Controlled Unclassified Information - Handling, Storage and Controlling Access to Areas where CUI is Processed or Maintained

An XCCDF Rule

Description

<VulnDiscussion>Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure C, paragraph 25.d. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: MP-4 and PE-3. DoD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DoD Information Security Program: Protection of Classified Information; Enclosure 7, paragraph 13.f. DoDI 5200.48 Controlled Unclassified Information (CUI) DoD 5220.22-M (NISPOM), Incorporating Change 2, 18 May 2016, 4-103.c., 5-203.b., and Chapter 5 and Chapter 8, paragraph 8-302.b.& g. </VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>

ID: SV-245845r939275_rule
Severity: Medium
Updated: 9 months ago

General Guidance:  

Standards of protection for most types of CUI are the same as for FOUO but some variance does exist.  Therefore, specific requirements for certain CUI may need to be checked against applicable references to ensure proper protection is afforded.  The fixes are applicable to all forms of CUI: documents, AIS hard drives and storage media.

Fixes applicable for FOUO:
For most CUI and FOUO specifically ensure the following standards are met: 

1.  During working hours, reasonable steps shall be taken to minimize the risk of access by unauthorized personnel.  This would include things like placing cover sheets on FOUO documents and allowing unescorted access to areas where CUI (documents and AIS storage media) is processed/handled to only those persons with at least a favorably adjudicated National Agency Check (NAC). 

2.  After working hours, FOUO information (documents and AIS storage media) may be stored in unlocked containers, desks, or cabinets if Government or Government-contract building security is provided. If such building security is not provided or is deemed inadequate, the information (documents and AIS storage media) shall be stored in locked desks, file cabinets, bookcases, locked rooms, etc.  In all cases FOUO and other CUI must be placed out of sight during non-working hours. While not required, implementation of a clean desk policy would be a good idea.  

3.  Unescorted access to computer rooms or areas containing major items of AIS equipment processing CUI information (servers and network components) should only be granted to persons with at least a favorable NAC.  All others should be physically escorted. Access control measures such as reception personnel, guards, keyed locks, cipher locks or automated access control systems may be used to control access to such areas.

Controlled Unclassified Information - Handling, Storage and Controlling Access to Areas where CUI is Processed or Maintained

Description

Remediation - Manual Procedure