Your Cart is Empty
Menu
-
- View NIST RMF Control Families
- Access Control (AC)
- Awareness and Training (AT)
- Audit and Accountability (AU)
- Assessment, Authorization and Monitoring (CA)
- Configuration Management (CM)
- Contingency Planning (CP)
- Identification and Authentication (IA)
- Incident Response (IR)
- Maintenance (MA)
- Media Protection (MP)
- Physical and Environment Protection (PE)
- Planning (PL)
- Program Management (PM)
- Personnel Security (PS)
- PII Processing and Transparency (PT)
- Risk Assessment (RA)
- System and Services Acquisition (SA)
- System and Communications Protection (SC)
- System and Information Integrity (SI)
- Supply Chain Risk Management (SR)
- View All
- View Compliance Toolkits
- Enterprise
- About ASP
- FAQ
-
- ← Main Site
- Company
- Resources
- Blog
- Submit RFP
- Login
View NIST RMF Control Families
Add description, images, menus and links to your mega menu
A column with no settings can be used as a spacer
Link to your collections, sales and even external links
Add up to five columns
Add description, images, menus and links to your mega menu
A column with no settings can be used as a spacer
Link to your collections, sales and even external links
Add up to five columns
Implementing a Controlled Unclassified Information (CUI) Lifecycle
September 27, 2023 2 min read
Implementing a Controlled Unclassified Information (CUI) Lifecycle
When it comes to developing a well-structured and formalized Controlled Unclassified Information (CUI) program - one complete with policies, procedures, and other related measures, it’s important to include the following activities:
- Identification & Designation: It’s important to realize what, if any, CUI is generated for or on behalf of an agency within the Executive Branch under a contract and to then determine if the information falls into one of the more than one hundred categories of CUI in the National CUI Registry. It is also important to realize what is not CUI.
- Marking/Labeling: It’s important to be familiar with the marking and labeling requirements for CUI, but digital and non-digital. At minimum, CUI markings for unclassified DOD documents will include the acronym “CUI” or “CONTROLLED” in the banner of the document. For documents containing CUI, it must have a CUI Designation Indicator (DI) Block to notify the recipient about information related to who originated the document.
- Storing: Be advised that CUI must be stored in controlled environments that prevent or detect unauthorized access, with printed CUI documents requiring protection by at least one physical barrier, such as a cover sheet or a locked bin/cabinet. CUI may only be digitally stored in an authorized IT system/application provided it is:
- Configured at no less than the Moderate Confidentiality impact value
- Has limited access based on need, and
- Meets the requirements of DOD's IT Security Policy.
- Disseminating: Only authorized holders may disseminate in accordance with distribution statements, dissemination controls, and applicable laws.
- Destroying: Be aware of destruction guidelines for CUI. A great reference is NIST SP 800-88: Guidelines for Media Sanitization.
- Decontrolling: CUI must be decontrolled when the information no longer needs safeguarding.
About Arlington
We are Arlington, Incorporated (Arlington), a team of innovative, solution-oriented, highly agile, and well-versed professionals with decades of experience in working with America’s defense industry. From emerging cybersecurity regulations to helping our clients solve complex security & compliance solutions – and so much more – you can trust Arlington, the firm that’s Dedicated to Defense®. Learn more at arlingtonintel.com.