CUI can be stored on two forms of media, non-digital media and digital media. Both forms of media containing CUI require different protection mechanisms however the objective of providing confidentiality remains the same. Non-digital media includes paper and microfilm. Digital media includes diskettes, magnetic tapes, external/removable hard disk drives, flash drives, compact disks, and digital video disks. CUI can also be transmitted in digital form over computer networks.
Protecting the Confidentiality of CUI on Non-Digital Media
The confidentiality of CUI stored on non-digital media is provided using physical security controls. This includes limiting access to the facility where the non-digital media is stored and by limiting access to the container in which the non-digital media is stored. CUI stored on non-digital media should be in a “controlled environment”. A controlled environment prevents unauthorized personnel from accessing, observing, or overhearing CUI. This includes limiting access to the facility where the non-digital media is stored and by limiting access to the container in which the non-digital media is stored. You should store non-digital media containing CUI in locked cabinets. Only provide authorized personnel with keys to the locked cabinet.
Protecting the Confidentiality of CUI on Digital Media
To protect the confidentiality of CUI on digital media, FIPS validated cryptography is used along with the physical security protections. Do you have to encrypt all digital media containing CUI? If you are transporting CUI on digital media outside of a “controlled environment” in your facility the answer is yes, you need to encrypt the digital media device. This is in accordance with the requirement “Implement cryptographic mechanisms to protect the confidentiality of CUI stored on digital media during transport unless otherwise protected by alternative physical safeguards” (CMMC MP.3.125, NIST SP 800-171 3.8.6).
If the digital media device containing CUI is remaining at your facility in a secured room or cabinet it does not have to be encrypted to meet your compliance requirements although you certainly should encrypt it as it is possible for someone to simply steal or lose the digital media containing CUI.
You can use Bitlocker to encrypt the hard drives on your Microsoft workstations and servers that store CUI. Bitlocker can also be used to encrypt removable storage devices. You can use FileVault to encrypt your Mac workstations. Both Bitlocker and Filevault use FIPS validated encryption. Companies like Apricorn, sell secure removable storage devices that use FIPS validated encryption. These devices are a good option for companies that need to use USB removable storage devices.
Protecting the Confidentiality of CUI in Transit
CUI in transit refers to CUI that is being sent over computer networks. This can include sending an email containing CUI, sharing a digital document containing CUI over a network, or entering CUI into a form on a website. To protect CUI sent over email, S/MIME encryption can be used. To protect CUI in digital documents during transit, SFTP can be used in place of FTP. When entering CUI into a website you should ensure that TLS is used to encrypt your connection to the site.
Protecting the Confidentiality of CUI When Speaking
CUI can also be transmitted with your voice.You can talk to someone about CUI in person, via the phone, or other voice technology. To protect the confidentiality of CUI, only authorized persons should hear discussions involving CUI. CUI should not be discussed outside of controlled areas. Discussing CUI in a coffee shop is not appropriate. Discussing CUI over an unencrypted voice technology is also not appropriate.
Quick & Simple
Discover Our Cybersecurity Compliance Solutions:
Whether you need to meet and maintain your compliance requirements, help your clients meet them, or verify supplier compliance we have the expertise and solution for you
NIST SP 800-171 & CMMC Compliance
Become compliant, provide compliance services, or verify partner compliance with NIST SP 800-171 and CMMC requirements.
HIPAA Compliance
Become compliant, provide compliance services, or verify partner compliance with HIPAA security rule requirements.
FAR 52.204-21 Compliance
Become compliant, provide compliance services, or verify partner compliance with FAR 52.204-21 Basic Safeguarding of Covered Contractor Information Systems requirements.
ISO 27001 Compliance
Become compliant, provide compliance services, or verify partner compliance with ISO 27001 requirements.