NIST-800-171 And The Need For Controlled Unclassified Information
In 2008, the categories of "for official use only," "Law Enforcement Sensitive," and "Sensitive But Classified," were replaced with the "Controlled Unclassified Information" (CUI) category. This category was created to create uniformity among the U.S. Military and all Federal Agencies. CUI must be protected for the U.S. Military to be able to carry out operations in a secure manner.
The Need for CUI
Not all documents meet the criteria for being considered Classified National Security Information. Information that is classified must be clearly marked as such. While CUI does not require that level of protection, there are other requirements.
A CUI document must be safeguarded. Careful controls must be placed on the dissemination of this document. This is an improvement over past policies where agencies would come up with policies ad hoc. There were no instructions across agencies regarding how documents would be protected. As a result, agencies would sometimes become confused when sharing information with other agencies. This often leads to information failing to be protected and also caused agencies to operate less efficiently.
CUI affects any information that the U.S. government creates or possesses that is required to be protected under law, government-wide policy or through specific regulations. It does not cover classified information.
Resolving Conflicts Between Different Policies
When there is a perception that there is a conflict between policies regarding the CUI, the conflict must be brought up with the CUI Program Manager, who is then responsible with resolving conflicts.
Training Requirements for Employees
Employees who will be handling CUI documents must be trained within 60 days of being hired. Also, employees must be retrained once every two years. The training is meant to ensure that all documents are protected according to current laws and regulations. Whoever is in possession of a CUI is held accountable for following procedures. Those who fail to follow the policies will be punished based on relevant laws, government policies and regulations.
The Role of the NIST-800-171 Document
NIST-800-171 is a publication that details the requirements for protecting a CUI. These requirements are needed by federal agencies within contractual vehicles and other agreements between other agencies and non-governmental organizations. Increasingly, the U.S. Military relies on outside service providers to conduct a range of missions. Because these outside actors often must possess CUI documents, they must be trained on the methods used to protect documents from unauthorized access.