Identifying Controlled Unclassified Information (CUI)

September 22, 2019

If your organization works on a government contract, you must comply with the Defense Federal Acquisition Regulation Supplement (DFARS). When following the security controls within NIST’s SP 800-171, you must report your level of compliance to the government. This became a requirement at the end of the 2017 calendar year.

It may seem overwhelming but if you can identify Controlled Unclassified Information (CUI), it will help with mapping out how your organization will satisfy the identified security controls. You must first determine if your organization is even in scope. If the organization holds a federal contract, then you must comply with SP 800-171. You can review this website to help identify the type of data elements that are covered.

After the determination has been made the organization is required to comply, you will need to identify where the data lives and if it has been tagged and controlled. This step is critical and will help drive the roadmap to being successful with protecting the data that has been identified.

Once the data is located and tagged, you will need to evaluate whether the data is monitored, audited, alerts are setup to track the location and path of your data elements. You will then identify whether the appropriate controls are in place from the technical evaluation. Your organization will evaluate each control listed within the fourteen (14) families that have been identified as a requirement. This gap analysis will provide a delta of what controls are deficient and which ones are satisfied.

Following these first three steps will help with the initial evaluation and provide the initial information required to help your organization. Taking the time at the start of this project and making sure that the data is properly identified will help when implementing additional security controls. If your organization skips the crucial first steps, you may incorrectly identify controls as being deficient when they are actually implemented properly; then finding yourself with competing security controls.

 

Please reach out with any questions and let us help with your DFARS assessments! Remember, Slate is a Qualified Maryland Cyber Seller – providing tax credits to small businesses.

 

Resources:

https://www.archives.gov/cui/registry/category-list

 

Email Signup

Sign up for periodic updates from our blog.

Monthly Blogs

The Top Metrics to Track in Cybersecurity

If you are a federal government contractor, you are preparing your organization for the Cybersecurity Maturity Model Certification (CMMC). The United States Department of Defense is moving towards the CMMC to standardize the cybersecurity requirements across the Defense Industrial Base (DIB). The goal is to ensure the federal government’s controlled unclassified information (CUI) is not at risk.

The New CMMC Controls for Security Awareness and Training

If you are a federal government contractor, you are preparing your organization for the Cybersecurity Maturity Model Certification (CMMC). The United States Department of Defense is moving towards the CMMC to standardize the cybersecurity requirements across the Defense Industrial Base (DIB). The goal is to ensure the federal government’s controlled unclassified information (CUI) is not at risk.

The Benefits of Hiring a Virtual CISO

Our day-to-day lives have become so busy, that we often forget to maintain and update passwords unless it is forced upon us by third-party applications or corporate requirements. As our lives move into a more remote lifestyle, a lot of our work has moved into cloud-based services.

Sitemap

About Us
Solutions
Industries
Community
Resources & Industry News