Chances are discovering how to identify and protect the controlled unclassified information (CUI) at your company is one of your IT priorities. It can be a challenge to figure all this out on your own. Where do you start—and how do you proceed?
Know your CUI
The first step is to understand what CUI is and where it is present in your organization. Don’t take the path of most companies where they don’t know what their CUI data set is, so they assume it’s everything. Proceeding with this worst case scenario, everyone has access to CUI and everyone needs access to CUI. Scoping how to protect this information becomes immense. There is a better way.
Start by participating in the mandatory CUI training that the Department of Defense (DoD) provides. Then you can begin the process of going through each document and determining if it contains CUI. Learn about what CUI is and what CUI isn’t and apply that knowledge to your organization’s universe of information.
Scoping, creating, and defining your CUI boundary is a critical task
Some companies receive CUI data via removable media such as CDs, DVDs, USBs. Others are sent physical things from NASA to their environment. It depends on what your organization does. Keep in mind that CUI touches both the physical as well as the digital assets. We work to help you understand from beginning to end how CUI transfers throughout the environment.
Let’s discuss an example to illustrate the process and how CUI permeates an environment.
- Company A works with NASA and has rocket parts physically shipped to them. Their approved method for receiving those parts is through UPS.
- Those rocket parts then have a corresponding set of users who are allowed to receive them, bring them into the building, and document that they received them in accordance with the procedures they have in place.
- Company A also has another subsection of users who are going to work on those parts. Perhaps that’s split into engineers who draw plans, mechanical engineers who print or build parts, and management overseeing the work.
At CyberSheath, we break down these activities into simple steps and formulate a plan of how to manage it all. These actions all need to be documented in a policy and a procedure. To provide additional assistance, we craft technical configurations to help protect the environment even further.
Other examples of the complexities of managing CUI include:
- If B Manufacturing is receiving technical data from a contract and they are the manufacturer who’s producing the physical part, there are many layers to the CUI that needs to be protected, including technical, physical, and digital data. At any point, the company can split the data up and have multiple departments involved, including accounting which is billing for the part.
- Even the locations where things are being shipped might be sensitive information. For instance, if C Construction is building a new government building, the plans for that structure are going to be CUI. Perhaps less obviously, most likely the location where it is being located is also CUI.
There’s no one path for managing CUI
That’s the bad news. The good news is there is an approach we apply to help uncover, define, and wrangle CUI. It’s critically important for your company to understand what CUI is and to talk to your contractors about their CUI. It’s all a learning exercise.
Once you scope your environment and understand how the data flows, you can then diagram your environment. It doesn’t need to be technical, but it does need to outline where you are keeping the data, perhaps in Office 365 or in a locked room. You also need to document your processes around sending that data. Whether it’s physical or digital data, you’ll need to follow certain processes. The goal is to have your CUI management documented in a policy and in a diagram as well as have some type of technical configuration to adhere to.
If you need help identifying your CUI and scoping your environment, the experts at CyberSheath can help. Contact us to get started.