Ooey Cooey

32 CFR says that authorized holders must take reasonable precautions to guard against unauthorized disclosure of CUI. They must include the following measures among the reasonable precautions: (1) Establish controlled environments in which to protect CUI from unauthorized access or disclosure and make use of those controlled environments. (2) Reasonably ensure that unauthorized individuals cannot access or observe CUI, or overhear conversations discussing CUI; (3) Keep CUI under the authorized holder's direct control or protect it with at least one physical barrier, and reasonably ensure that the authorized holder or the physical barrier protects the CUI from unauthorized access or observation when outside a controlled environment; and (4) Protect the confidentiality of CUI that agencies or authorized holders process, store, or transmit on Federal information systems in accordance with the applicable security requirements and controls established in FIPS PUB 199, FIPS PUB 200, and NIST SP 800-53.

Have you ever wondered where NIST 800-171 came from or why it was written?  In August 2020 I had the opportunity to interview a representative from the Information Security Oversight Office (ISOO) on my YouTube channel DIB Tech Talk (https://www.youtube.com/c/DIBTechTalk [https://www.youtube.com/c/DIBTechTalk]).  This interview goes into the origins of NIST 800-171 with someone who was there when it happened. He walks us through some of the thinking behind the CUI program and why it's important.

At minimum, CUI markings for unclassified DoD documents will include the acronym “CUI” in the banner and footer of the document. If portion markings are selected, then all document subjects and titles, as well as individual sections, parts, paragraphs, or similar portions of a CUI document known to contain CUI, will be portion marked with “(CUI).” Use of the unclassified marking “(U)” as a portion marking for unclassified information within CUI documents or materials is required.

The authorized holder of a document or material is responsible for determining, at the time of creation, whether information in a document or material falls into a CUI category. If so, the authorized holder is responsible for applying CUI markings and dissemination instructions accordingly. But how? Tune in to find out.

Established by Executive Order 13556 in 2010, the Controlled Unclassified Information (CUI) program standardizes the way the entire Executive branch handles unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies.  The Department of Defense (DOD) is an agency within the Executive branch of the U.S. government. But what is CUI?  Tune in to find out!