WESTBOROUGH, MA, May 26, 2020 —On 14 May 2020, the Information Security Oversight Office (ISOO) released CUI Notice 2020-01: CUI Program Implementation Deadlines (the “Notice”), which includes specific dates of implementation and deadlines for affected government agencies that handle or store Controlled Unclassified Information (CUI). The Notice applies to all Executive Branch agencies.
The Notice references 30 June 2020 as the deadline for the initialization of an awareness campaign for workforces within agencies that have access to CUI. By this date it is expected that relevant agencies will be able to define and identify potential CUI within an office as well as summarize the actionable plan the office will follow to properly store, dispose, and in the case of legacy material, re-mark and reuse said CUI information.
The deadline for agencies to draft their policies detailing CUI guidelines moving forward is 31 December 2020. By this date, now current policies must be rescinded or modified with a policy that satisfies the new mandates set by ISOO for individual agencies to follow, and these policies will be implemented over the course of the following calendar year. The use of any Classification Marking Tools (CMTs) in the labeling and marking of CUI materials must also be updated by the 31 December 2020 date.
“The CUI implementation timeline is a critical step towards data security in the U.S.,” said Andrew Kelleher, President and CEO of Security Engineered Machinery (SEM). “We applaud ISOO for their tireless efforts in safeguarding CUI. By ensuring all agencies are storing, labeling, and destroying CUI data appropriately, we can help protect government agencies and the citizens of our country as a whole.”
All physical safeguards must be in place by 31 December 2021, including how an agency ensures CUI is kept out of sight and out of reach from those who do not have access. All agencies that store CUI information in Federal Information Systems must additionally have those systems updated and configured to no lower than Moderate Confidentiality impact value, as outlined in 32 CFR 2002.14.
In addition, training on the policy for an agency’s workforce including sub-agencies must be implemented and completed by 31 December 2021. This includes detailing CUI’s purpose, individual responsibility, and destruction requirements. Destruction requirements for end-of-life CUI should be as detailed as possible and, at a minimum, follow specifications outlined by the National Institute of Standards and Technology (NIST) Special Publication 800-88, Guidelines for Media Sanitization. It should be noted that NIST 800-88 specifically states that paper containing sensitive information such as CUI must be destroyed to a 1mmx5mm final particle size at end-of-life, which is the same final particle specification as classified information destruction.
“Technology advancements have made it easier for criminals to reconstruct data, whether on digital or traditional media,” added Heidi White, SEM’s Director of Marketing. “Ensuring that end-of-life media is destroyed to the appropriate specifications, which for CUI is NIST 800-88 standards, cannot be overstated.”
The Notice can be read in its entirety here.