Controlled Unclassified Information Marking 101


Information is one of the greatest assets of any company in the modern age. As such, protecting said information should be a legitimate priority for all kinds of companies, no matter what industry they’re working in. However, not all information is equal – some of it is far more valuable than the rest.

This kind of information is often something that is not supposed to be public, for one reason or another. It may be a person’s billing information, medical information, or one of several other data types that have to be prioritized in terms of protection from malicious events.

All of these valuable data types are covered by at least one government or international standard that sets the baseline for protecting specific data types. HIPAA is a good example of that – a US act whose name stands for “Health Insurance Portability and Accountability Act”, covering healthcare information and the precautions required of companies handling such information.


Another data type of similar, if not greater, importance is information related to national security. A notable example is the United States and its DFARS – the Defense Federal Acquisition Regulation Supplement, a set of standards aimed at defense contractors and/or suppliers. It regulates all of the information about the Department of Defense’s operations that contractors participate in, such as contracts, purchases, and so on. Failure to adhere to DFARS rules and regulations results in an immediate contract termination for the contractor in question.

Of course, the passage of time changes many things all over the world, including the capabilities of anyone who may have malicious intent towards DoD information. As such, it is only natural that security standards have to constantly evolve and improve so that potential threats are addressed and loopholes are closed when it comes to important data.

Speaking of data, the Pentagon’s acquisition office issued a memorandum this summer that covers many data security measures, with a strong focus on CUI handling. CUI is Controlled Unclassified Information, a type of information that is either owned or created by the government and requires proper safeguarding (as well as other security controls, such as dissemination controls) in accordance with applicable policies and regulations. ITAR, NIST SP 800-171 and DFARS 252.204-7012 are on the list of policies that apply to CUI, alongside other laws and policies.

The umbrella of CUI covers specific types of information that are not classified on their own, yet are extremely sensitive, may be sought after by various adversaries and are valuable to the security of the nation as a whole. One of the main goals of CUI as a policy is to create a single standard for data marking that works across the entire Federal Government, replacing the variety of agency-specific markings such as SBU, LES, FOUO, etc.

As a standard, CUI offers over one hundred different data categories (125, to be specific) that are segregated into twenty groups. Here is the full list of these data groups:

  • Defense
  • Financial
  • Intelligence
  • Law Enforcement
  • Natural and Cultural Resources
  • Nuclear
  • Privacy
  • Proprietary Business Information
  • Statistical
  • Transportation
  • Critical Infrastructure
  • Export Control
  • Immigration
  • International Agreements
  • Legal
  • NATO-related (North Atlantic Treaty Organization)
  • Patent
  • Procurement and Acquisition
  • Provisional (DHS-specific group)
  • Tax

While we have already mentioned that failure to provide a proper security system in accordance with DFARS requirements results in an immediate contract termination for the contractor, the consequences of CUI loss on its own are far greater than that: potential harm to organizational assets, massive financial losses, harm to individuals, and many other serious scenarios.

The main purpose of Controlled Unclassified Information marking is to alert users who interact with a specific piece of data to the presence of CUI, as well as to any dissemination limitations. As such, proper CUI marking is a necessity for any organization that handles information that falls under the umbrella of Controlled Unclassified Information.


Additionally, CUI marking rules differ depending on whether the document that contains CUI is classified as a whole or not. Unclassified documents have to carry a “CUI” marking twice on each page of the document – at the top and at the bottom. Marking specific portions of a document as CUI is optional, but if at least one portion has been marked, all CUI portions in the entire document have to be marked. Each unclassified document also has to have a CUI designation indicator at the start of the document (cover or first page) that includes the DoD component name, applicable distribution controls, identification of the document’s creator and their office, and so on.

Classified documents, on the other hand, do not have to mark each page with “CUI”. What they have to have is a CUI designation indicator (in the same place as with unclassified documents), as well as a mandatory marking for the specific parts of the document that are considered CUI. Additionally, a warning about the presence of CUI in this DoD document needs to be placed at the bottom of the first page if the document has multiple pages.
