By George T. Tziahanas, AGC and VP of Compliance, Archive360
It might seem counterintuitive that in a distributed digital world, the location of data is increasingly important. However, based on current trends, national borders are indeed establishing a presence in cyberspace.
Governments have long sought to control national security-related information (such as classified data), but since the dawn of the Internet Age, they didn’t concern themselves too much with non-classified data sharing—or if they did, the targets were typically quite narrow. The adoption of cloud solutions, initially deployed and used without much concern over boarders, just drove the point home.
But all that is changing: Over the last few years, countries have reconsidered their hands-off approach, and now are extending their reach into areas more aligned with their national interest. These include concerns around citizens’ privacy, critical transportation or energy infrastructure, financial markets, and non-classified government information. They clearly want to mitigate cyber and other risks, and guard against a broader impact to their economies and population.
This type of data sovereignty laws has either been adopted or proposed in many regions. China, Germany, France (proposed), the Kingdom of Saudi Arabia and Dubai are good examples—they share characteristics such as categorization schemes to define the types of information subject to sovereignty, access controls, and conditions under which cloud offerings are used.
The United States has not adopted a specific data sovereignty statute (apart from export restrictions already in place), but the government has introduced a regulation for Confidential Unclassified Information (CUI). The purpose is to “standardize the way the executive branch handles information that requires protection under laws, regulations, or government-wide policies, but that does not qualify as classified.’’
As the purpose noted, the intent was to standardize how federal agencies handle CUI, but it also encompasses those contracting or working with the government. CUI obligations for third parties are enforced based on contractual provisions, now required for anybody handling or managing CUI (or associated systems). This may also include state or local agencies doing business with the federal government or involved in data sharing relationships.
The CUI regulation, like the data sovereignty statutes described above, is based on a broad set of categorized information. It defines areas such as critical infrastructure, financial, immigration, intelligence, export control and transportation. Each of these broader categories is further divided into sub-categories that further defines the types of information subject to controls.
All CUI is subject to a marking requirement, which outlines whether the information is subject to “basic” or “specified” restrictions/controls. All CUI (including “basic”) must be protected consistent with standards and policies such as FIPS 199, FIPS 200, and NIST SP-800-53. These are quite familiar within both government agencies and many private sector entities. Additional control requirements may be specified (“specified CUI”), along with other restrictions such as prohibition of sharing with non-citizens, contractors, or outside specific controlled environments. The objective behind all these standards is ultimately to protect this information from unauthorized access, or disclosure.
While some federal agencies and contractors are already negotiating CUI, many entities will likely learn about it only when an update to a contract is requested, or flow-downs from a prime contractor pushes this to smaller organizations. Meanwhile, global corporations will soon have to deal with international digital borders.
But just as these are digital problems, there are digital solutions. There are technologies already available to help manage the data categorization, along with requisite access control and security requirements. It might help to consider government-controlled cloud environments, since much of this information will outlast many technology contracts.
In sum, CUI is coming, and it will be important. Staying ahead of it—rather than trying to catch up—with technologies now on the market will offer a major advantage.
Full a complete list, See https://www.archives.gov/cui/registry/category-list
About the Author
George T. Tziahanas, Vice President of Compliance, Archive360
George has extensive experience in complex compliance and information risk challenges. He has worked with numerous financial services corporations to design and deploy petabyte-scale compliant books and records systems, supervision and surveillance, and eDiscovery solutions. George also has deep expertise in developing strategies and roadmaps addressing compliance and data governance requirements. He has specialized in working with emerging and advancing technologies to address real-world problems. He’s conducted AI/ML-driven analytics across legal and regulatory use cases, and helped companies adopt new solutions.