Controlled Unclassified Information (CUI) - Local Policy and Procedure

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-32156	IS-16.03.01	SV-42473r3_rule		Low

Description
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure C, paragraph 25.d. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-1, PL-1 and SI-1. DoD Manual 5200.01, Volume 4, SUBJECT: DoD Information Security Program: Controlled Unclassified Information (CUI); Enclosure 2, paragraph 4.b. and Enclosure 4, paragraphs 6 and 8. DoD 5200.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 7, Section 1, paragraph 7-101.a.(2).

Description

Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure C, paragraph 25.d. NIST Special Publication 800-53 (SP 800-53), Rev 4, Controls: PE-1, PL-1 and SI-1. DoD Manual 5200.01, Volume 4, SUBJECT: DoD Information Security Program: Controlled Unclassified Information (CUI); Enclosure 2, paragraph 4.b. and Enclosure 4, paragraphs 6 and 8. DoD 5200.22-M (NISPOM), Incorporating Change 2, 18 May 2016, Chapter 7, Section 1, paragraph 7-101.a.(2).

STIG	Date
Traditional Security Checklist	2020-08-26

Details

Check Text ( C-40670r5_chk )
General Policy Guidance: All personnel of the Department of Defense are personally and individually responsible for properly protecting classified information and Controlled Unclassified Information (CUI) under their custody and control. All officials within the Department of Defense who hold command, management, or supervisory positions have specific, non-delegable responsibility for the quality of implementation and management of the information security program within their areas of responsibility. Check: This check is specifically to ensure there are local written procedures for handling, marking, storing, destroying and transmitting Controlled Unclassified Information. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Check Text ( C-40670r5_chk )

General Policy Guidance: All personnel of the Department of Defense are personally and individually responsible for properly protecting classified information and Controlled Unclassified Information (CUI) under their custody and control. All officials within the Department of Defense who hold command, management, or supervisory positions have specific, non-delegable responsibility for the quality of implementation and management of the information security program within their areas of responsibility.

Check:
This check is specifically to ensure there are local written procedures for handling, marking, storing, destroying and transmitting Controlled Unclassified Information.

TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Fix Text (F-36080r3_fix)
General Policy Guidance: All personnel of the Department of Defense are personally and individually responsible for properly protecting classified information and Controlled Unclassified Information (CUI) under their custody and control. All officials within the Department of Defense who hold command, management, or supervisory positions have specific, non-delegable responsibility for the quality of implementation and management of the information security program within their areas of responsibility. Fix: Ensure there are local written procedures for handling, marking, storing, destroying and transmitting Controlled Unclassified Information.

Fix Text (F-36080r3_fix)

General Policy Guidance: All personnel of the Department of Defense are personally and individually responsible for properly protecting classified information and Controlled Unclassified Information (CUI) under their custody and control. All officials within the Department of Defense who hold command, management, or supervisory positions have specific, non-delegable responsibility for the quality of implementation and management of the information security program within their areas of responsibility.

Fix:
Ensure there are local written procedures for handling, marking, storing, destroying and transmitting Controlled Unclassified Information.