To work with the Department of Defense (DoD), organizations need to follow its guidance on safeguarding Controlled Unclassified Information (CUI), which focuses on the following:
- Understanding the purpose of the ISOO CUI registry
- Ensuring stakeholders follow DoD Instruction 5200.48
- Implementing the NIST SP 800-171 framework
- Meeting CMMC requirements for DoD compliance
What is the Purpose of the ISOO CUI Registry?
The Information Security Oversight Office (ISOO) maintains a registry of all document types that are considered CUI. The purpose of the ISOO CUI registry is to provide uniform definitions and responsibilities for CUI for every government agency that might come into contact with it—along with contractors that work with them. With a few exceptions, they all follow the same rules.
For example, the first grouping of CUI in the ISOO registry is Critical Infrastructure. It includes several categories of CUI, including chemical terrorism vulnerability information and SAFETY Act information. All government entities, including their contractors, have to mark and protect documents in these categories in exactly the same way or face ISOO (or other) enforcement.
There is also a DoD CUI registry that exists independently from the ISOO registry but is nearly identical to it. It includes all of the ISOO registry’s CUI categories except Immigration, and it stipulates additional rules and responsibilities pertinent to DoD personnel and contractors.
Why is DoD Instruction 5200.48 Important?
DoD Instruction 5200.48 is the formal touchstone of all DoD guidance on safeguarding CUI. It establishes the basic infrastructure of the CUI program and all the key government departments that organizations need to be aware of for reporting and oversight purposes. It also explains the basic purposes and functions of CUI protection, with rules and examples for how to follow them.
One such rule is that organizations need to mark CUI in particular places with symbols or language to designate what kind of information it is, who can access it, and which government entities have authority over its control. Organizations need to ensure that the markings are accurate—and that access and dissemination are controlled in the ways stipulated.
For example, a document marked “FEDCON” can be disseminated to both federal employees and contractors, but “FED ONLY” files can only be accessed by employees and not contractors.
All staff at an organization that comes into contact with CUI need to be familiar with these and other controls. They also have to go through mandatory training, which should include becoming familiar with DODI 5200.48 in its entirety, along with the supplemental documents it refers to.
How Does NIST SP 800-171 Protect CUI?
Beyond DODI 5200.48, the other document most critical to following DoD guidance on safeguarding CUI is the National Institute of Standards and Technology (NIST) Special Publication 800-171. It contains programmatic guidance on the security controls that organizations need to implement to minimize threats and vulnerabilities affecting CUI.
NIST SP 800-171 specifies 110 individual Requirements across 14 Families:
- Access Control
- Awareness and Training
- Audit and Accountability
- Configuration Management
- Identification and Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System and Communications Protection
- System and Information Integrity
Protecting CUI per Defense Federal Acquisition Regulation Supplement (DFARS) requirements, which apply to nearly all DoD entities and contractors, means implementing NIST SP 800-171.
Is CMMC Required for CUI Protection?
Finally, DODI 5200.48 and NIST SP 800-171 are not the only governing frameworks related to CUI protection. DFARS also requires DoD contractors to achieve Cybersecurity Maturity Model Certification (CMMC). CMMC verifies that contractors are well-positioned to protect CUI and other sensitive data they’ll come into contact with when working with the US military.
Contracts with the DoD will require contractors to achieve a certain CMMC Level:
- Level 1: Foundational – Organizations with the lowest amount of exposure to CUI need to implement 15 Practices based on NIST SP 800-171 and self-assess annually.
- Level 2: Advanced – Organizations with moderate exposure to CUI must implement all 110 Requirements from SP 800-171 and conduct third-party assessments triennially.
- Level 3: Expert – Organizations with the most CUI exposure must also implement practices from NIST SP 800-172 and conduct triennial government-led assessments.
Implementing the appropriate framework controls and assessing per your Level’s requirements is the final and most formal step toward following the DoD guidance on safeguarding CUI.
What Level of System and Network Configuration is required for CUI?
A moderate level of System and Network Configuration is required for CUI.
Protect CUI and Streamline DoD Compliance
To recap, protecting CUI per the DoD’s guidance requires understanding the DoD CUI registry, DODI 5200.48, NIST SP 800-171, and CMMC. Familiarizing your workforce with each of these complex systems can be challenging, but working with a DoD compliance advisor can help.
RSI Security has helped many organizations meet DoD compliance requirements, including mandatory CUI training. We’re committed to serving you above all else, and we’ll work closely with teams at your organization to ensure that all stakeholders know their responsibilities.
For tailored assistance implementing DoD guidance on safeguarding CUI, get in touch today!