We are often asked by our clients how they know what information is considered Controlled Unclassified Information (CUI) or Classified Defense Information (CDI) as described in NIST 800-171 and Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204.7012.
Understanding how information is stored, processed or transmitted within your company is essential because NIST 800-171 control 3.8.4 requires marking of media with appropriate CUI marking and distribution limitations. Additionally, the National Archives and Records Administration (NARA) published the final rule regarding regulations on CUI in September 2016, which becomes effective Nov. 14, 2016.
Established by Executive Order 13556, NARA’s CUI program standardizes the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations and government-wide policies.
The NARA action identifies the approved categories and subcategories of CUI and establishes a registry that’s the official online repository for information, guidance, policy and requirements for federal agencies to follow. The NARA program is applicable to federal and defense contractors through contract and agreement provisions related to CUI, and to properly implement it, contractors must familiarize themselves with the distinction between “Basic” and “Specified” CUI information for marking and handling information. The onus is on contractors to handle CUI in compliance with the NARA rules and the CUI Registry.
Even with the finalized rule, our advice to contractors is the same: review contracts and agreements relating to CUI handling requirements and evaluate the CUI they are handling in the course of executing existing contracts. Remember, agencies may have additional specific requirements for data handling.
If you don’t know what is considered CUI, ask! Once you know what information you are required to protect and to what extent, your company is equipped to develop or revise existing internal controls to ensure compliance with the NARA rule.