Security Engineered Machinery Provides Compliance Solutions for the Destruction of CUI

April 5, 2019 at 3:22 pm by Heidi White

Secure data destruction device manufacturer supplies CUI line of paper shredders to provide compliance solutions for Executive Branch agencies and their affiliates to meet ISOO’s new CUI directive

SEM’s entire line of high security paper shredders complies with the new CUI paper destruction requirement

Security Engineered Machinery Co., Inc. (SEM), global leader in high security information end-of-life solutions, is pleased to offer a complete line of high security paper shredders that meet requirements of the new Controlled Unclassified Information (CUI) Program instituted by the National Archives and Records Administration (NARA) and the Information Security Oversight Office (ISOO). The Program, which affects all Executive Branch agencies within the Federal Government as well as their affiliates that may handle CUI, mandates that paper containing CUI be destroyed to a 1mmx5mm particle, which is the same particle size as required by the National Security Agency (NSA) for classified and top secret information.

“We have been in frequent contact with NARA and ISOO, including presenting at their first CUI Industry Day held at the National Archives in Washington DC,” stated Todd Busic, Vice President of Security and Intelligence Operations at SEM. “As a result of our communication with these organizations and our commitment to the new directive, SEM has pledged to educate government agencies on the paper destruction requirement of the new CUI Program, which is quite different than what was once accepted as standard.”

“SEM has long been an industry leader in providing solutions on the cutting edge of new technology and on educating entities on new and updated data security regulations,” added Andrew Kelleher, President of SEM. “As a solutions provider to the Federal Government, we are fully committed to assisting NARA and ISOO in educating Executive Branch agencies on the new CUI directive and how best to achieve compliance.”

All unclassified information throughout the Executive Branch that requires any safeguarding or dissemination control is characterized as CUI, a designation that touches nearly all government agencies. Further, unclassified data such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Personally Identifiable Information (PII), as well as information relating to critical infrastructure, defense, export control, financial, immigration, intelligence, international agreements, law enforcement, legal, natural and cultural resources, NATO, nuclear, patent, privacy, procurement and acquisition, proprietary business information, provisional, statistical, tax, and transportation all fall under this requirement.

Executive Order 13556 “Controlled Unclassified Information” created a program for standardizing the management of CUI across the Executive Branch and designated the National Archives and Records Administration (NARA) as Executive Agent. As such, NARA is responsible for the implementation of the CUI program as well as agency oversight to ensure compliance. The Archivist of the United States in turn delegated these responsibilities to the Information Security Oversight Office (ISOO), which issued 32 CFR Part 2002 “Controlled Unclassified Information” to establish a comprehensive policy for managing all aspects of CUI, including disposal and other program-specific requirements.

The rule affects not only all federal Executive Branch agencies that handle CUI but also all other organizations that in any way interact with CUI or have access to federal information on behalf of an agency. Therefore, these agencies must implement safeguarding or dissemination controls that are consistent with the CUI Program for any and all unclassified information. Prior to the CUI Program, agencies typically utilized agency-specific policies and procedures, of which there were many, resulting in inconsistently managed CUI.

The ISOO CUI directive has very clear requirements for information end-of-life, mandating that all CUI be destroyed to NIST 800-88 specifications. For paper, the NIST 800-88 destruction specification is the same as NSA requirements for classified information: a 1mmx5mm final particle size. Therefore, all CUI paper must be destroyed using a high security shredder that produces a final particle size of 1mmx5mm or less, such as those listed on the NSA/CSS 02-01 EPL for classified paper destruction. All of SEM’s high security shredders meet the new CUI mandate.

In an effort to provide clear communication and simplified purchasing for Federal Government agencies, all of SEM’s compliant paper shredders are now marked as being appropriate for CUI destruction. For more information, visit www.semshred.com/CUI.