Marking & Protecting Controlled Unclassified Information (CUI)


Marking & Protecting Controlled Unclassified Information (CUI) Helen MacDonald Loyal Source Government Services 9/25/2018

Controlled Unclassified Information (CUI): Introduction, Identify, Mark, Protect

Introduction
The CUI program standardizes the way the executive branch handles unclassified information that does not meet the criteria required for classification (TS, S, C) but must be protected based on law, regulation, or Government-wide policy.
Prior to the implementation of the CUI program, agencies employed ad hoc marking, resulting in inconsistent marking and safeguarding. Although government agencies have been marking documents and protecting information for decades, not everyone was using the same acronyms or labels to codify information.
Consider this analogy: one department may have been speaking German while another was fluent in French. The purpose of the CUI program is to be the Rosetta Stone: to set forth a common language so that we may all understand CUI.

Introduction
Final Phase: Full Implementation of the CUI Program FY18-19
Eliminate Old Markings
Assure use of only New Markings
Complete IT Transition
Monitor & Report Implementation
https://csrc.nist.gov/csrc/media/events/ispab-june-2014-meeting/documents/ispab_jun2014_cui_nara_nist.pdf

Identify
CUI Categories List: https://www.archives.gov/cui/registry/category-list

Identify
Old markings will take on the CUI marking (CUI Basic)

Some examples of CUI
Applicant Photo; Driver’s License; Contract Number; Professional Information Sheet; Applicant Passport or Copy; Education Records or Resume; Credentials Verification Form; Name + Place of Birth; Employment Verification; Surveillance Profile; Social Security Card or SSN + Name; Birth Certificate; Medical History; Professional License; Employee Clearance Level; Permanent Resident Status; Intelligence; Financial Records; Export Controlled Data; FOUO; NATO Restricted/Unclassified; NOFORN (https://www.archives.gov/cui/registry/limited-dissemination); Proprietary Information* (https://www.cdse.edu/documents/cdse/2017-Adjudicative-Guidelines.pdf)
* Proprietary information now also falls under Guideline K of the New Adjudicative Guidelines, meaning that inappropriate use of it will be investigated and prosecuted by the USG.

Marking – CUI Cover Sheet
The company for which I developed this program has decided to always use this CONTROLLED Cover Sheet for physical documents containing CUI on the front and back of each document. It will also always use this CONTROLLED Cover Sheet for each digital file containing CUI documents on the front of each package.
This presentation does not address CUI Specific.

Marking – CUI Basic Banner Marking
Many U.S. Government forms and templates either containing or requiring CUI do not currently display the mandatory markings. Consequently, we will use the following until we receive direction or new templates from our government partners. Additionally, our company will always use these markings on our own data that contains CUI.
CUI Specific – Protected information that also requires one or more specific handling standards for that information. It would be marked CONTROLLED //SP-XXX to indicate to the reader that there will be special handling instructions for one or more CUI within the document. This presentation does not address CUI Specific.

Marking – Header
The primary marking for all CUI here is the CONTROLLED Banner Marking. This is the main marking that will be applied in the Header of each page of any document that contains CUI:
Mandatory for all documents containing CUI
Must be inclusive of all CUI within the document
Marking must be the same on every page
Must be centered, bold, capitalized black text stating “CONTROLLED” in the Header of the page
Template can be provided by management

Marking – Footer
Footer of each Page
This statement must be entered in the Footer of each Company document containing CUI:
The information herein is Controlled Unclassified Information (CUI) and is protected under the Privacy Act of 1974, as amended. These files may only be accessed by COMPANY NAME and U.S. Government Personnel who possess a valid need-to-know. Unauthorized disclosure or misuse of this information may result in criminal and/or civil penalties.

Identification of CUI Designated Agency of Applicable Safeguarding/Dissemination Authority for that CUI
All documents containing CUI must indicate the agency of designation. This may come in several forms, including a letterhead, signature block, or “controlled by” line. However, our government partners may not have provided us the proper templates. That said, my company will take on the responsibility to ALWAYS protect our employees’ and applicants’ sensitive information. So where CUI information exists, until otherwise directed by our government partners, we will utilize our own markings as addressed above.
COMPANY NAME Orlando, FL XXXXX

Supplemental Administrative Markings – Very Rare
Draft and In-Process documents must be protected at the level of completed CUI documents
Supplemental Agency Markings can be used to denote non-final status of a document
Cannot be used to control CUI and cannot be commingled into the CUI Banner Marking

Marking – Electronic Media Storing or Processing CUI
Media such as USB sticks, hard drives, and CD ROMs must be marked to alert holders to the presence of CUI stored on the device
As space may be limited, at a minimum, mark media with the CUI Control Marking and the designating agency

Marking – Forms with CUI
Forms that contain CUI must be marked accordingly when filled in
As forms are updated for the CUI implementation, they should be marked to include a statement that indicates the form is CONTROLLED when filled in

Marking – Transmittal Documents – FAX
When a transmittal document accompanies the CUI, the transmittal document must indicate that CUI is attached or enclosed
The document must include the following instructions as appropriate: When enclosure or attachment is removed, this document is Uncontrolled Unclassified Information

Re-Marking Legacy Information
Legacy information is unclassified information that was marked as restricted from access or otherwise controlled prior to the CUI program (e.g., PII). All Legacy information is not automatically CUI. It must be evaluated.
Identify the information that needs to be reused
Is the information listed in the CUI Registry? https://www.archives.gov/cui/registry/category-list
If the information type is listed in the CUI registry, you must mark the new document as CONTROLLED

Protect
Room or Area Markings – My company has designated a room with area markings and privacy screens for cubicle computers
Container and Storage Markings
Shipping and Mailing
Address packages that contain CUI for delivery only to a specific recipient
Do not put CUI markings on the outside of an envelope or package for mailing/shipping
Use in-transit automated tracking and accounting tools where possible
Employees responsible for receiving or sending mail must be individually trained on how to handle CUI and report misuse

Protect – Transmittal Documents – eMAIL
The principles for marking CUI are the same when sending email containing CUI:
The CONTROLLED banner must appear at the top portion of the email
Include “CUI” in the subject line to indicate that the email contains CUI
When forwarding or responding to email containing CUI, be sure to carry forward all applicable markings to the new email
Our company chose to also continue to encrypt emails containing CUI that was originally called PII

Training
CUI Training Tools

Reference
Information Security Oversight Office
National Archives
cui@nara.gov
Version 1.1 – December 6, 2016
CUI must be handled in accordance with E.O. 13556, “Controlled Unclassified Information” and 32 CFR Part 2002 Supplemental guidance.

Questions?