Does controlled unclassified information need to be encrypted?

Controlled unclassified information (CUI) refers to information that requires safeguarding or dissemination controls pursuant to laws, regulations, or government-wide policies. However, CUI does not include classified national security information. With the increasing amount of sensitive information being stored and transmitted electronically, encryption has become an important tool for protecting CUI. This article examines the risks of unencrypted CUI, the benefits of encryption, and whether encryption should be mandatory for all CUI.

What is controlled unclassified information (CUI)?

CUI is information that requires protection under law or policy but is not classified national security information. Some examples of CUI include:

– Law enforcement sensitive information
– Personally identifiable information (PII)
– Proprietary business information
– Export controlled information
– Tax return information
– Census data
– Nuclear Regulatory Commission information

Federal agencies and contractors routinely handle large volumes of CUI in the course of their work. Protecting this information from unauthorized access or disclosure is important for privacy, security, and compliance reasons.

Risks of unencrypted CUI

When CUI is transmitted or stored without encryption, it is vulnerable to interception and misuse by malicious actors. Some of the risks include:

Data breaches

Unencrypted CUI is an attractive target for cybercriminals looking to steal and exploit sensitive information. High-profile data breaches at agencies like OPM and security contractors like USIS demonstrate how hundreds of thousands of records containing PII and other CUI can be exfiltrated when not properly encrypted.

Privacy violations

Intercepting unencrypted CUI can lead to serious invasions of privacy when sensitive PII, trade secrets, or privileged information is obtained and misused by unauthorized parties. This undermines trust in government agencies and contractors to safeguard data.

Financial fraud

Sensitive financial account numbers, tax IDs, and other information found in unencrypted CUI can be used to commit identity theft and financial fraud. The Equifax breach of 2017 highlighted how 145 million consumers’ personal data can end up in criminal hands.

Intellectual property theft

Unencrypted proprietary business information, trade secrets, and sensitive research can be lucrative targets for economic espionage by foreign intelligence services and competitors when not properly protected through encryption.

Regulatory non-compliance

Many laws and regulations, such as HIPAA, FERPA, and state data security laws, mandate encryption of sensitive data like medical records and student records when transmitted or in storage. Handling unencrypted CUI often results in compliance violations.

Benefits of encrypting CUI

Encrypting CUI provides multiple security and compliance benefits:

Prevents unauthorized access

Encryption converts plaintext information into ciphertext that cannot be read without the corresponding decryption key. This helps prevent unauthorized parties from accessing and reading sensitive CUI.

Protects data integrity

Encryption makes it difficult for adversaries to alter or tamper with CUI without detection. This protects the integrity and reliability of the information. Note that confidentiality-only modes do not by themselves detect modification; tamper detection comes from authenticated encryption (such as AES-GCM) or a separate message authentication code over the ciphertext.

Enables secure transmission

Encrypted CUI can be transmitted over networks and the internet because anyone who intercepts it cannot read it without the key. This allows broader information sharing while maintaining confidentiality.

Allows secure remote access

Encryption enables remote employees, partners, and others to securely access CUI from outside the office over VPNs and cloud services. This supports telework and mobility initiatives.

Complies with regulations

Encrypting CUI helps federal agencies and contractors comply with a growing array of laws, regulations, and policies mandating protection of sensitive information.

Builds public trust

Encrypting CUI demonstrates a commitment to information security that builds public confidence that government and industry can be trusted custodians of sensitive data.

Arguments against mandatory encryption

While there are compelling reasons to encrypt CUI, some arguments against making it mandatory include:

Encryption has costs

Purchasing, implementing, and managing encryption across large enterprises represents a significant cost in technology, training, and overhead. Mandating encryption for all CUI could be cost prohibitive.

Incompatible legacy systems

Much CUI resides on older legacy systems that cannot support encryption capabilities without expensive upgrades or replacements.

Performance impacts

Encrypting all CUI could noticeably degrade network performance, application response times, and overall productivity for some organizations.

Encryption complicates auditing

Mandating encryption could hamper activities like eDiscovery during litigation or audits that require accessing and reviewing cleartext documents and communications.

Gives false sense of security

Encryption does not guarantee security or compliance. Weak encryption algorithms, poor key management, and insider threats all undermine its effectiveness.

Stifles information sharing

Universal encryption could negatively impact collaboration and information sharing between parties that cannot decrypt each other’s data.

Criteria for mandating CUI encryption

Rather than mandating encryption for all CUI, policymakers should take a risk management approach that considers:

CUI categories requiring encryption

Encryption should be mandatory for CUI categories where the benefits clearly outweigh the costs, such as PII, medical information, trade secrets, and intellectual property.

Transmission encryption

Encrypting CUI during transmission over networks should generally be required to prevent interception.

Data-at-rest encryption

CUI data stored on laptops, mobile devices, removable media, cloud services, and other systems with higher risk of loss or theft should require encryption.

Legacy systems

Legacy systems that cannot support encryption may need exceptions or additional physical and access controls to compensate for lack of encryption.

Compliance mandates

CUI categories subject to regulatory mandates like HIPAA and FERPA should always be encrypted as required.

Cost-benefit analysis

The costs and benefits of encrypting specific types of CUI within an organization should be analyzed case-by-case in light of risk management priorities and constraints.

Best practices for CUI encryption

If implementing encryption for CUI, best practices include:

Select strong algorithms

Use approved algorithms such as AES-256 for encryption and SHA-256 for hashing and integrity checks, rather than older algorithms known to be vulnerable to attack.

Properly generate and protect keys

Use secure processes for generating, storing, and escrowing encryption keys. Change default keys.

Validate encryption systems

Confirm encryption software is configured, maintained, and updated according to best practices.

Combine with access controls

Layer encryption with proper identity, authentication, and access controls for defense-in-depth.

Train end users

Provide training to prevent errors that compromise encryption, such as exposing keys.

Plan for emergency access

Have contingency methods like key escrow to decrypt and recover encrypted CUI when keys are lost.

Conclusion

While mandatory encryption of all CUI currently seems impractical and overly burdensome for many organizations, a risk-based approach targeting the most sensitive information and deployments provides substantial security and compliance benefits. As encryption technology continues advancing and becoming more scalable, ubiquitous encryption of CUI will become more feasible over time. But for now, encryption should at least be mandated and implemented wherever it can demonstrably support an organization’s risk management, compliance, and information protection requirements. Carefully assessing the categories of CUI that need encryption along with the systems and use cases that would benefit most is key to maximizing information security while managing constraints.
