Controlled Unclassified Information
Chris Shawn, VA; Kathleen Connor, VA/Book Zurman; Eric Larsen, CMS/MITRE

Navigation Links
• Controlled Unclassified Information
• Approach to Marking Healthcare CUI
• Controlled Unclassified Information (CUI) FAQs
• HL7 CUI Examples
• HL7 CUI Codes

Agenda
• What is Controlled Unclassified Information (CUI)?
• CUI FAQs
• Easing CUI adoption for healthcare
• CUI Standards in HL7 Version 2, CDA, and FHIR
• Possible Technical Solutions
• CUI Banner Demo

Key Messages
CUI Business Problem
• Federal health agencies evaluate their requirements for marking and managing Controlled Unclassified Information (CUI) under Executive Order 13556 and 32 CFR Part 2002
• Recipients of federal health CUI must manage, persist, and enforce CUI security controls, and must apply the markings to any CUI they further disclose
• If each agency adopts a different CUI marking policy, the burden on downstream HIE participants would increase exponentially
CUI Solution
• Easing CUI implementation is possible if agencies decide on a consensus CUI marking
• Adoption of HL7 CUI codes ensures interoperability across HL7 Version 2, CDA, and FHIR content

Learning Objectives
• CUI Business Drivers: Policy Issues, Risks, Solutions
• Technical Solution Approaches
• Legal basis for CUI requirements
• Which CUI Categories apply
• Everything you'll ever want to know about CUI
• Interoperable CUI

Controlled Unclassified Information (CUI)
Acknowledgement: NIST Controlled Unclassified Information Security Requirements Workshop

Background
Federal agencies are required to protect Controlled Unclassified Information (CUI) in nonfederal systems and organizations:
• Executive Order (EO) 13556: Establishes an open and uniform program for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, excluding information that is classified under Executive Order 13526 of December 29, 2009, or the Atomic Energy Act, as amended.
• 32 CFR Part 2002: Establishes policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program.
• NIST Special Publication (SP) 800-171: Provides federal agencies with recommended security requirements for protecting the confidentiality of CUI when the CUI is resident in a nonfederal system and organization. The security requirements apply only to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.

CUI History
• 2007 – DoD CIO memo to safeguard DoD data in non-DoD systems
• 2007 – Presidential memo: Controlled Unclassified Information (CUI) program
• 2010 – DoD publishes Advance Notice of Proposed Rulemaking for DFARS
• 2010 – President issues EO 13556; NARA designated CUI Executive Agent
• 2011 – DoD publishes proposed DFARS rule including a table of selected 800-53 controls
• 2012 – DFARS rule re-scoped to protect Unclassified Controlled Technical Information
• 2013 – NARA objects to DFARS in interagency coordination
• 2013 – Safeguarding of Unclassified Controlled Technical Information DFARS published
• 2013 – DoD/NARA/NIST begin work on what will become NIST SP 800-171
• 2015 – NIST SP 800-171 published
• 2015 – DFARS rule revised to cite NIST SP 800-171 and apply broadly to "DoD" CUI
• 2016 – NARA CUI Federal Rule (32 CFR 2002) published

Key Definitions
Federal Information System: An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. "…when a non-executive branch entity uses or operates an information system or maintains or collects information for the purpose of processing, storing, or transmitting Federal information, and those activities are not incidental to providing a service or product to the government."
Nonfederal Information System: An information system that does not meet the criteria for a federal information system.
Nonfederal Organization: An entity that owns, operates, or maintains a nonfederal information system, for example:
• Federal contractors
• State, local, and tribal governments
• Colleges and universities

CUI and Security
NIST SP 800-171 defines security requirements for protecting CUI in nonfederal information systems and organizations.
The Federal CUI regulation (32 CFR Part 2002) establishes required controls and labeling for CUI government-wide. It:
• Codifies that CUI is categorized as at least FIPS Moderate Impact Level for Confidentiality.
• Does not address Integrity and Availability.
• Allows the Confidentiality categorization to be higher with "prior agreement."
• Defines "on behalf of an agency."
• States that information systems that process, store, or transmit CUI may be federal or nonfederal.
• Specifies federal agency security requirements when the system is federal, including contractors operating "on behalf of" an agency (i.e., FISMA/RMF).
• Specifies the security requirements from SP 800-171 when the system is nonfederal.

NIST Special Publication 800-171
Provides federal agencies with recommended requirements for protecting the confidentiality of CUI:
• When the CUI is resident in nonfederal information systems and organizations.
• Where the CUI does not have specific safeguarding requirements prescribed by the authorizing law, regulation, or government-wide policy for the CUI category or subcategory listed in the CUI Registry.
• When the information systems where the CUI resides are not operated by organizations on behalf of the federal government.
CUI requirements apply only to components of nonfederal information systems that process, store, or transmit CUI, or provide security protection for such components.
The requirements are intended for use by federal agencies in contractual vehicles or other agreements established between those agencies and nonfederal organizations. Requirements must be "weaponized" through such agreements.

NIST SP 800-171 CUI Security Requirements
Security requirements have a well-defined structure consisting of the following components:
• Basic security requirements from FIPS 200 (Strategic)
• Derived security requirements from SP 800-53 (Tactical)
Basic and derived security requirements are obtained from FIPS 200 and NIST SP 800-53 initially, and then tailored appropriately to eliminate requirements that are:
• Uniquely federal (i.e., primarily the responsibility of the federal government).
• Not directly related to protecting the confidentiality of CUI.
• Expected to be routinely satisfied by nonfederal organizations without specification.
The confidentiality impact value for CUI is no lower than Moderate, in accordance with FIPS Publication 199.

CUI Security Requirements: Healthcare Impacts
Health information and privacy are CUI Categories requiring additional security controls beyond those mandated by:
• HIPAA Privacy and Security
• Title 38 Section 7332
• 42 CFR Part 2
• Privacy Act
• OMB A-130 Managing PII
The CUI regulation requires that:
• Federal agencies and contractors apply healthcare and privacy CUI markings
• Non-federal entities receiving CUI must persist and reapply CUI markings when the information is redisclosed, and enforce CUI security controls
Federal health agencies could ease adoption with consensus on:
• A default CUI marking for all key health information exchanges
• Interoperable CUI standards such as HL7 CUI codes

Approach to Marking Healthcare CUI

Problem
Federal health agencies must evaluate their requirements for marking and managing Controlled Unclassified Information (CUI) as required by 32 CFR 2002 and guidance from the National Archives and Records Administration (NARA).
CUI recipients must manage, persist, and enforce CUI security controls, and must apply markings to any CUI they further disclose.
Federal health agencies could decide on very different CUI marking policies, e.g., agencies could decide to:
• Mark the same CUI differently
• Mark CUI portions
• Not mark CUI at all, because CUI recipients must adhere to NIST SP 800-171 regardless
• Decontrol CUI

CUI Risk Vectors
Key Federal healthcare CUI is disseminated with trading partners including:
• Other Federal agencies
• Non-executive branch agencies: judiciary, research, educational institutions
• Health oversight agencies
• Contracted providers, payers, intermediaries
• Private sector providers, payers, intermediaries, and HIEs
CUI recipients must manage, persist, and enforce CUI security controls, and must apply markings to any CUI they further disclose. If the CUI markings on the same HIE content differ, recipients will have difficulty discerning their security control requirements.

Worst Case Scenario
• Agency A sends no CUI marking but expects recipients to comply with its NIST SP 800-171 control requirements. Without CUI marking standards, the provenance of the designating agency may not be conveyed.
• Agency B decontrols its patient records. The provenance of the decontrolling agency might not be conveyed.
• Agency C sends the minimum "CUI" marking with no indication of the Category Authority, which may have other control requirements.
• Agency D sends CUI//SP-HLTH/PRVCY with the provenance of the designating agency.
• A provider contracted with any of the above receives information about the same patient under four different CUI marking schemes.
• The provider may send the patient record back to a Federal agency with markings from another agency.
• Each Federal agency must then retain the CUI markings sent by the provider, regardless of that agency's own approach to marking CUI.

Solution
Consensus on which CUI categories apply to key health information exchanges, together with a standards-based interoperable approach to CUI marking, could:
• Address the risk of the worst case scenario
• Lower the burden on downstream recipients, which could be the Federal health agencies themselves
• Enable development of technical solutions

Analysis
Review of applicable CUI Authorities indicates that only the General Privacy and Health Information Categories pertain to Federal HIE key lines of business.
[Table on slide: Applicable CUI-related laws most important to HIE]

Applicable CUI Categories
Under the General Privacy Category, OMB Circular A-130 governs all PII handled by Federal agencies, including IIHI and PHI.
• This is Basic CUI. [CUI//PRVCY]
Under the Health Information Category, the Specified Health Information Category pertains to information governed under the HIPAA Administrative Simplification Statute and 42 CFR Part 2, which is closely aligned.
• This is Specified CUI. [CUI//SP-HLTH]
The HIPAA Privacy and Security CUI Basic Health Information Authorities echo their statutory basis. In addition, under the Health Information Category there are the Title 38 Section 7332 and 42 CFR Part 2 privacy-related Authorities.
• These are Basic CUI. [CUI//HLTH]

Adopt a Consensus Federal Health Information Exchange CUI Marking
• To ease CUI implementation and interoperability for HIE and our partners, Federal health agencies could consider a single default CUI marking to meet 32 CFR 2002 requirements for their shared healthcare lines of business information exchanges.
• The basis of this recommendation is that federal agency participation in HIE is governed by shared privacy and security policies, which are associated with CUI Basic and Specified markings under two CUI Categories: General Privacy and Health Information.
• The following is a common marking for health information exchanges:
Federal Health Information and General Privacy Common HIE Marking: CUI//SP-HLTH/PRVCY

Conclusions (1)
All key federal HIE flows could be described by a single default CUI marking.
• The CUI regulation indicates that the Basic controls apply even when there is a CUI Specified marking, unless there is a conflict. If something gets designated SP-HLTH, that doesn't mean the only controls are the security safeguards listed in the HIPAA Administrative Simplification statute, which is a "specified" CUI Health Category Authority.
• It means that all the CUI Basic controls outlined in NIST SP 800-171 would be required to be implemented by an authorized holder, in addition to 42 USC 1320d-2(d)(2). Likewise, that is consistent with the position in the DURSA discussions, where CUI Health doesn't just follow the HIPAA Security Rule requirements but also the NIST SP 800-171 controls.

Conclusions (2)
HIE implementation will require use of the vocabulary and mechanisms already established for labeling CUI in HL7 standard messaging. Using HL7 Security Labeling across HL7 standards provides a "cross-paradigm" approach to CUI markings that is transformable.
• Standard CUI codes can be implemented in HL7® Version 2, CDA, and FHIR.
• CUI codes are available through HL7 with definitions and syntax implementation guidance on how to display them in CUI banners at the document level and at the portion level.
• HL7 CUI codes are based entirely on the NARA CUI Marking Handbook.
To extend interoperability, the X12, NCPDP, and NIEM communities are encouraged to adopt the same CUI codes within their standards' syntax.

Recommendations
• Adopt a consensus Federal Health Information Exchange CUI marking
• Adopt HL7 CUI vocabulary and the messaging standards' implementation of CUI labeling for all supported messaging
• Work with HIE trading partners toward seamless adoption of CUI and NIST SP 800-171
• Encourage industry solutions

Sharing with Protections using CUI
• Open APIs
• Shared Services
[Figure on slide: Digital Health Platform]

Digital Health Platform Architecture
[Figure on slide: architecture diagram]

Controlled Unclassified Information (CUI) FAQs
Acknowledgement: NIST Controlled Unclassified Information Security Requirements Workshop

Controlled Unclassified Information (CUI) FAQs (cont.)
• CUI FAQ 2019 by Mike Davis
• This document contains key concepts and citations related to CUI in the form of Frequently Asked Questions (FAQ).

HL7 CUI Examples
Acknowledgement: NIST Controlled Unclassified Information Security Requirements Workshop

HL7 V2 Security Label Example with CUI
ARV|1|A|Title 38 Section 7332^Title 38 Section 7332^2.16.840.1.113883.21.405|ETHUD^alcohol use disorder information sensitivity^HL70719^^^^^^2.16.840.1.113883.5.4~|Title 38 Section 7332^Title 38 Section 7332^2.16.840.1.113883.21.405^HL70719^^^^^^2.16.840.1.113883.5.4|This information has been disclosed to you from records protected by federal confidentiality rules (Title 38 Section 7332). The federal rules prohibit you from making any further disclosure of information unless further disclosure is expressly permitted by the written consent of the individual whose information is being disclosed or as otherwise permitted by Title 38 Section 7332.|CUI//SP-HLTH/PRVCY||201708151230^201808151230|R^restricted^HL70952^^^^^^2.16.840.1.113883.5.25|TREAT^treatment purpose of use^HL70953^^^^^^2.16.840.1.113883.5.8~PERSISTLABEL^persist security label^HL70953^^^^^^2.16.840.1.113883.5.4~PRIVMARK^privacy mark^HL70953^^^^^^2.16.840.1.113883.5.4|MSH^1^4~EVN^1~PID^1^8~PID^1^10~DG1^2^4~DG1^3^4

CDA Security Label with CUI
<section>
  <!-- Privacy Markings section template -->
  <templateId root="2.16.840.1.113883.3.3251.1.5" assigningAuthorityName="HL7 Security"/>
  <code code="57017-6" codeSystem="2.16.840.1.113883.6.1" codeSystemName="LOINC" displayName="Privacy policy Organization"/>
  <title>Controlled Unclassified Information Health</title>
  <text>CUI//SP-HLTH/PRVCY</text>
  <confidentialityCode code="R" codeSystem="2.16.840.1.113883.5.25" codeSystemName="HL7 Confidentiality"/>
</section>

FHIR Bundle & Resource with CUI
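The V2, CDA and FHIR examples all carry the same coded labels, and the deck's point is that a recipient must be able to render the banner from those codes and keep it on redisclosure. The following Python is an added example, not code from the slides, HL7, VA or CMS: the CUI_MARKS table copies the HL7 CUI code tables later in the deck and the OIDs are those in the ARV example above; the rule for combining several category codes into one banner (CUI Specified categories keep their SP- prefix and precede CUI Basic ones, separated by "/") is an assumption modeled on the deck's CUI//SP-HLTH/PRVCY marking, the reading of PERSISTLABEL and PRIVMARK follows their display names in the ARV example, and the Label class, function names and sample label sets are this example's own.

```python
"""Compose CUI banner/portion markings from HL7 security-label codes and
flag label sets a downstream HIE recipient could not act on.

Added example, not code from the slides, HL7, VA or CMS.  CUI_MARKS copies the
HL7 CUI code tables in this deck; the OIDs are those in the deck's ARV example.
The combination rule (CUI Specified categories keep their SP- prefix and come
before CUI Basic categories, separated by "/") is an assumption modeled on the
deck's CUI//SP-HLTH/PRVCY marking.
"""
from dataclasses import dataclass

ACTCODE = "2.16.840.1.113883.5.4"           # HL7 v3 ActCode (CUI codes, obligations)
CONFIDENTIALITY = "2.16.840.1.113883.5.25"  # HL7 v3 Confidentiality (R = restricted)
ACTREASON = "2.16.840.1.113883.5.8"         # HL7 v3 ActReason (purpose of use)

# HL7 CUI code -> the mark it is required to render as (deck tables, slides 38-43)
CUI_MARKS = {
    "CONTROLLED": "CONTROLLED",
    "CUI": "CUI",
    "CUIHLTH": "CUI//HLTH",
    "CUISPHLTH": "CUI//SP-HLTH",
    "CUIPRVCY": "CUI//PRVCY",
    "CUISPPRVCY": "CUI//SP-PRVCY",
    "CUIP": "(CUI)",
    "CUIHLTHP": "(CUI//HLTH)",
}


@dataclass(frozen=True)
class Label:
    """One coded security label: FHIR meta.security, a CDA confidentialityCode /
    privacy marking, and an ARV field in V2 all carry (code system, code) pairs."""
    system: str
    code: str


def cui_categories(codes):
    """Return {(is_specified, category)} from the marks the codes render as.

    "(CUI//HLTH)" contributes the same category as "CUI//HLTH"; a bare control
    marking ("CUI", "CONTROLLED") contributes no category at all.
    """
    pairs = set()
    for code in codes:
        mark = CUI_MARKS[code].strip("()")
        if "//" not in mark:
            continue
        for cat in mark.split("//", 1)[1].split("/"):
            pairs.add((cat.startswith("SP-"), cat.removeprefix("SP-")))
    return pairs


def banner(labels):
    """Document-level banner for a label set, or None if it carries no CUI code."""
    codes = [lab.code for lab in labels if lab.system == ACTCODE and lab.code in CUI_MARKS]
    if not codes:
        return None
    control = "CONTROLLED" if "CONTROLLED" in codes else "CUI"
    pairs = cui_categories(codes)
    specified = sorted(cat for sp, cat in pairs if sp)
    # A category present as both Basic and Specified is shown once, as Specified.
    basic = sorted(cat for sp, cat in pairs if not sp and cat not in specified)
    parts = [f"SP-{cat}" for cat in specified] + basic
    return f"{control}//" + "/".join(parts) if parts else control


def portion_mark(labels):
    """Portion-level form of the same marking, e.g. "(CUI//SP-HLTH/PRVCY)"."""
    b = banner(labels)
    return f"({b})" if b else None


def check(labels):
    """Flag what the deck's worst-case scenario warns about: a recipient that
    cannot tell CUI is present, or that may drop the label on redisclosure."""
    issues = []
    codes = {lab.code for lab in labels if lab.system == ACTCODE}
    if banner(labels) is None:
        issues.append("no CUI marking: recipient cannot tell which NIST SP 800-171 controls apply")
    if "PERSISTLABEL" not in codes:
        issues.append("no PERSISTLABEL obligation: label may not be carried on further disclosure")
    if "PRIVMARK" not in codes:
        issues.append("no PRIVMARK obligation: nothing requires the receiver to render the banner")
    return issues


# Constructed sample 1: the consensus HIE label set from the deck's ARV/CDA examples.
SHARED_HIE_LABELS = [
    Label(CONFIDENTIALITY, "R"),
    Label(ACTREASON, "TREAT"),
    Label(ACTCODE, "PERSISTLABEL"),
    Label(ACTCODE, "PRIVMARK"),
    Label(ACTCODE, "CUISPHLTH"),
    Label(ACTCODE, "CUIPRVCY"),
]

# Constructed sample 2: "Agency A" from the worst-case slide, sending no CUI marking.
UNMARKED_LABELS = [Label(CONFIDENTIALITY, "R"), Label(ACTREASON, "TREAT")]

if __name__ == "__main__":
    for name, labels in (("shared HIE", SHARED_HIE_LABELS), ("agency A", UNMARKED_LABELS)):
        print(f"{name}: banner={banner(labels)} portion={portion_mark(labels)} issues={check(labels)}")
```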

CUI Reference Material
• Executive Order 13556
• Controlled Unclassified Information Executive Order 13556
• 32 CFR Part 2002 (Implementing Directive)
• Information Security Oversight Office (ISOO)
• Protection of Controlled Unclassified Information - CSRC
• Controlled Unclassified Information (CUI) – NIST
• CUI Rule 32 CFR Part 2002
• SP 800-171A
• CUI Marking Handbook
• CUI Health Information Category
• CUI Registry: Limited Dissemination Controls
• CUI Policy and Guidance
• CUI Glossary

CUI Updated Training Videos (1)
• August 6, 2018 / August 7, 2018, by Mark Riddle; posted in Common questions, General updates, Marking & examples
• ISOO has developed seven new training modules. These videos offer the most up-to-date information about the CUI Program.
• Introduction to Marking CUI (updated August 6, 2018): This video provides an overview of how to mark documents, emails, presentations, systems, and other files that contain CUI. It specifically addresses the designation indicator and the CUI banner marking, including the CUI control marking, CUI category markings, and Limited Dissemination Control markings. It also discusses portion marking, the use of cover sheets, marking multipage documents, and decontrolling CUI.
• Marking Commingled Information: This video describes how to mark documents that contain both CNSI and CUI. Specifically, it covers portion and banner markings and how to mark emails and presentations.

CUI Updated Training Videos (2)
• Controlled Environments (updated August 6, 2018): This video presents the viewer with examples of two environments, one that is considered suitable for the storage and handling of CUI and one that is not. It discusses why controlled environments are important and the different approaches agencies can take to creating their own controlled environments.
• Destruction of CUI (updated August 6, 2018): This video discusses the different destruction methods that are appropriate for CUI when it is no longer needed.
• Lawful Government Purpose (updated August 6, 2018): This video addresses the principle of Lawful Government Purpose, the standard for deciding when to share and when not to share CUI.
• Freedom of Information Act FAQs (updated August 7, 2018): This video addresses some of the most frequently asked questions about CUI and FOIA.
• CUI and the FOIA FAQs (published on Aug 7, 2018): This video is a discussion of CUI and FOIA, expanding on the concepts covered in the July 3, 2014 memo "Revised Guidance regarding Controlled Unclassified Information and the Freedom of Information Act."

HL7 CUI Codes in the HL7 V3 ActCode system

Controlled Unclassified Information – Abstract Term
Code: ControlledUnclassifiedInformation
Description: Information the US Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see definition above) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify. Based on CUI Glossary https://www.archives.gov/cui/registry/cui-glossary.html.
Usage Notes: Abstract child of Privacy Mark with leaf codes. An abstract code for display of Controlled Unclassified Information tags. Mandatory control marking, which must be displayed on the top portion of each rendered or printed page containing controlled information. Should be displayed at the bottom of each rendered or printed page containing controlled information. Must be displayed on each portion of controlled information at the portion level if portions are uncontrolled unclassified information. Based on CUI Marking Handbook https://www.archives.gov/files/cui/20161206-cui-marking-handbook-v1-1.pdf

CONTROLLED
Code: CONTROLLED
Display: CONTROLLED
Description: A displayed mark, required to be rendered as "CONTROLLED", indicating that the electronic or hardcopy information is protected at the level of the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. Agencies handle CUI Basic according to the uniform set of controls set forth in this part and the CUI Registry. CUI Basic differs from CUI Specified (see definition for CUI Specified), and CUI Basic controls apply whenever CUI Specified ones do not cover the involved CUI. From CUI Glossary https://www.archives.gov/cui/registry/cui-glossary.html.
Usage Notes: Mandatory control marking, which must be displayed on the top portion of each rendered or printed page containing controlled information. Should be displayed at the bottom of each rendered or printed page containing controlled information. Must be displayed on each portion of controlled information at the portion level if portions are uncontrolled unclassified information. Based on CUI Marking Handbook https://www.archives.gov/files/cui/20161206-cui-marking-handbook-v1-1.pdf.

CUI
Code: CUI
Display: CUI
Definition: A displayed mark, required to be rendered as "CUI", indicating that the electronic or hardcopy information is protected at the level of the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. Agencies handle CUI Basic according to the uniform set of controls set forth in this part and the CUI Registry. CUI Basic differs from CUI Specified (see definition for CUI Specified), and CUI Basic controls apply whenever CUI Specified ones do not cover the involved CUI. From CUI Glossary https://www.archives.gov/cui/registry/cui-glossary.html.
Usage Notes: Mandatory control marking, which must be displayed on the top portion of each rendered or printed page containing controlled information. Should be displayed at the bottom of each rendered or printed page containing controlled information. Must be displayed on each portion of controlled information at the portion level if portions are uncontrolled unclassified information. Based on CUI Marking Handbook https://www.archives.gov/files/cui/20161206-cui-marking-handbook-v1-1.pdf

CUI//HLTH & CUI//SP-HLTH
Code: CUIHLTH
Display: CUI//HLTH
Definition: A displayed mark, required to be rendered as "CUI//HLTH", indicating that the electronic or hardcopy health information is protected at the level of the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. Agencies handle CUI Basic according to the uniform set of controls set forth in this part and the CUI Registry. CUI Basic differs from CUI Specified (see definition for CUI Specified), and CUI Basic controls apply whenever CUI Specified ones do not cover the involved CUI. From CUI Glossary https://www.archives.gov/cui/registry/cui-glossary.html.
Usage Notes: Examples of healthcare regulation governing CUI Basic marking include HIPAA Unique Identifier provisions 42 USC 1320d-2 note(b) https://www.govinfo.gov/content/pkg/USCODE-2016-title42/pdf/USCODE-2016-title42-chap7-subchapXI-partC-sec1320d-2.pdf; Title 38 Section 7332 https://www.govinfo.gov/content/pkg/USCODE-2016-title38/pdf/USCODE-2016-title38-partV-chap73-subchapIII-sec7332.pdf; and several sections of 42 CFR Part 2 related to consent and confidentiality, e.g., https://www.govinfo.gov/content/pkg/CFR-2017-title42-vol1/pdf/CFR-2017-title42-vol1-sec2-12.pdf

Code: CUISPHLTH
Display: CUI//SP-HLTH
Definition: A displayed mark, required to be rendered as "CUI//SP-HLTH", indicating that the electronic or hardcopy health information is protected at the level of the subset of CUI in which the authorizing law, regulation, or Government-wide policy contains specific handling controls that it requires or permits agencies to use that differ from those for CUI Basic. The CUI Registry indicates which laws, regulations, and Government-wide policies include such specific requirements. CUI Specified controls may be more stringent than, or may simply differ from, those required by CUI Basic; the distinction is that the underlying authority spells out the controls for CUI Specified information and does not for CUI Basic information. CUI Basic controls apply to those aspects of CUI Specified where the authorizing laws, regulations, and Government-wide policies do not provide specific guidance. From CUI Glossary https://www.archives.gov/cui/registry/cui-glossary.html.
Usage Notes: Examples of healthcare regulation governing CUI Specified marking include HIPAA Transaction and Code Sets and references the Congressional requirement that HHS promulgate Privacy and Security rules https://www.govinfo.gov/content/pkg/USCODE-2016-title42/pdf/USCODE-2016-title42-chap7-subchapXI-partC-sec1320d-2.pdf.

CUI//PRVCY & CUI//SP-PRVCY
Code: CUIPRVCY
Display: CUI//PRVCY
Definition: A displayed mark, required to be rendered as "CUI//PRVCY", indicating that the electronic or hardcopy information is private and must be protected at the level of the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. Agencies handle CUI Basic according to the uniform set of controls set forth in this part and the CUI Registry. CUI Basic differs from CUI Specified (see definition for CUI Specified), and CUI Basic controls apply whenever CUI Specified ones do not cover the involved CUI. From CUI Glossary https://www.archives.gov/cui/registry/cui-glossary.html.
Usage Notes: Examples of privacy regulation governing CUI Basic marking include 20 CFR 401.100 related to SSA disclosure of personal, program, and non-program information. https://www.govinfo.gov/content/pkg/CFR-2017-title20-vol2/pdf/CFR-2017-title20-vol2-sec401-100.pdf

Code: CUISPPRVCY
Display: CUI//SP-PRVCY
Definition: A displayed mark, required to be rendered as "CUI//SP-PRVCY", indicating that the electronic or hardcopy information is private and must be protected at the level of the subset of CUI in which the authorizing law, regulation, or Government-wide policy contains specific handling controls that it requires or permits agencies to use that differ from those for CUI Basic. The CUI Registry indicates which laws, regulations, and Government-wide policies include such specific requirements. CUI Specified controls may be more stringent than, or may simply differ from, those required by CUI Basic; the distinction is that the underlying authority spells out the controls for CUI Specified information and does not for CUI Basic information. CUI Basic controls apply to those aspects of CUI Specified where the authorizing laws, regulations, and Government-wide policies do not provide specific guidance. From CUI Glossary https://www.archives.gov/cui/registry/cui-glossary.html.
Usage Notes: An example of privacy regulation governing CUI Specified marking is OMB M-17-12. This Memorandum sets forth the policy for Federal agencies to prepare for and respond to a breach of personally identifiable information (PII). It includes a framework for assessing and mitigating the risk of harm to individuals potentially affected by a breach, as well as guidance on whether and how to provide notification and services to those individuals. https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-12_0.pdf

(CUI) Portion Marking

Code: CUIP
Display: (CUI)
Definition: A displayed mark, required to be rendered as "(CUI)", indicating that a portion of an electronic or hardcopy information is protected at the level of the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. Agencies handle CUI Basic according to the uniform set of controls set forth in this part and the CUI Registry. CUI Basic differs from CUI Specified (see definition for CUI Specified), and CUI Basic controls apply whenever CUI Specified ones do not cover the involved CUI. From CUI Glossary https://www.archives.gov/cui/registry/cui-glossary.html.
Usage Notes: Examples of healthcare regulation governing CUI Basic marking include HIPAA Unique Identifier provisions 42 USC 1320d-2 note(b) https://www.govinfo.gov/content/pkg/USCODE-2016-title42/pdf/USCODE-2016-title42-chap7-subchapXI-partC-sec1320d-2.pdf; Title 38 Section 7332 https://www.govinfo.gov/content/pkg/USCODE-2016-title38/pdf/USCODE-2016-title38-partV-chap73-subchapIII-sec7332.pdf; and several sections of 42 CFR Part 2 related to consent and confidentiality, e.g., https://www.govinfo.gov/content/pkg/CFR-2017-title42-vol1/pdf/CFR-2017-title42-vol1-sec2-12.pdf

42

(CUI) & (CUI//HLTH) Portion Marking

Code: CUIP
Display: (CUI)
Definition and Usage Notes: as given for the (CUI) portion mark on the preceding slide.

Code: CUIHLTHP
Display: (CUI//HLTH)
Definition: A displayed mark, required to be rendered as "(CUI//HLTH)", indicating that a portion of an electronic or hardcopy information is protected at the level of the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. Agencies handle CUI Basic according to the uniform set of controls set forth in this part and the CUI Registry. CUI Basic differs from CUI Specified (see definition for CUI Specified), and CUI Basic controls apply whenever CUI Specified ones do not cover the involved CUI. From CUI Glossary https://www.archives.gov/cui/registry/cui-glossary.html.
Usage Notes: Examples of healthcare regulation governing CUI Basic marking include HIPAA Unique Identifier provisions 42 USC 1320d-2 note(b) https://www.govinfo.gov/content/pkg/USCODE-2016-title42/pdf/USCODE-2016-title42-chap7-subchapXI-partC-sec1320d-2.pdf; Title 38 Section 7332 https://www.govinfo.gov/content/pkg/USCODE-2016-title38/pdf/USCODE-2016-title38-partV-chap73-subchapIII-sec7332.pdf; and several sections of 42 CFR Part 2 related to consent and confidentiality, e.g., https://www.govinfo.gov/content/pkg/CFR-2017-title42-vol1/pdf/CFR-2017-title42-vol1-sec2-12.pdf

43

(CUI//PRVCY) & (CUI//SP-PRVCY) Portion Marking

Code: CUIPRVCYP
Display: (CUI//PRVCY)
Definition: A displayed mark, required to be rendered as "(CUI//PRVCY)", indicating that a portion of an electronic or hardcopy information is protected at the level of the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. Agencies handle CUI Basic according to the uniform set of controls set forth in this part and the CUI Registry. CUI Basic differs from CUI Specified (see definition for CUI Specified), and CUI Basic controls apply whenever CUI Specified ones do not cover the involved CUI. From CUI Glossary https://www.archives.gov/cui/registry/cui-glossary.html.
Usage Notes: Child of Controlled Unclassified Information Mark. Examples of privacy regulation governing CUI Basic marking include 20 CFR 401.100, related to SSA disclosure of personal, program, and non-program information. https://www.govinfo.gov/content/pkg/CFR-2017-title20-vol2/pdf/CFR-2017-title20-vol2-sec401-100.pdf

Code: CUISPPRVCYP
Display: (CUI//SP-PRVCY)
Definition: A displayed mark, required to be rendered as "(CUI//SP-PRVCY)", indicating that a portion of an electronic or hardcopy information is protected at the level of the subset of CUI in which the authorizing law, regulation, or Government-wide policy contains specific handling controls that it requires or permits agencies to use that differ from those for CUI Basic. The CUI Registry indicates which laws, regulations, and Government-wide policies include such specific requirements. CUI Specified controls may be more stringent than, or may simply differ from, those required by CUI Basic; the distinction is that the underlying authority spells out the controls for CUI Specified information and does not for CUI Basic information. CUI Basic controls apply to those aspects of CUI Specified where the authorizing laws, regulations, and Government-wide policies do not provide specific guidance. From CUI Glossary https://www.archives.gov/cui/registry/cui-glossary.html.
Usage Notes: An example of privacy regulation governing CUI Specified marking is OMB M-17-12. This Memorandum sets forth the policy for Federal agencies to prepare for and respond to a breach of personally identifiable information (PII). It includes a framework for assessing and mitigating the risk of harm to individuals potentially affected by a breach, as well as guidance on whether and how to provide notification and services to those individuals. https://www.whitehouse.gov/sites/whitehouse.gov/files/omb/memoranda/2017/m-17-12_0.pdf

44

Uncontrolled Unclassified Information Mark (U)

Code: UUI
Display: (U)
Definition: A displayed mark for uncontrolled unclassified information, required to be rendered as "(U)", indicating that a portion of the electronic or hardcopy information is covered as protected by neither Executive Order 13556 nor classified information authorities.
Usage Notes:
Regulatory Source: 32 CFR § 2002.20 Marking, Federal Register page 63344, (ii): Authorized holders permitted to designate CUI must portion mark both CUI and uncontrolled unclassified portions.
CUI Marking Handbook https://www.archives.gov/files/cui/20161206-cui-marking-handbook-v1-1.pdf
CUI Portion Marking: Portion marking of CUI is optional in a fully unclassified document, but is permitted and encouraged to facilitate information sharing and proper handling of the information. Agency heads may approve the required use of CUI Portion marking on all CUI generated within their agency. As such, users should consult their agency CUI policy when creating CUI documents. When CUI Portion Markings are used and a portion does not contain CUI, a "U" is placed in parentheses to indicate that the portion contains Uncontrolled Unclassified Information. (Page 14)
CUI Portion Markings are placed at the beginning of the portion to which they apply and must be used throughout the entire document. They are presented in all capital letters and separated as indicated in this handbook and the CUI Registry. The presence of EVEN ONE item of CUI in a document requires CUI marking of that document. Because of this, CUI Portion Markings can be of great assistance in determining if a document contains CUI and therefore must be marked as such.
Remember: When portion markings are used and any portion does not contain CUI, a "(U)" is placed in front of that portion to indicate that it contains Uncontrolled - or non-CUI - Unclassified Information. (Page 15)
Although this information is not controlled or classified, agencies must still handle it in accordance with Federal Information Security Modernization Act (FISMA) requirements. From CUI Glossary https://www.archives.gov/cui/registry/cui-glossary.html.

45
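The portion-marking rules above (mark at the start of each portion, "(U)" on non-CUI portions, and a document-level banner required as soon as one portion is CUI) are mechanical enough to implement and check. The following is an added example written for this page; it is not code from the slide deck, from VA, CMS or HL7. It uses the portion codes defined on these slides (CUIP, CUIHLTHP, CUIPRVCYP, CUISPPRVCYP, UUI). Three things it relies on are assumptions rather than statements on the slides: that a banner combining several categories lists CUI Specified categories first, each with the "SP-" prefix, separated by "/"; that an uncategorized "(CUI)" portion contributes no category to the banner; and that the banner code is the portion code with its trailing "P" removed, which is the naming pattern the deck's own codes follow. The sample documents are constructed.

```python
"""Derive and check CUI banner and portion markings from HL7 CUI portion codes.

Added example, not from the slide deck or HL7. Assumptions (not on the slides):
combined banners list CUI Specified categories first as "SP-<CAT>", joined by "/";
a plain (CUI) portion adds no category; banner code = portion code minus trailing "P".
"""
import re
from dataclasses import dataclass

# HL7 portion code -> (rendered portion mark, CUI category, CUI Specified?)
PORTION_MARKS = {
    "CUIP":        ("(CUI)",           None,    False),
    "CUIHLTHP":    ("(CUI//HLTH)",     "HLTH",  False),
    "CUIPRVCYP":   ("(CUI//PRVCY)",    "PRVCY", False),
    "CUISPPRVCYP": ("(CUI//SP-PRVCY)", "PRVCY", True),
    "UUI":         ("(U)",             None,    False),
}
MARK_TO_CODE = {mark: code for code, (mark, _, _) in PORTION_MARKS.items()}
# A portion mark sits at the very start of the portion, in capitals.
PORTION_RE = re.compile(r"^\((CUI(?://[A-Z-]+)?|U)\)\s")


@dataclass
class Portion:
    code: str   # HL7 portion code, or None when the portion carries no mark
    text: str


def render_portion(p: Portion) -> str:
    """Place the required displayed mark in front of the portion text."""
    return f"{PORTION_MARKS[p.code][0]} {p.text}"


def document_banner(portions) -> str:
    """Banner for the whole document; '' when no portion is CUI."""
    specified, basic = set(), set()
    has_cui = False
    for p in portions:
        if p.code is None or p.code == "UUI":
            continue
        has_cui = True                      # even one CUI portion forces a banner
        _, cat, sp = PORTION_MARKS[p.code]
        if cat is not None:
            (specified if sp else basic).add(cat)
    if not has_cui:
        return ""
    cats = [f"SP-{c}" for c in sorted(specified)] + sorted(basic - specified)
    return "CUI//" + "/".join(cats) if cats else "CUI"


def banner_code(banner: str):
    """HL7 banner code for a single-category banner (assumption: portion code minus 'P')."""
    for code, (mark, _, _) in PORTION_MARKS.items():
        if code != "UUI" and mark == f"({banner})":
            return code[:-1]
    return None   # no single HL7 code on these slides covers a combined banner


def parse_marked_document(text: str):
    """Read an optional banner line followed by portion lines; unmarked lines get code None."""
    lines = text.strip().splitlines()
    banner = lines[0].strip() if lines and lines[0].startswith("CUI") else ""
    portions = []
    for line in (lines[1:] if banner else lines):
        m = PORTION_RE.match(line)
        code = MARK_TO_CODE.get(f"({m.group(1)})") if m else None
        portions.append(Portion(code, line[m.end():] if m else line))
    return banner, portions


def check_marking(banner: str, portions) -> list:
    """Findings a reviewer would raise; an empty list means the marking is consistent."""
    findings = []
    marked = [p for p in portions if p.code is not None]
    if marked and len(marked) != len(portions):
        findings.append("portion marking in use but some portions carry no mark; expected '(U)'")
    expected = document_banner(marked)
    if expected and not banner:
        findings.append(f"CUI present but no banner; expected '{expected}'")
    elif expected and banner != expected:
        findings.append(f"banner '{banner}' does not match portions; expected '{expected}'")
    return findings


# Constructed sample documents (not real records).
SAMPLE = """CUI//SP-PRVCY/HLTH
(CUI//SP-PRVCY) Patient SSN on file; breach handling per OMB M-17-12.
(CUI//HLTH) Visit note text.
(U) Clinic hours are 8-5.
"""
BAD_SAMPLE = """(CUI//HLTH) Visit note text.
Clinic hours are 8-5.
"""

if __name__ == "__main__":
    for doc in (SAMPLE, BAD_SAMPLE):
        banner, portions = parse_marked_document(doc)
        print(repr(banner), [p.code for p in portions], check_marking(banner, portions))
```

Run as a script it reports the first sample as consistent and flags the second twice: the unmarked portion should carry "(U)", and the single (CUI//HLTH) portion already obliges a "CUI//HLTH" banner. The same check can be applied to a FHIR resource by reading the HL7 codes from its security labels instead of from leading text marks; only parse_marked_document would change.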