
CUI Protection

How Can You Protect Sensitive Unclassified Information?

The term “CUI” refers to Controlled Unclassified Information. CUI is information that is designated by law, regulation, or government-wide policy to require safeguarding and dissemination controls. As such, CUI protection methodologies cover digital and physical locations and assets. CUI is protected by establishing boundaries around the networks, devices, locations, media, and people that hold it, and by preventing CUI from being removed from inside those boundaries without authorization.

The strategies below are essential for protecting Controlled Unclassified Information (CUI), securing sensitive data effectively, and meeting CMMC compliance requirements.

There are two types of boundaries—logical and physical.

1. Physical boundaries include:

  • Locked cabinets
  • Metal enclosures that protect network devices
  • Conduits around critical cabling on a building’s exterior
  • Unplugging a network cable that runs between buildings

2. Logical boundaries include:

  • Firewalls
  • Wi-Fi networks 
  • Cloud gateways 
  • Credentials for system login 
  • Virtual private networks (VPN) 
  • HTTPS connections

There are four main government policies that focus on CUI protection. 

1. Executive Order 13556 “Controlled Unclassified Information” 

2. 32 CFR Part 2002 “Controlled Unclassified Information”: Part 2002 established the CUI Program 

3. DoD Instruction 5200.48 “Controlled Unclassified Information” 

4. NIST Special Publication (SP) 800-171 Rev. 2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”

Why Do We Need CUI Protection?

CUI protection is necessary because the unintentional or malicious release of sensitive data could represent a threat to national security. In addition, CUI that resides in nonfederal systems and organizations may directly impact the ability of the federal government to successfully conduct its assigned missions and business operations, including those related to critical infrastructure.

Five Myths About Storing and Protecting CUI

Based on its significance to U.S. national security, several myths exist about CUI and how it should be managed:

Myth 1

Any enterprise that handles CUI must ensure that the entire organization is CMMC 2.0 Level 2 compliant.

In some cases, it makes sense for an enterprise to secure the entire organizational infrastructure to protect CUI. However, CMMC only requires that all organizational CUI be protected, meaning that the entire enterprise environment does not necessarily need to be held to the CMMC requirements if defense-related data can be separated and protected. CMMC Level 2 compliance is often sufficient to protect CUI and Federal Contract Information (FCI) at most organizations. This is traditionally accomplished by creating a specialized secure data enclave for defense-related data.

Myth 2

CMMC dictates the types of storage security solutions that Defense Industrial Base (DIB) contractors must use for CUI protection.

CMMC does not prescribe specific storage solutions that DIB contractors must use. It simply sets forth the security compliance framework for CUI protection within a DIB contractor’s ecosystem.

Myth 3

Any cloud service provider (CSP) can manage your company’s CUI.  

If a CSP is used to store, process, or transmit CUI, the DIB contractor must ensure that the CSP meets the necessary FedRAMP security requirements.

The CSP must also have the requisite processes in place for “cyber incident reporting, malicious software, media preservation and protection, access to additional information and equipment necessary for forensic analysis, and cyber incident damage assessment.”

Myth 4

In the event that a DoD user sends CUI to a DIB contractor via an unencrypted email, it is automatically considered a data breach.

Sending CUI to a DIB contractor via a single unencrypted email may not be viewed as a data breach. It is generally treated as a security incident (depending on the sensitivity of the data that was shared) and should not impact the DIB contractor’s continued ability to bid on DoD contracts. However, it is strongly recommended that proper training and IT security measures be put into place for DoD users and DIB contractors to prevent such incidents from recurring.

Myth 5

Because of issues with improper or lack of CUI marking on documents, DIB contractors must assume that all content is potentially CUI.

If a DIB contractor receives content that they believe is CUI but that may be mislabeled or unlabeled, they should contact the DoD sender and have the sender apply the correct CUI markings or provide additional guidance.

How to Protect Confidentiality of CUI

The methods used to protect CUI are driven by how it is stored and its state. 

The two ways that CUI can be stored are:

1. Non-digital media—e.g., paper and microfilm

2. Digital media—e.g., CDs, DVDs, magnetic tapes, external or removable hard disk drives, flash drives, or data saved on systems and servers (on-premises and cloud)

CUI protection on non-digital media is performed by using physical security controls. When CUI is stored on non-digital media, it should be held in a controlled environment with strict limitations on access. Only people with authorization should be able to access, observe, or even overhear CUI. To maximize CUI protection, it should be stored in locked rooms, cases, or cabinets.

CUI protection for digital media should leverage encryption. When digital media is moved outside of a controlled environment, it needs to be encrypted, as per CMMC’s Media Protection guidelines and NIST SP 800-171 3.8.6, which states, “Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards.” The specific controls vary depending on whether the data is at rest or in transit.

Digital data at rest is information that is not moving through the network. This usually means it is stored on hard drives, removable media, and mobile devices. In addition to encryption and physical security systems, other CUI protection tactics can be employed for data at rest. These include:

  • Data loss prevention (DLP) technology
  • Firewalls
  • Intrusion detection and intrusion prevention systems (IDS and IPS)
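The DLP item above is the one control in this list that can be shown in a few lines of logic. The following is an added example, not code from this page or from Egnyte: a minimal outbound-content check that looks for CUI banner markings, refuses to let marked content leave the logical boundary to an unauthorized recipient or over an unencrypted channel, and routes unmarked content that merely mentions CUI for review (the Myth 5 case, where the sender should be asked to confirm the marking). The banner format (a line reading “CUI” or “CONTROLLED”, optionally followed by “//” and a category such as SP-CTI), the sample messages, and the domain names are all constructed assumptions for this illustration.

```python
import re
from dataclasses import dataclass, field

# Assumed banner-marking format for this example: a line consisting of "CUI" or
# "CONTROLLED", optionally followed by "//" and a category/dissemination string.
BANNER_RE = re.compile(r"^\s*(?:CUI|CONTROLLED)(?:\s*//[^\n]*)?\s*$", re.MULTILINE)
# Weaker signal: the token "CUI" anywhere in running text without a banner line.
MENTION_RE = re.compile(r"\bCUI\b")

# Constructed sample messages (no real CUI). "SP-CTI" is used purely as an
# illustrative category string.
SAMPLES = {
    "marked": "CUI//SP-CTI\n\nAttached are the test results for deliverable 3.\n\nCUI//SP-CTI\n",
    "unmarked_mention": "Per our call, the CUI drawings are attached.",
    "benign": "Lunch is at noon on Thursday.",
}


@dataclass
class DlpDecision:
    action: str                 # "allow", "review" or "block"
    reason: str
    markings: list = field(default_factory=list)


def find_markings(text: str) -> list:
    """Return every banner-marking line found in the text, whitespace stripped."""
    return [m.group(0).strip() for m in BANNER_RE.finditer(text)]


def classify_outbound(text: str, recipient_domain: str,
                      authorized_domains: list, channel_encrypted: bool) -> DlpDecision:
    """Decide whether a message may leave the boundary.

    authorized_domains: recipient domains that are inside the CUI boundary
    (hypothetical allow-list maintained by the organization).
    channel_encrypted: whether the transport (e.g. TLS-protected mail) is encrypted.
    """
    markings = find_markings(text)
    if not markings:
        if MENTION_RE.search(text):
            return DlpDecision("review",
                               "mentions CUI but carries no banner marking; confirm marking with sender")
        return DlpDecision("allow", "no CUI indicators found")

    allowed = {d.lower() for d in authorized_domains}
    if recipient_domain.lower() not in allowed:
        return DlpDecision("block",
                           f"marked CUI addressed to unauthorized domain {recipient_domain}", markings)
    if not channel_encrypted:
        return DlpDecision("block",
                           "marked CUI would leave the boundary over an unencrypted channel", markings)
    return DlpDecision("allow",
                       "marked CUI to an authorized recipient over an encrypted channel", markings)


def run_demo() -> dict:
    """Evaluate the constructed samples against a hypothetical allow-list."""
    authorized = ["contractor.example"]
    return {
        "marked_ok": classify_outbound(SAMPLES["marked"], "contractor.example", authorized, True),
        "marked_plaintext": classify_outbound(SAMPLES["marked"], "contractor.example", authorized, False),
        "marked_outsider": classify_outbound(SAMPLES["marked"], "webmail.example", authorized, True),
        "unmarked": classify_outbound(SAMPLES["unmarked_mention"], "contractor.example", authorized, True),
        "benign": classify_outbound(SAMPLES["benign"], "webmail.example", authorized, False),
    }


if __name__ == "__main__":
    for name, decision in run_demo().items():
        print(f"{name:17} {decision.action:6} {decision.reason}")
```

A real DLP deployment would match on far more than banner lines (document metadata, fingerprints, content classifiers), but the decision structure is the same: identify the indicator, then enforce the boundary rules for recipient and channel before the data leaves.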

CUI protection for data in transit, that is, data being transmitted over computer networks, requires another set of tools. Common examples of data in transit are sending an email that contains CUI, sharing a digital document that contains CUI over a network, or entering CUI into a form on a website. CUI protection methods for data in transit are primarily based on current encryption standards.

CUI protection must also be considered for verbal communications. Talking with another person on the phone or in person can result in inadvertent CUI sharing with unauthorized parties. To protect the confidentiality of CUI, discussions involving CUI should take place in controlled areas with voice encryption in place for calls.

Why CUI Protection Is Important

When summarizing the importance of CUI protection, the United States Defense Counterintelligence and Security Agency says it best: “Because there are fewer controls over CUI as compared to classified information, CUI is the path of least resistance for adversaries. Loss of aggregated CUI is one of the most significant risks to national security, directly affecting the lethality of our warfighters.” Source

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 22,000+ customers with millions of users worldwide.

Last Updated: 5th November, 2024
