Controlled Unclassified Information - Handling, Storage and Controlling Access to Areas where CUI is Processed or Maintained

Overview

Finding IDVersionRule IDIA ControlsSeverity
V-245845IS-16.02.03SV-245845r1226309_rule-medium
Description
Failure to handle CUI in an approved manner can result in the loss or compromise of sensitive information. REFERENCES: Executive Order 13556, Controlled Unclassified Information (CUI) The Information Security Oversight Office (ISOO): https://www.archives.gov/cui CJCSI 6510.01F, INFORMATION ASSURANCE (IA) AND SUPPORT TO COMPUTER NETWORK DEFENSE (CND); Enclosure C, paragraph 25.d. NIST Special Publication 800-53 (SP 800-53), Controls: MP-4 and PE-3. DOD Manual 5200.01, Volume 3, 24 February 2012, SUBJECT: DOD Information Security Program: Protection of Classified Information; Enclosure 7, paragraph 13.f. DODI 5200.48 Controlled Unclassified Information (CUI) 32 CFR 117 and 32 CFR 2001 and 2003 as well as DOD Manual 5220.32 Volume 1
STIGDate
Traditional Security Checklist2026-06-17

Details

Check Text (C-245845r1226309_chk)

1. During working hours, reasonable steps shall be taken to minimize the risk of access by unauthorized personnel. This would include things like placing cover sheets on CUI documents and allowing unescorted access to areas where CUI (documents and AIS storage media) is processed/handled to only those persons with at least a favorably adjudicated National Agency Check (NAC). 2. After working hours, CUI information (documents and removable media) may be stored in unlocked containers, desks, or cabinets if government or government-contract building security is provided. If such building security is not provided or is deemed inadequate, the information (documents and removable media) must be stored in locked desks, file cabinets, bookcases, locked rooms, etc. In all cases, CUI documents must be placed out of sight during nonworking hours. While not required, recommending implementation of a clean desk policy would be appropriate. 3. Unescorted access to computer rooms or areas containing major items of AIS equipment processing CUI information (servers and network components) must only be granted to persons with at least a favorable NAC. All others must be physically escorted. Access control measures such as reception personnel, guards, keyed locks, cipher locks, or automated access control systems may be used to control access to such areas. TACTICAL ENVIRONMENT: The check is applicable for fixed (established) tactical processing environments where procedural documents (SOPs) should be in place. Not applicable to a field/mobile environment.

Fix Text (F-49231r1226308_fix)

1. During working hours, reasonable steps shall be taken to minimize the risk of access by unauthorized personnel. This would include things like placing cover sheets on CUI documents and allowing unescorted access to areas where CUI (documents and AIS storage media) is processed/handled to only those persons with at least a favorably adjudicated NAC. 2. After working hours, CUI information (documents and AIS storage media) may be stored in unlocked containers, desks, or cabinets if government or government-contract building security is provided. If such building security is not provided or is deemed inadequate, the information (documents and AIS storage media) must be stored in locked desks, file cabinets, bookcases, locked rooms, etc. In all cases, CUI must be placed out of sight during nonworking hours. While not required, implementation of a clean desk policy would be a good idea. 3. Unescorted access to computer rooms or areas containing major items of AIS equipment processing CUI information (servers and network components) must only be granted to persons with at least a favorable NAC. All others must be physically escorted. Access control measures such as reception personnel, guards, keyed locks, cipher locks, or automated access control systems may be used to control access to such areas.