The federal government is launching a program to protect confidential unclassified information, CUI. Targeted primarily at the defense department, the program will help to limit the dissemination of sensitive information to unauthorized parties.
Executive Order 13556 established the comprehensive Controlled Unclassified Information Program in November 2010.
The order designated the National Archives and Records Administration (NARA) to serve as the Executive Agent (EA) to implement and oversee agency actions to ensure compliance. This directive was issued by the ISOO to establish policy for agencies designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program.
6. The objective of this course is to gain a thorough
understanding of the CUI program.
7. This course will cover the following topics
History and Why of the CUI program.
What is CUI & PII
Mosaic Intelligence Gathering Theory
Types of information provided in the CUI Registry
CUI & Lawful Government Purpose
Marking Control Requirements
8. This course will cover the following topics
Physical & Electronic Controlled Environments
Reproduction of CUI
Transmission of CUI
Incident Reporting
Destruction of CUI
Decontrol of CUI
Freedom of Information
9. What is the CUI Program?
Executive Order 13556 established the comprehensive Controlled
Unclassified Information
Program in November 2010.
10. Controlled Unclassified Information
The order designated the National Archives and Records Administration
(NARA) to serve as the Executive Agent (EA) to implement and oversee
agency actions to ensure compliance.
11. Executive Order 13556 Controlled Unclassified Information.
The Archivist of the United States established the CUI Office
within NARA to fulfill the responsibilities of CUI Executive Agent.
The Director of the Information
Security Oversight Office (ISOO) is appointed
as Director of the CUI Office.
12. Executive Order 13556 Controlled Unclassified Information.
32 CFR Part 2002 CUI
This directive was issued by the ISOO to establish policy for agencies
designating, safeguarding, disseminating, marking, decontrolling, and
disposing of CUI, self-inspection and oversight requirements, and other
facets of the Program.
13. Executive Order 13556 Controlled Unclassified Information.
32 CFR Part 2002 CUI
The rule affects Federal executive branch agencies that handle CUI and all
organizations (sources) that handle, possess, use, share, or receive CUI—or
which operate, use, or have access to Federal information and information
systems on behalf of an agency.
So what does this all mean?
14. Executive Order 13556 Controlled Unclassified Information.
32 CFR Part 2002 CUI
It means that any government agency and anyone doing business with the
federal government is responsible for the security of any data they receive
from that agency.
15. Executive Order 13556 Controlled Unclassified Information
Q) What is the purpose of this executive order?
16. Executive Order 13556 Controlled Unclassified Information
Q) What is the purpose of this executive order?
A) To ensure standards for classification, handling, storage and destruction of
CUI.
17. Why was the CUI program necessary?
Controlled information has, in the past, been managed
by various government agencies, resulting in inconsistent
standards, labeling and handling.
18. Protecting Controlled Unclassified Information
Companies that work under federal contract or intend to compete for
government contracts must understand the importance of protecting
even unclassified information.
19. Protecting Controlled Unclassified Information
Federal contractors are routinely trusted with government
information. This information may be unclassified but
it is always of vital importance.
20. Protecting Controlled Unclassified Information
Classified information can have extremely serious consequences
if compromised. Unclassified information can still have
intelligence value.
In addition, unclassified information can be dangerous
in the hands of criminals.
21. For Official Use Only
FOUO is a document designation, not a classification.
This designation is used by the Department of Defense and a number of
other federal agencies to identify information or material which,
although unclassified, may not be appropriate for public release.
FOUO is being phased out and replaced by CUI.
24. Lawful Government Purpose
Lawful Government Purpose means that authorized holders of CUI must refrain
from sharing CUI where sharing is prohibited, restricted, or further subject to
Limited Dissemination Controls.
28. Intelligence Collection Theory
Like a puzzle, intelligence gathering is all about gathering small bits of
information that will reveal the larger image.
29. Intelligence Collection Theory
If you have enough of the small pieces then you can easily
determine what the larger image is.
This is known as the Mosaic Theory of intelligence gathering.
30. Mosaic Collection Theory
Gathering enough unclassified and seemingly disconnected
pieces can give an adversary insight into a classified project.
This is why CUI is extremely important to protect!
32. Groupings of CUI
Critical Infrastructure
Defense
Export Control
Financial
Immigration
Intelligence
Law Enforcement
Nuclear
Patent Information
Privacy
Procurement & Acquisition
Proprietary Business Information
Provisional
Natural and Cultural Resources
Tax Information
Legal
Statistical
North Atlantic Treaty Organization (NATO)
33. Personally Identifiable Information
Also known as PII, this is information that is identifiable to the individual.
Social Security Number
Medical Information
Payroll data
Family data
Driver’s License
Biometric Data
Employment History and Resume
Performance Evaluations
Human Resources Actions
34. Did any of the information on the previous slide look familiar?
35. Social Security Number
Medical Information
Payroll data
Family data
Driver’s License
Biometric Data
Employment History and Resume
Performance Evaluations
Human Resources Actions
All the information above was stolen from the
Office of Personnel Management in a massive data breach in June of 2015.
36. Office of Personnel Management Data Breach in June of 2015
Total records lost – 21.5 million
What other records were lost?
Biometric data; Fingerprints
Security Clearance Records
Background Investigation Reports
Personal History Data & Details
Although extremely sensitive, the data was not classified.
However, it is definitely considered CUI and PII.
37. Class Discussion
What is the value of unclassified information?
1. Give three examples of unclassified information that needs protection.
2. Who would be interested in CUI and why?
3. Who is responsible for CUI?
41. Mosaic Intelligence Collection
Clue # 3
NTSB issues warning to makers and suppliers of jet fuel to review
safety measures for aircraft fuel leaks.
42. Mosaic Intelligence Collection
Clue # 4
Several defense contractors begin review of supplier credentials,
manufacturing techniques and product specifications.