
CUI Compliance

Note: The CUI policy framework requires Enterprise Edition.

The Controlled Unclassified Information (CUI) policy framework detects CUI exposure and generates violations according to NIST SP 800-171 requirements for federal contractors.

Overview

CUI is information that the government creates or possesses, or that a contractor creates or possesses on the government's behalf, and that a law, regulation or government-wide policy requires or permits to be handled with safeguarding or dissemination controls. 32 CFR Part 2002 establishes the CUI program, and NIST SP 800-171 sets the protection requirements for CUI on non-federal systems. Aquilon DLP's CUI policy helps federal contractors comply with:

  • 3.1.1 - Limit system access to authorized users
  • 3.1.2 - Limit system access to permitted transactions/functions
  • 3.1.3 - Control CUI flow per authorizations
  • 3.8.1 - Protect system media (physical and digital)
  • 3.8.2 - Limit CUI access to authorized users

CUI Categories

The CUI policy detects multiple categories defined by the CUI Registry:

Category | Description | Severity
Basic CUI | Standard CUI without specified handling requirements | High
Specified CUI (SP-*) | CUI with additional safeguarding requirements | Critical
FCI | Federal Contract Information | High
CDI | Covered Defense Information (DFARS 252.204-7012) | Critical
CTI | Controlled Technical Information (DoDI 5230.24) | Critical

Detection Methods

Government-Specific Scanners

Scanner | Detects | Severity
cui_marking | CUI banners and markings (CUI, CUI//SP-*, CONTROLLED) | Critical
export_control | ITAR, EAR and ECCN markings | Critical
gov_identifier | DoD EDI-PI (Electronic Data Interchange Personal Identifier) values | High

PII in Government Context

When PII or a credential appears alongside government context signals, the finding is raised as a CUI violation rather than an ordinary PII finding:

Scanner | Government context required | Severity
ssn | Federal employee or contractor context | Critical
email | .gov/.mil domain or federal context | Medium
api_key | Government system credentials | Critical
database_connection | Federal database connection strings | Critical
crypto | Encryption keys in government context | Critical

Configuration

Basic Configuration

[policies]
enabled_policies = ["cui"]

Advanced Configuration

[policies.policy_configs.cui]
settings = { detect_basic_cui = "true", detect_specified_cui = "true", detect_fci = "true", detect_cdi = "true", detect_cti = "true", confidence_threshold = "0.7" }

Configuration Options

Option | Description | Default
detect_basic_cui | Detect standard CUI markings | true
detect_specified_cui | Detect CUI//SP-* specified markings | true
detect_fci | Detect Federal Contract Information | true
detect_cdi | Detect Covered Defense Information | true
detect_cti | Detect Controlled Technical Information | true
confidence_threshold | Minimum scanner confidence (0.0-1.0) | 0.7

Context Detection

The CUI policy uses context signals to determine CUI category and severity:

Government Context Keywords

  • Federal terms: federal, government, agency, DoD, contractor, grantee
  • Contract terms: contract, DFARS, FAR, solicitation, RFP, task order, IDIQ
  • Classification: controlled, unclassified, FOUO, CUI, SBU, LES
  • Document types: statement of work, SOW, PWS, CDRL, DD254

Defense Context Keywords

  • Defense terms: defense, military, DoD, Pentagon, armed forces, warfighter
  • Contractor terms: prime, subcontractor, DIB, defense industrial base, CAGE code
  • Technical terms: technical data, specifications, engineering, schematics, drawings
  • Programs: ACAT, PEO, PM, acquisition, milestone

CUI Marking Patterns

The policy detects standard CUI banner and footer markings:

  • Banner formats: CUI, CONTROLLED, CUI//SP-*
  • Specified markings: CUI//SP-EXPT, CUI//SP-CTI, CUI//SP-PRVCY
  • Legacy markings: FOUO, SBU, LES (mapped to CUI categories)
  • Distribution statements: Distribution A-F, EXPORT CONTROLLED

Source Code Context

CUI in development environments receives elevated severity:

  • Repository indicators: .git, src/, lib/, include/
  • Code file extensions: .c, .cpp, .h, .py, .java, .rs
  • Build systems: Makefile, CMakeLists.txt, Cargo.toml

Example Context Flow

Example 1: PII with a DFARS contract reference

Finding: SSN "123-45-6789"
Context: "DFARS contractor employee records for contract W911NF-20-C-0001"
Result: Severity elevated to Critical (CDI context: DFARS contract number)

Example 2: Specified marking inside a source tree

Finding: CUI marking "CUI//SP-CTI"
Context: Found in file.cpp within a git repository
Result: Critical violation (CUI spillage into source code)

Violation Metadata

Each CUI violation carries the following metadata (shown here for a CDI finding):

{
  "policy": "CUI",
  "severity": "critical",
  "cui_category": "cdi",
  "nist_control": "3.8.1",
  "regulation": "DFARS 252.204-7012"
}
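The context rules above (marking patterns, government and defense keywords, the source-code heuristic) reproduced as an added, runnable example. This is not Aquilon DLP's code: the regular expressions, the keyword matching strategy, the source-tree test, the `reasons` field and the mapping from category to NIST control and regulation are all assumptions chosen to reproduce the two Example Context Flow cases and to emit the metadata shape shown above. Sample inputs are constructed.

```python
"""
Illustrative CUI context classifier. Added example, not Aquilon DLP code:
regexes, keyword lists, source-tree heuristic and the category -> NIST
control / regulation mapping are assumptions made for this example.
"""
import json
import re

# Specified CUI markings such as CUI//SP-CTI, CUI//SP-EXPT, CUI//SP-PRVCY.
SPECIFIED_RE = re.compile(r"\bCUI//SP-([A-Z]+)\b")
# Basic banners, and legacy markings that map onto basic CUI.
BASIC_RE = re.compile(r"\b(?:CUI|CONTROLLED)\b")
LEGACY_RE = re.compile(r"\b(?:FOUO|SBU|LES)\b")
# Shape of the contract number in the chapter's example (W911NF-20-C-0001); assumed.
DFARS_CONTRACT_RE = re.compile(r"\b[A-Z0-9]{6}-\d{2}-[A-Z]-\d{4}\b")

# Plain terms are matched case-insensitively; short acronyms are matched
# case-sensitively so "far", "les" or "pm" in ordinary prose do not count.
GOV_TERMS = ["federal", "government", "agency", "contractor", "grantee",
             "contract", "solicitation", "task order", "controlled",
             "unclassified", "statement of work"]
GOV_ACRONYMS = ["DoD", "DFARS", "FAR", "RFP", "IDIQ", "FOUO", "CUI", "SBU",
                "LES", "SOW", "PWS", "CDRL", "DD254"]
DEFENSE_TERMS = ["defense", "military", "pentagon", "armed forces", "warfighter",
                 "subcontractor", "defense industrial base", "cage code",
                 "technical data", "schematics", "drawings"]
DEFENSE_ACRONYMS = ["DoD", "DIB", "ACAT", "PEO", "DFARS"]


def _word_re(terms, flags=0):
    return re.compile(r"\b(?:" + "|".join(map(re.escape, terms)) + r")\b", flags)


GOV_RES = (_word_re(GOV_TERMS, re.I), _word_re(GOV_ACRONYMS))
DEFENSE_RES = (_word_re(DEFENSE_TERMS, re.I), _word_re(DEFENSE_ACRONYMS))

CODE_EXTS = (".c", ".cpp", ".h", ".py", ".java", ".rs")
REPO_DIRS = {".git", "src", "lib", "include"}
BUILD_FILES = {"Makefile", "CMakeLists.txt", "Cargo.toml"}

# Severity a scanner carries once government context is confirmed
# (from the "PII in Government Context" table).
BASE_SEVERITY = {"ssn": "critical", "email": "medium", "api_key": "critical",
                 "database_connection": "critical", "crypto": "critical",
                 "gov_identifier": "high"}
SEVERITY_ORDER = ["low", "medium", "high", "critical"]
REGULATION = {"cdi": "DFARS 252.204-7012", "cti": "DFARS 252.204-7012",
              "export_controlled": "ITAR/EAR"}


def _any(regexes, text):
    return any(r.search(text) for r in regexes)


def _elevate(severity):
    return SEVERITY_ORDER[min(SEVERITY_ORDER.index(severity) + 1, len(SEVERITY_ORDER) - 1)]


def in_source_tree(path):
    parts = path.replace("\\", "/").split("/")
    return (path.endswith(CODE_EXTS) or bool(REPO_DIRS & set(parts))
            or parts[-1] in BUILD_FILES)


def classify(scanner, value, context, path=""):
    """Return violation metadata in the chapter's JSON shape (plus a 'reasons'
    list), or None when the finding has no government context and is not CUI."""
    text = f"{value}\n{context}"
    reasons = []
    category = severity = None

    if m := SPECIFIED_RE.search(text):
        category = {"CTI": "cti", "EXPT": "export_controlled"}.get(m.group(1), "specified")
        severity = "critical"
        reasons.append(f"specified marking {m.group(0)}")
    elif m := LEGACY_RE.search(text):
        category, severity = "basic", "high"
        reasons.append(f"legacy marking {m.group(0)} mapped to basic CUI")
    elif BASIC_RE.search(text):
        category, severity = "basic", "high"
        reasons.append("basic CUI banner")

    # PII/credential findings only become CUI when government context is present.
    gov_domain = scanner == "email" and re.search(r"\.(?:gov|mil)\b", value, re.I)
    if category is None:
        if not (gov_domain or _any(GOV_RES, text) or _any(DEFENSE_RES, text)):
            return None
        category = "basic"
        severity = BASE_SEVERITY.get(scanner, "medium")
        reasons.append(f"{scanner} finding with government context")

    # A DFARS contract number or defense terms turn basic CUI into CDI.
    if DFARS_CONTRACT_RE.search(text) or _any(DEFENSE_RES, text):
        if category == "basic":
            category = "cdi"
        severity = "critical"
        reasons.append("defense context: DFARS contract number or DIB terms")

    # CUI landing in a source tree is treated as spillage across the boundary.
    spill = in_source_tree(path)
    if spill:
        severity = _elevate(severity)
        reasons.append("CUI inside a source tree")

    return {"policy": "CUI", "severity": severity, "cui_category": category,
            "nist_control": "3.13.1" if spill else "3.8.1",
            "regulation": REGULATION.get(category, "32 CFR Part 2002 / NIST SP 800-171"),
            "reasons": reasons}


if __name__ == "__main__":
    print(json.dumps(classify("ssn", "123-45-6789",
          "DFARS contractor employee records for contract W911NF-20-C-0001"), indent=2))
    print(json.dumps(classify("cui_marking", "CUI//SP-CTI", "", "repo/src/file.cpp"), indent=2))
```

The first call reproduces Example 1 (category cdi, Critical, DFARS 252.204-7012) and the second reproduces Example 2 (category cti, Critical, control 3.13.1 because the marking sits in a source tree). An email finding with no government signal returns None, which is the behaviour you want: it stays an ordinary PII finding instead of inflating the CUI queue.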

Compliance Reporting

Query CUI Exposures

-- All CUI exposures
SELECT path, scanner, severity, timestamp
FROM aquilon_dlp_alerts
WHERE policy = 'CUI'
ORDER BY timestamp DESC;

Defense Contract Compliance

For DFARS 252.204-7012 reporting, pull the Critical findings. A severity filter also returns Specified CUI (CUI//SP-*) and export-control findings, so separate the CDI/CTI subset using the cui_category carried in the violation metadata.

-- Critical CUI exposures (CDI, CTI, Specified CUI, export control)
SELECT path, scanner, severity, timestamp
FROM aquilon_dlp_alerts
WHERE policy = 'CUI'
  AND severity = 'critical';

Best Practices

Monitoring Strategy

  1. Alert on Critical immediately: CUI markings, export control, CDI/CTI
  2. Daily review of High: FCI, government identifiers
  3. Weekly audit: PII in government context

CUI Category Prioritization

Different CUI categories require different response times:

Immediate Response (< 1 hour):

  • CUI//SP-* (Specified CUI with additional safeguards)
  • CDI (Covered Defense Information under DFARS)
  • CTI (Controlled Technical Information)
  • Export-controlled data (ITAR/EAR)

Same-Day Response:

  • Basic CUI markings
  • FCI (Federal Contract Information)
  • Government credentials/API keys

Weekly Review:

  • PII with government context (no explicit CUI marking)
  • Legacy markings (FOUO, SBU) requiring reclassification
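The response tiers above, combined with the Compliance Reporting queries, as an added triage example. This is not Aquilon DLP code: it assumes aquilon_dlp_alerts has the columns used by the chapter's queries plus a cui_category column mirroring the violation metadata, the rows are constructed sample data, and the tier rules and deadlines (1 hour, 24 hours, 7 days) are taken from the lists above.

```python
"""
Triage helper for CUI alerts. Added example, not part of Aquilon DLP.
Assumes aquilon_dlp_alerts carries the columns used in this chapter's
queries plus a cui_category column (mirroring the violation metadata);
rows are constructed sample data; tiers follow "CUI Category Prioritization".
"""
import sqlite3
from datetime import datetime, timedelta

IMMEDIATE_CATEGORIES = {"specified", "cdi", "cti", "export_controlled"}
SAME_DAY_SCANNERS = {"cui_marking", "api_key", "database_connection", "crypto"}
DEADLINE = {"immediate": timedelta(hours=1),
            "same_day": timedelta(days=1),
            "weekly": timedelta(days=7)}

# Constructed sample rows: (path, scanner, severity, timestamp, policy, cui_category)
SAMPLE_ALERTS = [
    ("/srv/share/specs/turret.pdf", "cui_marking", "critical", "2024-05-01T08:00:00", "CUI", "cti"),
    ("/home/dev/app/src/config.py", "api_key", "critical", "2024-05-01T06:00:00", "CUI", "basic"),
    ("/srv/share/hr/roster.xlsx", "ssn", "critical", "2024-04-20T12:00:00", "CUI", "cdi"),
    ("/srv/share/memo.docx", "email", "medium", "2024-04-29T12:00:00", "CUI", "basic"),
    ("/srv/share/vendors.csv", "email", "low", "2024-05-01T09:00:00", "PII", None),
]


def load_alerts(rows=SAMPLE_ALERTS):
    """Build an in-memory table with the assumed schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE aquilon_dlp_alerts (
        path TEXT, scanner TEXT, severity TEXT, timestamp TEXT,
        policy TEXT, cui_category TEXT)""")
    conn.executemany("INSERT INTO aquilon_dlp_alerts VALUES (?, ?, ?, ?, ?, ?)", rows)
    return conn


def cui_exposures(conn):
    """The chapter's 'All CUI exposures' query, with cui_category added."""
    return conn.execute("""SELECT path, scanner, severity, timestamp, cui_category
                           FROM aquilon_dlp_alerts
                           WHERE policy = 'CUI'
                           ORDER BY timestamp DESC""").fetchall()


def response_tier(scanner, cui_category):
    if cui_category in IMMEDIATE_CATEGORIES:
        return "immediate"
    if scanner in SAME_DAY_SCANNERS or cui_category == "fci":
        return "same_day"
    return "weekly"  # PII with government context, legacy markings


def overdue(conn, now):
    """CUI alerts whose response window had already elapsed at `now`
    (datetime or ISO-8601 string), most overdue first."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now)
    late = []
    for path, scanner, _severity, ts, category in cui_exposures(conn):
        tier = response_tier(scanner, category)
        due = datetime.fromisoformat(ts) + DEADLINE[tier]
        if now > due:
            late.append((path, tier, now - due))
    return sorted(late, key=lambda row: row[2], reverse=True)


def tier_counts(conn):
    counts = {"immediate": 0, "same_day": 0, "weekly": 0}
    for _path, scanner, _sev, _ts, category in cui_exposures(conn):
        counts[response_tier(scanner, category)] += 1
    return counts


if __name__ == "__main__":
    db = load_alerts()
    print(tier_counts(db))
    for path, tier, late_by in overdue(db, "2024-05-01T09:30:00"):
        print(f"{tier:9} overdue by {late_by}: {path}")
```

Run against the sample rows at 09:30 on 1 May, the roster (CDI, eleven days old) and the CTI-marked spec (found at 08:00, one-hour window) come back as overdue, the API key in the source tree still has most of its same-day window left, and the .gov/.mil email sits in the weekly queue. The PII-policy row is excluded by the chapter's `policy = 'CUI'` filter.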

Spillage Response Procedures

When CUI is detected outside authorized boundaries:

  1. Contain: Immediately restrict access to the file/location
  2. Preserve: Do not delete - preserve for incident investigation
  3. Notify: Alert your Facility Security Officer (FSO) or ISSO
  4. Document: Record in incident tracking system
  5. Assess: Determine whether the spillage is a reportable incident; for CDI, DFARS 252.204-7012 requires cyber incidents affecting covered defense information to be reported to DoD within 72 hours of discovery
  6. Remediate: Securely delete the copy or move it to authorized storage
  7. Report: Update your SPRS self-assessment score if a control failure is identified

NIST SP 800-171 Assessment Support

Use Aquilon DLP findings to support your NIST assessment:

  • 3.1.1/3.1.2 (Access Control): CUI found in locations reachable by users outside its authorization
  • 3.8.1 (Media Protection): CUI on unprotected storage locations
  • 3.8.2 (Media Access): CUI accessible to unauthorized users
  • 3.13.1 (Boundary Protection): CUI spillage outside authorization boundary

Remediation Workflow

  1. Identify: Aquilon DLP detects CUI exposure
  2. Classify: Determine CUI category (Basic, Specified, CDI, CTI)
  3. Assess: Evaluate spillage scope and potential impact
  4. Contain: Move to authorized storage or encrypt
  5. Document: Record for NIST SP 800-171 assessment
  6. Report: Include in SPRS score if applicable
  7. Prevent: Implement controls to prevent recurrence