Established by Executive Order 13556, the Controlled Unclassified Information (CUI) program standardizes the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies.
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
Executive Order 13556 "Controlled Unclassified Information" (the Order), establishes a program for managing CUI across the Executive branch and designates the National Archives and Records Administration (NARA) as Executive Agent to implement the Order and oversee agency actions to ensure compliance. The Archivist of the United States delegated these responsibilities to the Information Security Oversight Office (ISOO).
32 CFR Part 2002 "Controlled Unclassified Information" was issued by ISOO to establish policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program. The rule affects Federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI—or which operate, use, or have access to Federal information and information systems on behalf of an agency.
Twenty-two categories of CUI data are defined by the National Archives and Records Administration (NARA), of which five are pertinent to the Installations and Environment community and fall under, or relate to, the Critical Infrastructure category:
Controlled Technical Information
Critical Infrastructure-DoD Critical Infrastructure Security Information
Critical Infrastructure-Critical Energy Infrastructure Information
Critical Infrastructure-Physical Security
Critical Infrastructure-Protected Critical Infrastructure Information
The DoD implementation of the EO was issued in December 2015 as the "Guidance to Stakeholders for Implementing Defense Federal Acquisition Regulation Supplement Clause 252.204-7012 (Safeguarding Unclassified Controlled Technical Information)."
DFARS Technical Information. Technical data or computer software as defined in DFARS Clause 252.227-7013, Rights in Technical Data-Noncommercial Items, regardless of whether or not the clause is incorporated in the solicitation or contract. Examples of technical information include research and engineering data, engineering drawings and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.
All FRCS projects that will collect, transmit, or store CUI data must have a current Cyber Risk Management Plan (CRMP) IAW NIST SP 800-171 and the DFARS CUI Guide; compliance was required by December 2017.
Templates are provided for each of the documents, and the IE and ESTCP offices will assist contractors/vendors in completing a CRMP. Note that the templates can be used for both corporate IT business systems and OT FRCS projects. Typical CUI data on corporate IT systems includes design drawings and site information (CAD, BIM, GIS), specifications, test results, and consumption data (meter, site data). Typical CUI on OT projects includes network traffic (Modbus, BACnet, TCP/IP) between the HMI and lower-level controllers, configuration files, hardware/software versions and hashes, and consumption data (meter, site data).
The following documents are typically included in the CRMP (presented in order of recommended completion):
DSD Memo - Responding to Breaches of Personally Identifiable Information (November 2018) - The purpose of this memorandum is to remind DoD personnel of their obligation to respond to known or suspected breaches of personally identifiable information (PII) in accordance with the attached DoD Breach Response Plan.
Approval of Multi-Factor Authentication Alternatives RSA and YubiKey - CIO-signed memorandum authorizing the use of RSA and YubiKey tokens for MFA where use of PKI is not feasible. Per DFARS, contractors/vendors must have MFA on their systems that contain CUI.
DFARS Guide 2015 Guidance to Stakeholders for Implementing Defense Federal Acquisition Regulation Supplement - This guidance is intended for stakeholders charged with protection of unclassified controlled technical information (CTI) resident on or transiting through contractor information system(s) covered by DFARS 252.204-7012 (Safeguarding Unclassified Controlled Technical Information). CTI is technical information with military or space application that is subject to controls on its access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. This guide will assist stakeholders in carrying out their responsibilities should a defense contractor report a compromise on a contract that contains unclassified CTI.
DFARS 252.204-7012 Safeguarding Covered Defense Information and Cyber Incident Reporting - This is the DFARS contract clause an investigator should look for in their contract/subcontract. If the ESTCP contract does not include this clause, contact the ESTCP office so that a modification can be issued.
NIST SP 800-171 Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations - The protection of Controlled Unclassified Information (CUI) while residing in nonfederal information systems and organizations is of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations. The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components. The CUI requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations.
CJCSM 6510.01B Cyber Incident Handling Program 2012 - This manual describes the Department of Defense (DoD) Cyber Incident Handling Program and specifies its major processes, implementation requirements, and related U.S. government interactions.