The DoD requires all military personnel, contractors, and other individuals who come into contact with CUI to complete formal training on how to protect it. Third-party staff need to understand marking requirements, decontrol procedures, reporting protocols, and more.
Is your DoD mandatory CUI training up to spec? Schedule a consultation to find out.
DoD Mandatory CUI Training 101
The Department of Defense’s (DoD) mandatory Controlled Unclassified Information (CUI) training is required for all DoD personnel and any contractors who work with the US military. It ensures all stakeholders are aware of what CUI protection entails, across four focal points:
- Institutional knowledge about the CUI program
- CUI marking and dissemination responsibilities
- Requirements for safeguarding and decontrolling
- Protocols for reporting on incidents impacting CUI
Getting your workforce ready for this training is a critical part of Cybersecurity Maturity Model Certification (CMMC) and DoD compliance. Working with a compliance advisor will help you streamline your training program and ensure all staff are ready to protect CUI proactively.
Focus 1: CUI Program and Institutional Knowledge
The first thing DoD contractors’ staff need to prove is their understanding of what CUI is and the institutional infrastructure that exists to protect it. In other words, they need to describe the CUI program and what major players work together to keep this information secure.
CUI is information that lacks the official designation of “classified” but still has implications for national security. As such, access to it is controlled. Before the CUI program was implemented, this control was handled in various ways by different departments impacted by CUI.
The CUI program made rules for CUI uniform across government agencies and third parties.
General CUI guidelines fall under the discretion of the Information Security Oversight Office (ISOO) of the National Archives and Records Administration (NARA). In the DoD, the primary administrative office in charge of CUI is the Office of the Under Secretary of Defense for Intelligence and Security (OUSD (I&S)). For the purposes of compliance and CUI training, DoD contractors’ staff need to be cognizant of both the OUSD (I&S)’s and ISOO’s involvement.
Understanding the Groupings of CUI
The DoD mandatory CUI training also tests how well stakeholders know the kinds of documents that constitute CUI. The DoD CUI registry mirrors the ISOO CUI registry, with minor differences and additional information relevant to DoD applications. Both comprise the following groupings:
- Critical Infrastructure (11 categories)
- Defense (4 categories)
- Export Control (2 categories)
- Financial (10 categories)
- Intelligence (7 categories)
- International Agreements (1 category)
- Law Enforcement (18 categories)
- Legal (12 categories)
- Natural and Cultural Resources (2 categories)
- Nuclear (5 categories)
- Patents (3 categories)
- Privacy (9 categories)
- Procurement and Acquisition (3 categories)
- Proprietary Business Information (6 categories)
- Provisional (4 categories)
- Statistical (1 category)
- Tax (3 categories)
- Transportation (2 categories)
One major difference is that the ISOO registry also contains a grouping for Immigration CUI, which is not present in the DoD registry documents currently available to the public. To pass training, staff members need to understand these groupings, their categories, and which authorities and rulesets apply to each—along with how this all figures into marking.
Focus 2: CUI Marking, Access, and Dissemination
Another major element of DoD mandatory CUI training is ensuring employees know how to identify and mark CUI appropriately based on the specific access controls applicable to it.
As a baseline, all CUI needs to be marked as such. Documents containing CUI need to have clear banner labels of, at minimum, “CUI.” Additionally, a CUI designation indicator needs to appear on the cover page or first page of the document, including the following (at minimum):
- The DoD Component’s name
- The office that created the document
- The CUI categories contained in the document
- Any applicable access statements or controls
- Contact information for the point of contact
Further banner documentation might also be necessary if the document is within a Specified rather than a Basic category, or if one or more Limited Dissemination Controls (LDC) apply.
Secure Transmission and Dissemination of CUI
The most critical component of CUI marking establishes which specific controls, if any, govern who can access it and how. The following is a breakdown of the CUI LDCs, by codename:
- FED ONLY – Federal Employees Only documents are only disseminated to members of the executive branch, its agencies, and personnel in the US Active and Reserve Guards.
- FEDCON – Federal Employees and Contractors Only documents are disseminated to FED ONLY recipients and contractors whose work furthers the agencies’ purposes.
- NOCON – No Dissemination to Contractors documents can be distributed amongst state, local, tribal, and other governmental employees but not to contractors thereof.
- DL ONLY – Dissemination List Controlled documents can be distributed to specific persons or other entities listed, only in situations where no other DLC would apply.
- RELIDO – Releasable by Information Disclosure Official documents grant select foreign authorities extended discretion regarding disclosure and use of the CUI in question.
- NOFORN – No Foreign Dissemination documents are not permitted to be disclosed in any way to any non-citizens, organizations based outside the US, or foreign persons.
- REL TO USA – Authorized for Release to Certain Foreign Nationals Only documents are disclosable only to entities within a named set of countries, appended in country codes.
- DISPLAYONLY – Display Only documents are allowed to be displayed to foreign entities in virtual or digital formats without granting the ability to alter or access the information.
- ATTORNEY-CLIENT – Attorney Client documents are restricted to attorneys, their agents, and their clients unless the attorney grants further access permissions.
- ATTORNEY-WP – Attorney Work Product documents are similarly restricted to the attorneys’ agents and clients, with additional discretion for originating attorneys.
Ensuring that these markings are present—and followed—is one of the most straightforward and critical security responsibilities of all DoD contractors. Through its CUI training, the DoD ensures that all stakeholders know what the markings mean and how to uphold them.
Focus 3: Safeguarding and Decontrol Requirements
Employees are also tested on their knowledge of how to safeguard CUI. At a baseline, they need to take proactive steps to minimize inappropriate access to documents and any media or environments containing them. For example, they should refrain from using, accessing, or discussing CUI beyond any CUI-specific responsibilities while at work. They should also ensure that CUI documents are locked away and completely inaccessible when they are not on duty.
Employees also need to account for CUI security across its entire lifecycle, including secure decontrol or destruction at its end. If a CUI document needs to be destroyed, it should be done so in a way that renders it unreadable. And when a document is no longer deemed CUI, it should have its markings removed and be prepared for release for public access.
Beyond employees’ individual responsibilities to reduce risks to CUI, they should also display a basic understanding of institution-wide network security protections in place. These begin with safeguards in the National Institute of Standards and Technology (NIST) Special Publication 800-171, which are required in part for CMMC Level 1 and in full for CMMC Level 2.
In addition, depending on the extent and sensitivity of CUI your organization controls, you may need to implement SP 800-172 for CMMC Level 3. Regardless of which protections are needed, you should ensure that your staff are aware of them for their DoD mandatory CUI training.
Focus 4: Reporting on Incidents Impacting CUI
When CUI is compromised, or security breaches make it likely that compromise could happen, there are specific procedures that stakeholders need to follow to report on the incident. But these will vary slightly depending on the DoD entities with whom a contractor works. The DoD Components’ Senior Agency Official (CSAO) works together with its Program Manager (CPM) to determine the exact protocols for all DoD and contractor staff for that Component.
In most cases, if there is an Unauthorized Disclosure (UD) of CUI, parties who become aware of it need to report it to their immediate supervisor immediately. The administrative offices that need to be contacted in all cases are the Program Management Office (PMO) and an organization of the Military Department Counterintelligence (CI).
Whatever the specific protocols are for your particular use case in the agencies you work with, your staff need to be aware of their responsibilities for their DoD mandatory CUI training.
Streamline Your DoD Mandatory CUI Training
Organizations that work with the US government need to take every precaution to ensure that CUI is protected and kept out of the hands of nefarious actors. Training is integral to that effort, empowering all staff to safeguard CUI and report on incidents in which it may be compromised.
RSI Security has helped countless military contractors implement CUI training and prepare for NIST and CMMC implementation. We believe that discipline creates freedom, and training your employees thoroughly on the right way to safeguard CUI is the only way to ensure it’s protected.
For further guidance on preparing for, implementing, or assessing your DoD mandatory Controlled Unclassified Information training program, contact RSI Security today!