NIST 800-171 and the Cybersecurity Maturity Model Certification require Department of Defense (DoD) contractors to “Mark media with necessary CUI markings and distribution limitations”. A basic tenet of information security is to visually identify CUI that needs special protections so that authorized users know what special handling controls should be applied. 32 CFR, Part 2002, which applies to both executive branch agencies and defense contractors, requires Controlled Unclassified Information markings to help ensure the data is secure. In this article we will walk you through the process of identifying CUI and how to apply CUI markings to physical and electronic media.

What is CUI?

Before we dive into how to mark Controlled Unclassified Information, we should discuss how we got here. CUI is any unclassified information that, through law, regulation, or government-wide policy, requires safeguarding or dissemination controls. In 2010, President Obama issued Executive Order 13556 – Controlled Unclassified Information to standardize how CUI is handled by executive branch agencies. The executive order also designated the National Archives and Records Administration (NARA) as the Executive Agent (EA) responsible for implementing the CUI program.

DoD's Implementation of the CUI Program

In its role as the CUI program Executive Agent, NARA has issued a wide-ranging amount of guidance on how to handle (i.e., mark, copy, transport, disseminate, reuse, and destroy) CUI.

NARA maintains the CUI Registry, an online repository for all official information, guidance, policy, and requirements related to handling CUI. However, the CUI Registry currently provides a caveat:

“Agency personnel and contractors should first consult their agency’s CUI implementing policies and program management for guidance.”

For DoD contractors, this leads us to two important points. The first is that the DoD has not yet implemented the CUI program as required by EO 13556 and 32 CFR, Part 2002. The Department of Defense will implement the CUI program once the federal policy is finalized and published within the Federal Acquisition Regulation. Until then, the DoD will identify and protect CUI per the instructions in DoD Manual 5200.01, Volume 4. However, the DoD will likely adopt NARA’s guidance before the end of fiscal year 2020, so this blog post will describe NARA’s standards.

The second point to keep in mind is that when CUI is provided to or created by DoD contractors, the relevant contract documents (e.g., contract clause, Statement of Work, DD Form 254, Security Classification Guide (SCG), and Cybersecurity Classification Guide) should identify the controls and protective measures contractors are expected to apply.