Identifying and Marking CUI
NIST 800-171 and Cybersecurity Maturity Model Certification require Department of Defense (DoD) contractors to “Mark media with necessary CUI markings and distribution limitations”. A basic tenet of information security is to visually identify CUI that requires special protections so authorized users know what special handling controls must be applied. 32 CFR, Part 2002, which applies to both executive branch agencies and defense contractors, requires Controlled Unclassified Information markings to help ensure the data is secure. In this article we will walk you through the process of identifying CUI and how to apply CUI security markings to physical and electronic media.
What is CUI?
Before we dig into how to mark Controlled Unclassified Information, we should discuss how we got here. CUI is any unclassified information that by law, regulation, or government-wide policy, requires safeguarding or dissemination controls. In 2010, President Obama issued Executive Order 13556 – Controlled Unclassified Information to standardize how CUI is handled by executive branch agencies. The executive order also designated the National Archives and Records Administration (NARA) as the Executive Agent (EA) responsible for implementing the CUI program.
DoD's Implementation of the CUI Program
In its role as the CUI Program Executive Agent, NARA has issued a significant amount of guidance on how to handle (i.e. mark, copy, transport, disseminate, reuse, and destroy) CUI.
“Agency personnel and contractors should first consult their agency’s CUI implementing policies and program management for guidance.”
For DoD contractors, this leads us to two important points. First, the DoD has not yet implemented the CUI program as required by EO 13556 and 32 CFR, Part 2002. The Department of Defense will implement the CUI program once the Federal policy is finalized and published within the Federal Acquisition Regulation. Until then, the DoD will identify and protect CUI per the guidance in DoD Manual 5200.01, Volume 4. However, the DoD will likely adopt NARA’s guidance before the end of Fiscal Year 2020, so this blog post will describe NARA’s standards.
The second point to keep in mind is that when CUI is provided to or generated by DoD contractors, the pertinent contract documents (e.g., contract clause, statement of work, DD Form 254, Security Classification Guide (SCG), and Cybersecurity Classification Guide) should identify the controls and protective measures contractors are expected to apply.
Determine the CUI Category
The originator of media that contains CUI is responsible for determining at origination whether the information may qualify for CUI status and for applying the appropriate security markings. Although the CUI Registry is the authoritative source for information about CUI, you should consult relevant contract documents, the Prime contractor, or government program management office for your initial guidance on how to identify and mark media with necessary CUI markings and distribution limitations.
We should emphasize again that whether information is deemed CUI is a function of the laws, policies, and regulations associated with how the information is produced or used. For example, if Company X produces a “Commercial Off the Shelf (COTS)” widget, the engineering drawings, research data, and process sheets are not CUI. But if Company X produces the same widget for the DoD only, those same engineering drawings, research data, and process sheets are CUI and must be marked as such.
CUI Organizational Index Groupings
CUI is broken into 20 broad “Organizational Index Groupings” which are further divided into 124 categories. The CUI Registry provides additional details for each category, to include Category Descriptions, Safeguarding and/or Dissemination Authorities, sanctions for violating handling controls, and if the CUI is “Specified” or “Basic”.
If the laws, policies, and regulations that designate CUI include specific handling controls, dissemination controls, or sanctions for not protecting CUI, the information is referred to as “CUI Specified”. CUI Basic is the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. CUI Specified is not a “higher level” of CUI; it means only that a law, policy, or regulation stipulates more than a general requirement to “protect” the information.
For example, the Organizational Grouping “Defense” is divided into four categories –
- Controlled Technical Information
- DoD Critical Infrastructure Security Information
- Naval Nuclear Propulsion Information
- Unclassified Controlled Nuclear Information – Defense
Controlled Technical Information (CTI) is CUI Specified because 48 CFR 252.204-7012 defines CTI and requires defense contractors to implement NIST 800-171. However, DoD Critical Infrastructure Security Information is CUI Basic because the Safeguarding/Dissemination Authority, 10 USC 130e, does not provide any instruction on how the information is to be protected. In fact, 10 USC 130e only authorizes the Secretary of Defense to designate information as critical infrastructure information. To know if information is considered DoD Critical Infrastructure Security Information, you would have to reference the Secretary of Defense’s written determination that designates the information as CUI.
In the two examples we provided, each Category was based on only one Safeguarding/Dissemination Authority. Some Categories have more than 15 different authorities you may have to comb through to know if you are dealing with CUI and what protections are required. Fortunately, most defense contractors will likely deal with a limited number of categories of information based on their particular contract or industry. After some initial research you will likely become familiar with the CUI Categories you handle on a regular basis.
How to Mark CUI in Documents
CUI can be found on just about any form of media, to include paper documents, solid state storage devices, optical discs, magnetic disks, and magnetic tapes. The various forms of media have slightly different security marking requirements, but the same basic principle applies to all of them – Clearly identify the media as CUI and who designated it as CUI.
Paper documents must be marked with a Banner Marking and a CUI Designation Indicator. Agencies may choose to use Portion Markings (e.g. marking each paragraph’s Classification like we do in Classified environments) but they are not required by NARA.
1. Banner Marking consists of CUI Control Marking, CUI Category Marking, and Limited Dissemination control markings.
The CUI Control Marking, Category Marking, and Limited Dissemination Control markings are separated by double forward slashes (//). Multiple Category Markings or Dissemination controls are separated by single forward slashes (/). The Banner Marking text is bold, capitalized, black, and centered on the page. The Banner Marking must appear at the top of each page, but top and bottom banner markings are a “best practice”.
a. CUI Control Marking. Use of either “CUI” or “CONTROLLED” is acceptable but must be applied consistently throughout the document. The CUI Control Marking is mandatory.
b. CUI Category Marking. If multiple CUI Categories are referenced in the document, list each Category. If the document contains CUI Specified, the CUI Category marking must start with “SP-” and list the specified category. A CUI Category can have both CUI Basic and CUI Specified. It is the authority, not the information, that makes it CUI Basic or CUI Specified, so you must know under which authority you designate a document as CUI (see image below). The CUI Category Marking is mandatory.
c. Limited Dissemination Controls place limits on how CUI can be shared. For example, the Limited Dissemination Control “NOFORN” prevents the information from being shared with non-US citizens and governments. Limited Dissemination Controls are not always required, so consult the CUI Registry and your agency for guidance. If they are applied, the only authorized Limited Dissemination Controls are:
- No Foreign Dissemination (NOFORN)
- Federal Employees Only (FED ONLY)
- Federal Employees and Contractors Only (FEDCON)
- No Dissemination to Contractors (NOCON)
- Dissemination List Controlled (DL ONLY)
- Authorized for Release to Certain Nationals Only (REL TO [USA, LIST])
- DISPLAY ONLY
2. CUI Designation Indicator. All documents containing CUI must indicate the designator's agency.
The designation indicator can be accomplished through the use of a letterhead, a signature block that includes the agency, or a “Controlled by” line. The CUI Designation Indicator is required.
3. Portion marking. Agencies may choose to require documents to include portion markings.
Portion markings are placed at the beginning of the section to which they apply, such as at the start of a paragraph. Portion markings provide granularity to identify what specific information belongs to specific CUI Categories or has specific Limited Dissemination Controls. For example, the NOFORN Limited Dissemination Control may apply to only one piece of information in the entire document, and the use of portion markings would clearly identify what specific information cannot be released to non-U.S. citizens.
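The banner rules above can be checked mechanically, for example before a document is released or printed. The following is an added example, not code from NARA or the DoD: it checks the banner syntax as this article describes it (control marking, category, optional dissemination controls), and the REL TO pattern, category syntax and sample banners are assumptions made for illustration.

```python
import re

# Limited Dissemination Controls exactly as the article lists them.
LDC_FIXED = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY", "DISPLAY ONLY"}
# Assumption: REL TO names USA followed by 3-4 letter country or group codes.
REL_TO = re.compile(r"^REL TO USA(, [A-Z]{3,4})+$")
# Syntax only; abbreviations are not looked up in the CUI Registry.
CATEGORY = re.compile(r"^(SP-)?[A-Z]{2,}$")

# Constructed sample: the banner from each page of a hypothetical document.
SAMPLE_PAGES = ["CUI//SP-CTI//NOFORN", "CUI//SP-CTI//NOFORN"]


def check_banner(banner):
    """Return the problems found in one banner marking; empty means it passes."""
    problems = []
    if banner != banner.strip() or banner != banner.upper():
        problems.append("banner must be capitalized with no stray whitespace")
    parts = banner.strip().split("//")
    if len(parts) not in (2, 3):
        return problems + ["expected CONTROL//CATEGORY[//DISSEMINATION]"]
    control, categories = parts[0], parts[1].split("/")
    controls = parts[2].split("/") if len(parts) == 3 else []
    if control not in ("CUI", "CONTROLLED"):
        problems.append(f"unknown control marking {control!r}")
    for cat in categories:
        if not CATEGORY.match(cat):
            problems.append(f"malformed category marking {cat!r}")
    for ldc in controls:
        if ldc not in LDC_FIXED and not REL_TO.match(ldc):
            problems.append(f"unauthorized dissemination control {ldc!r}")
    return problems


def check_document(page_banners):
    """Check every page banner and that one control marking is used throughout."""
    problems = [(n, p) for n, b in enumerate(page_banners, 1) for p in check_banner(b)]
    used = {b.split("//")[0].strip() for b in page_banners}
    if len(used) > 1:
        problems.append((0, "control marking is not consistent across pages"))
    return problems


if __name__ == "__main__":
    print(check_document(SAMPLE_PAGES))
```

Page number 0 in the result marks a document-level finding rather than a problem on a specific page.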
How to Mark CUI in Emails
There are only a few differences between the rules for marking printed documents and emails. A Banner Marking will be placed at the top of the email body and the email must carry a CUI Designation Indicator. If you forward an email that contains CUI, you must include all the original CUI markings.
NARA also recommends that senders terminate the Subject Line with the phrase “[Contains CUI]”. If the email includes an attachment that contains CUI, NARA also recommends that the file name indicate the presence of CUI, such as “FileName[CONTAINS CUI].docx”.
How to Mark CUI on Electronic Storage Media
Due to size restrictions and access difficulties, it can be a bit more challenging to apply security markings to electronic storage media such as DVDs, thumb drives, and hard drives. At a minimum, storage media will include a CUI Control Marking and a CUI Designation Indicator.
CUI Marking on Computers
If you are unable to access internal computer storage media, you must mark the outside of the computer. If you are using government-owned equipment, you can use an SF 902 or SF 903 to mark equipment. The SF 902 and SF 903 are nearly identical except the SF 903 is narrow enough to fit on a thumb drive. If you are not marking government-owned equipment or if you do not have access to the SF 902 or SF 903, the security markings can be applied with a permanent marker.
You will likely have to invest some additional time to learn how to properly mark media with the necessary CUI markings and distribution limitations. This article provided a general overview of common situations in which security markings must be applied to media that contain CUI, and what markings are required. However, you may also run into situations which we didn’t discuss in this blog, for instance:
- The media contain multiple CUI categories.
- The CUI is mixed with classified information (CONFIDENTIAL, SECRET, or TOP SECRET).
- You handle different forms of media.
- You must ship media that contain CUI.