Protecting Controlled Unclassified Information CUI

Controlled Unclassified Information is any information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526,Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended

Executive Order 13556 "Controlled Unclassified Information" (the Order), establishes a program for managing CUI across the Executive branch and designates the National Archives and Records Administration (NARA) as Executive Agent to implement the Order and oversee agency actions to ensure compliance. The Archivist of the United States delegated these responsibilities to the Information Security Oversight Office (ISOO).

32 CFR Part 2002 "Controlled Unclassified Information" was issued by ISOO to establish policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program. The rule affects Federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI—or which operate, use, or have access to Federal information and information systems on behalf of an agency.

The National Archives and Records Administration, per 32 CFR Part 2002 "Controlled Unclassified Information" establishes policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program.

The CUI Registry includes the CUI Categories, Category Markings, and additional resources.  The CUI Categories are available at: https://www.archives.gov/cui/registry/category-list  

The CUI Executive Agent can be reached at

Information Security Oversight Office - Controlled Unclassified Information
National Archives and Records Administration700 Pennsylvania Ave, N.W., Room 100Washington, DC 20408-0001

E-mail:  cui@nara.gov

 

NIST does not have a role in implementation, assessment, or oversight of the DFARS Clause 252.204-7012. The following resources are available from the Department of Defense (DoD).  

• Procurement Technical Assistance Program (PTAP) and Procurement Technical Assistance Centers (PTACs)
• Nationwide network of centers/counselors experienced in government contracting, many of which are affiliated with Small Business Development Centers and other small business programs 

• Cybersecurity in DoD Acquisition Regulations page at for Related Regulations, Policy, Frequently Asked Questions, and Resources (June 26, 2017)

• DPAP Website for DFARS, Procedures, Guidance and Information (PGI), and Frequently Asked Questions

• DoDI 5230.24, Distribution Statements on Technical Documents

• DoD’s Defense Industrial Base Cybersecurity program (DIB CS Program)

• Questions can be submitted to: osd.dibcsia@mail.mil

 

The CMMC utilizes the publicly available security requirements in NIST Special Publication (SP) 800-171 and draft NIST SP 800-171B.  

NIST is not involved in the design, development, or implementation of the CMMC model, accreditation body, or certification.  

For information about the CMMC program, please see: https://www.acq.osd.mil/cmmc/index.html 

NARA and NIST objected to DFARS’ use of selected subset of 800-53 controls

• Asserted the full moderate impact baseline required for protection of CUI

There was broader stakeholder concern regarding implementation challenges for non-Federal systems

• SP 800-53 controls originally developed for Federal systems
  • Some controls/elements of controls should not apply outside the US Government (Federal-centric)
  • Some controls are overly granular when applied to an ‘as-built’ contractor system
  • Many baseline controls unnecessary (e.g., Availability controls) for protection of CUI

The solution was to develop a separate NIST SP for protection of CUI in nonfederal organizations.

• Based on FIPS 200 with control language from 800-53 to meet moderate impact level

• Performance-based to be applicable to existing nonfederal systems

• Eliminate Federal-centric requirements

• Focus on providing confidentiality protection for CUI

 

Relevant Publications:

• NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, provides federal agencies with a set of recommended security requirements for protecting the confidentiality of CUI.
• NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, provides assessment procedures and a methodology that can be employed to conduct assessments of the CUI security requirements in NIST Special Publication 800-171. 
• DRAFT NIST SP 800-171B, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets, offers additional recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher than usual risk of exposure. Note: NIST plans to update the publication number to SP 800-172.

Relevant Templates:

• NIST has developed example templates for system security plans (SSPs) and plans of action.   
• There is no prescribed format or specified level of detail for system security plans. However, organizations ensure that the required information in [SP 800-171 Requirement] 3.12.4 is conveyed in those plans.
• The templates are available as MS Word documents at SP 800-171 Rev. 1 publication page and the SP 800-171A publication page.  

Additional Resources

• NIST, in coordination with the Department of Defense (DoD) and the National Archives and Records Administration (NARA), hosted the Protecting Controlled Unclassified (CUI) Security Requirements Workshop.  This workshop provided an overview of CUI, the DFARS Safeguarding Covered Defense Information and Cyber Incident Reporting Clause, and NIST Special Publications 800-171 and 800-171A. This workshop also featured a panel of Federal Government representatives discussing expectations for evaluating evidence and implementing the CUI Security Requirements and industry representatives sharing best practices and lessons learned.  Recordings of the workshop and presentations are available at the above link. 

NIST is a non-regulatory agency under the U.S. Department of Commerce; NIST does not have a role in determining compliance with the security requirements in NIST SP 800-171. If you have questions regarding requirements to protect controlled unclassified information or other regulatory requirements, please contact your prime contractor and/or federal point of contact for the contract.