Employee CUI Handling Guide
Small businesses in the DoD contractors, subcontractors, and vendors –members of the DoD Industrial Base (DIB)–have lots to do to secure the sensitive information they handle on behalf of the DoD. One of those sensitive data types is Controlled Unclassified Information (CUI). The DoD Cybersecurity Maturity Model Certification (CMMC) requires DIB members to “establish and maintain one or more processes or procedures for handling CUI data.” (Practice AM.2.036). As a member of the DIB, some of your employees may handle CUI, so you’ll need to ensure you instruct those employees in the proper way to handle any CUI they may encounter. To instruct our employees we created a nifty little two-pager (back and front) Employee CUI Handling Guide to use in our environment. This post provides a brief overview and the opportunity to download the guide template.
We have this guide printed back and front on card stock and every employee in the company has received a copy of the guide. We also dedicate a portion of our cybersecurity awareness training program to instructing employees on the contents and use of the guide. The images below show the two pages of the guide template you can download. Note that any text highlighted in yellow is generic and meant to be customized for your environment.
First page of the Guide
As you can see the first page provides a quick definition of CUI and why it’s important to protect it. This helps establish a rationale for the guide, and motivation for employees to abide it.
We then list the CUI documents and media (what we call “CUI Elements”) in our environment so employees know exactly what they might handle that contains CUI. Note that we generated this list in collaboration with our DoD customer and a Security Classification Guide (SCG) they provided to us. You’ll need to customize this section with the list of CUI elements in your environment. If you don’t have an SCG or a definitive list of CUI in your environment, it’s your right – per DoD Instruction 5200.48 — to have one provided to you. So ask for one and don’t stop asking until you get it! After all, you must know what to protect in order to properly protect it! If you need help with this request let us know; we know the right questions to ask.
Our Employee CUI Handling Guide goes on to list several high-level procedures employees are expected to execute when handling CUI. For example, email in our environment is not appropriately encrypted, but we do provide a CUI-compliant file sharing system for transmitting CUI externally. Employees are trained on this system, and we reiterate in this guide the prohibition on using email to transmit CUI, and then redirect them to the secure file share system.
We generate a lot of CUI in our environment, as many of you may. For example, if you are a manufacturer and generate engineering drawings for a part that you sell to a Prime DoD contractor, you can bet those drawings are considered CUI. When we generate CUI, DoDI 5200.48 requires us to appropriately mark (label) media containing that CUI. So, your employees that will be generating this data must be trained to understand how to mark it.
To that end, lastly on this side of the guide we instruct the employees to always mark media appropriately: removable media with CUI stickers, and documents with “CUI” in the header and footer in accordance with DoD requirements. We also direct their attention to the other side of the document for specifics on the “Designation Indicator” that must be included on the first page of any document containing CUI.
Second page of the Guide
As you can see the other side of the Employee CUI Handling Guide consists of two brief procedural instructions followed by two tables. The instructions reiterate the requirement to mark all CUI-containing documents with “CUI” in the header and footer, and then instruct the employee to apply a “Designation Indicator” to the first page. The purpose of the Designation Indicator, shown in template form in the table at the bottom of this page, is to:
- identify what DoD entity “owns” the CUI contained in the document,
- list a DoD point of contact for that ownership,
- provide some indication of what “category” the resident CUI falls into,
- and indicate who the document can be distributed to.
All CUI in our environment is owned by the same DoD entity, so our template reflects this. You may have many different types (categories) of CUI in your environment, with differing DoD ownership and distribution (dissemination) controls. Adjust the guide accordingly for your environment.
The top table shows employees the specific categories and distribution controls for each CUI element in our environment. We provide an example of two different types of CUI: Controlled Technical Information (CTI) and Operational Security (OPSEC). When CTI is present, DoD policy dictates that a Distribution Statement must also be applied to the first page of the document. Our DoD customer requires Distribution Statement D to be applied, so we have that text shown in the right-hand column of the bottom table for reference. Adjust this table as befits your environment.
When we train our employees on the CUI Handling Guide, we explain these tables and show examples of documents in our environment appropriately marked with Designation Indicators. Providing the tables as reference in conjunction with example documents helps employees understand the expected outcome of executing the marking procedures on internally-generated CUI. As we mentioned before, we provide every employee a copy of the Guide printed on card stock, and instruct them to keep it handy in their work area as a reference. We also plan to convert the guide into full size posters for display in our work areas.
Wrapping Up
That’s our Employee CUI Handling Guide template in a nutshell. You can download the template for free below. We’d love feedback on the template and how you use it in your environment, so drop us a line sometime! We also cover many aspects of properly handling CUI in our online Workshops. Come join us!
Good Hunting!
–Adam
Download our free Employee CUI Handling Guide
Like this post? Share it!
