Who Is Responsible for Protecting CUI? A Complete Guide

By
Joyce C. Goldstein
-
0
59
who is responsible for protecting cui

Controlled Unclassified Information (CUI) is a category of unclassified information that must still be protected for personal privacy or federal security.

Information that falls under this category can be segregated into three categories: Personally Identifiable Information (social security number, date of birth, IP address), Law Enforcement Sensitive Information (investigation details, criminal intelligence reports), and Unclassified Controlled Technical Information (weapon manuals, test data for defense equipment).

Since CUI isn’t classified information (and therefore “easier” to access comparatively), strategic competitors and bad actors view it as low-hanging fruit. Failure to safeguard such information not only risks legal and contractual consequences but can also have real-world national security implications.

That said, have you ever wondered who is responsible for protecting CUI? This article answers this question as well as how CUI is protected and the difference between logical boundaries vs. physical boundaries.

Who Is Responsible for Protecting CUI? 

Controlled Unclassified Information (CUI) must be protected by any individual or organization that creates, processes, stores, or transmits it. Any person or organization that handles such information is automatically liable for any possible data leaks. Federal agencies, government contractors, and employees and personnel with access all fall under this category.

That said, the organization primarily responsible for protecting CUI is the National Archives and Records Administration (NARA), as stated in Title 32 of the Code of Federal Regulations, Part 2002 (32 CFR Part 2002). Specifically, the Information Security Oversight Office (ISOO) serves as the Executive Agent for the CUI Program.

naras isoo is the executor of protecting cui
NARA’s ISOO is the executor of protecting CUI

Image source: Google

The ISOO develops policies, issues guidance, and oversees the implementation of CUI across federal agencies. To put it simply, the ISOO sets the standard, and agencies are obligated to follow its regulations when handling CUI.

Agencies that fail to follow these regulations may face serious consequences, including financial losses, reputational harm, or felony sentences, depending on the severity of the violation.

Who Handles CUI? 

CUI often passes through multiple organizations to complete a task, meaning it may be stored, processed, or transmitted across different systems and teams. As such, tracking who’s accountable for safeguarding the information at each stage can become increasingly difficult.

To minimize the risk of breaches, any contract that handles CUI must include a Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 clause, which mandates compliance with the cybersecurity standards developed by the National Institute of Standards and Technology (NIST 800-171).

Under this clause, the organization is fully responsible for protecting CUI regardless of which team member performs the work.

It also falls to the organization to confirm that subcontractors hired (cybersecurity firms, lawyers, secure printing providers, research labs, etc.) meet the requirements for handling CUI.

If a subcontractor fails to follow the procedures and mishandles CUI, they and the organization that hired them can be held accountable.

all subcontractors should comply with cui processing procedures
All subcontractors should comply with CUI processing procedures

How Is CUI Protected? 

NIST 800-171 has 110 baseline controls for protecting CUI in nonfederal systems. These controls are grouped into 14 families. All 110 security controls must be implemented, with some requirements more critical than others.

You can find a detailed list of these requirements in a 114-page PDF report published by the National Institute of Standards and Technology.   Some such controls include:

  • Access Control (AC): Minimizes the risk of unauthorized access, data breaches, and insider threats
  • Awareness and Training (AT): Helps employees and personnel identify and respond to threats
  • Audit and Accountability (AA): Requires organizations to maintain audit logs to analyze, monitor, and report unauthorized activity
  • Identification and Authentication (IA): Requires organizations to have strong and unique passwords and verify the identities of users before granting access
  • Risk Assessment (RA): Regularly evaluates risks to assets, operations, and individuals who handle CUI

What Are Logical and Physical Boundaries, and Why Are They Important for Protecting CUI?

Boundaries refer to the barriers organizations put in place to control, isolate, and protect information systems and data. These boundaries fall into two main categories: logical boundaries and physical boundaries.

Logical Boundaries 

Logical boundaries are non-physical, software or system-based protections that define who can access data, and how. These boundaries ensure that only authorized users and devices can access CUI, even if connected to the same network. Examples of logical boundaries include:

facial recognition and firewall security measures belong to logical boundaries
Facial recognition and firewall security measures belong to logical boundaries
  • Authentication systems (multi-factor authentication, role-based access)
  • User access controls (who can log in, and what they can access)
  • Firewalls and intrusion detection systems
  • Passcodes/usernames and passwords
  • Virtual Private Networks (VPN) and HTTPS connections between the client and server to encrypt CIU

Physical Boundaries

As the name suggests, physical boundaries are tangible protections that prevent unauthorized people from physically accessing systems or data.

Unauthorized personnel can’t “hack” through a physical boundary by sending malware or other techniques that may be effective against logical boundaries. They would need to physically access a building or trick someone into letting them in to access the desired information.

Examples of physical boundaries include:

  • Locked doors and cabinets
  • Data center cages
  • Metal enclosures that protect network devices
  • Badge access systems
  • Conduits around critical cabling on the outside of buildings

What Are CUI Markings? 

CUI markings are labels or designations applied to documents, files, and emails to let the handler know that the content contains CUI and must be protected according to specified rules.

According to the Department of Defense, any and all unclassified documents must include the acronym “CUI” at the top and bottom of each page.

Additionally, a CUI designation indicator must be included on the first page or cover of any document containing CUI. This annotation typically consists of four lines:

  1. The name of the organization that controls the CUI
  2. The applicable CUI category
  3. Any relevant limited dissemination controls
  4. The contact information for the Designating Office or Point of Contact (POC)
example cui marked document
Example CUI-marked document

Image source: Google

For example:

  • Controlled by: DDI(CL&S)
  • CUI Category: NNPI
  • Limited Dissemination Control: NOFORN
  • POC: John Smith, 707-678-8236

DDI(CL&S)/IAP refers to the Deputy Director for Intelligence (Counterintelligence, Law & Security, while NNPI (Naval Nuclear Propulsion Information) refers to a specific type of CUI related to naval nuclear systems.

NOFORN means Not Releasable to Foreign Nationals, restricting access to U.S. citizens only (even if the individual has a clearance). You can find a full list of Limited Dissemination Controls and their markings on the official DoD PDF file.

Finally, “John Smith+ number” is the Point of Contact, or someone who can answer questions or clarify information about the CUI content

Who Is Responsible for CUI Markings? 

The responsibility to mark CUI falls to the originating agency or the contractor/organization that generates or receives the CUI under a government contract. This includes:

  • Employees and Contractors: Ensure that the information in the document is correctly marked and corrected. They’re trained to recognize CUI, understand safeguarding requirements, and apply the correct markings.
  • Program Managers and Supervisors: Ensure that their teams understand CUI requirements and adhere to proper CUI marking protocols.
  • CUI Designating Officials: Government officials who identify what needs to be marked as CUI.
  • CUI Program Managers and Coordinators: Oversees the implementation of CUI protocols within their respective organizations. They develop procedures, policies, and training programs to ensure the organization complies with CUI marking requirements.
  • Information Owners/Data Owners: Person or entity that decides what qualifies as CUI and who is allowed to access it. They make sure the information is marked and protected properly.

Featured image source: Google