Best Practices for Emailing CUI to Protect Your Organization

Author

Reads 1.2K

Chapel of Mercy on Nui Cui Mountain View from Below at Sunset, Vietnam | Catholic Pilgrimage Site Landscape
Credit: pexels.com, Chapel of Mercy on Nui Cui Mountain View from Below at Sunset, Vietnam | Catholic Pilgrimage Site Landscape

To protect your organization, it's essential to follow best practices when emailing CUI. CUI, or Controlled Unclassified Information, requires special handling to prevent unauthorized access.

Use a secure email system that uses encryption and two-factor authentication to protect CUI in transit. This is a must-have for organizations that handle sensitive information.

Limit access to CUI to only those who need it, and use role-based access controls to ensure that employees can only view the information they're authorized to see. This helps prevent accidental disclosure.

Use secure protocols like S/MIME or PGP to encrypt CUI in emails.

Broaden your view: Email Addresses to Use

What Is

Emails are considered Controlled Unclassified Information (CUI) if they require a CUI designation from Federal government entities or entities working on behalf of the federal government.

The CUI designation is usually marked in the subject line and body of an email, and if Proofpoint detects these markings, it will flag the email as CUI and apply certain policies.

Federal government entities or entities working on behalf of the federal government are responsible for including a CUI designation in electronic communications if required.

Proofpoint checks the subject line and body of an email for CUI-related markings, which can trigger a CUI flag and specific policies.

If this caught your attention, see: Why Is Cui Important

Marking and Flagging

Credit: youtube.com, How and When to Use All 9 Non-Traditional CUI Markings

CUI flagged emails won't be delivered directly to your mailbox, instead, they'll come in from the original sender with the original subject line.

Additional processing for CUI emails can slow down delivery, so it may take a few moments for the email to show up in your quarantined mailbox.

If you get an error trying to access a CUI email, wait a few minutes before trying again.

To mark CUI in emails, a banner marking will be placed at the top of the email body and the email must carry a CUI Designation Indicator.

When forwarding an email that contains CUI, you must include all the original CUI markings.

NARA recommends terminating the subject line with the phrase "[Contains CUI]".

If an email includes an attachment that contains CUI, NARA recommends indicating the presence of CUI in the file name, such as "FileName[CONTAINS CUI].docx".

Suggestion: Print Emails

Controls

Emailing CUI requires special handling to ensure confidentiality and security.

Incoming CUI emails will be quarantined, encrypted, and restricted from forwarding.

Credit: youtube.com, Controlled Unclassified Information - Introduction to Marking

The encrypted email portal will automatically log out after a period of inactivity.

Decryption keys have an expiration time, after which the emails will no longer be available.

Here are some key controls to keep in mind when emailing CUI:

  • Quarantine: Incoming CUI emails will be quarantined.
  • Encryption: Incoming CUI emails will be encrypted.
  • Restrictions: CUI emails will be restricted from forwarding.
  • Internal flags: CUI emails, both incoming and outgoing, will be flagged internally.
  • Tracking: CUI emails will be tracked.

Please exercise caution and good judgement in storage and sharing of emails labeled as CUI.

Challenges and Awareness

The DoD Inspector General recently released a highly critical report about the Department's implementation of the CUI program, highlighting the problems with CUI warnings.

Ironically, unwarranted CUI warnings can themselves constitute a policy violation, obstructing public transparency and congressional oversight.

A generic CUI warning is insufficient to comply with marking requirements, which demand headers, footers, and portion markings like classified information.

The CUI program is becoming a potent tool for whistleblower reprisal and exercising personal vendettas, as I wrote about earlier this year.

Why Are Emails Considered Spam?

Some emails are considered spam because they contain certain keywords or phrases that trigger spam filters.

See what others are reading: Emailing Spam

Credit: youtube.com, Understanding Spam and Phishing

Spam filters often check the subject line and body of an email for these keywords, just like Proofpoint checks for CUI-related markings in emails.

Emails that are flagged as CUI are also often considered spam, as they may contain sensitive information that shouldn't be shared widely.

Spam filters can be overly sensitive and flag emails that are not actually spam, which can be frustrating for senders and recipients alike.

Certain email senders, like Federal government entities or entities working on behalf of the federal government, are more likely to send emails that are flagged as spam due to their use of CUI-related markings.

Challenges with Warning

Ironically, using a CUI warning can itself be a policy violation if it's unwarranted. CUI warnings can't be used to obstruct public transparency or congressional oversight, which is exactly what happens when they're misapplied.

The DoD Inspector General recently released a highly critical report about the Department's implementation of the CUI program, highlighting the problems with CUI warnings. This issue is not new and is not limited to the DoD context.

A generic CUI warning is insufficient to comply with marking requirements that demand specific headers, footers, and portion markings, similar to those used for classified information.

Designation and Indicators

Credit: youtube.com, Controlled Unclassified Information - Introduction to Marking

To indicate that an email contains Controlled Unclassified Information (CUI), you must include a CUI Designation Indicator. This can be done through a letterhead, a signature block that includes the agency, or a "Controlled by" line.

The CUI Designation Indicator is required to ensure that the recipient knows the email contains sensitive information. This is a crucial step in maintaining the security and integrity of the information.

You can use a letterhead that includes the agency's name and logo to indicate CUI, or add a "Controlled by" line to the email.

Designation Indicator: All Documents Must Indicate Agency

The designation indicator is a crucial part of marking documents that contain Controlled Unclassified Information (CUI). It requires the use of a letterhead that includes the agency's name.

To accomplish this, you can also include the agency's name in a signature block. This is a common practice that helps ensure compliance.

The CUI Designation Indicator is required by law, and its purpose is to clearly indicate that the document contains sensitive information.

Determine the Category

Lawyer Working on his Computer
Credit: pexels.com, Lawyer Working on his Computer

Determining the category of Controlled Unclassified Information (CUI) is a crucial step in ensuring its proper handling and protection.

The originator of media that contains CUI is responsible for determining its category at origination.

You should consult relevant contract documents, the Prime contractor, or government program management office for guidance on identifying and marking media with necessary CUI markings and distribution limitations.

Laws, policies, and regulations associated with how information is produced or used determine whether information is deemed CUI.

For example, if a company produces a widget for the DoD, the engineering drawings, research data, and process sheets are considered CUI and must be marked as such.

But if the same widget is produced for commercial use, those same engineering drawings, research data, and process sheets are not CUI.

On a similar theme: Cold Emailing for Research

Federal Contractors and Employees

If you're a federal contractor or employee dealing with Controlled Unclassified Information (CUI), it's essential to know where to start. Go straight to the source and read 32 CFR Part 2002, Executive Order 13556, and the National Archives and Records Administration's (NARA's) CUI Registry.

Credit: youtube.com, Emailing Federal Contracting Officers Effectively

To get the most up-to-date information, access all of this through NARA's CUI website. Inquire with your organization's security office whether your department or agency has implemented the CUI program yet. There are a handful of outliers that haven't yet done so.

If your organization has implemented the CUI program, ask your security office for any agency-specific trainings or policy memoranda that supplement the primary authorities identified above. DoD Instruction 5200.48 is a significant one to be aware of.

Katrina Sanford

Writer

Katrina Sanford is a seasoned writer with a knack for crafting compelling content on a wide range of topics. Her expertise spans the realm of important issues, where she delves into thought-provoking subjects that resonate with readers. Her ability to distill complex concepts into engaging narratives has earned her a reputation as a versatile and reliable writer.

Love What You Read? Stay Updated!

Join our community for insights, tips, and more.