Overview
NIST Regulations For CUI: Classifying And Controlling Government Data In Nonfederal Systems

For all contractors and subcontractors working with the US Department of Defense, the DoD has published prescriptive steps to ensure compliance with the requirements for safeguarding Controlled Unclassified Information (CUI). Under the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, the controls identified in National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”, must be in place as of December 31st, 2017.

The NIST publication references a registry of information categories and related subcategories maintained by the National Archives (NARA). The CUI initiative seeks the consistent application of safeguarding measures related to the dissemination of information while fostering the sharing of information and collaboration where appropriate.


The heart of the CUI program was expressed in Executive Order (EO) 13556, which called for “An open and uniform program to manage all unclassified information…”. A key component is that all CUI be labelled with appropriate visual markings that indicate to downstream parties how the regulated data should be treated.

Organizations can position themselves for compliance by taking steps to master the principles of data classification and to implement the processes, tools and training that will enable consistent and accurate labeling as defined in their data governance policy and required by NIST SP 800-171. Through this capability, organizations can readily demonstrate that they have the capacity in place to recognize and manage CUI with appropriate metadata and visual markings as defined in the NARA registry.


At this time, a certification process for CUI compliance does not exist, but given that the requirements are stipulated through DFARS 252.204-7012, one can reasonably expect a strict attestation scheme in the future. While compliance is on the ‘honor system’, there are risks to be considered in not adopting the safeguards, up to and including the loss of a contract or of participation as a subcontractor.

By adopting the framework, organizations will not only demonstrate their ability to protect regulated data but will also enhance their ability to compete for new opportunities that involve storing, processing or transmitting CUI.

Additional Resources

Additional information from NIST:

  • NIST Special Publication 800-171 Rev.1 – Assessing Security Requirements for Controlled Unclassified Information. A publication intended to help organizations develop assessment plans and conduct efficient, effective, and cost-effective assessments of the security requirements in SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
  • Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012

Boldon James Ltd, Cody Technology Park, Ively Road, Farnborough, Hampshire GU14 0LX, United Kingdom