I must apologize for this final CUI segment taking so long. Every time I thought I was ready to publish, something new to talk about popped up. Initially, I was going to talk about the importance of communicating CUI to the organization and the potential pitfalls of a data classification policy in a company that never had one before. But then we started running into pushback from other companies and, *shock*, government agencies, on issues ranging from legacy banners to encrypting CUI. So I asked myself, “Did the government make the right decision?”
A Little Background
The Executive Order required the private sector to implement SP800-171, Protecting Controlled Unclassified Information in Non-Federal Information Systems and Organizations, by December 31, 2017, while the federal agencies have until the end of 2018. One might surmise it is “easier and faster” for the private sector to implement the controls and markings than for the federal agencies, and I would agree. However, the private entities who are on the ball then typically end up in a “disagreement” not only with other private entities, but with the federal agencies that are not fully aware of what the Executive Order and 800-171 imposed on the private sector.
The CUI Confusion
Let me explain the two examples from above. Regarding the “mixed” banner, the CUI Marking Handbook from the National Archives and Records Administration (NARA) as well as the CUI Categories no longer contain “For Official Use Only” or FOUO. That marking has been replaced with “CONTROLLED” or “CUI,” depending on the agency. Yet one customer of ours received instructions from another private entity to mark documents as “CUI//For Official Use Only,” citing a contract containing that language.
In the other example, a government agency refused an encrypted email message containing CUI, preferring instead that the customer send it in “plain text.” Yet SP800-171, 3.13.8 (SC-8 & SC-8(1)) specifically calls for cryptography, or alternative physical safeguards, to protect CUI in transmission. In both cases the communication process broke down. Whether the cause was a misunderstanding of the new process or a misinterpretation of the guidance, there simply was not enough communication from NARA to the private sector and the federal agencies.
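Both breakdowns above are the kind of thing an outbound mail gateway can catch before a message leaves the organization. The Python script below is an added example, not code from the original post or from NARA: it looks for a CUI/CONTROLLED banner in the Subject or the first body line, flags the retired “For Official Use Only”/FOUO wording, and refuses to release a marked message that is not encrypted, which is the 3.13.8 (SC-8) requirement the agency in the story was asking the customer to bypass. The sample messages are constructed, the banner detection assumes the handbook’s general “CUI” or “CONTROLLED” lead-in with optional “//” qualifiers, and the content types used to recognise an encrypted body (S/MIME EnvelopedData and OpenPGP/MIME) are the standard MIME types for those formats.

```python
import re
from email import message_from_string, policy

# Legacy wording that NARA's CUI Marking Handbook retired in favour of CUI / CONTROLLED.
LEGACY_TERMS = ("FOR OFFICIAL USE ONLY", "FOUO")

# Top-level content types that mean the message body itself is encrypted (not merely signed).
ENCRYPTED_CONTENT_TYPES = {
    "application/pkcs7-mime",  # S/MIME EnvelopedData (smime-type=enveloped-data)
    "multipart/encrypted",     # OpenPGP/MIME (RFC 3156)
}

# A banner line starts with CUI or CONTROLLED; anything after it ("//" qualifiers,
# or free text in a Subject line) is kept so it can be checked for legacy terms.
BANNER_RE = re.compile(r"^\s*((?:CUI|CONTROLLED)\b.*)$", re.IGNORECASE)


def banner_problems(banner: str) -> list:
    """Return the problems found in one banner string; an empty list means it looks valid."""
    upper = banner.strip().upper()
    problems = []
    if not re.match(r"(CUI|CONTROLLED)\b", upper):
        problems.append("banner must begin with CUI or CONTROLLED")
    for term in LEGACY_TERMS:
        if term in upper:
            problems.append(f"legacy marking '{term}' is not a CUI category; use CUI or CONTROLLED")
    return problems


def find_banner(msg) -> str:
    """Return the banner found in the Subject or on the first non-blank body line, or ''."""
    candidates = [str(msg.get("Subject", ""))]
    body = msg.get_body(preferencelist=("plain",))  # None when the body is encrypted
    if body is not None:
        first_line = next((ln for ln in body.get_content().splitlines() if ln.strip()), "")
        candidates.append(first_line)
    for text in candidates:
        match = BANNER_RE.match(text)
        if match:
            return match.group(1).strip()
    return ""


def evaluate_outbound(raw_message: str) -> dict:
    """Gateway decision for one RFC 5322 message: ALLOW, WARN (marking defects) or BLOCK."""
    msg = message_from_string(raw_message, policy=policy.default)
    encrypted = msg.get_content_type() in ENCRYPTED_CONTENT_TYPES
    banner = find_banner(msg)
    reasons = banner_problems(banner) if banner else []
    if banner and not encrypted:
        # SP 800-171 3.13.8 / SC-8: CUI in transit needs cryptographic protection
        # (or a physical safeguard, which e-mail to another organisation cannot provide).
        reasons.append("CUI present but message is not encrypted (SP 800-171 3.13.8)")
        action = "BLOCK"
    elif reasons:
        action = "WARN"
    else:
        action = "ALLOW"
    return {"action": action, "reasons": reasons, "banner": banner, "encrypted": encrypted}


# Constructed sample messages for the three situations in the post (not real traffic).
LEGACY_PLAINTEXT = """\
From: alice@contractor.example
To: contracting@agency.example
Subject: CUI//For Official Use Only - delivery schedule
Content-Type: text/plain; charset="utf-8"

CUI//For Official Use Only
The revised delivery schedule is attached.
"""

ENCRYPTED_CUI = """\
From: alice@contractor.example
To: contracting@agency.example
Subject: CUI - delivery schedule
Content-Type: application/pkcs7-mime; smime-type=enveloped-data; name="smime.p7m"
Content-Transfer-Encoding: base64

UExBQ0VIT0xERVIgQ0lQSEVSVEVYVA==
"""

NO_CUI = """\
From: alice@contractor.example
To: bob@contractor.example
Subject: Lunch on Friday
Content-Type: text/plain; charset="utf-8"

Pizza or sandwiches?
"""

if __name__ == "__main__":
    for name, raw in (("legacy, plaintext", LEGACY_PLAINTEXT),
                      ("encrypted CUI", ENCRYPTED_CUI),
                      ("no CUI", NO_CUI)):
        verdict = evaluate_outbound(raw)
        print(f"{name:18} -> {verdict['action']:5} {verdict['reasons']}")
```

The split between WARN and BLOCK is deliberate: a stale banner is a marking defect the sender can fix, whereas an unencrypted message carrying CUI violates a transmission control regardless of what the recipient asked for, so the gateway stops it and the sender has the 3.13.8 citation to hand back to the agency.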
Communication, Communication, Communication
The biggest lesson learned is that there needs to be communication, followed by more communication. Did the government make the right decision in letting the private sector go first? I think so. They did publish very clear guidance and direction. Unfortunately, not everyone interpreted the information the same way, and others appear to have forgotten some of the security controls around this type of information. I am predicting even more confusion once the agencies come on board later this year.