This is the second in a series of posts on the notice of
proposed rulemaking (NPRM) recently published by the National Archives and
Records Administration’s (NARA) Information Security Oversight Office (ISOO) on
the establishment and harmonization of controls on controlled unclassified
information (CUI). Other posts in the series include:
In this post I will look at one of the key elements that
make up the CUI program, the requirements for safeguarding CUI outlined in §2002.12.
The guiding principle that must be remembered when considering the safeguarding
requirements is that CUI must be protected at all times in a manner that “minimizes
the risk of unauthorized disclosure while allowing for access by authorized
holders”.
In all discussions about CUI protections it must be
remembered that the CUI regulation will only apply to federal government
agencies. Any agency that shares or discloses CUI to an entity outside of the
federal government is
encouraged by NARA to “enter formal information-sharing agreements and
include a requirement that any non-executive branch party to the agreement
comply with the Order, this part, and the CUI Registry”. Such language should
also be part of any contractor agreement where CUI could be shared.
What Standards Apply
There are actually two sets of safeguarding standards that
can apply to CUI. The first is CUI Basic; these
standards are outlined in the CUI regulations themselves. The second is CUI Specified;
these standards are set by law, regulation, or government-wide policy.
Agencies may only apply CUI Specified standards if the category or subcategory
listed in the CUI
Registry notes that the particular CUI is specified. When the underlying
law, regulation or policy for a specified CUI is silent on a particular
standard set in CUI Basic, the CUI Basic requirements apply to
that safeguarding method.
Controlled Environment
This rulemaking would require that authorized holders of CUI
have access to a controlled
environment in which to work with CUI while protecting it from unauthorized
access or observation. In addition, authorized holders having conversations
about CUI need to take reasonable precautions against the conversation
being overheard by unauthorized individuals.
When CUI is handled outside of a
controlled environment it must either be under the direct control of an
authorized holder or must be protected by at least one physical barrier that
reasonably protects the information from unauthorized access or observation.
Transmitting CUI
When CUI is processed, stored or
transmitted via a federal information system it must be protected in
accordance with FIPS Publications 199 and 200 as well as NIST SP 800-53. NIST
is currently in the process
of developing NIST SP 800-171 as a standard for non-federal information
systems that process, store or transmit CUI. Again, this standard should be
specified by federal agencies in agreements with outside entities handling CUI.
When CUI is physically transferred outside of
the control of an authorized person, it may be done by US Mail or
commercial delivery service. The use of interoffice and interagency mail
systems is also authorized. No CUI markings
should be on the outside of the envelope or package. They should be marked,
however, that they are intended for the recipient only and should not be
forwarded.
Reproducing CUI
CUI can only be reproduced
(by copying, scanning, printing, or electronically duplicating) in “furtherance
of a lawful Government purpose”. When using copying devices you must ensure
that a copy is not
retained in the device or the device must be ‘sanitized’ in accordance with
NIST SP 800-53.
Destroying CUI
The rulemaking would allow agencies to destroy CUI only when
the agency no longer needs the information and records retention rules no longer require it
to be held. When destroying electronic versions of CUI it must be done in a
manner that “makes it unreadable, indecipherable, and irrecoverable” in
accordance with
established procedures. There is no discussion of standards for the
destruction of physical versions of CUI.