Controlled Unclassified Information (CUI) Compliance
Supporting NIST SP 800-171 & CUI Compliance
Boldon James Classifier, the market leading data classification product, supports compliance with NIST regulations by:
- Ensuring appropriate control of confidential or sensitive information
- Classifying or labelling data with visual (and metadata) labels to highlight any special handling requirements
- Alerting users when personal data is leaving the organisation, to warn them or prevent them from sending messages that contain sensitive information
- Educating users about the sensitivity of data whilst ensuring adherence to corporate policy
Defense Federal Acquisition Regulation Supplement
For all contractors and subcontractors of the US Department of Defense, the DoD has published prescriptive steps to ensure compliance with the requirements for safeguarding Controlled Unclassified Information (CUI). Through the DoD Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, implementation of the controls identified in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations”, must be in place as of December 31, 2017.
The NIST publication references a registry of information categories and related subcategories maintained by the National Archives (NARA). The CUI initiative seeks the consistent application of safeguarding measures related to the dissemination of information while fostering the sharing of information and collaboration where appropriate.
The heart of the CUI program was expressed in Executive Order (EO) 13556, calling for “An open and uniform program to manage all unclassified information…”, a key component being that all CUI is to be labelled with appropriate visual markings that indicate to downstream parties how the regulated data should be treated.
Organizations can position themselves for compliance by taking steps to master the principles of data classification and implementing the processes, tools and training that will enable consistent and accurate labelling as defined in their data governance policy and required by NIST SP 800-171. Through this capability, organizations can readily demonstrate that they have the capacity in place to recognize and manage CUI with appropriate metadata and visual markings as defined in the NARA registry.
At this time a certification process for CUI compliance does not exist, but given that the requirements are stipulated through DFARS 252.204-7012, one can reasonably expect a strict attestation scheme in the future. While compliance is on the ‘honor system’, there are risks to be considered for not adopting the safeguards, up to and including the loss of a contract or of participation as a subcontractor.
By adopting the framework, organizations will not only demonstrate their ability to protect regulated data but will also enhance their ability to compete for new opportunities that store, process or transmit CUI.
- NIST Special Publication 800-171 Rev.1, Assessing Security Requirements for Controlled Unclassified Information – a publication intended to assist organizations in developing assessment plans and conducting efficient, effective, and cost-effective assessments of the security requirements in SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.
- NIST MEP Cybersecurity Self-Assessment Handbook For Assessing NIST SP 800-171 – a self-assessment handbook that could be useful to all DoD contractors seeking to assess their own implementation of the NIST SP 800-171 controls.
- Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012