The CUI security requirements described in this publication have been developed based on three fundamental assumptions:
• Statutory and regulatory requirements for the protection of CUI are consistent, whether such information resides in federal information systems or nonfederal information systems including the environments in which those systems operate;
• Safeguards implemented to protect CUI are consistent in both federal and nonfederal information systems and organizations; and
• The confidentiality impact value for CUI is no lower than moderate [14] in accordance with Federal Information Processing Standards (FIPS) Publication 199. [15]
The above assumptions reinforce the concept that federal information designated as CUI has the same intrinsic value and potential adverse impact if compromised—whether such information resides in a federal or a nonfederal organization. Thus, protecting the confidentiality of CUI is critical to the mission and business success of federal agencies and the economic and national security interests of the nation. Additional assumptions also impacting the development of the CUI security requirements and the expectation of federal agencies in working with nonfederal entities include:
• Nonfederal organizations have information technology infrastructures in place, and are not necessarily developing or acquiring information systems specifically for the purpose of processing, storing, or transmitting CUI;
• Nonfederal organizations have specific safeguarding measures in place to protect their information which may also be sufficient to satisfy the CUI security requirements;
• Nonfederal organizations can implement a variety of potential security solutions either directly or through the use of managed services, to satisfy CUI security requirements; and
• Nonfederal organizations may not have the necessary organizational structure or resources to satisfy every CUI security requirement and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a particular requirement.
[14] The moderate impact value defined in FIPS Publication 199 may become part of a moderate impact system in FIPS Publication 200, which in turn requires the use of the moderate security control baseline in NIST Special Publication 800-53 as the starting point for tailoring actions.
[15] In accordance with 32 CFR 2002(g), CUI is categorized at no less than the moderate confidentiality impact value. However, when federal law, regulation, or governmentwide policy establishing the control of the CUI specifies controls that differ from those of the moderate confidentiality baseline, then these will be followed.