In the modern world it is easy to see how information became the most important resource out there, since the overwhelming majority of companies would be under the threat of shutting down completely if their data somehow gets corrupted or stolen. However, that’s not to say that this principle only applies to commercial companies.
Governments are a great example of that, having a wealth of incredibly sensitive information in all shapes and forms – data that no one but a specific group of people should be able to see in the first place. As such, it is fairly common to see governments issuing data security standards to make sure that both the government itself and companies that work with it as contractors know how to handle this kind of sensitive information.
The Department of Defense is one such government structure, issuing standards in terms of handling CUI (Controlled Unclassified Information) for its Defense contractors. The origin of this kind of approach to sensitive information as a whole can be traced back to DFARS 252.204-7012 (Defense Federal Acquisition Regulation Supplement), which has been effective since 2017, and has been expanded upon with newer standards multiple times.
CUI itself is information that is either owned or created by the government itself – if that information has safety or disposal requirements in accordance with laws or regulations. These regulations and policies include the aforementioned DFARS clause 252.204-7012, as well as ITAR (International Traffic in Arms Regulations), CMMC 2.0 (Cybersecurity Maturity Model Certification) and NIST 800-171 (National Institute of Standards and Technology).
The idea behind these standards and the concept of CUI is that there can be some information that is not classified on its own – but it has an extremely high level of sensitivity, being extremely valuable for national security interests and sought out by various adversaries and competitors. The goal of CUI as a policy is to make one unified standard for marking this information type throughout the entire Federal Government – since right now there are quite a lot of markings that are specific to just one agency, such as SBU, LES, FOUO, and so on.
Controlled unclassified information marking has 125 different categories of data – these categories are then combined into twenty different groups. Some examples of these groups are:
- Transportation, and more.
A proper categorization is necessary for CUI to ensure that the information in question is handled and protected in accordance with its importance as a whole, since the ramifications for improper information control can be quite severe when it comes to CUI. It could negatively affect organizational operations, decrease mission capability, damage organizational assets, deal financial damage, and so on.
The idea behind CUI is simple – all data that falls under the umbrella of Controlled Unclassified Information should be marked in a specific way. The main purpose of the marking is to inform users that would be interacting with said information about information that is considered CUI, as well as the potential limitations when it comes to information sharing.
The Department of Defense has its own guidance when it comes to CUI markings, which can be separated into two different groups – classified documents and unclassified ones.
Unclassified documents, for example, have to have a “CUI” marking both at the top and at the bottom of each page of the document. Since these documents are unclassified, portion markings are not required, although it is necessary to mark either none or all of the sensitive portions, with no in-between.
There is also a special CUI designator indicator that is supposed to be placed at the beginning of any unclassified document that has CUI – it includes the DoD component name, the office identifier (the one that created the document), a list of document’s categories, information about Limited Dissemination Control (LDC), if necessary, and information about the POC (Point of Contact), such as a name, a phone number, or an email.
Classified documents, on the other hand, do not have to have a “CUI” marking in the banner line, and their CUI designation indicator should be in the same location as with unclassified documents. However, this is where the similarities end between the two – since classified documents are required to have portion markings, as well as warning statements at the bottom of the first page of each document that has CUI, along with several other additions.
Solutions such as NC Protect are extremely helpful when it comes to discovering and properly marking both CUI and other sensitive data types. NC Protect can also apply dynamic protection levels depending on the level of CUI and the security privileges of the user, offering a lot of flexibility when it comes to information with this level of secrecy. Additional features that NC Protect offers are dynamic labeling, support for GCC and GCC High, change protection levels depending on the geographical location of a user, and more.