Welcome back!
Today is number 6 in the Blue Cyber Series. We’ll be talking about protection of common types of Department of Defense controlled unclassified information. My name is Kelly Kiernan and I'm here representing the Department of the Air Force Chief Information Security Officer and AFWERX.
Most information produced for the government is protected as controlled unclassified information or CUI. You can find multiple training presentations at this web link. There you will also find guides on how to mark CUI. And be sure to recognize that it is the full implementation of NIST SP 800-171 which the DoD defines as adequate security for protection of CUI.
In our talk today, we're going to discuss several types of CUI that you may encounter on your small business journey. However, there are many more types of CUI and you can learn about them at the National Archives website. At that site, the National Archives will provide definitions, safeguarding and dissemination authorities, and banner marking notes.
When it comes to marking CUI, there are two types: basic and specified. The difference between the two has to do with the law. At this site, you will find a handbook and the handbook will guide you on marking the two types of CUI.
As a small business, the most common category you will encounter is controlled technical information or CTI. Examples of CTI include: engineering data, engineering drawings, source code, executable code, studies, and analyses created for the government. You will be creating CTI as a government contractor. Another CUI category you may encounter is export controlled research. This is unclassified information concerning certain items such as commodities, technologies, software knowledge, or other information whose export could adversely affect our national security. Another category is sensitive personally identifiable information or PII.
PII, if lost, compromised, or disclosed without authorization, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. You must protect PII as CUI.
Another category of CUI is legal privilege. This category includes attorney work product and attorney client privilege. More information about this category can be found at the National Archives.
Another important CUI category is protected health information or PHI, which is regulated by the HIPAA agreement. PHI must be marked and protected as CUI.
Small business research and technology has its own CUI category. This information must be protected as CUI. More information is available at the National Archives website.
Another important category of CUI is general proprietary information. Proprietary information must be marked and protected as CUI within the Department of Defense. Here are some examples of general proprietary information: they include material and information relating to or associated with a company's products, business, or activities, including but not limited to financial information data or statements, trade secrets, product research and development, existing and future product designs, and performance specifications.
It is worth noting that export controlled research is regulated by the International Traffic in Arms Regulations or ITAR and the Export Administration Regulations or EAR. Your technical point of contact or contracting officer representative will have more information on how to protect CUI in these two categories.
The Chief Data Officer of the Department of the Air Force has issued a memo to small businesses. You will find it here at www.afsbirsttr.af.mil in the about section. In this memo, the Department of the Air Force Chief Data Officer reminds small businesses about the requirements and regulations that are necessary to protect data and information within the Department of the Air Force.
Thank you for your time today. We discussed protection of common types of Department of the Air Force CUI that you might encounter in your small business journey. This is a reminder that this presentation is not a substitute for reading the FAR and DFARS in your small business contract. My name is Kelly Kiernan and I'm here representing the Department of the Air Force Chief Information Security Officer and AFWERX.
Date Taken: 03.03.2022
Date Posted: 03.11.2022 15:34
Category: Video Productions
Video ID: 834422
VIRIN: 220304-F-WY291-1195
Filename: DOD_108855238
Length: 00:05:20
Location: OHIO, US
This work, Protection of Common Types of Department of Defense Controlled Unclassified Information, by Dave Pope, identified by DVIDS, must comply with the restrictions shown on https://www.dvidshub.net/about/copyright.