Managing Controlled Unclassified Information (CUI) – Part Two of a Three Part Series

In my first blog on Controlled Unclassified Information (CUI), I discussed ways in which your organization could get started with the Defense Federal Acquisition Regulation Supplements (DFARS) compliance activities around CUI and the deadline of December 31, 2017.  Hopefully, everyone reading this part two of the three-part series has created the policies required to identify, classify, handle and control your CUI.  Building upon part one, we will move into managing your CUI throughout your environment.

Is DLP a solution?

Managing controlled unclassified information (CUI) in your environment can be done with existing infrastructure in most cases though this is a lot more cumbersome and time consuming.  Current data loss prevention (DLP) tools utilize pattern matching techniques in rules to either allow or block information from leaving an organization. To manage the data flow of CUI information, you must have the ability to recognize the data as CUI.  In part one of this series, we discussed identifying your information, specifically CUI, through the use of a policy.

Assuming your policy provides the user creating or receiving CUI with the organization’s guidelines for the proper marking of CUI, the user should be able to apply the appropriate CUI banner marking per the National Archives and Records Administration’s (NARA) CUI Mark Handbook instructions.  Once the CUI banner is applied in the header, the DLP can be configured to look for the various patterns of categories and sub-categories.  The DLP policies would then be able to control the flow of your CUI within your environment and to the edge of the perimeter.

Use Data Classification to identify your CUI

There are other ways to manage your CUI which can help automate the manual process and make your employees more productive.  By leveraging your end users understanding of the data, and applications such as Microsoft’s Azure Information Protection (formerly Secure Islands), TITUS Classification Suite, or Bolden James, visual markings can be added for CUI in the headers and footers of emails, documents and spreadsheets.  In addition, these applications can add metadata fields to your documents and emails, which can assist a DLP in identifying your sensitive information faster, with fewer false positives and fewer rules.

All three of the applications also have integration with digital rights management like the RMS offering from Microsoft. The policies within the data classification tools make a call out to the RMS and apply the policy associated based upon the classification selected, as an example.  The classification tools can also call various encryption applications when sending emails containing sensitive information outside the organization.

Organizations should also consider a cloud access security broker (CASB) application today to manage the information created or flowing in and out of cloud applications.  Your perimeter DLP may not have all of the visibility needed to properly manage your cloud.  In addition, your users may have access to cloud apps which are not sanctioned by the organization, which could pose an exploitable avenue for the loss of sensitive information.

By identifying, classifying, and controlling your sensitive information, including CUI, the organization will have gone a long way in fulfilling the spirit and intent of meeting the compliance requirements for identifying, protecting and controlling controlled unclassified information created, obtained, or received.

Up Next

For part three of this series, we will be discussing some of the obstacles and lessons learned while implementing a CUI program in various organizations.  Stay tuned…

To download the CUI Marking Handbook.

More on Controlled Unclassified Information from Sienna Group

Wayne Selk, CISSP VP of Professional Services