Introduction
Today, we’re going to talk about controlled unclassified information. Controlled unclassified information (CUI) is a United States data category for information that is not classified but is still sensitive to the government. It does not rise to the classified level, but it still needs safeguarding. Organizations like DornaWorks and others can take several important steps to protect this data.
If you work for the government or interact with it at all, you need to be aware of these requirements. Today, we’re going to discuss that and the safeguards we can put in place at DornaWorks. If you’re interested in reaching out to or using DornaWorks to safeguard your CUI data, fantastic.
Identifying CUI Data
How does a company identify CUI data?
That’s a great question. CUI data comes in various formats. One of the things we’ve done is work on a data flow diagram.
Where does that CUI data come into the network?
Is it primarily through email, a customer share, or mail? Identifying where that data comes into the network and then how to control it from there is crucial. We’ll talk about that too.
Standards for Protecting CUI Data
What are some of the standards being released to protect this data?
That’s a great question too. The government is in the process of releasing some final clarifications and rulings. Their rulemaking process takes a while, and there’s been some back and forth. We started with the NIST 800-171 standard, which is the foundation of CUI protection. NIST 800-171 itself derives from the NIST 800-53 standard. We’re now working with a model called the Cybersecurity Maturity Model Certification (CMMC). In 2020, we had CMMC, which then evolved into CMMC 2.0.
There are three levels in CMMC 2.0:
- Level 1: This level is not necessarily for CUI data but requires basic controls like authentication and password complexity for those working with the government.
- Level 2: This level involves CUI data and builds off the NIST 800-171 with 110 requirements, which we will discuss today.
- Level 3: This level includes more advanced security data classification, which we don’t handle at DornaWorks. It requires third-party verification every three years to ensure compliance with NIST 800-171 standards. This is crucial because it means a third party verifies your compliance before the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) conducts assessments. Now, anyone handling CUI data needs to undergo an assessment if they fall under the Level 2 standard.
Risks of Mishandling CUI Data
What are some of the risks of mishandling CUI data?
The risks could include prison time. There have been several cases highlighting the importance of this. Recently, some mishandling of CUI data resulted in prison sentences or heavy fines. Other risks include legal action, loss of organizational reputation, and threats to national security.
Controlling classified information is vital as it holds value for the government from a privacy or national security perspective. Ensuring the safety of this information is crucial.
NIST 800-171 provides an excellent standard with controls like two-factor authentication, password complexity, access control to buildings, and a checklist for new and departing employees to ensure separation of duties. At DornaWorks, we see this government standard as an opportunity to enhance our security maturity.
Author Profile
- Hi, I'm John, the creator of "I Hate CBTs." With a background in Computers, I've experienced the highs and lows of Computer-Based Training (CBTs). This platform explores the challenges of CBTs and encourages diverse learning discussions.