Marking Controlled Unclassified Information (CUI) in Microsoft 365

The protection of sensitive information is a critical priority for every business. This responsibility is not just for the protection of the organization, but to ensure compliance with applicable laws, regulations, and policies. The Controlled Unclassified Information program (CUI) was implemented which identifies information that must be safeguarded with a specific set of controls for safekeeping. Originally geared for defense contractors, CUI labeling is also used for the control of information moving within and outside the organization.

Microsoft 365 incorporates information protection through its MIP application to provide organizations with a way to classify, encrypt, and protect sensitive unclassified information through the CUI protocol. The following procedures document how to configure and implement the CUI protection.

Setting Up the Group For Access to the CUI

1. Access Office as an Admin and click into the Admin center.
2. Select Groups and click Active Groups . Since we are creating a new group, select Add a group from the top menu. Under the group types listed, pre-select Microsoft 365 (recommended). Then, click on Next.
3. On the Set up the basics page, type a name for the group, (i.e, CUI Approved Individuals). Fill in a description of the group, (i.e, Employees allowed to view, manage, and process CUI). Then, click Next.
4. On the Assign owners page, click under Owners. Select an owner from the list. Two owners should be created since one will function as a backup. Then, click Next.
5. On the Edit settings page, enter the unique group email address that will be used for team members to collaborate and share files with. Select the privacy option and then select Next.
6. Review the group’s details to ensure they are entered correctly, and then click Create group. The new group-created page will display information on which settings you can change and an option to add another group. Click Close to return to the **Active groups page.

Adding Members to the Group

1. From theActive group’s page, click on the search box on the right and enter the name of the group you created in the above steps. The group name and information will appear along with a right-side panel with the option to view all and manage owners** or **view all and manage members . Then, click on view all and manage members.
2. On the Manage group members page, search and select the users one at a time, that you wish to add. Click Save changes after adding all members. Then, the Active group’s page with your selected group displays.

Configuring Sensitivity Labels

Initial Steps

1. Select Compliance from the Admin center menu. The compliance center page displays. Under Solutions, click on Information protection from the left-side menu.

2. Select +Create a label. This will bring you to the label protection settings.

   • Type CUI-Controlled Unclassified Informationin the Namefield.
   • Type CUI for the Display name.
   • Lastly, type master group for undesignated CUI in the Description for users box.

3. The description for admins will be the same as that of the users . Next.

4. The page to define the scope for this label appears. Check the files and emails box. Azure Purview assets will also be checked, but this is still in preview mode. This option will allow you to apply labels and protect the information in SQL databases and Azure Blob Storage. Note: If sensitivity labels were previously applied in the past using Azure information protection (AIP), it is advised that you migrate all labels from AIP into the compliance center.

5. Click Next. The Choose protection settings for files and emails screen appears. Check the boxes for encrypting files and emails as well as for mark the content of files. Click Next.

6. On the Encryption page, check Configure encryption settings. Assign permissions now should already appear.

7. User access to content expires will default to Never.  However, this can also be set for a specific date or a number of days after the label is applied. This option is useful if information is locked down after a specified time period, such as that for an upcoming financial review. This setting can also be used to define a set number of days the user has left to authenticate with Azure active directory. Consider the type of information and the work environment when configuring these access settings. For example, if staff members travel often, require additional days for offline access to allow time for authentication. If staff is not accessing the information offline, then this access should be switched off. Up to 100 days can be specified for the offline access setting.

8. Click on Assign permissions and then add user or group. Type in the name of the group that you created above . Check CUI Approved individuals and click Add, then Save.

9. On the bottom of the encryption screen, there is the option to Use Double Key Encryption. This is encryption within Microsoft 365 where Microsoft holds the key while you hold a second key. You are able to specify a secondary double key encryption service where you hold the key, meaning even Microsoft employees cannot decrypt the information. However, should this key be lost, access to all information that was encrypted with the key is lost as well.  This type of encryption is only recommended for the strictest protection requirements.

10. Click Next to access the content marking settings. This screen enables you to add custom headers, footers, and watermarks. Never add a watermark to CIU information. The CUI Marking Handbook can be used as a guide on how to properly mark content. Additional information for CUI categories can be found here.

• Click to select Add a header, then Customize text. Since this will be a top-level for several different  CUI classes, a different type of header will be created.

• Under header text, type in CONTROLLED. While this is not an official marking, it is sufficient for this case.

• The suggested font size is 18 for easy visualization.

• Click Save to return to the previous screen.

• Click on add a footer, then customize text. Since the specifications in the CUI Marking Handbook state that the footer must include the organization’s contact information as well as who is controlling it, this will be entered here.

• In footer text, enter Controlled by (name and phone number of your organization).** Keep this font size smaller at 10. Click Save to return to the content marking screen.

• Note: This marking will be included on all documents including Powerpoint, Excel, and Word. However, it doesn’t apply to email messages.

11. Click Next to access the auto-labeling for files and emails screen. Toggle auto-labeling to off since this can cause a large amount of content to encrypt needlessly. This affects the accessibility and processing of information, notably if e-discovery with third-party applications. However, we can configure this setting to add trainable classifiers.

Microsoft’s Guide

A trainable classifier is a tool that can be trained to recognize content types from samples. After the classifier is trained, it can be used to identify items to apply the sensitivity labels, communications compliance policies, and retention label policies. Indeed, send forty or more documents to train the classifier. For more information and how to accomplish this training, refer to Microsoft’s guide.

1. Click Next to define protection settings for groups and sites. These settings allow you to apply sensitivity labels to protect content in containers for Teams, 365 groups, and Sharepoint sites. Indeed, more information on these settings can be found here.

2. Clicking Next brings you to the auto-labeling for the database columns screen. This allows you to select sensitive information types within the database to label them as protected. Clicking on Choose sensitive information types brings up the list of content available for protection.

3. Click Next for the review settings and finish screen. Click Create label after verifying the entries are correct. A confirmation screen then shows your label.

   • Select publish this label under Next steps.
   • Select Choose the sensitivity labels to publish. Check the box for CUI and click Add. The Publish to users and groups screen appears.
   • Click Choose users and groups and search for the CUI approved group and click Add, then click Done.

4. On the policy settings screen, Apply this label by default to documents and email should be None. Click the box for Users must provide justification to remove a label or lower classification label and the box for Provide users with a link to a custom help page. Enter a link to a help page, such as the CUI Information Page. Click Next.

5. Name the policy. In this case, we will call it CUI. Type in a description for the label policy in the dialog box. For example, we will type a top-level designator for CUI.

6. Click Next to review and finish settings. Click Done. Create a new policy appears, confirming your sensitivity label policy was successfully created. Click Done.

Creating Sub Labels

Create sub-labels for privacy and access for Teams, SharePoint sites, and 365 groups.

1. On the Information protection page, under Labels, click the ellipses appearing on the CUI group line and select +Add sub-label. This will bring up the screen to name and create a tooltip for your label.

2. In the Name field, enter a designator, such as CUI-Controlled Technical Information. For Display Name, type in a name but without the forward slashes, such as CUI-CTI. This is not the actual marking since the display name cannot support slashes in this field.

3. For Description for users, a suggestion is to use the category description found in the archives.gov CUI Category page. Enter the same description in the Description for admins field. Click Next.

4. The Define scope for this label screen appears. The files and emails and Azure Purview assets checkboxes should both be marked. Lastly, click Next.

5. On the Choose protection settings for files and emails screen, check the Encrypt files and emails and Mark the content of files. Lastly, click Next.

6. The Encryption page appears. Click on Configure encryption settings. Assign the same permissions to allow offline access as previously stated in step 7 above. Then, click Next.

7. On the Content marking screen, select Add a header. Since a real marking is used,  follow the rules on the CUI page for category marking for CTI.

   • Enter the banner marking as CUI//SP-CTI/NOFORN. In this example, NOFORN indicates no foreign nationals. Set the font size to 18. Set Align text to Center.
   • Click Save.
   • Click on Add a footer, then Customize the text to open the dialog box.
   • For the footer text, type in Controlled by (name and phone number of organization). Keep the font size at 10. Click Save, then click Next.

8. On the auto-labeling for files and emails screen, verify that this is toggled off. Click Next.

9.  Continue pressing Next until the review settings screen appears. Click on Create a Label. Under Next steps, click on Publish this label.

10. Click on Choose sensitivity labels to publish . Select both the CUI and CUI/CUI-CTI labels. Publish both the parent label and the subcategory. Click Add, then click Next.

11. Choose users and groups. Click the dialog box and type in CUI to locate the CUI Approved Individuals group. Click the checkbox next to the group. Lastly, click Add.

12. On the Policy settings screen, click the checkboxes for Users must provide justification to remove a label or lower classification label and Provide users with a link to a custom help page. Enter the URL for the CUI information website for the link to the help page. Click Next.

13. On the Name your policy screen, type CUI-CTI. For description, type Controlled technical information. Then, click Next.

14. Review the details of the policy and click Submit to publish it .Click Done.

Verifying Policies and Labels

1. In the Information protection screen, the list of labels should appear in order from the least restrictive to the most restrictive. The most restrictive policies can be verified by opening a new Word document, selecting the Sensitivity policy you wish to test, and attempting to save the document. If the policy then works, the ability to save as, download a copy, or save as a PDF is lost and the file is locked into the environment.

2. Now downgrade the policy to the least restrictive. The Justification Required dialog box appears. Select Other and type downloading from (restrictive file name) to (least restrictive file name) name. Click Change. Apply the new label under Sensitivity. The header and footer designated earlier apply automatically to the document. Encryption and sensitivity control apply to the document.

Learn More About CUI Implementation

The effective handling of CUI is a priority for organizations. The compliance solutions in Microsoft 365 indeed allow you to efficiently configure and deploy powerful labels and policies to protect sensitive information.

Agile IT is one of the top 100 Cloud Computing Solutions Providers in the world. In fact, recognized as a best-in-class Microsoft Partner, Agile IT provides solutions for digital transformation, security and compliance. Contact us for more information on how our technologies can help reduce costs and increase productivity for your business.