In recent months, we have witnessed a number of high-profile security incidents in which the absence of adequate cyber security measures and appropriate data classification tooling has wreaked havoc for government agencies and private industry alike. These highly publicised cases are likely to shape cyber security policy for years to come, and we can expect more rigorous scrutiny of government supply chain considerations around Controlled Unclassified Information (CUI), and more demanding cyber security standards for contractors. In fact, we are already seeing additional compliance legislation expedited.
The recent Consolidated Appropriations Act requires government agencies to conduct “an assessment of any risk of cyber-espionage or sabotage” associated with the acquisition of any high-impact or moderate-impact information system. Further, the Department of Defense’s interim rule for its Cybersecurity Maturity Model Certification (CMMC) Program, which went into effect on November 30th, 2020, requires all DoD contractors and subcontractors to register and report their assessment scores under the program. It also establishes the first “pathfinder” contracts requiring CMMC review, which means that contractors will need CMMC certification by the date of award in order to participate.
More recently, the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2021 contains a number of provisions related to cyber security designed to improve U.S. cyber security defences, and to protect U.S. systems and critical infrastructure from malicious actors. It includes the adoption of a biennial national cyber exercise involving federal, state, private sector and international stakeholders, and recognises the need for greater coordination and cooperation between government and industry pertaining to cyber threats.
The race is now on for any contractors wishing to work with the government to come into full CUI compliance, and additional cyber security-related legislation is certain to be on the horizon this year.
The CUI Framework
Prior to the National Archives and Records Administration’s (NARA’s) implementation of the CUI protection framework, government agencies employed ad hoc agency-specific policies, procedures, and markings to safeguard and control unclassified information that did not meet the criteria for classification. This confusing patchwork resulted in inconsistent marking and safeguarding of documents, which led to unclear or unnecessarily restrictive dissemination policies and created barriers to authorised information sharing. NARA’s CUI rule was designed primarily to safeguard sensitive government data that had not been classified as Confidential or Secret while it was shared between different government and commercial entities.
Today, the CUI Program is a unified effort between Executive Branch agencies to standardise protections and practices across departments and agencies. It defines a central data classification policy for the handling, safeguarding and dissemination of ‘sensitive but unclassified’ (SBU) government information.
NARA maintains a public CUI registry reflecting authorised CUI categories and subcategories, associated markings, and applicable data safeguarding, dissemination, and decontrol procedures as data moves through non-federal systems. The marking is central to ensuring that CUI data is handled and secured in an appropriate way, and is only accessible to users who need to work with it e.g. for a particular project.
A data classification solution built around the registry’s markings enables government agencies and contractors to meet these CUI handling requirements. Given that information is one of the most important assets government and federal agencies have, they should treat the CUI compliance plan as an opportunity to leverage, protect, and share this information, not merely as a checkbox.
CUI in practice – five core considerations
So in practice, what does CUI mean for government agencies today? Ensuring consistency and compliance with the CUI framework requires federal agencies to enhance their overall security programme by addressing five key considerations in the identification and protection of CUI. This involves detailed categorisation and labelling of data, placing the focus on protecting the information itself and keeping it secure through every step of its downstream journey.
A solid data classification tool is critical here: it supports agencies by automating the labelling process and enables them to comply with CUI cyber security directives with minimal impact on internal IT and software development resources.
1. Identifying CUI in email and documents
Identification includes adding CUI-compliant headers, footers, and portion markings. The markings should be applied automatically to ensure consistency and compliance with the CUI framework.
Data classification tools should therefore provide CUI banners and portion markings in emails and documents. These markings also raise CUI awareness and encourage proper handling and sharing of sensitive information by users.
2. Ensuring any existing marking tools support the new CUI framework
Existing marking tools should be able to switch over to the new markings within a very short period, and ideally they will recognise the old markings, such as SBU and ‘For Official Use Only’ (FOUO), and automatically map them to the new CUI markings.
Data classification tools should also safeguard CUI from disclosure and provide users with targeted security education at the moment of action, which helps prevent data leaks before they happen. The software must automatically warn users when they are about to violate policy, for example by sending CUI to a recipient who is not authorised to receive it.
3. Automatic Encryption and Dissemination Controls
Some CUI will require extra protection such as encryption and dissemination controls. Applied consistently, these controls also enhance the ability of other security solutions to protect CUI, including data loss prevention (DLP), network guards and archiving solutions. A marking tool that records CUI marking actions and user responses to policy violations gives those solutions, and security teams, insight into user activity.
4. CUI markings should be stored as metadata
Storing the marking as metadata drives downstream technologies, such as solutions for archiving, eDiscovery and DLP, which can read the classification without parsing the visible banner. The audit logs produced when markings are applied, changed or acted upon can be aggregated into reports that provide insight into information flow, user behaviour, and security policy effectiveness.
5. Any marking solutions should be easy to use and require minimal training for the user
Ideally, the solution will be integrated into the user’s regular email and document workflow, so that marking becomes a natural step rather than an obstacle to information sharing. A well-integrated solution lets users treat the CUI framework as an opportunity to share and protect information assets, which helps to promote government transparency while protecting sensitive government information.
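The five considerations above describe one pipeline: recognise a CUI banner or a legacy marking, map it to a CUI marking, emit the marking as metadata, apply portion markings, and warn before a dissemination control is breached. The following toy marking engine is an added example written for this page; it is not code from NARA, the DoD, or any vendor product. The banner structure (CUI//CATEGORY//LDC) follows the CUI marking convention, but the legacy mapping table, the metadata header names, the subset of dissemination controls and the recipient policy are this example’s own assumptions, not authoritative lists.

```python
"""Toy CUI marking engine (added example; assumptions are marked in comments)."""
import re
from dataclasses import dataclass

# Limited dissemination control (LDC) markings this parser knows (assumed subset).
KNOWN_LDC = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY"}

# Legacy agency markings to recognise on switch-over. Assumption: all map to
# basic CUI with no category; a real policy table would be agency-specific.
LEGACY_MARKINGS = {
    r"\bFOUO\b": "legacy FOUO",
    r"\bFOR OFFICIAL USE ONLY\b": "legacy FOUO",
    r"\bSBU\b": "legacy SBU",
    r"\bSENSITIVE BUT UNCLASSIFIED\b": "legacy SBU",
}

# Banner line: "CUI" or "CONTROLLED", optionally followed by //CATEGORY//LDC segments.
BANNER_RE = re.compile(r"^\s*(?:CUI|CONTROLLED)(?://(.+))?\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class CuiMarking:
    categories: tuple = ()       # category markings, e.g. ("SP-CTI",) (illustrative)
    ldc: tuple = ()              # dissemination controls, e.g. ("NOFORN",)
    source: str = "CUI banner"   # how the marking was derived, kept for the audit trail

    def banner(self) -> str:
        parts = ["CUI"]
        if self.categories:
            parts.append("/".join(self.categories))
        if self.ldc:
            parts.append("/".join(self.ldc))
        return "//".join(parts)

    def portion_mark(self) -> str:
        return f"({self.banner()})"


def parse_banner(line: str):
    """Return a CuiMarking for a CUI banner line, or None if the line is not one."""
    m = BANNER_RE.match(line)
    if not m:
        return None
    segments = [s.strip().upper() for s in (m.group(1) or "").split("//") if s.strip()]
    categories, ldc = (), ()
    if segments:
        tail = tuple(t.strip() for t in segments[-1].split("/"))
        if all(t in KNOWN_LDC for t in tail):   # "CUI//NOFORN" has LDC but no category
            ldc, segments = tail, segments[:-1]
        if segments:
            categories = tuple(t.strip() for s in segments for t in s.split("/"))
    return CuiMarking(categories, ldc)


def map_legacy(line: str):
    """Map an old FOUO/SBU marking to basic CUI; None if no legacy marking is present."""
    for pattern, name in LEGACY_MARKINGS.items():
        if re.search(pattern, line, re.IGNORECASE):
            return CuiMarking(source=name)
    return None


def classify(header_line: str):
    """Derive the marking from a document or email header: CUI banner first, then legacy."""
    return parse_banner(header_line) or map_legacy(header_line)


def to_metadata(marking: CuiMarking) -> dict:
    """Emit the marking as metadata. Header names are this example's own convention."""
    return {
        "X-CUI-Marking": marking.banner(),
        "X-CUI-Categories": ",".join(marking.categories),
        "X-CUI-LDC": ",".join(marking.ldc),
        "X-CUI-Source": marking.source,
    }


def apply_portion_marks(paragraphs, marking: CuiMarking):
    """Prefix each portion with the marking unless it already carries one."""
    pm = marking.portion_mark()
    return [p if p.startswith("(CUI") else f"{pm} {p}" for p in paragraphs]


def dissemination_violations(marking: CuiMarking, recipients, us_domains):
    """Toy policy: NOFORN -> recipient domain must be an approved US organisation;
    FED ONLY -> recipient must be a .gov or .mil address. Returns warning strings."""
    warnings = []
    for rcpt in recipients:
        domain = rcpt.rsplit("@", 1)[-1].lower()
        if "NOFORN" in marking.ldc and domain not in us_domains:
            warnings.append(f"{rcpt}: NOFORN material, {domain} is not an approved US organisation")
        if "FED ONLY" in marking.ldc and not domain.endswith((".gov", ".mil")):
            warnings.append(f"{rcpt}: FED ONLY material, recipient is not a federal address")
    return warnings


if __name__ == "__main__":
    # Constructed sample input: a legacy-marked memo and a CUI-marked email.
    memo = classify("FOR OFFICIAL USE ONLY")
    print(memo.banner(), to_metadata(memo))
    mail = classify("CUI//SP-CTI//NOFORN")
    print(apply_portion_marks(["Test data set B.", "(CUI) Already marked."], mail))
    print(dissemination_violations(mail, ["pm@contractor.example", "x@partner.example.uk"],
                                   {"contractor.example"}))
```

The parser resolves the one ambiguity in the banner grammar, a single segment after CUI, by checking whether every token is a known dissemination control; anything else is treated as a category. In a production tool the warning strings would feed the user prompt and the audit log described under consideration 3, and the metadata dictionary would be written as real document properties or email headers rather than returned.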