Today the National Archives and Records Administration’s
(NARA) Information Security Oversight Office (ISOO) published a final rule in
the Federal Register (81 FR
63323-63347) to establish oversight regulations for a variety of federal
controlled unclassified information (CUI) programs. The new regulation
establishes policy (32 CFR 2002) for agencies on designating, safeguarding,
disseminating, marking, decontrolling, and disposing of CUI, self-inspection
and oversight requirements, and other facets of the Program. The effective date
of this rule is November 14th, 2016.
The notice of proposed rulemaking (NPRM) for this rule was published in May 2015. I did a series of blog posts on the provisions of that NPRM. There were only 14 comments filed in response to the NPRM, but they resulted in a number of changes made in the final rule. This final rule was approved by OMB on August 9th.
This rulemaking was designed primarily to affect the CUI protection activities of federal agencies, but it also applies to all organizations (sources) that handle, possess, use, share, or receive CUI—or which operate, use, or have access to Federal information and information systems on behalf of an agency.
CUI Registry
Section 2002.10 requires that NARA (the CUI Executive Agency – CUI EA) establish a CUI Registry to act as “the authoritative central repository for all guidance, policy, instructions, and information on CUI” {§2002.10(a)(1)}. The CUI Registry has been established and, among other things, it provides the current list of non-classified information protection programs covered under this regulation. Those programs include such critical infrastructure programs as:
The programs marked with an asterisk (*) identify those programs that are codified in the U.S. Code, the Code of Federal Regulations, or a Government-wide policy. This is an important distinction for this regulation. The regulation sets minimum standards for CUI Basic programs, while the codifying documents for the CUI Specified programs set program standards that do not conflict with the minimum requirements of the CUI regulations. If existing CUI Specified programs do not meet the minimum security standards set forth in this rule, the programs will have to be updated to come into compliance.
NIST SP 800-171
Federal agencies holding CUI on computer systems are required to conform with the computer system requirements of FIPS Pub 199 at no less than the moderate confidentiality impact level {§2002.14(g)}. For non-federal information systems, the computer security standard that must be applied is NIST SP 800-171 {§2002.14(h)(2)} for systems used to process, store or transmit CUI.
Commentary
Most private sector organizations are not going to be required to process, store or transmit CUI. With one major exception, CUI will generally be information that federal agencies have received from non-federal sources (including private sector companies). The CUI designation is being used to protect the information while it is in federal control. Security information that is subsequently shared by the federal agency may carry CUI designations to protect the source of the information from public disclosure.
The one major exception is the Chemical-terrorism Vulnerability Information (CVI) program administered under the Chemical Facility Anti-Terrorism Standards (CFATS) program. Again, the basis of the CVI (a CUI designation) protections is CFATS security information (Top Screens, Security Vulnerability Assessments and Site Security Plans, for instance) being shared by private sector entities with a government agency (DHS Infrastructure Security Compliance Division – ISCD). The CFATS regulations, however, require the originating facility to protect the information using the procedures set forth in the CVI Procedures Manual.
The CVI program is a listed CUI Specified program, so wherever the current CVI procedures meet or exceed the requirements for storage, marking, transmission, sharing, decontrolling or destroying the CVI information, no change in the CVI program will be required. The one obvious area where the CVI program does not meet the CUI program requirements is in specifying the NIST SP 800-171 standard for computer systems used to handle CVI information. Other minor changes may also be necessary.