Controlled Unclassified Information - Transmission by either Physical or Electronic Means
An XCCDF Rule
Description
<VulnDiscussion>Failure to handle/transmit CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui NIST FIPS 140-2, Security Requirements for Cryptographic Modules DODI 8520.2, "Public Key Infrastructure (PKI) and Public Key Enabling (PKE)" CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure A, paragraphs 13.a., 13.b.(2)(3), and Enclosure C, paragraphs 22.d,, 25.a.,d.,e.,f., 26.j.(2), and 35.a. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: AC-17, AC-20, IA-2, SC-8, SC-9, and SC-23. DOD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DOD Information Security Program: Protection of Classified Information; Enclosure 7, paragraph 13. DODI 5200.48 Controlled Unclassified Information (CUI)</VulnDiscussion><FalsePositives></FalsePositives><FalseNegatives></FalseNegatives><Documentable>false</Documentable><Mitigations></Mitigations><SeverityOverrideGuidance></SeverityOverrideGuidance><PotentialImpacts></PotentialImpacts><ThirdPartyTools></ThirdPartyTools><MitigationControl></MitigationControl><Responsibility></Responsibility><IAControls></IAControls>
- ID
- SV-245847r917355_rule
- Severity
- Medium
- Updated
Remediation - Manual Procedure
General Information:
Standards for transmission for most types of CUI are the same as for FOUO but some variance does exist. Therefore, specific requirements for certain CUI may need to be checked against applicable references to ensure proper means for transmission are used.
For most CUI and FOUO specifically ensure the following standards are met: