlled environment it is important to be aware of your surroundings. If you have microphones in internet connected devices around, then take action to protect CUI. Keep conversations containing CUI to emails or other written communication on information systems that your agency approved to meet the requirements to handle CUI.
Though internet connected cameras are rare on anything other than phones, computers, baby monitors, and doorbells, if you have CUI on your computer screen or desk then make sure it isn’t visible to cameras on unsecured devices.
Some quick things you can do to make your home and devices more secure are:
Make sure to change the default username and passwords for all internet connected devices .
Make sure you update the firmware on your router, modem, and all connected devices regularly. Many of these updates are pushed out to address known security vulnerabilities. If you don’t know how, check the device website or call customer service.
Turn off and unplug unused devices, consider disabling or covering cameras when not in use.
Keep any security software or firewalls updated to the latest version.
There is a lot more you can do and some great information about how to do it found in the additional resources below:
FTC’s Online Security website: including information on Mobile Apps (applications) and IP Cameras, such as the ones used in baby monitors, toys, and door bells
FTC’s Video and Media website: including videos and games to help educate your family about a wide variety of topics including cybersecurity
GAO’s report in Information Security: including a look at mobile device security threats and vulnerabilities
The CUI program has a lot of flexibility built in to allow agencies to accomplish their mission, including while employees are teleworking.
Agencies must ensure CUI is safeguarded in accordance with 32 CFR 2002 (the CUI Program’s implementing directive) and the applicable laws, regulations, and government-wide policies. In doing so agencies must establish controlled environments where CUI can be effectively safeguarded.
Telework agreements can be used to spell out whether or not CUI is permitted, as well as, which categories of CUI employees can use while teleworking. The agreement should also outline what controls (physical or electronic) need to be in place to ensure adequate protection.
Here are some common issues agencies may encounter as they allow employees to telework with CUI:
1. Increased potential for CUI to be overheard or observed with more people likely to be in the home
2. Difficulty securing devices used for telework (computers, cell phones, tablets, routers, modems)
3. Ensuring compliance with current policies and limiting use of unauthorized equipment and media
4. Enabling employees to accomplish their tasks and adjusting expectations limit use of unauthorized workarounds
Agencies, in consultation with CUI Program Officials, should develop additional guidance that addresses each of the issues described above. Front-line supervisors should initiate discussions with their employees to assist and determine the best ways to ensure the protection of CUI while teleworking.
As we all work to do our jobs in the changing work environment during the COVID-19 crisis, those who work with CUI should continue to make sure they safeguard CUI.
In many cases, CUI can be worked on, in a telework environment, as long as the proper controls are in place to achieve a controlled environment (physical and electronic) and agency policies allow it.
Make sure to follow any agency policy or guidance, especially interim guidance issued in response to COVID-19 as standard practices may have been changed to allow for greater telework participation. If needed, employees should consult their supervisor if they have any questions regarding the proper handling of sensitive information.
Here are some general guidelines to consider as you telework with CUI:
CUI should not be stored on personal systems.
Printing and hard copy storage should be kept to a minimum.
Agency sponsored/approved virtual desktops (or similar) should be used.
Personal email accounts should not be used to store or transmit CUI.
When you access the entry link above, you will be provided a choice – to install the WebEx plug-in for your preferred browser or to join the web conference using a temporary path. Either option is acceptable.
Need technical assistance?
Audio Connection: 1-888-796-6118 or 1-847-562-7015
Web Connection: 1-888-793-6118
Note: If you attend the CUI Marking class 101, you will receive a completion certificate
Guest speaker:
Regan Edens, Chief Transformation Officer, DTC Global
10:00 – 2:00 (Presidential Conference rooms)
Vendor and Agency Exhibits Open
Learn about products and services that have been developed for the CUI Program
12:00 – 2:00 (Presidential Conference rooms)
Networking in all NARA Presidential Conference rooms
If you are interested in attending this event, please RSVP to cui@nara.gov
Reminder: ISOO, as the Executive Agent for the CUI Program, does not endorse nor evaluates any of the products and/or services being offered by Presenters or vendors.
When you access the entry link above, you will be provided a choice – to install the WebEx plug-in for your preferred browser or to join the web conference using a temporary path. Either option is acceptable.
Need technical assistance?
Audio Connection: 1-888-796-6118 or 1-847-562-7015
Web Connection: 1-888-793-6118
Topics include:
CUI Implementation Projections: based on FY 19 Annual Report
Update on: CUI and Metadata Plans/Discussion
Update on: the CUI Federal Acquisition Regulation case
Common misconceptions regarding implementation
Consistency in Agency Programs
Leveraging Existing Resources
CUI and Background Investigations
Is my Proprietary Information CUI?
Supply Chain and Flow Down Requirements
Legacy Information (FOUO, SBU, etc) and Expectations for Safeguarding
Assessing Compliance Related to Non-Federal Systems
Questions and Answers.
Please submit questions that you would like addressed during the session to cui@nara.gov NLT February 7, 2020.
The next CUI Program update will be held on February 12, 2020 (1-3 EST). The link, call-in number, and pass-code will be posted to the blog prior to the meeting.
Topics include:
CUI Implementation Projections: based on FY 19 Annual Report
Update on: CUI and Metadata Plans/Discussion
Update on: the CUI Federal Acquisition Regulation case
Common misconceptions regarding implementation
Consistency in Agency Programs
Leveraging Existing Resources
CUI and Background Investigations
Is my Proprietary Information CUI?
Supply Chain and Flow Down Requirements
Legacy Information (FOUO, SBU, etc) and Expectations for Safeguarding
Assessing Compliance Related to Non-Federal Systems
Questions and Answers. Please submit questions that you would like addressed during the session to cui@nara.gov NLT February 7, 2020.
On Thursday the 29th of August from 1-3, the CUI Program office will host a in person training session on the implementation of the CUI program. The training will include a brief background of the program, an update on the status of implementation, and a program elements overview.
The training will be held in the Washington Room at the National Archives building, 701 Constitution Ave NW (please use the special events entrance). We are not offering a call in number for this session.
This event is open to the first 55 people who RSVP to cui@nara.gov and it is intended for those who are supporting or developing a CUI program at their agency or organization.