21-08-16 DCSA CUI Presentation to Navy SEA21 Industry Day (003).pdf
Date Originally Posted
Oct. 5, 2021, 7:31 a.m.
CONTROLLED UNCLASSIFIED INFORMATION (CUI)SEA 21A INDUSTRY DAYMr. John B. MasseyDeputy Assistant DirectorEnterprise Security OperationsDCSA, Critical Technology ProtectionUNCLASSIFIEDUNCLASSIFIEDDEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCYTBDGreat Power Competition CUI Background and HistoryNISP32 CFR 20022010•32 CFR Section 2002 CUI published•DCSA Director implements DSS in Transition Initiative to focus protection efforts on critical assets and relevant threats 20161993The majority of lost/stolen technology occurs on unclassified systems“The loss of classified and controlled unclassified information is putting the Department’s investments at risk and eroding the lethality and survivability of our forces.”–SECDEF/24 Oct 2018“DSS In Transition,” Deliver Uncompromised, Joint Cyber Intelligence Tool Suite (JCITS), Cybersecurity Maturity Model Certification (CMMC)•EO 12829 Establishes the National Industrial Security Program•EO 13556 Establishes Controlled Unclassified Information•SECDEF appoints USD(I&S) DOD CUI Senior Agency OfficialAd-hoc, agency-specific policies, procedures, and markings to safeguard and control information emergesEO 13556Commerce Department and FBI estimate $600 billion in annual losses2020DODI 5200.48•Establishes policy and assigns responsibilities and prescribes procedures for CUI throughout DOD•Establishes official DOD CUI RegistryUNCLASSIFIEDUNCLASSIFIEDDEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCYGreat Power Competition WHAT IS CUI?•Intended to establish an open and uniform program for managing information that requires safeguarding or dissemination controls•Replaces FOUO, SBU, LES, and other labels and markings used•Categories such as Privacy, Tax, Law Enforcement, Critical Infrastructure, Export Control, Financial, and Intelligence information that requires special safeguardingWHAT IS NOT CUI?•Classified information or a classification•Corporate intellectual property (unless created for or included in requirements related to a government contract)•Publically available informationWHY? •CUI is the path of least resistance for adversariesExecutive Order 13556November 9, 201032 CFR Part 2002September 14, 2016DOD Instruction 5200.48March 6, 2020CUI OverviewUNCLASSIFIEDUNCLASSIFIEDDEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCYGreat Power Competition DCSA’s CUI ResponsibilitiesDCSA assigned eight (8) responsibilities in support of Department CUI program management; focused on CUI associated with classified contracts•a. Administers the DOD CUI Program for contractually established CUI requirements for contractors in classified contracts•b. Assesses contractor compliance with contractually established CUI system requirements in DOD classified contracts associated with the NISP•c. Establishes a process to notify the DOD CIO, USD(R&E), and USD(A&S) of threats related to CUI•d. Provides security education, training, and awareness on the required topics identified in Section 2002.30 of 32CFR•e. Provides security assistance and guidance to the DOD Components on the protection of CUI•f. Serves as the DOD-lead to report UDs of CUI•g. Coordinates with the DOD CIO to implement uniform security requirements for NISP contractors•h. Consolidates DOD Component input on the oversight of CUI protection requirements in DOD classified contracts for NISP contractorsUNCLASSIFIEDUNCLASSIFIEDDEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCYGreat Power Competition DCSA’s CUI PlanningOperationalize DCSA CUI responsibilities in a phased approach as outlined in DODI 5200.48.Execute DOD CUI Program Administration and associated responsibilitiesHolistic view of security at NISP facilitiesInformation sharing and collaboration with USG partnersIntegration into industry oversight processesAvoidance of redundant USG CUI-oversight effortsDOD CUI Program Administration(responsibilities: a, e, g, h)UD & Threat Notification Processes(responsibilities: c, f)CUI Security Education & Training(responsibilities: d)Assess Contractor Compliance(responsibilities: b)Coordination Lead (DOD CIO/Components)(responsibilities g, h)END-STATEGOALSCommunication is CriticalResources, Tools, and TrainingEasy to UnderstandEnables SuccessConsiders Impact on All BusinessesLeverages Technology and AutomationUNCLASSIFIEDUNCLASSIFIEDDEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCYGreat Power Competition DCSA’s CUI PlanningJuly 2021Plan Developed and Phased Approach SelectedJuly –Sep 2021Training and Communication01 Oct 2021Initial Operating CapabilityFY22Development/maturation of initial processes; progress towards FOCUNCLASSIFIEDUNCLASSIFIEDDEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCYCompleted•Issued DoDI5200.48 (March 2020)•Established DoD CUI Program Website (October 2020): https://www.dodcui.mil/ •Released CUI training and supplementary awareness aids (October 2020) –1.4MOngoing•Enhance DoD CUI Registry•Finalize CUI Non-Disclosure Agreement (NDA)•Partner with A&S CISO and DoD CIOOver the Horizon•Draft CUI Manual supplementing DoDI5200.48 •Plan for CUI Program Management transition to DCSA7USD (I&S) Implementation ProgressUNCLASSIFIEDUNCLASSIFIEDDEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCYEnhance DoD CUI Registry•Outcome: Offer a Registry for DoD personnel and industry partners that:•(1) includes laws, regulations, and government-wide polices (LRGWP)•(2) Identifies related DoD polices•(3) Provides examples to aid category selection.CUI Non-Disclosure Agreement (NDA)•Outcome: Issue a NDA for DoD personnel and contractors who are responsible to safeguard DoD CUI from unauthorized disclosure.•Status: Finalizing coordination and planning logistical matters. Partner with A&S CISO and DoD CIO•Outcome: Refinement and implementation of Cyber Maturity Model Certification (CMMC)•Purpose: Standardize cybersecurity requirements for non-federal systems that store, process, and transmit, CUI.•Status: Participating in the AO Working Group and Executive Steering Group8Ongoing LOEsUNCLASSIFIEDUNCLASSIFIEDDEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCYDraft CUI Manual supplementing DoDI5200.48 •Outcome: Based on implementation experience, draft, coordinate, and issue a supporting Manual that addressed more detailed aspects of the DoD CUI Program.•Identify procedural requirements based on feedback and analysis•Issue and then incorporate supporting policy memosPlan for CUI Program Management transition to DCSA•Outcome: Achieve appropriate balance of DCSA management and OUSD(I&S) oversight•Build and grow DCSA’s CUI Program•Continue maturing DoD’s CUI Program for a orderly transition•Begin initial planning discussions and timelines9Over the HorizonUNCLASSIFIEDUNCLASSIFIEDDEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCYGreat Power Competition What Can Industry Do Now? •Review existing contracts; engage with Government customers to determine which, if any, CUI requirements are applicable to current contracts; and familiarize themselves with NIST SP 800-171.•Review CUI resources and training available on the CDSE website to include the CUI Toolkit and “DOD Mandatory Controlled Unclassified Information (CUI) Training FY21 (IF141.06.FY21).”•Review the CUI Toolkit, which includes training, policy documents, resources, and an FAQ video, which CDSE has made available at: https://www.cdse.edu/toolkits/cui/current.html. •Review the DOD CUI Registry at https://www.dodcui.milto become familiar with CUI organizational index groupings and CUI categories.•Stay Up to Date!•DCSA CUI Page: https://www.dcsa.mil/mc/ctp/cui/•Monthly Voice of Industry Updates UNCLASSIFIEDUNCLASSIFIEDDEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCYUNCLASSIFIEDResourceshttps://www.dcsa.mil/mc/ctp/cui/https://www.dodcui.mil/https://www.archives.gov/cuiUNCLASSIFIEDDEFENSE COUNTERINTELLIGENCE AND SECURITY AGENCYUNCLASSIFIEDQuestionsUNCLASSIFIED