Controlled Unclassified Information in Federal Supply Chain Security

Federal supply chain

CUI helps manage sensitive information collected by Federal agencies

Supply chain security has for years been a concern not only for private organizations but also for government entities. The federal supply chain involves all activities associated with the flow and transformation of materials and services from inbound upstream suppliers to end-users through downstream distribution and a service provider network. To gain end-to-end supply chain visibility and real-time data for better decision-making, federal agencies need to integrate novel approaches and technologies.

In an article published on Fedscoop, Jim Richberg, CISO of Fortinet Federal, noted that the concept of controlled unclassified information (CUI) has emerged as the leading standard for federal IT supply chains, putting all parties on the same page.


Understanding Controlled Unclassified Information

CUI refers to information created or owned by the government that requires safeguarding or dissemination controls under and consistent with regulations and government-wide policies. It is not classified information, and it is not corporate intellectual property unless created for or included in requirements related to a government contract. Because there are fewer controls over CUI than over classified information, it is the path of least resistance for adversaries.

Federal agencies routinely generate, use, store and share information that requires protection for privacy, law enforcement, and other reasons pursuant to and consistent with law, regulation, and Government-wide policy. Previously, each agency created its own practices for sensitive unclassified information, resulting in a patchwork of systems across the Executive branch in which similar information might be defined and labeled differently, or different information might share a definition and label, depending on the agency that originally created the information.

The introduction of the CUI program represents an unprecedented initiative to standardize practices across over 100 separate departments and agencies to enable timely and consistent information sharing and strengthen transparency throughout the Federal government and with non-Federal stakeholders. These stakeholders include state, local, tribal and private sector entities; academia; and industry.


CUI in Federal IT Supply Chain Security

According to Devin Casey, implementation lead for CUI oversight at the National Archives, the intent of controlled unclassified information, as it is most often called, is to standardize and baseline security for the variety of unclassified information types that the government is required or permitted to protect. The CUI program standardizes the safeguarding, marking, handling and baseline requirements to identify and safeguard the information that is being used throughout the entire executive branch, contrasted with agencies having all of their own programs and markings and different standards, he said.

Jim noted that CUI helps to rationalize the alphabet soup of acronyms used across the federal government in managing this sensitive information.

Supply chain security has always been a top priority for the Federal supply chain. In 2018, the U.S.-China Economic and Security Review Commission cautioned in its report that software supply chain attacks would become easier and more rampant over time.