CUI Fundamentals: 100 Questions (and Answers) About the United States Government's Controlled Unclassified Information Program

By James Goepel

The United States Federal Government's Controlled Unclassified Information ("CUI") program completely transforms the way unclassified information is shared and handled by and with the government. The CUI program impacts not only federal employees, but also government contractors and others who interact with the federal government.

<

• Language: English
• Publisher: CMMC Information Institute
• Release date: Sep 29, 2023
• ISBN: 9798989103713

James Goepel

James ("Jim") Goepel is a lawyer (JD and LLM from The George Mason University School of Law) and engineer (BSECE from Drexel University). He earned Provisional Instructor, Provisional Assessor, Certified CMMC Professional, and Certified CMMC Assessor certifications from the CMMC Accreditation Body (the "Cyber AB".)Jim has had a diverse career in and out of government. Prior to law school, Jim was a civilian engineer with the United States Coast Guard and worked in the civilian space program. He was also a software developer on US government contracts, and developer and systems administrator for several organizations, including for the United States Congress, where he managed and secured systems which processed approximately 85% of the legislation that came before Congress.During and since law school, Jim has advised government contractors, from small businesses to $1B+ organizations, on legal, cybersecurity, business operations, IT, intellectual property, technology transfer, and other topics.Jim is a co-founder of the CMMC Information Institute, a non-profit (501(c)(3)) educational organization. He is also a former professor at Drexel University, where he created and taught undergraduate and graduate cybersecurity courses.Jim is also one of the Founding Directors of the Cyber AB. During his tenure, he was elected as Board Treasurer and created and taught the ecosystem's first official CMMC educational program.

Book preview

CUI Fundamentals

100 Questions

(and Answers)

about the

United States

Government’s

Controlled

Unclassified

Information

Program

By: James Goepel

CUI Fundamentals: 100 Questions (and Answers) About the United States Government’s Controlled Unclassified Information Program

Copyright 2023 James Goepel, All Rights Reserved

First Edition

Although the author has made every effort to ensure that the information in this book was correct at press time, the author does not assume and hereby disclaims any liability to any party for any loss, damage, or disruption caused by any errors or omissions, whether such errors or omissions result from negligence, accident, or any other cause.

All liability from the contents of this book belongs to the author. All writing, opinions, and (purported) statements of fact are solely from and due to the author’s personal experience and research. None of the author’s employers or other related entities have reviewed the contents of this book nor have they reviewed any of the statements that may relate to them. Readers should not construe any statements contained in this book to be from or approved by any of those entities. All writing and statements are the sole responsibility of the author.

For reprint, excerpt, or other requests, the author can be emailed at Jim@FathomCyber.com or contacted via LinkedIn: https://www.linkedin.com/in/james-goepel-gc-cto-cyber/

Table of Contents

Chapter 1: About This Book

1.      Who is the intended audience for this book?

2.      Does this book provide legal advice?

3.      How is this book structured?

4.      Why are the questions numbered?

5.      Where can I learn more about CUI?

6.      What are the differences between NARA training and DoD training?

Chapter 2: CUI Program History

7.      Where did the CUI program come from?

8.      What motivated the government to create the CUI program?

9.      How did the government’s need-to-know approach to unclassified information allow for the 9/11 Attacks?

10.      What was the 9/11 Commission’s recommendation?

11.      How did the Government respond to the 9/11 Commission’s findings?

12.      Is the CUI program going away?

Chapter 3: CUI Program Overview

13.      What are some of the goals of the CUI Program?

14.      How does the CUI program achieve these goals?

15.      Is there only one sensitivity category for unclassified information?

16.      What are some of the advantages of this new approach?

17.      Who oversees the CUI program?

18.      What is the difference between the NARA CUI program and the Agency X CUI program?

Chapter 4: FCI and CUI

19.      Does the government care about safeguarding only CUI and classified information?

20.      What is FCI?

21.      What are some examples of FCI?

22.      Then what is CUI?

23.      What is the difference between CUI and FCI?

24.      What are some examples of CUI?

25.      Is there a list of all the LRGWPs?

26.      How many LRGWPs are in the CUI Registry?

27.      Are the LRGWPs organized in some way?

28.      What is the difference between CUI Basic information and CUI Specified information?

29.      Why is the distinction between CUI Basic and CUI Specified considered important?

30.      Can information ever stop being CUI?

31.      What can cause CUI to be decontrolled?

32.      Once information is decontrolled, can it be made available to the public?

Chapter 5: Designating and Marking CUI

33.      What is the difference between designating and marking information as CUI?

34.      Who is authorized to designate information as CUI?

35.      Does a government contractor have inherent CUI designation authority?

36.      Is delegation of authority the only issue with CUI designation?

37.      Why do we mark information as CUI?

38.      When must CUI be marked?

39.      What is dissemination?

40.      Who determines how to mark information as CUI?

41.      What must be included to properly mark CUI?

42.      What must be included in a CUI Banner marking?

43.      What must be included in a CUI designation block?

44.      Are there any quick reference guides for marking CUI?

45.      Where can I learn more about how to mark CUI?

Chapter 6: Copies and Derivative Works

46.      Must copies of CUI be marked as CUI?

47.      How should copies of CUI be marked?

48.      What is a derivative work?

49.      Should derivative works be marked as CUI?

50.      How do I know when my derivative work is different enough to no longer be CUI?

51.      How should the derivative work be treated while awaiting an answer?

52.      Can’t we just mark all information as CUI?

53.      Can we treat all information as though it is CUI?

Chapter 7: Legacy Information

54.      Is all information with