CUI Data Protection Standard

Description

The Federal Government has established guidelines for handling sensitive data which is not considered classified but called Controlled Unclassified Information or CUI. We will receive ongoing guidance for how to handle such data and this standard will outline the responsibilities of the Lehigh community to protect this data.

Scope

This policy applies to all environments where CUI data is stored and processed or may be stored or processed.

Security Requirements

NIST 800-171 exhaustively outlines the security controls which must be placed around CUI data. 

Implementation

Research Environments

A System Security Plan must be in place for any specific research projects with identified CUI data and then reviewed annually to assess compliance. The PI is ultimately accountable for ensuring that all of the NIST 800.171 controls governing the protection of CUI data involved in their projects.. Many of the controls can be met by using services provided by Lehigh’s Library and Technology Services but some controls need to be handled as part of the research environment. These controls are listed below. 

The Office of Information Security is available to answer any questions you may have and will periodically assess the security controls within all CUI environments.

Handling CUI

• Systems in a CUI environment must have separate accounts for administration of systems and user accounts must never have access to administer a system including installation of software.

• Systems in a CUI environment must only be used by authorized personnel working on the CUI project (no shared resources).

• Mobile devices are not permitted in a CUI environment. CUI data must never be processed or stored on a mobile device.

• External systems, including personal devices, are not permitted in a CUI environment. CUI data must never be processed or stored on an external system. Only Lehigh owned and managed devices may be used in a CUI environment to prevent malicious code from being introduced.

• Remote devices (ie laptops) cannot be accessing project data while on a ‘split tunnel’ vpn. Only ‘full tunnel’ vpn access is permitted. 

• CUI designated for processing on public systems must be reviewed and approved as public data by Lehigh CISO or designee prior posting on an external system.

• Any systems processing CUI data must share logs with Lehigh’s central logging service so they may be reviewed and monitored by Information Security.

• No shared accounts are permitted within a CUI environment so all activities can be uniquely correlated with a single, authorized individual.

• Maintenance of systems and equipment

  • CUI must be removed from systems before being removed for maintenance outside of Lehigh

  • If any diagnostic or test programs are found to contain malware, then that must be reported immediately to the Office of Information Security who will implement the Incident Management plan.

  • Anyone not authorized to view CUI data must be fully supervised while performing maintenance on a system containing CUI.

• Media Protection. CUI data might be delivered to a researcher on portable media, or saved, and transported to other locations on portable media. That media must be protected.

  • Media should be locked with access only to authorized personnel

  • Media must be marked with necessary CUI markings and distribution limitations.

  • Media must be sanitized or destroyed to a level which makes the data unrecoverable before disposal or reuse.

  • Chain of custody must be maintained when media is outside of stored location and cryptography used to ensure that data cannot be accessed, this includes backup media.

  • Media containing CUI must be encrypted. 

• Collaboration devices used to communicate (ie conference room systems, OWLs, electronic whiteboards, etc) need to have an indicator to show if someone remote is listening or viewing content. 

• If CUI is stored outside of the LTS controlled environment (i.e. Data Center) then all of the responsibilities for physical security are the responsibility of the PI.

Financial Aid 

The U.S Department of Education has made it clear that some data related to the Federal Financial Aid program will be considered CUI data and must be protected by the controls within NIST 800.171. Lehigh is waiting for specific guidance from the Department of Education on what data is considered CUI and when we will need to provide documentation of compliance. Until that point Financial Aid data is classified internally in Lehigh’s most sensitive data classification and is protected through Lehigh’s Information Security Program which is built upon NIST 800.171 controls.

Related

• NIST 800.171
  NIST Special Publication (SP) 800-171 Rev. 2 (Withdrawn), Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

• DFARS Interim Rule
  Defense Federal Acquisition Regulation Supplement: Assessing Contractor Implementation of Cybersecurity Requirements (DFARS Case 2019-D041)

• National Archives CUI Registry
  Controlled Unclassified Information (CUI)

Definitions

CUI - Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

Revision History