How to Protect the Confidentiality of CUI
By: Omer Kaan Aslim
November 04, 2021
Learn how to protect the confidentiality of CUI using physical and technical safeguards.
CUI can be stored on two forms of media, non-digital media and digital media. Both forms of media containing CUI require different protection mechanisms however the objective of providing confidentiality remains the same. Non-digital media includes paper and microfilm. Digital media includes diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. CUI can also be transmitted in digital form over computer networks.
Protecting the Confidentiality of CUI on Non-Digital Media
The confidentiality of CUI stored on non-digital media is provided using physical security controls. This includes limiting access to the facility where the non-digital media is stored and by limiting access to the container in which the non-digital media is stored. CUI stored on non-digital media should be in a “controlled environment”. A controlled environment prevents unauthorized personnel from accessing, observing, or overhearing CUI. This includes limiting access to the facility where the non-digital media is stored and by limiting access to the container in which the non-digital media is stored. You should store non-digital media containing CUI in locked cabinets. Only provide authorized personnel with keys to the locked cabinet.
Protecting the Confidentiality of CUI on Digital Media
To protect the confidentiality of CUI on digital media, FIPS validated cryptography is used along with the physical security protections. Do you have to encrypt all digital media containing CUI? If you are transporting CUI on digital media outside of a “controlled environment” in your facility the answer is yes, you need to encrypt the digital media device. This is in accordance with the requirement “Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards” (CMMC MP.3.125, NIST SP 800-171 3.8.6).
If the digital media device containing CUI is remaining at your facility in a secured room or cabinet it does not have to be encrypted to meet your compliance requirements although you certainly should encrypt it as it is possible for someone to simply steal or lose the digital media containing CUI.
You can use Bitlocker to encrypt the hard drives on your Microsoft workstations and servers that store CUI. Bitlocker can also be used to encrypt removable storage devices. You can use FileVault to encrypt your Mac workstations. Both Bitlocker and Filevault use FIPS validated encryption. Companies like Apricorn, sell secure removable storage devices that use FIPS validated encryption. These devices are a good option for companies that need to use USB removable storage devices.
Protecting the Confidentiality of CUI in Transit
CUI in transit refers to CUI that is being sent over computer networks. This can include sending an email containing CUI, sharing a digital document containing CUI over a network, or entering CUI into a form on a website. To protect CUI sent over email, S/MIME encryption can be used. To protect CUI in digital documents during transit, SFTP can be used in place of FTP. When entering CUI into a website you should ensure that TLS is used to encrypt your connection to the site.
Protecting the Confidentiality of CUI When Speaking
CUI can also be transmitted with your voice.You can talk to someone about CUI in person, via the phone, or other voice technology. To protect the confidentiality of CUI, only authorized persons should hear discussions involving CUI. CUI should not be discussed outside of controlled areas. Discussing CUI in a coffee shop is not appropriate. Discussing CUI over an unencrypted voice technology is also not appropriate.
Discover Our NIST SP 800-171 Solutions:
For contractors seeking compliance
For IT service providers
Supply Chain Verifier
For contractors seeking to verify partner compliance