Why Ownership Questions Reveal Governance Gaps Sarah was preparing documentation for an upcoming compliance review…
CUI: What is it?
According to the National Archives, Controlled Unclassified Information (CUI) is “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified” by executive order or statute. But how are specific instances of CUI recognizable? How can you generally identify CUI? Further, how does the existence of CUI affect your company?
Considering these questions, we should start with a CUI definition stated in more layman’s terms. Borrowing the simple expression captured in the National Archives introductory publication explaining CUI, it is simply “[i]nformation that requires protections.” In essence, CUI is merely a genre of regulated content. Think of CUI as the middle ground between private (and public domain, for that matter) information and classified information. The “unclassified” part means that, while this information is deemed controlled, it does not meet the required standards to be classified under Executive Order 13526.
Click Here to learn more about the difference between CUI and Classified Information
Just because CUI does not reach the standard of classified, this does not mean this information isn’t critical or potentially dangerous if wantonly disclosed. The criteria and regulations for protecting and handling of CUI are comprehensive and strict, as they should be. The consequences of breaching these regulations injure the breacher by diminishing their reputation and ability to secure other deals. Further, it also exposes the malefactor to levies, considerable fines, and suspensions.
With all of this considered, it is critical to understand how CUI should be handled and why these protocols are essential. For those purposes, the DoD issued its Instruction (DoDI) 5200.48 in March 2020. This DoDI outlined the CUI requirements for DoD contractors by covering five main activities:
Identification:
The DoD is responsible for identifying whether any information they provide contractors is CUI. This identification is done by marking the information.
Protection:
Any legal agreement must include what controls (rules within a regulation) apply to all identified CUI. These controls must be met.
Monitoring:
DoD contractors must monitor all created and collected CUI to ensure that if any individual item exceeds the standards of CUI and begins to cross over into classified territory, it can be reported to the DoD and thus handled accordingly.
Review:
Both the DoD and the contractors must perform reviews of the CUI under DoDI 5230.09 before release.
Disposition:
Based on whether the CUI is provided by the DoD or created by the contractor, the disposition (destruction) of the CUI must follow the appropriate disposition authority.
DoD Instruction 5200.48 outlines the fundamental processes and necessities involved with protecting and handling of CUI. But in reading it, you will see further questions remain to be answered. One series of such questions is “How do I know, as ,or representing, a contractor, if I am creating CUI? How do I identify it?” Another is, “What steps can I take to adhere to the outlined controls and protect my data? How do I set up my company to properly handle CUI?”
Let’s start with the first series, Identification:
CUI has a broad definition, including “any information that a contractor processes, stores, or transmits on behalf of the government as part of fulfilling a contract.” The breadth of this definition makes it more likely than not that, as a contractor, you will be creating CUI. The information could include reports, standards, drawings, research data, and more. If the information relates to the explicit completion of the contract, it’s CUI. Now that we know how to recognize CUI, the more important question must be considered:
How Does My Company Adhere to Regulations and Protect CUI?
The specific controls needed to protect CUI are outlined in DFARS 252.204-7012. One such control states that a data center is required for all a contractor’s internal IT systems. This requirement, however, can also be satisfied with a cloud service provider or a hybrid/private cloud solution that uses both on-premises and CSP solutions. Regardless of the solution, the environment must be protected with the 110 controls in NIST SP 800-171 as enhanced by NIST SP 800-172. These controls are not optional; they must be adhered to. The complexity, and at times details, can make adherence seem daunting, but by making the right choice when picking your solution, most complications and risk can be entirely avoided.
Such a solution is the RegDOX Secure Data Room. RegDOX’s CUI solution automatically supports 85 out of the 110 NIST SP 800-171 controls. Beyond this, RegDOX’s Data Room solution boasts features and benefits that can be found in no other solution. These include the ability to securely collaborate compliantly with third parties, a protective service called LockBox that nullifies the threat of a ransomware attack, and so much more. And if your company wants to adhere to CUI regulations, you need to know about that “so much more”.
To Try Out Our Solution For Free: Click Here
To Get in Contact with Us: Click Here or Reach us by:
Phone: (800) 517-3171
Email: sales@regdox.com
Click to rate this post!
[Total: 0 Average: 0]

This Post Has 0 Comments