Page 48 - Cyber Defense eMagazine September 2023

This type of data sovereignty law has either been adopted or proposed in many regions. China, Germany, France (proposed), the Kingdom of Saudi Arabia and Dubai are good examples—they share characteristics such as categorization schemes to define the types of information subject to sovereignty, access controls, and conditions under which cloud offerings are used.


The United States has not adopted a specific data sovereignty statute (apart from export restrictions already in place), but the government has introduced a regulation for Confidential Unclassified Information (CUI). The purpose is to “standardize the way the executive branch handles information that requires protection under laws, regulations, or government-wide policies, but that does not qualify as classified.”

As the purpose statement notes, the intent was to standardize how federal agencies handle CUI, but it also encompasses those contracting or working with the government. CUI obligations for third parties are enforced through contractual provisions, now required for anybody handling or managing CUI (or associated systems). This may also include state or local agencies doing business with the federal government or involved in data sharing relationships.

The CUI regulation, like the data sovereignty statutes described above, is based on a broad set of categorized information. It defines areas such as critical infrastructure, financial, immigration, intelligence, export control and transportation. Each of these broader categories is further divided into sub-categories that further define the types of information subject to controls.

All CUI is subject to a marking requirement, which indicates whether the information is subject to “basic” or “specified” restrictions/controls. All CUI (including “basic”) must be protected consistent with standards and policies such as FIPS 199, FIPS 200, and NIST SP 800-53. These are quite familiar within both government agencies and many private sector entities. Additional control requirements may be specified (“specified CUI”), along with other restrictions such as prohibition of sharing with non-citizens, contractors, or outside specific controlled environments. The objective behind all these standards is ultimately to protect this information from unauthorized access or disclosure.

While some federal agencies and contractors are already negotiating CUI requirements, many entities will likely learn about it only when an update to a contract is requested, or when flow-downs from a prime contractor push this to smaller organizations. Meanwhile, global corporations will soon have to deal with international digital borders.

But just as these are digital problems, there are digital solutions. There are technologies already available to help manage the data categorization, along with the requisite access control and security requirements. It might help to consider government-controlled cloud environments, since much of this information will outlast many technology contracts.

In sum, CUI is coming, and it will be important. Staying ahead of it—rather than trying to catch up—with technologies now on the market will offer a major advantage.

For a complete list, see https://www.archives.gov/cui/registry/category-list

Copyright © 2023, Cyber Defense Magazine. All rights reserved worldwide.