
Special Data Dissemination Standard

From Wikipedia, the free encyclopedia

Special Data Dissemination Standard (SDDS) is an International Monetary Fund standard to guide member countries in the dissemination of national statistics to the public.

It was established in April 1996.

YouTube Encyclopedic

  • ISOO - CUI Briefing - January 27, 2017
  • Disproportionality 101: Equity in IDEA: Contents of the Final Rule - 2017
  • Methods for a Qualitative Systematic Review

Transcription

>> Patrick Viscuso: Good morning everyone. My name is Dr. Patrick Viscuso. I'm one of the associate directors at the Information Security Oversight Office. Our office exercises Controlled Unclassified Information Executive Agent responsibilities for the Executive branch. We are very excited to have you here today to hear about the CUI Program. The CUI Program is a significant reform, a security and regulatory reform for the Executive branch. It will have a large effect not only in the Executive branch but for our non-federal stakeholders. Today's briefing will be presented by one of our leads for oversight and implementation, Devin Casey. I also want to acknowledge our other lead, Mark Riddle, who is in the audience. Devin will be presenting an overview of the entire program and will be open for questions at the conclusion of his presentation. So without further ado, I'd like to introduce Devin Casey. (Applause.)

>> Devin Casey: Oh, don't applaud till the end. Let's see if you like the program first. So as Pat said, I'm Devin Casey. I work in the oversight and implementation branch for ISOO on the CUI Program. We also do a lot of outreach, so I like to think of it as our third name: Oversight, Implementation, and Outreach. Today we are going to go over a briefing of the CUI or Controlled Unclassified Information Program. It's an information security reform for the United States Government that addresses how the government protects and controls unclassified information. We'll start off with a little overview of what the current practices are and why we need a reform, how the reform addresses the issues of current practice, our implementing directive, the 32 CFR part 2002, which defines safeguarding for controlled unclassified information for the government; we'll also go over our approach to the contractor environment, some technical standards, and phased implementation, or the order and timeline that agencies should use to implement this CUI Program. 
It's not a light switch program. It will be implemented over the course of a few years, and then in the second half of the briefing we will dive into safeguarding requirements in the 32 CFR 2002, our implementing directive, like what we mean by destruction and electronic safeguarding, down to the nitty-gritty of the program, and we'll end on some next steps - what we're doing and what we expect from you moving forward. So the government already protects unclassified information. The issue wasn't that it protects, it was the effectiveness of the protection and the disparate programs it used to protect it. So we have an existing body of laws, regulations and government-wide policies that require agencies to protect information, but they weren't too specific on how. So every agency exercised their authority to define "protect" at their agency. Of course some agencies define protect differently than others. The intelligence community agencies and the law enforcement agencies have a different view of the word protect than the non-Title 50 or civilian agencies do. So as a result of that we ended up with a patchwork of information security protection programs, and you've probably seen one of the key indicators of that problem - the FOUOs, SBUs, SSIs, IOUs, OUOs, CSIs and all of the other TLAs, which is a three-letter acronym, which is an acronym that refers to other three-letter acronyms and is itself a three-letter acronym. So as you can see the government loves its alphabet soup, but the CUI Program is here to help address that. So one of the big issues that we currently face was not only just a mess of these acronyms that were telling employees to protect, but that they were agency-specific, so when you shared that information with another agency or your non-federal environment, they didn't know what they were receiving. 
So it was marked as SSI at your agency, but you shared it with the Department of Agriculture; their SSI program might be different, or there might not even be a program there - so they didn't know what to do with the received material. Also, when the information was shared under, let's say, DOD's FOUO program. DOD has policies and regulations, sanctions for failure to comply with their FOUO Program, but normally those failed to be reflected in information security sharing agreements with other agencies. So if they shared this information, which most of these agencies do, the recipient might receive FOUO information but might accidentally publicly release it or store it improperly, but there was no good way to punish them, because it was always hard to prove, one, that there was an ISA on the books and two, that the employee was trained to the existing ISA. It was hard to find and then prove training to, and if anyone ever tried to punish an employee for improperly sharing either classified or unclassified information, identifying that they (the employee) knew what they were supposed to do and signed on that they knew how to protect is one of the first steps to punishing them for not protecting. So a very important part of the CUI program was to set up a baseline for how to protect information that would bridge those gaps. Another one of the large issues that we currently faced: not only were we not protecting information well and sharing it with the wrong people, we were over-protecting a lot of information and not sharing it with the right people. Because each agency had their own program, in order to share information they wanted to make sure that the receiving agency met all of their requirements and met them in the same way they did. So it was a huge impediment to sharing. In fact the CUI program was started after a Bush memorandum that was written as a result of an analysis on the causes of 9/11. 
One of the causes of that (9/11) was not just the sharing of classified material to the appropriate agencies but the roadblocks in the way of sharing unclassified information between agencies; there were massive time delays and information sharing agreement issues with sharing that unclassified information that could have helped develop a better picture in the intelligence community. As a result of that analysis, that memorandum, and some whitepapers, the CUI program was born. It is an information security reform, based off of current practices; it protects information that was already required to be protected - what it does is standardize and set out a baseline, a framework, that agencies can use to apply security requirements to their information and feel safe in sharing in that CUI environment, to put the emphasis on sharing to authorized users and protecting from unauthorized users. So it is meant to address both of those concerns that we saw in the existing program for information security. The main goals for CUI are that it is standardized, shared, and of course unfunded - I am joking there, I usually get a laugh, come on, we all get unfunded mandates. There is a reason CUI is inherently unfunded: CUI is a security reform, all of your agencies are already spending money to protect this information, what we are here for is to make sure you are spending the money well and that it is focusing on the correct information, and that we provide a framework that reduces overhead in information sharing agreements both in the agency environment and the non-federal environment. So by providing that framework we can cut down on a lot of that redundant work that is done every time information is shared and rather rely on a current and existing practice, as established by the CUI program, to help that information be shared where it is supposed to be, while understanding that it won't be shared with who it is not supposed to be. 
The 32 CFR 2002, our implementing directive, is really the key part of the CUI program. It tells the executive branch the scope of the CUI program, what to protect, and how to protect it. It was effective November 14, 2016, and it began the phased implementation timeline that we will be talking about shortly. It is an entire information security program and it brings all those roles and responsibilities back under one office. Every agency has a chief information officer, a physical security officer, privacy lawyers, oversight lawyers and all the different offices that help come together to create an information security program. But over the past few years we have seen those offices focus on their own lane, and they rarely come together to create a whole picture of information security. The 32 CFR part 2002 brings all those responsibilities for information security back under one roof. It doesn't require a reorganization of your agency, but it does require much better teamwork between those disparate offices, to make sure the whole picture is always looked at, from physical security and destruction, to the information security side, to the legal side of deciding what is and is not CUI and the interpretation of existing laws, regulations, and government-wide policies. It is a very important cultural shift in that sense. That is why I come back to it being unfunded. Because departments already exist at your agency, they are already working on these programs; what we are doing is trying to get them to work together and to work more efficiently. It is a redirection of existing funds. So I said the 32 CFR part 2002 outlines the scope of the program, and it does, because it references the CUI registry, which is the scope. For the first time in the government, as the executive branch, we decided to define what we mean by controlled unclassified information: what should we protect, and why should we protect it. 
And that is - information that requires protection as the result of a Law, Regulation, or Government-Wide Policy (LRGWP). That was the task we were given, to find out what is required for protection. So there were two ways to go about that; one was to try and read every existing LRGWP, which the last time the Harvard Law Journal tried to figure out how many there were, they gave up after one million. So we did not take that approach; we took the approach that most other agencies do, given a near unsolvable question by OMB: we did a data call to other agencies and asked them "What do you currently protect and why?" We asked the stakeholders "what are you protecting and why are you protecting it?" and please send your submission back to ISOO. We received over 2200 submissions, and as a result made a lot of lawyers very happy for a short period of time as they got to pore over all of them. We de-conflicted, bounced them off of each other, we looked at them to make sure that they were in fact requirements for information to be protected, and we created the CUI Registry. It is a tool, a database, a taxonomy of the CUI program. It is a listing of all the existing LRGWPs that require information to be protected. It, in and of itself, was a huge task and a huge accomplishment for the government. There was no one-stop shop for this before, and there now exists this listing online, the live database that anyone can access (it has actually been online for a few years now). It sorted those 2200 different submissions for information protection and types of information into 23 categories of its taxonomy. It allows for proper marking and it links directly to the LRGWP or citations that support that category. So you can actually get straight from our category names like "Privacy" to the A-130 and other supporting documents for privacy law. Again, it was the first lift and is the scope of the CUI program. 
For those of you with a classified background, you probably know about security classification guides; this is about as close as we get in the CUI world to that. It tells you what can be controlled. It does not have OCAs, it is not the classified program, it is very different, but it is similar in that sense, as it says - this/these are CUI. Again, it is a living document; it is based off of LRGWPs, and new ones pass or change or are rescinded all the time, so it does get updated. It is fueled by information from our office proactively looking for new laws that affect information, as well as primarily by agencies letting us know when a new information type that their agency handles has a new law or change about its law, so that we can update the CUI Registry. It does change, it does grow, it is not a static database, which is one of the reasons why it is live. It (CUI Registry) is also live because it addressed an important question. It addressed a question the public had: "what does the government protect and why?" Those answers were different at every agency; now they actually have a way that they can answer that question. They can know they protect it, and not just because they wanted to in this particular instance but because there is a law, regulation or government-wide policy telling them to do so. Another document that came out of our office, or rather out of NIST's office with joint work from our office, was the NIST SP 800-171. So, CUI has the requirement, for the technical environment, for the moderate confidentiality impact value, and one of the important parts of CUI is that it is shared, and it is shared not only with executive branch agencies but also with non-federal entities. It spends a lot of its time on federal information systems but some of its time on non-federal information systems. 
To answer a question, almost before it was asked, we jointly published with NIST this SP 800-171, which defines the security requirements to meet what is akin to the moderate confidentiality impact value in a non-federal environment. It takes its policy direction from the 800-53, FIPS 199 and 200; it looks at those lists of security controls and creates security requirements, which the contractor environment must follow in order to raise their systems to that level. So for some systems we are concerned about the confidentiality, integrity, and availability; those are our federal systems, the systems operated on behalf of the federal government, where we are concerned about all aspects of that system. Those still have to meet all of the requirements the government imposes, from the FIPS 199, 200, 800-53; it is a federal information system, just operated by a contractor. But there are also those systems that contractors use that are not federal information systems, that are not operated on behalf of [the government], but still process CUI. And that is where the 800-171 would apply. We are not concerned about integrity and availability so much, and only in the ways that they affect confidentiality. That is where the 800-171 outlines how to bring a non-federal information system up to that level; it weeds out the uniquely government controls, like COOP and COG requirements that we would require of our systems that we would not require of another's system, and focuses on the confidentiality of the information. Now, some integrity controls are still included because they are necessary for the confidentiality, but only those that are so tied to confidentiality. If the government is concerned about the integrity and availability, then really what they are purchasing is the system itself, in which case it should be a federal information system. 
So it [NIST SP 800-171] addresses a gap that had long been either ignored or treated very disparately by different agencies; some required the system to meet all the federal information system requirements and others didn't really address it. So that is where the 800-171 comes in and fills in that lack of standardization. The 800-171 is required for use by the 32 CFR part 2002, and it should be used as agencies begin to implement the CUI program to communicate standards to the non-federal environment. Our agency, at ISOO and CUI, still has a lot of work to do on CUI; it is your new program, but it is our new program too. We have products that we are working on, like training (which I will talk about shortly), but one of our biggest projects over the next year is to establish a new FAR and supporting clauses to address the contracting environment and how to communicate the requirements of the CUI program in a standardized fashion to industry. By doing this we will be able to take advantage of - when industries meet the CUI program - we can take advantage of that reciprocity. As they meet the CUI program for DHS they will meet the CUI program for DOD and all the other agencies because of that standardized baseline. We want to make sure we communicate that properly through our FAR; we will be addressing issues such as: oversight of CUI in the non-federal environment, liability, subcontracting, timelines, reporting - and of course all of the information security requirements in the 32 CFR part 2002. So it is a large task, it is a task that we are excited to be taking here at our office. We do ask for help from both industry and agencies; we are going to lean on your experiences and your knowledge to help develop this FAR. 
Of course you will be coordinated with through the regular FAR process and comments, but if you would like to offer thoughts, assistance, or help or anything based off of experience of recent information security FARs or clauses that you have put out, please let us know. Because we are helping to develop a program that works for everyone, and to do so we need everyone's input. So here is the slide we will probably spend some of the most time on. It is the "what do we have to do and when do we have to do it" slide. It is probably the most helpful slide; it is an attachment to an ISOO notice 2016 for the implementation of the CUI program. It was released the same day as our rule. It outlines what you should do and in what order you should do it. Now the timeframes here, to put it lightly, are optimistic. When we asked most agencies how long it will take to publish a policy, they say, well, if we have already written it and we are pretty good on it and we already internally coordinated it, if we put it up for interagency review to be published it takes about a year. That is after most of the legwork is done. So, we were kind of tied to the 180 day timeframe; it is an optimistic assessment of all of your capabilities, you should be proud that people think you can do it that quickly, but we understand that that is a really hard timeframe to meet. And we do not want you to rush through a policy that does not implement the CUI program well at your agency just to meet a timeline. So, if you look at that ISOO notice 2016 and you flip to the last page, the second page - to the last sentence, it specifically states: at any point where you are having trouble meeting a timeline, during your reporting to ISOO just let us know where you are and when you think you will be done. We are not really in the business of approving it; we are just going to look at it and kind of do a reality check on it just to make sure it makes sense, and then we are going to move on. 
Agencies move at different paces; we just want to see forward progress. What we don't want to see is bad forward progress, something done too quickly that is poorly done. We want to see a more measured approach to CUI. So if you come back and say it takes a couple years for your interagency review and you are not quite sure where you are, so it is going to take longer to write the policy, just let us know in your reporting to us, which will be in May (something we will cover a little bit more later). Obviously if you come back and say that it is going to take you 10 years to write the CUI policy and that you aren't planning on working on it now, we will have follow-up questions. But, again, we are not in the place of approving it per se, but just looking at it to make sure it makes sense - and in situations where we think we can help, either by pointing you to some examples of existing policies that people have written or providing education and awareness that will get you moving along, then that is where we can focus our efforts on those agencies that need that assistance. The next two [topics on the slide] are actually based off of policy, and that is because you can't really start most of your training program or most of your physical security safeguarding program until you have made important decisions about how your agency is going to implement CUI. So those [training and policy] are dependent, so if you request an extension for your policy we are going to assume it will be an extension for those programs as well. Now training is kind of a super category; there are different types of training that you are going to have to do for CUI. The first (that actually shouldn't be pushed back), that should occur at every agency, is that sometime around the end of this year or beginning of next year you should publish agency-wide training on the CUI program; it should cover some of the basics of the CUI program and address questions your agency is going to have. 
Like "when will we implement?" You should tell them that while the agency is implementing they should follow existing current practices. Don't jump ahead and start using the CUI program before your agency has a policy to support it. We do not want individual employees writing CUI on a document if your agency has not implemented CUI yet. So you are going to have to put out both where your agency is and where it is going and where they should take further direction from, but also kind of the basics of CUI. The reason that we want to put the basics of CUI out, what it looks like and how it is marked, is because at around that year and a half, two year mark, some agencies will be fully implemented (or at least very close). So they will begin sharing CUI, so we have to make sure the workforces of other agencies are prepared to receive it and understand that they are going to treat it under their existing information security program and existing policies. Once you have implemented there will be initial training for all employees; they will have to train on CUI, as CUI touches just about everyone in the government. PII is CUI, so everyone gets that training, everyone gets CUI training. The next one is refresher training; we only require it every 2 years, but just about every agency we have gone and spoken to about their plans has decided that they are going to do it yearly. They are going to tie it into their cyber security awareness training or existing privacy training, kind of bring those trainings together into not necessarily one training but maybe one with different modules in it to address cyber security, information security, and privacy requirements, so that is one solution. And then the last type of training is "super user" training, or training for individuals who use particular types of CUI Specified (something we will talk about shortly), i.e., law enforcement information, legal information. 
These are trainings that are usually already occurring; it might be part of their job training, for how they become a law enforcement officer, they go over how to protect evidence, how to protect investigative material. Lawyers all get training on who should have access to their casework and how to protect their existing casework. So people are usually getting this training to some extent. Privacy lawyers and privacy office individuals clearly get training on privacy information, so most of these trainings exist. The focus on the CUI portion is to modify them, to build them in, to include them in that scope of CUI and to rope them in. The next part of that "super user" training is the individuals who will be implementing your CUI program; you are going to have to train them. How do you train your managers to oversee whatever responsibilities you give them for CUI, how are you going to train your contracting officers to really start to understand when CUI should be included in the contracting process when purchasing systems, or if the contract is going to include the NIST 800-171. Who do they go to to ask that question and answer that question? Do you want to point them to the CIO or the CUI office? Either way they are going to have to be trained on that kind of awareness. Again, a lot of this training already exists and it is already being done, being roped into one house and being done for its express purpose. So while it might add some training time to your workforce, really it is going to replace a significant amount, almost as much as it adds, and kind of simplify that training. 
Another advantage under the CUI program: employees that you hire from other agencies will have already been trained in the CUI program. There will be minor differences in each agency as you get to make those choices in each agency policy, but the people coming to your workforce won't have a brand new policy with completely new requirements; they will already know about the markings and the basic protection requirements, so there will be some good changes in that area. Physical safeguarding is dependent on policy because our law, sorry, our 32 CFR part 2002, our implementing directive, was rather broad about what we require in the physical security environment, and intentionally so. Agencies were already doing a good job protecting information from physically walking outside their doors. It is not where we were losing a lot of information; a lot of other coexisting programs in the government address a lot of the concerns that the CUI program has. Physical security has been stepped up drastically under HSPD 12 programs; many agencies have adopted PIV or CAC access to computers, but also frequently use those for access to different rooms or suites, creating, in a sense, what the CUI program requires, which is a controlled environment. The next big - I say big but it is quite easy - the next requirement for CUI in the physical environment is a locking barrier; it is your locking file cabinet, locking overhead drawer, a locking office. These are all ways to meet that requirement. It is how PII is currently stored (again, much of the CUI program is based off of existing practices); it is why we don't really consider there to be too many new expenditures, more relying on older [past] expenditures. If your other information security programs have gotten a bit dusty, and you don't have desks with locking drawers, that will be something you will have to address, but it is something that should have been working now and will have to work in the future. 
The role of your policy and your training will be to define what a controlled environment is in your agency, and it really needs to meet two requirements: one, that individuals that are around open storage or CUI that they can gain access to have a lawful government purpose to access that information. Two, that employees know when they are and are not in a controlled area that can be used to store or process CUI. So if your agency would like to define a certain type of tumbler lock with a certain number of pins, they can, but the agency can decide what that looks like: you can require signs posted, you can require PIV access, you can go back to an old key control system, you can require escorting; there is a lot of existing physical security policy that agencies have. That is why the physical security section is really dependent on the policy choices the agency makes. We do consider this to be a rather low lift for the majority of agencies in the majority of their offices. One thing I always like to caution or note on that is sometimes the policy office, especially in this area of physical security, has an overly optimistic view of what is currently practiced by their agency. I always like to point to two policies that they have. One is the escorting policy. Almost every agency I have been to has a great one [escorting policy]; it has a limit on how many people you can escort, how long you can escort them for, who needs to be escorted, and what areas require escorting. In practice, the practice has deteriorated. I always like to say that an escort policy lasts about four weeks. The first week they follow the policy to the letter and they escort people everywhere. The second week they escort them mostly, but they start letting people take bathroom breaks unescorted. The third week, they let them in and overlook most of them; they themselves might take a break and come back and check on them afterwards. And the fourth week they prop the door open. 
That is about how long that lasts. The reason I tell you this is because your policies might be great but your practices might be lagging behind your policy. It is also very similar for telework; in telework there might be a clause in your telework agreement that says that your boss is allowed to, unannounced, drop by your area of telework while you are teleworking to check on the physical security. I have yet to meet anyone who has ever had that happen, and I have met a lot of teleworkers. It is a great policy, it is a great procedure, but the practice is broken... No boss wants to go to their employee's home while they are teleworking on a surprise visit. And it is rarely if ever done. So even though the policy looks great, in practice it is not supporting what it is intended to support. So that is really what I caution on the physical security side, to check that; we will talk about how to check that shortly. Under systems, which is kind of our next drop-down, not dependent on policy, because for the systems we are only asking you to do two things. The first phase is what systems do we have and how are they currently configured. The second phase is, do they process CUI and if so, how do we get them up to the CUI standard, and how long will that take. So we are literally at that year mark looking for a plan, not the resolution, not everything fixed and updated, but a plan for how you are going to update and modify your systems. So the first step, the assessment in 180 days to be reported, is how many systems do we have and how are they currently configured? Some agencies can respond to that question in about a day, because it is required for FISMA reporting currently; how many systems you have, and how they are configured, is a FISMA reporting requirement. 
But CUI offices are new; not everyone is prepared to get that answer back immediately, so we give you 180 days to really get your CUI office established and find out not only who the CIO is but what part of the CIO keeps this information, and start understanding who to ask for it and how to be involved in that process of the FISMA determination for systems. Once you have that information you have to ask the next question, which is, do these systems process CUI and if so, do they meet the requirements for that CUI. If it is CUI Basic, that is [the requirement] moderate confidentiality impact value for FISMA, and if it is CUI Specified you have to check to see if there are controls listed; for instance PII has a non-tailorable control of multifactor authentication for remote access. So if PII is being processed on a system you have to make sure that not only is the system moderate but that you did not tailor out a required control. Once that is done you just have to provide a plan to update those systems. Good security practices win the day here; FISMA reviews happen about every four years, systems come on and off line, so prioritize your response. Where is the bulk of your CUI? Some CUI is more important and some less important; prioritize that way. Really what we think would work well at most agencies: find out the systems that are sunsetting that don't have much CUI on them, and just move forward without updating those; if they are sunsetting during the scope of your implementation, don't spend a whole bunch of money updating a system that is going to go offline in two years. Spend that money on the new systems, prioritize the new systems. If you address information security from the ground up in your purchasing and contracting for systems and contracting support, it is usually significantly less expensive to approach security before you purchase the system than tacking security on afterwards. Not only is it usually less expensive, it is usually more effective as well. 
You will find yourself not having to tailor out as many controls due to the capabilities of the system, rather you purchase a system that is properly secure. So move that [new systems] to the top of your priority and address the rest in whatever way your agency sees fit. By quantity of CUI, by the sensitivity of the CUI, by the ability to renegotiate the contracts. If they are coming up for review that is a good time to put that/bake those CUI requirements in. Or if they are coming up for a FISMA review that is a good time to do that audit, see how that system is doing and add those CUI requirements to the steps of the FISMA review that require the updating of the system afterwards. The last is self-inspection and this is one I was nodding to earlier when I said that a lot of people have policies or procedures that have grown dusty. Part of CUI is going to require your agency to do self-inspection. We are a small oversight office, you have met Mark probably and you have definitely met me, so you have met the whole oversight office, both of us. So we are going to rely extensively on the self-inspection programs of your agencies. That is where you determine, does your policy and training actually affect practice, and are we actually implementing our CUI program effectively? We look for this around the 2 year mark because you cannot self-inspect a program that hasn't really started yet. It is one of the last things, but something you should be planning for. This is something that, when we visit agencies, we found most agencies will do: physical security inspection IAW the safety of individuals, CIO inspections supporting the FISMA, but rarely do they look at the entirety of an information security program (outside of the classified world) in one go. So this is kind of a new practice to get ready for. This practice will also help support, and probably be driven by, your self-reporting to ISOO.
So for about a year we will be, well for a couple years, we will be getting in touch about every six months and reporting on the status of essentially every one of these timelines that you see here every 180 days. And for the foreseeable future we will require annual reporting. Most agencies get the numbers for their annual report by relying on a good self-inspection and self-reporting at your agency, to help feed those data calls by our agency. Some additional concerns, some questions we get from a lot of agencies: "What can we do?" "How can we do this?" Step one, you have got to assign a SAO and project manager. If you do not have someone responsible for the CUI program and someone to help them implement it, at the very least it's very hard to get the program off the ground, because no one would be responsible for the success or failure. Second, and what I would tell those individuals, the SAO and PM, if they asked what the first thing to do was, I would say it is to get the establishment of a working group or panel or whatever your agency calls getting individuals from all the other stakeholders and offices assigned the responsibility of assisting you with the implementation of the CUI program. No one office, that I have met yet, is prepared to implement the CUI program by themselves. Whether it is the CIO office, the physical security office, the privacy or records office, whichever office your agency decides to put the CUI program into, they are going to need the help from all of those other offices and all of your mission areas. If you write policy without consulting your mission areas and finding out how it is going to affect them, if it critically affects them, they will non-concur every time. So it usually helps to involve them in the policy making process as opposed to just the policy approving process, to help that all move along quickly.
Next thing to address is incident management, it kind of goes hand in hand with self-inspection, it helps inform on that program, it also ties into training of course. "What should we train to?" We train to things that are causing us to lose CUI or causing CUI incidents. We should modify training to address that. Everyone already has some type of incident reporting, definitely for privacy which has very strict requirements, mostly also for other types of information that goes missing. The key here is to look at what type of incident reporting we have at our agency and make sure that it is bounced off the CUI program. Add yourself into that flowsheet or that checklist that those call centers or databases use and make sure the question was asked; "Was CUI involved?" "Was CUI leaked or possibly compromised (could someone have taken pictures of it or gained access to it that shouldn't have)?" Most people have physical security reporting, when an office is broken into the question should be asked "Was there open storage of CUI in there?" Most people have a way of reporting losing a laptop; "Was CUI on it?" When they lose privacy information, which is CUI, "Were there other types of CUI involved in the loss?" Even if they are reporting a classified incident, classified material goes missing, which of course they are required to report, does the question get asked "Was there also CUI in the report or just classified?" So it is less of establishing a new way to report and more of tying in CUI into existing reporting mechanisms. And then, one of the big changes, and again information security practices rule the day (like risk management and prioritizing), updating existing contracts and agreements to reflect the CUI program's requirements. One of the primary intents of the CUI program was to provide that framework, to help agencies share information more easily.
To inspire that trust between the IC and DOD and NT-50's and civilian agencies, that we have one information security program and that it works the same, or very similar, everywhere we go, to help you share that information. Address your existing, your legacy, contracts and agreements to both federals and non-federals, to see "Are we requiring things that we don't need to require anymore?" "Are we pushing agency specific policy that really applies to us and shouldn't apply to them?" Because they as the receivers have a better understanding of how to protect that material while it is internal to their agency once they receive it. So limit those, revisit them, make sure that they are serving the ideas of standardization and of sharing to the appropriate individuals, the authorized holders. So that is kind of the first half of our briefing. We went over most of our documents, we covered implementation and our approach to the contracting environment. So now we are kind of going to dive in to "What do we mean by safeguarding?" and "What do we mean by protect?" To answer that question we have to talk about the two different types of CUI. There is a division in CUI, we treat some information a little bit differently. As I spoke about earlier, CUI is information that is required to be protected by LRGWP. It is where the LRGWP defined an information type and said protect. If that is all it said then that information is CUI Basic. If the law identified information and then said protect this, then we protect it at the CUI Basic level. But some LRGWPs considered something else, they said, here is an information type, protect it, and - these LRGWPs fall into two different categories, they either added a specific safeguarding control (like the example of privacy information requiring non-tailorable multifactor authentication for remote access, it specifically states that as a requirement), that is CUI specified.
Then the other kind of type of CUI specified is where it expressly stated a particular type of dissemination, and it really defined what we mean by lawful government purpose by saying you have to go through or meet this requirement; this would be like Grand Jury information which requires the attorney general's (or designated individuals') approval before disseminating. Those are CUI specified. It is CUI but there is something specific in LRGWP that you have to follow in order to protect that information. It is an important distinction from Basic. CUI basic follows all the policies that we lay out in the 32 CFR part 2002 which protect it as CUI. CUI specified follows all of the same policies, unless the law expressly says something different. So it is only different where it is expressly different, other than that it follows the protections of CUI basic and regular CUI and it is different only where it says it is different under the specified law. Now the majority of those, currently, are dissemination controls, or limits on the dissemination. But as we imagine, with the framework of CUI, new laws and old/existing laws will probably be modified more to address the specific information types that they are, and if there are important controls that should apply to that information type then they will be added. So it is important to understand some of where the CUI program is going, especially in the digital environment with regards to the possibility of new controls on CUI specified. So one of the intents of the CUI Program was to limit the effect of internal agency decisions. We outlined the scope, we outlined the safeguarding, we outlined the baseline in the 32 CFR Part 2002. We said this is what you need to protect the information. We encourage agencies to make agency specific determinations, like increasing physical security requirements in certain areas or protecting certain systems more or less, but the information itself has this requirement of protection.
And when sharing it should default back to that and if it's going to go higher, the receiving agency should make that determination. Because it's their system, their location now. We do stress that one of the benefits of the program is the ability to rely on that framework, to share that information more easily between agencies because you can rely on the CUI Program and its baselines to protect it. At its heart, we are an information security program reform, so the purpose of CUI is to prevent unauthorized sharing or receipt of CUI and its corollary purpose (and the whole reason government keeps information) is to make sure that authorized holders get access to that information easily and efficiently without jeopardizing the first purpose, which is making sure that unauthorized holders don't. So remember information security isn't about keeping information from everyone, it is making sure the right people have it. And that is where the standardization and the impetus on sharing comes from. So our physical security requirement really is a controlled area with a lockable barrier and we leave a lot to be defined by your agency, and again you can go the electronic route and have PIV and CAC access or use Lenel systems to gain access to a room. You can use locking doors, implement key control, like the good old days of physical security. You can have a security guard or an executive assistant that observes who comes in and understands who has to be escorted. On the flip side you can have locking barriers, you can use safes, you can use locking file cabinets, overhead compartments. Just make sure everyone who has a key has a lawful government purpose for that information. If you are one of those who bought those cubes where all the keys to the overhead bins were really one key, you'll have to revisit that. Generally, a pretty low lift for physical security.
The reason for the low lift for physical security is because generally, information wasn't walking out the front door of agencies, most of it was taking the electronic path. So we were significantly more explicit for the requirements in the technical environment, that is the moderate confidentiality impact value, at a minimum for every system that processes CUI. FIPS 199 & 200, NIST SP 800-53 list out the controls and the procedures for getting a system up to the moderate confidentiality baseline. But this is the security requirement for CUI. No good information security program can work without a good marking program or scheme. If you don't know what information to protect you can't protect that information well. The marking has to communicate this type of information should be protected at this level. So we've implemented the CUI Marking policy, we have a marking guide online. But at its base, we've standardized how CUI should be marked. It has a banner that will include either the word "CONTROLLED" or the initialism "CUI" at the top. We do include best practice marking where you are allowed to mark the document at the bottom, center, as well. It is an encouraged practice that is reflected in the classified environment. Portion marking is also optional in the unclassified environment, it is required in the classified environment. It is, in many cases, very helpful to identify not just that a document is controlled at the CUI level but what particular pieces of information in it are CUI. Now, the document we saw before has the banner for CUI, which is the requirement for a document for CUI basic. Now if the document is specified you have to include the next step of the banner, which is the category marking. Now you can include those in CUI basic, but it is required for specified. And what that does is identify that the document is not only controlled but is controlled with this particular type of CUI information. 
As I mentioned earlier, specified material has a slightly different protection, whether it is a different dissemination or an actual physical or technical safeguarding requirement, it has to be treated differently and if you are going to treat information differently or protect it slightly differently you have to mark it as such. So that the users, the receivers, the authorized holders, understand that that information requires not only different treatment, but what kind. Which is why we include the actual category for specified in there. The last part of the banner line, which is optional, is the use of dissemination controls, we have a dissemination control list on our registry, we are in control of the names and how they are presented, and also the definitions of those dissemination controls. They must be authorized for use in agency policy to be used and they should restrict the distribution of that document in the furtherance of a lawful government purpose. So as you can see at the top here, you have, the CUI basic marking, "CUI" and then two forward slashes "//" then an "SP-" that lets the user know that it is a specified document (where it says "SPECIFIED" is where you would put the actual category marking, they have their own unique marking in the registry, you can find them online, we have a print out that people can use for shorthand, and that is where you would see that, usually four letter initialism for that category) and then "//" and the dissemination control. So a little bit more about specified. So how do I know if CUI is specified? Well we already did the work. We already read the laws, the regulations and the government wide policies, we looked at the controls and citations, we listed them all in the registry, and under the categories you can click on through our registry we tell you that this citation is or is not specified. 
Whether the information that it covers qualifies or does not qualify for specified protection, and that right there, circled in red, we answer the question "Basic or Specified?" with the answer. If it is specified it has to be marked in the banner and marked in the portion marking if you are going the portion marking route as well or in the classified environment. And, again, it has that "SP-" that lets the user know that it is specified without memorizing the registry and remembering which four letter acronyms are specified. That "SP-" calls that out to their attention, for additional protection. Rather, differing protection. Our policy also addresses "bulk" or "alternative" marking. We do not actually require each and every single piece of CUI to be marked, we require it to be marked in aggregate and if it is separated from that aggregate. So if you have a database that is all CUI and it is all PDFs you can mark the database. It helps if you know what types of CUI are included and you are going to have to train the users of that database and make them aware that CUI is contained there, either through a splash-screen or a system access form or system access request or banner marking that tells them "you are accessing a database that has these types of CUI", and you have to make sure that they are trained on what to do when they remove information from that system, whether they print it off or take it out, that they have to mark it appropriately when it is separated. This also applies to marking filing rooms, or boxes of information. It is a current practice in the government to mark information that way and only get more granular when you need to, when you are taking the information out. It is to note that if you go the alternative/bulk marking route, you make sure that the people who may end up removing the information from that database or that box or filing room understand what types of CUI are there and how it should be treated and marked when removed.
We have published our marking handbook, we are about to see our second revision to it shortly, to address markings in emails and a couple of other marking scenarios. There are no real changes to the existing book, just additional guidance for how to mark in different environments. It (the marking book) is already on our website, you can download it from there and print it off. It goes in depth into how CUI can and should be marked. We also allow for the use of our optional forms, our cover sheets. One of the results of that initial data-call to the agencies of what they protect was that we received a lot of different coversheets, all addressing the protection of CUI, some of them were disturbingly similar to special access program coversheets and other classified coversheets. So we wanted to standardize that (the use of coversheets) practice, but we did not want to require coversheets. So we provided an optional form, we are allowing for the agencies/giving them a tool to use, to have coversheets and ensuring that when coversheets are used that they are standardized and look the same and are used the same, but again, we do not actually require their use. It is more of a tool; say you have evidence, you can't actually mark the evidence, judges frown on tampering with it, but a coversheet is an excellent solution if the documents can't actually, themselves, be marked. Two of the documents are fillable PDFs, you can get them either off of our website or through GSA. They allow for, in the top, including categories and subcategories on the coversheet, and in the bottom, they allow you to add the warning statements or paragraphs that some categories of CUI specified require. The coversheets come in green, they can be printed out and used black and white, and we encourage you to keep them in color as that is the best way to really honor the purpose of the coversheet. We definitely encourage you to use them in the classified environment, because CUI is unclassified.
We do allow for a waiver of marking legacy information. It must be proactively done by your agency, the exact procedures for how you do it can be outlined in your policies. Essentially, you can waive the marking of legacy material your agency holds, however, if that material is reused or shared, it must be remarked. Legacy marking must be removed, and the new CUI markings must be added, if that information does qualify for the CUI program. It is not always a trade, 1 for 1. Not everything that is marked FOUO will be CUI. That is part of the reason that there is a CUI program. While you can waive the marking requirement for this information, it is limited by the reuse or sharing of the information. We also intended the alternative/bulk markings of systems to help alleviate some of this burden, it is not too hard to mark an entire database with a banner or a splash screen. Then the information is considered marked, as long as you provide guidance that when you remove this FOUO information, remove the FOUO marking, add the CUI marking (if the information qualifies) and then share. To go that second route, you wouldn't have to go through the waiver, because you have marked the information in compliance with the program. So we did allow for that, it would have been a huge added cost if everyone had to go back through all of their records and remark it, so we did include that waiver process. Another area where the CUI policy was rather specific was in destruction. We found some agencies had particular destruction methods and others without them. For the most part everyone was already using the NIST 800-88 for the media sanitization guidelines, so if you had to wipe a hard drive or a mobile phone or device or anything like that, most agencies were using the 800-88. But the 800-88 also included recommendations for how to destroy, or a standard to which to destroy, paper material. So we reference it for all of our destruction purposes, the NIST 800-88.
And at the top of this page, the top right, you can see a picture of what a lot of agencies were currently using to destroy CUI, and it was in fact what one company advertised as a CUI shredder. And I don't know if some of you are too far away, but you can actually read names and socials on that material, it does not meet the NIST requirement of unreadable, indecipherable, and irrecoverable. The lower standard (bottom picture) is the standard that we actually require, 1mm x 5mm, it is the requirement to destroy most classified paper documents as well. Now, we also identified through our working with agencies an existing good practice, that is allowed under NIST 800-88 but is not explicitly mentioned, so it makes it a little bit more difficult to continue the existing practice, even though it is one we very much support. And that practice is multiple phased destruction. So what a lot of agencies were doing was destroying to the standard in the top picture, but then frequently protecting that material to some degree, usually at a contractor who would move it offsite and then pulp it in the recycling process. Now the end result of this, the material after it has been shredded and pulped, is unreadable, indecipherable, and irrecoverable. So that is an acceptable means for the destruction of CUI. It is just not explicitly stated in the 800-88, you have to write out that it meets the end result requirement and write out the process. Now one of our office's other goals for this year is to help with either a revision or modification to the 800-88 to explicitly and expressly allow for this practice, and to help agencies with that. One of the driving causes for that was not just because it was an existing practice that agencies used, but also it is very difficult to recycle that smaller shred size. It destroys the fibers too much and makes it much harder to recycle, and we do not want all of the CUI that is being destroyed in the government to not be easily recyclable.
So that is one of the reasons we are focused on getting that update/modification to the NIST 800-88. So that, kind of, ends our discussion of the main key requirements of the 32 CFR for safeguarding. So we will go over, kind of, what is going to happen moving forward. So we are going to continue providing briefings, in this forum as well as in a teleconference or online forum. Our next ones are scheduled for Feb 14th and 22nd. Everyone and anyone is invited to attend, we will try to make sure that we have enough lines for everyone who RSVPs. But we will be providing an overview of what we went over today, what has changed/what is happening and the status of our FAR, any new things that have come out, changes or additions to the marking handbooks or the Registry. It is just our way of putting out information to both agencies and industry about where the CUI program is now and where it is heading. We are going to try and continue with that quarterly. Some requests for you: if you do not have a designated SAO or PM at your agency, please designate one and send it to Mark or me. It helps us build the lines of communication to your agency to help understand and assist you with the development of your CUI program. Also, begin your implementation activities, as talked about in the implementation guideline. Focus more on the requirements and the order of the, rather than the timelines associated with them, they are excellent goals, but again they are somewhat unrealistic for some agencies. In our report that we are going to send out in May, please identify cognizant offices or dependent programs. If you rely on another agency for the destruction of your CUI or you use their training program for information security practices, or if you are an agency that has another agency that uses a program of yours, please identify them in this report to our office in May.
So that we can understand, some agencies may be entirely falling under another agency for their program and we don't want to double up on reporting or anything like that. We want to make sure that is managed appropriately. Last, we will be contacting you again shortly, in May 2017, with our reporting on implementation; we are coming up with, we have a working group assembled through our advisory council, deciding on the exact layout and the questions going to be asked in that form. It is just about in its final state. So you will be receiving those shortly. And then again, annual reporting going forward. For all the agencies on the CFO's council, you will also start to see us, in a year or so, see Mark or me come out for a formal inspection, where we will review all of the elements of the CUI program and provide guidance, tell you how you are doing and how you could do better and also identify best practices that we can share with other agencies. That will happen on a recurring 4 year schedule. For everyone else there will be ad-hoc inspections, to the other agencies, that either request it, or are identified as needing more assistance in establishing and overseeing their CUI program.

Members

There are currently 65 members.

This page was last edited on 19 August 2018, at 01:57
Basis of this page is in Wikipedia. Text is available under the CC BY-SA 3.0 Unported License. Non-text media are available under their specified licenses. Wikipedia® is a registered trademark of the Wikimedia Foundation, Inc. WIKI 2 is an independent company and has no affiliation with Wikimedia Foundation.