How to know if your business handles CUI (and what to do about it).
We recently talked about the NIST 800-171 cybersecurity standards, which the DoD requires all contractors and subcontractors to implement by the end of 2017. They apply to any business contracting with the DoD or the federal government, and to any business that subcontracts with those businesses on these government contracts. But a key part of understanding whether these security standards apply to your business is understanding what they are meant to protect: Controlled Unclassified Information (CUI).
Why does the CUI category exist?
The government began the CUI program as a way of simplifying how sensitive documents are marked and safeguarded. In the past, the handling of these documents was agency-specific, and they could be labeled anything from “For Official Use Only” to “Sensitive but Unclassified” to “Law Enforcement Sensitive.” The confusion resulting from these differing standards led to poor implementation practices, including the mishandling of documents on one hand and unnecessary restrictions on access on the other.
So the new category of “Controlled Unclassified Information” is meant to replace the previous markings for sensitive information, while also standardizing across agencies how these documents are disseminated and secured.
What is included in the CUI category?
Broadly speaking, Controlled Unclassified Information consists of sensitive items pertaining to privacy, security, proprietary business interests, or law enforcement investigations. Since that is a broad and somewhat abstract way of describing CUI, here are some practical examples:
– Personal information. Think of health records, legal documents, social security numbers, credit card information, or other personal information that isn’t publicly available.
– Financial information. Purchase orders, bank transactions, or information that could be used to compromise the US economy.
– IT security. Anything that might compromise the integrity of information systems or the way in which data is gathered, processed, or disseminated.
– Law enforcement. Juvenile court records, information relating to the production of controlled substances, and the identities of certain whistleblowers, informants, or victims of certain crimes.
– Patents. This includes patent applications, technical drawings of the inventions themselves, and secrecy orders pertaining to the products.
This is only a small sample, but in short, Controlled Unclassified Information is anything that cannot legally be made public yet isn’t sensitive enough to require a high-level security clearance. You probably don’t need to go through a rigorous background check to work with it, and you can’t withhold it from a judge should it be requested in court. But it is the kind of information that could be damaging if leaked.
It’s not hard to imagine how someone with malicious intent might exploit some of this information. But it’s also clear that many people have legitimate reasons for accessing it, and that putting up too many safeguards would limit the efficiency of many organizations. So the CUI category is intended to enable the safe use of this information without unduly hampering business processes.
Does your business need help safeguarding CUI?
Now that you have some idea of what Controlled Unclassified Information consists of, you may be wondering how you can better protect it. At Brightline, we have the expertise to guide you through the process of properly assessing your current setup and putting in place the safeguards you need to meet the new government security standards. Read our FAQ page for more information, or contact us to get your assessment process started.