Presentation from CMMC Day that teaches about declassifying information and its applicability to CUI

1. Declassifying Information
& Its applicability to CUI
May 6, 2024

2. • Enterprise Risk Leader 20 years of Business and Security Technology Leadership
experience
• Corporate cyber security experience — FIS, NCR, IBM, Dell, Credit Unions, etc….
• R&D & Model development — Trusted Platform Module (TPM) Chip Development, Air
Force Tech Transfer, Citrix patent (team member)
• Federal agency cyber experience — USAF, Army, Navy, DOS, NRO, NGA, CIA, NSA,
NASIC and others units for system accreditations
Max Aulakh, MBA, CISSP, CISA, CRISC
Managing Director
Formal Education & Credentials
• Wright State University — MBA (2014)
• American Military University — B.S Information Security, Computer Science (2009)
• Community College of the Air Force — Criminal Justice (2009)
• Cyber & Technology Industry Credentials: CISSP, PMP, Linux+, Security+, Network+, ITIL-F,
Certified Scrum Master
✔ Cigital Defensive Programming, OWASP, Threat Modeling, etc..
✔ Cyber Regulatory/Frameworks — CMMC, NIST, HIPAA, HITRUST, SOC 1/2, CIS,
FFIEC, ISO 27K, FISMA
• Formal Military Physical Security Training: Counter Terrorism, HAZMAT, Explosive
Ordinance, Customs, Use of Force, LOAC, Force Protection, Combat Leadership, Ground
Defense Command, SERE, Bloodborne Pathogens
• Formalized Weapon Systems Training: M9, M4, M2, M249 & M240B
US Military Operational – Strategic Tour of Duties
2007-2009: Iraq — Security Forces Leadership
2006-2007: Afghanistan — Security Forces Member/Forward Deployed Military Linguist (Hindi,
Urdu & Punjabi)
2005-2006: Iraq — Security Forces/Classified Systems Member
2003-2005: Turkey — US Nuclear Weapons Systems Administrator & Security Member
max@ignyteplatform.com I 937-789-4216 I
https://www.linkedin.com/in/maxaulakh/
Cyber & Technology Industry Credentials
• CISSP
• PMP
• Linux+
• Certified Scrum Master
• Digital Defensive Programming
• OWASP
• Threat Modeling
• Security+
• Network+
• ITIL-F
• USAF
• Army
• Navy
• CIA
• NSA
• NASIC
• DOS
• NRO
• NGA
Federal & Corporate agency cybersecurity experience
• Dell
• IBM
• UFCU

3. Agenda
● What is declassification and why is it important?
● Information Classification Primer
○ Classifying & Declassifying Information
● Decontrolling CUI
● Challenges & Opportunities in Decontrolling CUI
● Summary
● Q&A

4. Why is Declassification Important?

5. Importance of Declassification
Perspective from working within cleared defense
community.
● Broad scope of CUI Information types
● Diminishing value of information over time
● Transparency and Open Government
● Over classification is common and will become an
emerging issue
Declassification and Decontrolling is not a panacea but a risk management technique your toolbox.

6. Questions posed by Senior Management
● Why should I pay to protect something that is
already available on the internet?
○ What benefit does it provide and what is
the extra cost of protection?
● Why should we opt to protect our intellectual
property according to the NIST assessment
protocol when we are already doing a pretty
good job using ISO 27001?
● Less than 5% of our revenue comes from DoD
or a Prime so why should we spend significant
time and effort on protecting the 5%?
Hard question……

7. Multinational Orgs are facing difficult challenges
“We want to be able to bring European and/or Korean
Defense capabilities to the US Government. How can we
achieve CMMC Compliance when our foreign capabilities
and systems are not considered US Covered Defense
Information (CDI)”

8. Classification of Information

9. What is Classification & How does it occur?
Safety of US depends on our ability to adequately protect
classified information.
● Performed by Original Classification Authority (OCA) |
qualified & certified professionals “classifiers”
● OCA also sets the rules for protection, etc.. in Security
Classification Guide or properly marked source
documents
● Information that typically gets classified early and
broadly (primary strategy):
○ Pre-existing guidance on specific type of information
○ State of the Art (nuclear systems, technology, etc..)
○ National Net Advantage (Unique to US, etc..)

10. How does classification occur?
Original Classification Authority follows a standard process:
● Marking of documents properly ← Method 1
○ Current & primary strategy in managing CUI by DoD
● Develop a Security Classification Guide ← Method 2
- 1. Government Information <- information must be owned by,
produced by or for, or under the control of the U.S. Government
- 2. Must be eligible (1 of 8 categories | weapons, foreign gov,
WMDs, specific vulnerabilities, etc..)
- 3. Impact and harm to national security
- 4. Classification Level
- 5. Duration | How long? timely declassification
- 6. Additional Guidance | Derivative classification, etc..

11. Declassification of Information

12. When is information declassified?
When information is no longer a secret
● After 25 years, declassification review is automatic
○ 9 narrow exceptions
○ After 50 years there are only 2 exceptions
○ After 75 years requires special permission
Agencies and Original Classification Authorities (OCAs)
must respond to mandatory declassification reviews and
FOIA Requests.
Note: Executive Order 13526 establishes the mechanisms for most declassifications, within the laws passed by Congress.
https://www.youtube.com/watch?v=jn9BWf50UdE

13. Popular Examples of Public Unclassified
Information
● Security Technical Information Guides (STIGs)
○ Originally started as Unclassified
○ Required access to NIPRNET
● FedRAMP Training
○ Previously required access to GSA
Decontrolled CUI Example: https://www.fedramp.gov/assets/resources/training/200-C-FedRAMP-Training-Security-Assessment-Report-SAR.pdf

14. Decontrolling CUI
Removal of any controls designed to protect CUI.
Agencies are encourage to quickly decontrol CUI.
Decontrolled CUI Example: https://www.fedramp.gov/assets/resources/training/200-C-FedRAMP-Training-Security-Assessment-Report-SAR.pdf
When the government publishes it in the open available
to anyone.
● Why protect information already available in public
domain?
Other conditions of Decontrolling CUI:
● When law or policy no longer apply to CUI
● When OCA or designee makes a public disclosure
● FOIA request
● Predetermined date or event
Example of publically available marked information:

15. Decontrolling CUI Process
Encouraging your government agency how to Decontrol CUI Important when
government may require a specialized enclave for specific type of information.
1. Government Information <- majority of the CUI information must be owned by,
produced by or for, or under the control of the U.S. Government. If it is not then
you have a potential case.
1. Must be eligible ← Develop criteria and categories of protection and non-
protection (i.e available on the internet, available to foreign government, et..)
specific to your contract.
1. Assess impact and harm to national security <- do not conflate this harm to
your organization.
1. Classification Level <- Select and propose a non-CUI classification level or a
general data classification model.
1. Duration <- Estimate time value of the information you and the government has
collectively created together.
1. Additional Guidance <- Add additional information

16. Challenges and Opportunities

17. ● Industry and government maturation
○ Agencies are struggling with CUI program development
and Security Classification Guide development
● Artification Intelligence - Natural Language
○ Ability to infer without complete knowledge
● Information duplication across large enterprise
Challenges with Decontrolling CUI

18. Summary

19. ● Importance of Declassification
● How information is classified
● How information is declassified
● Decontrolling CUI
● Security Classification Guides
● Challenges with declassification
Recap

20. Q&A

21. Thank you
www.ignyteplatform.com
info@ignyteplatform.com
1.833.IGNYTE1
5818 Wilmington Pike, #220
Centerville, OH 45459-7004
Max Aulakh
Managing Director
max@ignyteplatform.com
937-789-4216