At this point in the series, you should be familiar with the term controlled unclassified information (CUI), what CUI is, and the importance of protecting CUI. Now I will discuss methods of controlling CUI. Developing a mature and resilient cybersecurity strategy is a secret ingredient of NextGen federal contracting. 

Identify The CUI

The first step that primary and secondary federal contractors need to take is to inventory their CUI and determine where it is located.

Start by reviewing your contracts to determine the level of sensitive information that your company handles. For example, with defense contracts, any non-commercial technical details will typically fall under CUI. 

You can also evaluate the sensitive information that will be accessed by acquisitions in your business development program. 

Consolidate Sensitive Information

Once you know where your CUI is kept, the best way to control it is to consolidate it into a central information system. 

This system should be able to track who accesses which data and when it was accessed. If there is a breach, knowing who had last accessed the data can be critical. 

Evaluate whether your CUI controls can be isolated into a single document management system. 

By deploying mature information technology (IT) practices, you will ensure an organized informational system. 

Ensure CUI Is Controlled

Once you know what CUI you handle and where it is located, you need to control access to the CUI. Implement physical, network, and session controls to monitor who accesses CUI and when. 

If you have CUI data stored digitally, as mentioned just above, isolate it into one document management system. If you have physical data storage, such as printed documents or servers, make sure that the storage areas are secure and locked, and that you know who has access to them.

Deploying mature IT practices ensures an organized informational system. Networks should have security features such as firewalls and protections across Open Systems Interconnection (OSI) layers 1-4.

If you want help to determine if you have CUI and whether you have the necessary controls in place, contact IBSS and we will provide you with a free quote to evaluate your CUI. 

Considerations For Controlling CUI During The Pandemic

During the COVID-19 pandemic, when many people are working remotely, there are some additional steps needed to control CUI.

  • Do not store CUI on personal devices – only store CUI on company-issued devices
  • Do not use personal email accounts to store or handle CUI – only access or store CUI through company-issued email accounts
  • Minimize physical document storage – only print documents when absolutely necessary
  • Use virtual desktop environments

Next Up

Now that you have a primer on CUI and how to ensure CUI is controlled, I am going to turn my focus to the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 (800-171) interim rule that now requires a self-assessment.