CUI Marking Tool Software Package

The National Science Foundation, Division of Administrative Services (DAS) has a requirement to manage the Controlled Unclassified Information (CUI) program in accordance with federal regulation, which applies to all executive branch agencies, their partners, and non-government organizations (such as federal contractors) that generate, process, store, or transmit CUI. The program requires agencies to mark documents, emails and correspondence that contain CUI, see examples below. In 2021, DAS acquired Titus Classification Suite software to support this effort. The software includes 4,000 licenses. The objective of this requirement is to renew the software license in continued support and to ensure compliance.

Established by Executive Order 13556 in 2010, the CUI program standardizes the way all government agencies and military entities handle unclassified information that requires safeguarding or dissemination controls. It clarifies and limits what kinds of information to protect, defines what is meant by “safeguard,” reinforces existing legislation and regulations, and promotes authorized information- sharing.

NIST SP 800-171 The US National Institute of Standards and Technology (NIST) promotes and maintains measurement standards and guidelines to help protect the information and information systems of federal agencies. In response to Executive Order 13556 on managing CUI, NIST SP 800–171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. CUI is defined as information—both digital and physical—created by a government (or an entity on its behalf) that, while not classified, is still sensitive and requires protection. NIST SP 800–171 was originally published in June 2015 and has been updated several times since then in response to evolving cyberthreats. It provides guidelines on how CUI should be securely accessed, transmitted, and stored in nonfederal information systems and organizations; its requirements fall into four main categories: • Controls and processes for managing and protecting • Monitoring and management of IT systems • Clear practices and procedures for end users • Implementation of technological and physical security measures.