WHAT’S CUI GOT TO DO WITH IT ? (SPOILER ALERT! TLS 3.0 IS INSUFFICIENT FOR ENCRYPTING CUI )

Sometimes you need a trusted turn-key cybersecurity provider like Aramint Cyber Compliance

(https://aramintcyber.com) to help you sort through the risks and pitfalls of protecting CUI.

Controlled Unclassified Information (CUI, https://ecfr.io/Title-32/pt32.6.2002) has been the focus of the continually-developing Cybersecurity Maturity Model Certification standards. It actually has two variations: CUI Basic and CUI Specified. CUI Basic is the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. CUI Specified is the subset of CUI in which the authorizing law, regulation, or Government-wide policy contains specific handling controls.

Both require protection at an appropriate risk-cost protection level just below classified information, with guidelines delineated as CMMC 2.0 Levels 1, 2, or 3 – Level 3 is the highest and is still being defined.

One way to look at information and to determine if it is CUI is to look at its origin and markings:
C – Is the data originally Created by the government and provided to you in association with a contract?

U- Is the data going to be Used to deliver your contractual responsibilities to the government?

I- Can the data type be Identified within the sub-categories listed on the NARA CUI registry?

Just like FOUO or SSI or other sensitive but unclassified information, CUI requires markings on cover pages and within documents, AND it must be encrypted when sent via email.  Per DoD guidance, CUI should be marked in the description (anything with the letters CUI basically suffices — the training at https://dodcui.mil explains the marking requirements), at the top and bottom of the email text, and at the top and bottom of any attachments on each page.  CUI itself must be encrypted using AES 256 encryption keys and FIPS 140-2 ciphers (this is something your IT department can set up).  Even though most people look at SSL (Secure Sockets Layer) and its follow-on implementation, TLS 3.0 (Transport Layer Security) as encryption, neither is sufficient to meet the needs for CUI encryption.  (NOTE:  Be wary – there are websites and descriptions with misleading information on this topic!).

Why?  Because TLS only encrypts from the sender’s SMTP email server to the first receiving mail server or mail transfer agent (MTA).  Or sometimes to neither (if an attack is present).  Regardless, to protect CUI, users must encrypt any portion of email messages containing CUI, and for simplicity, encrypting the whole message solves this problem.  Using application-level encryption (such as Powerpoint or Word) is easily cracked, usually has the wrong key length or cipher, and does not meet CUI protection requirements.  And to be more specific as to why encryption is necessary:

• The receiving SMTP server is not necessarily the final recipient’s email server.
• The receiving SMTP server is capable of forwarding the message on to another SMTP server without using TLS.
• The receiving SMTP server could be malicious (e.g., in case someone planted fraudulent DNS MX records) and can read the message contents and do something nefarious with the information contained in the email.

Now that you know what not to do, what can you do?  That’s where Aramint Cyber Compliance comes in.  When using other solutions or vendors, it’s difficult (or sometimes impossible) to know how their email is set up.  In some cases, they don’t even support the proper encryption necessary to protect CUI while transferring it to/from your Government customers, or across your supply chain.

Aramint Cyber compliance solves that problem.  By integrating with your existing Outlook and other Microsoft applications (or other clients such as Thunderbird if you prefer), Aramint Cyber ensures that the proper encryption keys, the proper encryption cipher methods, and the transmission paths are all protected so you can know that your CUI, and your full compliance, are all ensured.

And isn’t that what you want, so you can focus on your core services?(For more information, contact Aramint Cyber Compliance at 888-720-1150, or sales [at] aramintcyber.com)