CUI Marking and Labeling – Episode #018 Video

This 27-minute video discusses time- and money-saving CUI marking and labeling solutions and techniques (including automation) for meeting the NIST 800-171 and CMMC CUI marking and labeling requirements, featuring subject matter expert Carl Johnson.

CUI Marking and Labeling discussion with Subject Matter Expert – Carl Johnson

Today, Kyle and I are talking with our new friend and Microsoft security professional, Carl Johnson. Carl has over 22 years of experience working with SharePoint, Teams, Azure, Information Protection, and Data Loss Protection, and his focus is on high-compliance and regulatory organizations. We will be discussing some of the CUI marking and labeling solutions for the requirements of CMMC and NIST 800-171.

CUI Marking Guides and CUI Labeling Handbooks are available!

What are some of the pains and challenges of handling CUI?

Most of the emails and calls I receive are from federal contractors that are about to go through either CMMC or related DFARS and NIST 800-171. They’re trying to understand how to manage and organize the information they’ve been accumulating over the years in an unstructured environment. Now they need to protect CUI and are concerned about how they can manage this information from a regulatory perspective with CUI. They’re looking for CUI marking and labeling solutions.

Let’s take a step back for a moment: what exactly is CUI?

CUI was first developed and created by the DOD and stands for Controlled Unclassified Information. Let’s say you’re a federal contractor and you have all these documents sitting in libraries or in folders, but there’s no system for CUI labeling or marking. It isn’t clear, then, whether or not the information is classified, or in this case controlled unclassified information; it only appears as specific to your industry. For instance, I deal with a lot of aerospace companies and they have to tell the government what exactly they’re exporting to other countries and how they’re marking those documents, so it’s related to those specific CUI markings or that specific DOD CUI labels requirement.

Why do we need to mark and label CUI, and what are some of the requirements?

The DOD/CMMC is now requiring CUI markings and labeling for federal contractors who handle CUI information, as well as for classified information, to treat it with “white gloves”. From the DOD’s perspective, the reason why marking is important is that if an auditor comes into your organization, within 10-15 minutes you should be able to tell that auditor what information relates to confidential, what information relates to FYEO (what we call “For Your Eyes Only”), or what information you’re sharing with external parties outside your organization. More importantly, you should be able to have a risk score associated with how many of these documents you have. A great example is if you’re a federal contractor and, let’s say you’re working with FEMA, you might have a lot of information about some type of cash payout or a resident’s personal information. All of that information has to be classified in some way so it doesn’t go into the wrong hands.

Specific to CUI marking and labeling, what are the biggest challenges?

We have tons of technology that does marking very well, but before you can do any marking, you have to train your staff on how to identify what needs marking and what does not. For example, if you’re creating a document, normally it’s not a routine to say “I have to mark or identify this document as classified”. So, the biggest challenge is getting the people involved and making sure they understand the importance of marking and how that impacts not only the city your company is in but also the industry. The second biggest challenge is deciding what to do with those thousands of documents you’ve been storing over the past 10-15 years. Where exactly is the line where it says you no longer have to worry about marking archive documents? Those are the biggest challenges and, especially from a financial perspective, it takes a lot of resources to go back and mark all those documents that you had from 10-15 years ago. But somebody has to do it.

Can CUI marking and labeling solutions be done automatically?

Absolutely. Being with Microsoft for the last 20-something years, and especially in the cyber security world, the biggest challenge is “how do we automate as many tasks as possible”? For example, the last thing you want is a user to manually input form information because you don’t know if it’s going to be accurate. The same is true about marking. We can train, especially inside of Azure Information Protection (AIP), to scan the documents looking for identifiable information and make the determination of whether or not that should be marked. The second way is to create templates for your organization so that even a basic document already has some type of marking (confidential, unclassified, financial, etc.) so that the user can’t create documents that don’t have markings. By creating templates that run throughout your whole organization, no one can go and create just a regular, blank document. They would have to select from one of the documents; that way you can make it at the very lowest level of classification, which would still protect your company, rather than having none at all. I think that’s the best way to automate. At the end of the day, it’s about training the staff and telling them the importance of why we’re doing this, even before you actually roll out an Azure Information Protection or a labeling/marking program for your organization.

What’s the high-level process of automated CUI marking and labeling solutions?

If you invited me to your company and we’re doing a whiteboard session, the first step is to inventory what exactly we have inside the organization. If we’re talking about a federal contractor, there might be many proposals, which are CUI, and depending on the stage of the proposal, there might be a lot of financial information involved. The second step is looking at what Microsoft has built in. Microsoft has done an amazing job of creating labeling and marking templates so you don’t have to recreate the wheel. So I may say to you, depending on your budget and depending on how many resources you have: “Let’s use the built-in templates that Microsoft has already created for your labeling and your markings”. If you’re a medium-large organization, you’re going to have a more complex environment where you’re going to need to create custom markings and custom labeling. For example, if you have a finance department, you also might have finance that deals with Europe, Asia, Australia, etc., which all have different requirements when it comes to labeling, marking and regulations. So we might need to create sub-labels to help you with those other countries or locales so that you and your organization will be ready to work with them.

Is there an easy method of doing CUI inventory?

It reminds me of back in the day when I worked at a supermarket. Management would say once or twice a year that we had to inventory the whole entire store. It’s similar to when you’re working with an inventory of files you’ve had for 10-15 years. What I always suggest and advise is that you want to get the business units themselves, the stakeholders themselves, involved in inventorying their own information that they’re responsible for. We could use tools and do scans to figure out what’s there, but in my opinion, the best recipe is to first allow the users to identify the information. I’m also a firm believer that if you can go ahead and delete it or remove it off your system, by all means, do so. Don’t be a hoarder of information if you don’t need to be. That way you don’t need to worry about being part of an e-discovery or audit. We can use tools to scan, but you really want the users to be involved in this process and be able to tell you which types of forms they use so you can start seeing a pattern. The more I see a pattern, the more I can program my tools to look for that particular pattern as we scan and start to do the labeling process. However, I really do need the user’s input first.

What are some Microsoft 365 tools that are good for CUI marking and labeling solutions?

There are a lot of customers using Office 365 and they may be saying “maybe we have these tools already” but it’s really about licensing. If you have a Microsoft E3 or E5 license, the Azure Information Protection itself is available and you can enable it. The ones I would recommend the most if we’re talking about CUI labeling and marking would be Azure Information Protection. We would enable it to allow you to use your organization’s custom labels and markings. If you deal with the DOD, the Pentagon, the Justice Department, etc., you may have specific markings that you want to choose from and use, which can all be done inside of Azure Information Protection. The actual technology is the simple part; it’s the planning of the requirements that would take the most time. Once we understand what you’re trying to do, we would advise you on the best method and then go ahead and do the implementation for you. Finally, we would teach you how to do it yourself as you grow and expand.

What do Microsoft AIP, Unified Labeling Platform, and Azure Rights Management do?

For Azure Information Protection, think of it in terms of the display and the encryption. So we’re talking about putting the labels on the document, which could be your Excel files, your PowerPoint files, your Word document files, etc. Any of these emails going back and forth require some type of labeling. That’s the first part. For the second part, let’s think of a scenario where you’re sharing information outside your organization with an untrusted vendor, a vendor that you just started doing business with. You don’t know where that information is going, so you have encryption built into your AIP to ensure that only you and that person are going to be able to read that email. If that email somehow gets into the wrong hands, it won’t be able to be opened because of the encryption. A lot of people believe that once it leaves your tenant, there’s no longer any encryption, which is not true. The encryption stays on that document, so if the other person doesn’t have the right key, they won’t be able to open it. So you’re protected years down the line. The second part I like to address is the DLP, which is data loss protection. Data loss protection involves scanning your environment to look for things relating to your PII (personal identity information): Social Security number, date of birth, address, etc. Nowadays, since we live in a world of social media, PII can be expanded even more to look for your geolocation, your Twitter username, your Instagram username, etc. We’re constantly scanning not only for the protection of the user, but the protection of the organization as well, to make sure that no one is sharing our information. Those are the two concepts you really want to understand when we’re talking about DLP and Azure Information Protection.

Unified Labeling Platform – how does it help with CUI marking and labeling solutions? Is it available in Microsoft 365 GCC High?

Most of my customers are dealing with GCC High for CMMC, which is inside the government tenant for Microsoft Office 365. Unified labeling is being rolled out across all the tenants, compared to before when only commercial tenants had unified labeling. With unified labeling, your whole organization is protected. You can create the labels and markings at the high level of your organization, which will trickle down through all of the Microsoft applications you’re using. From my background with SharePoint in the early days of trying to protect an organization that had labeling on their documents or inside their office product, but then they had a totally separate labeling inside of SharePoint, a lot of it was either redundant or it would cancel the other out. So now I can look at your organization and have a plan that can protect everything inside of this tenant. First, your budget is a lot lower because you’re not doing twice the amount of work, and second, you can sleep a little easier knowing that if you’re sharing through SharePoint externally, that’s protected the same way as if you’re sharing through Exchange by sending an email.

Azure Rights Management – can it help CUI management?

Microsoft has really beefed up the rights protection over the years. By using Artificial Intelligence (AI), it’s able to identify what exactly the organization is trying to protect and use that as a template. With rights protection, everything inside of the tenant is protected, and it’s also protected when the information leaves the tenant. So you don’t have to worry about a one-sided protection. Everything is protected: the documents, devices, etc. All of that information you have on your phones or on your tablet devices. You no longer have to worry about the person who was terminated two weeks ago, and the fact that they still have information on their phone. With Azure Information Protection, everything that is your property as an organization is protected.

How long will it take to implement these Microsoft 365 tools for CUI marking and labeling solutions?

It depends on how extensive you want the implementation to be and also the complexity of it. If you’re a small-medium business, it would probably be within two weeks. I always like to spend time with the organization and understand how it does business, especially if you’re doing business with the government. Understanding how you interact with different agencies will allow me to create a template or blueprint for you. For a larger company, let’s say 500 users and above, you should probably plan for a three-month implementation. Not necessarily because of the technology, but more so because you may have all types of data and information that needs to be examined, inventoried, and understood so we’re making the right decision. If we want to automate labeling and automate markings, knowing and understanding your typical documents that you use helps us create this template for you so you don’t have to do anything. You, meaning the users, don’t have to do anything and you allow Azure Information Protection to do all the work.

What are some common AIP labels that contractors will use?

For the most part, the one I see the most is FYEO (for your eyes only). This is when you’re exchanging information and you just want those parties to see that information and don’t want anyone else to share it. This information would be considered “confidential”. This doesn’t necessarily mean confidential from a DOD or federal perspective, but it might be confidential to your organization. For example, your financial information, HR information, information from marketing proposals, etc. A common AIP label that is specific to DOD/CMMC would be a label named “CUI” followed by the name of the agency itself. If you’re dealing with multiple agencies, their definition may be a little different from one agency to another.

KLC provides NIST 800-171 and CMMC Compliance Solutions

KLC Consulting Provides CUI marking and CUI labeling solutions
