This is the second in a series of posts on the notice of proposed rulemaking (NPRM) recently published by the National Archives and Records Administration’s (NARA) Information Security Oversight Office (ISOO) on the establishment and harmonization of controls on controlled unclassified information (CUI). Other posts in the series include:
In this post I will look at one of the key elements that make up the CUI program, the requirements for safeguarding CUI outlined in §2002.12. The guiding principle that must be remembered when considering the safeguarding requirements is that CUI must be protected at all times in a manner that “minimizes the risk of unauthorized disclosure while allowing for access by authorized holders”.
In all discussions about CUI protections it must be remembered that the CUI regulation will only apply to federal government agencies. Any agency that shares or discloses CUI to an entity outside of the federal government is encouraged by NARA to “enter formal information-sharing agreements and include a requirement that any non-executive branch party to the agreement comply with the Order, this part, and the CUI Registry”. Such language should also be part of any contractor agreement where CUI could be shared.
What Standards Apply
There are actually two sets of safeguarding standards that can apply to CUI. The first is CUI Basic; these standards are outlined in the CUI regulations themselves. The second is CUI Specified; these standards are set by law, regulation, or government-wide policy. Agencies may only apply CUI Specified standards if the category or subcategory listed in the CUI Registry notes that the particular CUI is specified. When the underlying law, regulation, or policy for a specified CUI is silent on a particular standard set in CUI Basic, the CUI Basic requirements apply to that safeguarding method.
This rulemaking would require that authorized holders of CUI have access to a controlled environment in which to access CUI while protecting it from unauthorized access or observation. In addition, authorized holders having conversations about CUI need to take reasonable precautions against the conversation being overheard by unauthorized individuals.
When CUI is handled outside of a controlled environment it must either be under the direct control of an authorized holder or must be protected by at least one physical barrier that reasonably protects the information from unauthorized access or observation.
When CUI is processed, stored, or transmitted via a federal information system, it must be protected in accordance with FIPS Publications 199 and 200 as well as NIST SP 800-53. NIST is currently in the process of developing NIST SP 800-171 as a standard for non-federal information systems processing, storing, or transmitting CUI. Again, this standard should be specified by federal agencies in agreements with outside entities handling CUI.
When CUI is physically transferred outside of the control of an authorized person, it may be sent by US Mail or a commercial delivery service. The use of interoffice and interagency mail systems is also authorized. No CUI markings should appear on the outside of the envelope or package. The envelope or package should, however, be marked to indicate that it is intended for the recipient only and should not be forwarded.
CUI can only be reproduced (by copying, scanning, printing, or electronically duplicating) in “furtherance of a lawful Government purpose”. When using copying devices, you must ensure that a copy is not retained in the device, or the device must be ‘sanitized’ in accordance with NIST SP 800-53.
The rulemaking would allow agencies to destroy CUI only when the agency no longer needs the information and records retention rules no longer require it to be held. When destroying electronic versions of CUI, it must be done in a manner that “makes it unreadable, indecipherable, and irrecoverable” in accordance with established procedures. There is no discussion of standards for the destruction of physical versions of CUI.