Using CUI while teleworking : Microphones and Cameras in Our Homes

When working with CUI, it is required you establish a controlled environment that will safeguard CUI.

This means not just using information systems that have the necessary safeguards in place, it also means being aware of the other potential risks to CUI such as the presence of microphones and cameras in our homes. The microphones and cameras on our computers and mobile devices (phones and tablets) could place CUI at risk.  If it is an electronic device it can be hacked, if it connects to the internet it can be hacked remotely. What level of safeguarding do you have on your devices with microphones and cameras?

Take a moment to think about how many internet connected microphones and cameras you have in your house.

Of course, we have our phones and computers, but what else are around?

Is the remote control to your TV voice controlled? What about your thermostat?

Do you have a voice activated personal assistant service?

How about devices other than your phone and computer that are voice activated and you can use WiFi to stream music on?

Some people even have appliances that are voice activated and connected to home WiFi, like refrigerators.

There are often more of these in our homes these days than we might realize at first glance.

Cyber criminals and foreign intelligence services know that with everyone at home they have rich and often less secured targets.

And it isn’t just these threats. If you read many application user agreements, they allow the application to collect data from device cameras and microphones even when the application isn’t in use.

These vary in how anonymized they are. Even if the user agreements say they are anonymized, there is a long history of business intelligence gathering to gain business advantage and contracts that were violated to obtain advantage.

To achieve a controlled environment it is important to be aware of your surroundings. If you have microphones in internet connected devices around, then take action to protect CUI. Keep conversations containing CUI to emails or other written communication on information systems that your agency approved to meet the requirements to handle CUI.

Though internet connected cameras are rare on anything other than phones, computers, baby monitors, and doorbells, if you have CUI on your computer screen or desk then make sure it isn’t visible to cameras on unsecured devices.

Some quick things you can do to make your home and devices more secure are:

  1. Make sure to change the default username and passwords for all internet connected devices .
  2. Make sure you update the firmware on your router, modem, and all connected devices regularly. Many of these updates are pushed out to address known security vulnerabilities. If you don’t know how, check the device website or call customer service.
  3. Turn off and unplug unused devices, consider disabling or covering cameras when not in use.
  4. Keep any security software or firewalls updated to the latest version.

There is a lot more you can do and some great information about how to do it found in the additional resources below:

Consult with your agency or organization’s security office if you have specific questions or concerns.

CUI Coversheet and Labels

sf combimed

There’s a completely new look on the horizon for the identification of CUI products.  One part involves the individual document(s); the other involves all the other media forms.  Also, the color for the new forms is purple, and thus it will be instantly distinguishable from all other forms!

The CUI coversheets themselves  have been reduced to one, and while that one is reminiscent of the Optional Forms (OF) 901, OF 902 and OF 903, and OF 903, it has evolved into the Standard Form (SF) 901.  It can be downloaded from either the ISOO or General Services Administration (GSA) website.  It is still a fillable form and is provided at no cost (see ISOO Notice 2019-01).  You may continue to use the old forms until existing supplies have been depleted, however they can no longer be downloaded.  The SF 901 is available for download immediately, and as before, once it is affixed to the top of the document(s), it remains attached until the document(s) no longer requires protection, is properly secured, and/or is decontrolled or destroyed.

coversheet image

The new SF 902 is is a standard size label, much like the ones authorized for classified media, and is used to identify and protect electronic media and other media that contain CUI.  It is used instead of the SF 901 for media other than documents.  If your agency determines, as part of its risk management strategy, that a standard size label is required, the SF 902 will be used.  It must be affixed to the medium containing CUI in a manner that would not adversely affect operation of the equipment in which the medium is used, and once it has been applied, it cannot be removed.  This form is not yet available, but soon will be.  It is expected to be available for purchase through GSA, but the exact date is yet to be determined.  Also it will be not be downloadable, as it comes in a pad of about 50 sheets (5-1/4 X 4-1/4″ sheet of six 2-1/8 X 1-1/4″ labels), and its cost is to be approximately $25.00 per pad.

sf902big

The new SF 903 is a thumb drive size label  The SF 903 is used to identify and protect electronic media that contains CUI.  If your agency determines, as part of its risk management strategy, that a thumb drive size label is required, the SF 903 will be used.  The SF 903 is affixed to a thumb drive containing CUI in a manner that would not adversely affect either operation of the drive or operation of the medium in which it is inserted, and as with the SF 902, once it has been applied, it cannot be removed.  This form also is not yet available, but soon will be.  It is expected to be available for purchase through GSA, but the exact date is yet to be determined.  Similar to the SF 902,  this form will not be downloadable, as it comes in a pad of about 50 sheets (5-1/4 X 4-1/4″ sheet of twelve 2-1/8 X 5/8″ labels), and its cost is to be approximately $25.00 per pad.

sf903big

Please direct any questions regarding this post to: CUI@nara.gov

Questions and answers: CUI Program

1. What is the Controlled Unclassified Information (CUI) Program?

The CUI Program is a Government-wide program that standardizes the way the executive branch manages unclassified information that requires safeguarding or dissemination controls required by law, Federal regulation, and Government-wide policy. This Program replaces existing agency programs like For Official Use Only (FOUO), Sensitive But Continue reading “Questions and answers: CUI Program”