If you provide services or products to the federal government, it’s essential to understand what qualifies as CUI data so that you can comply with the way it should be stored, processed, transmitted, and protected. Here are some basic tips to help guide you.
What is CUI?
Federal agencies routinely generate, use, store, and share information that, while not meeting the threshold for classification as national security or atomic energy information, requires some level of protection from unauthorized access and release. CUI stands for “Controlled Unclassified Information” that the US government has deemed necessary to safeguard (Presidential Executive Order 13556). In short, CUI is sensitive information—both digital and physical—created by the government (or an entity on its behalf) that, while not classified, is still sensitive and requires protection.
What is CDI data?
CDI stands for Covered Defense Information. While there is some overlap, the DoD has its own rules and definitions for cybersecurity. What’s important to note, however, is that they use the term CDI almost interchangeably with CUI, and are consistent with the National Archives’ definition of what constitutes CUI. So essentially, “Covered Defense Information” is unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry, that requires protection controls.
Why is the way you deploy CUI / CDI important?
Over the past several years, several high-profile data breaches compelled the U.S. government to assess its ability to protect sensitive information, particularly when that information resides within IT systems of contractors doing business with the government. The US National Institute of Standards and Technology (NIST) published NIST SP 800–171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, that provides guidelines on how CUI should be securely accessed, transmitted, and stored in nonfederal information systems and organizations. NIST SP 800-171, places significant responsibility on contractors that do business with the government, by specifying 14 cybersecurity controls they must put in place around their organization, systems, and processes where CUI is handled.
The National Archives and Records Administration also provides in-depth information about CUI. A full list of what constitutes CUI can be found on their website—this information is ever-changing.
What is FedRAMP?
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program whose mission is to promote the adoption of secure cloud services across the Federal Government by providing a standardized approach to security and risk assessment for cloud deployments. According to an OMB memorandum, cloud services that hold federal data must be FedRAMP authorized. FedRAMP provides guidelines to help agencies more rapidly transition from their legacy systems to authorized and secure, cost-effective cloud-based IT. It’s vital for anyone doing business with the government and holding CUI data in cloud environments to understand FedRAMP requirements.
In terms of deployment options, what guidance does FedRAMP give?
FedRAMP provides three main security baselines that match security with risk. The framework you choose will vary depending on your attribution or classification of the information in the system. If it’s CDI data, the framework should be FedRAMP high or moderate.
FedRAMP High Impact Level
FedRAMP introduced its High Baseline to account for the government’s most sensitive, unclassified data in cloud computing environments, including data that involves the protection of life and financial ruin. High Impact data is usually in Law Enforcement and Emergency Services systems, Financial systems, Health systems, and any other system where the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.
FedRAMP Moderate Impact Level
Moderate Impact systems account for nearly 80% of CSP applications that receive FedRAMP authorization and is most appropriate for CSOs where the loss of confidentiality, integrity, and availability would result in serious adverse effects on an agency’s operations, assets, or individuals. Serious adverse effects could include significant operational damage to agency assets, financial loss, or individual harm that is no loss of life or physical.
FedRAMP Low Impact Level (Commercial Cloud Environment)
Low Impact is most appropriate for CSOs where the loss of confidentiality, integrity, and availability would result in limited adverse effects on an agency’s operations, assets, or individuals. FedRAMP currently has two baselines for systems with Low Impact data: LI-SaaS Baseline and Low Baseline. The LI-SaaS Baseline accounts for Low-Impact SaaS applications that do not store personally identifiable information (PII) beyond that generally required for login capability (i.e. username, password, and email address). Required security documentation is consolidated, and the requisite number of security controls needing testing and verification are lowered relative to a standard Low Baseline authorization. Additional information on requirements for the LI-SaaS baseline can be found on the FedRAMP Tailored website.
These baseline descriptions are from FedRAMP.gov. For more detailed information on the security controls for each baseline level, click here.)
What type of data does TechnoMile hold, and how is it categorized?
The TechnoMile solution is a collection of business intelligence, sales and capture management, competitive intelligence, compliance, and analytics tools and processes deployed on a CRM platform. TechnoMile customers have implemented the solution in different environments based on their specific needs and security requirements. The choice of framework for deployment a customer chooses will vary depending upon how they are classifying the CUI data in the system. Regardless of the security framework, the capabilities TechnoMile customers get when using the system is the same.
Many TechnoMile customers have asked us how to categorize TechnoMile data. Data in the TechnoMile system can be classified as “Metadata” and “Documents.” Most of this Metadata information and documents are gathered from publicly available sources, including websites, FBO / SAM.gov solicitations, newswires, and press releases.
TechnoMile Metadata
- If a customer decides the data elements in the Metadata section are CUI, then they should go with either a High or Moderate security infrastructure deployment, as outlined in the FedRAMP baseline descriptions.
- If the customer decides the Metadata is not CUI, then they can choose a Commercial cloud environment.
TechnoMile Documents
The same thought process needs to be extended to Documents. Generally, customers consider documents to require a higher security classification than Metadata.
- If a customer determines documents need to be stored in a FedRAMP High environment, the TechnoMile recommended cloud document management system is SharePoint GCC High. Some customers who have on-prem compliant environments integrate Cloud CRM with on-prem systems as well.
- If a customer determines documents can be stored in a FedRAMP Moderate environment, the TechnoMile recommended solutions are Salesforce GCC Moderate Environment or SharePoint GCC Moderate Environment.
- If a customer decides the documents can be stored in a commercial cloud environment, the recommended solution is SharePoint or CRM in a commercial cloud.