
Stakeholder Briefing

Outline

§ CUI Overview
§ CUI FAR Status
§ NIST SP 800-171 Rev 2
§ NIST SP 800-171B
§ CUI Program Manager Position Description
§ CUI Multi-Step Destruction Process Revision
§ CUI Media Label Update (SF 902 and 903)
§ CUI Registry Committee
§ Q&A

CUI Overview

What is the CUI Program?
The CUI Program is an information security reform that standardizes the way the executive branch handles information that requires protection.

What is CUI?
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and governmentwide policies.

Contact Us! Contact an Agency!
www.archives.gov/cui

Policy and Guidance
• Executive Order 13556
• 32 CFR Part 2002 (Implementing Directive)
• CUI Marking Handbook
• CUI Notices
• NIST Publications
• OMB Circular No. A-11
• CUI Advisory Council

Quarterly CUI Program Updates!
https://isoo.blogs.archives.gov/

NIST SP 800-171 Rev 2

Draft NIST SP 800-171 Revision 2 provides minor editorial changes in Chapters One and Two, and in the Glossary, Acronyms, and References appendices. There are no changes to the basic and derived security requirements in Chapter Three. For ease of use, the Discussion sections, previously located in Appendix F (SP 800-171 Revision 1), have been relocated to Chapter Three to coincide with the basic and derived security requirements.

The comment period has been extended to Friday, August 2, 2019. Submit comments to sec-cert@nist.gov.

https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/draft

NIST SP 800-171B

In recent years, these critical programs and HVAs have been subjected to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST. This new document offers additional recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher than usual risk of exposure.

§ The enhanced security requirements are to be implemented in addition to the basic and derived requirements in NIST SP 800-171, since the basic and derived requirements are not designed to address the APT.
§ The enhanced security requirements apply only to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components when the designated CUI is contained in a critical program or HVA.
§ The enhanced security requirements are only applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.

The comment period for Draft SP 800-171B has been extended to Friday, August 2, 2019. Submit comments to sec-cert@nist.gov.

https://csrc.nist.gov/publications/detail/sp/800-171b/draft

CUI Program Manager PD

§ The purpose of this notice is to provide a template for the CUI Program Manager position at agencies and to assist with the hiring of CUI Program Managers.
§ The position description is the result of work with the CUI Advisory Council, which helped provide a well-rounded and flexible template for the position of a CUI Program Manager.
§ The position description is optional and can be modified by an agency as needed.

CUI Notice on Destruction (Revision)

§ Clarifies the requirements of single step destruction.
§ Ensures proper oversight and handling of material prior to final destruction.

CUI Notice 2019-03 will be posted to the website shortly.

Media Labels!

§ The new media labels are finalized and will be available for purchase on GSA Advantage.
§ When the link is live, we will post it to our blog!

CUI Registry Committee

The purpose of the Committee is to advise the CUI Executive Agent and make recommendations on the establishment, modification, or elimination of CUI Categories or Limited Dissemination Controls for the CUI Program.

Questions?