Compliance

CMMC 2.0 Requirements

  1. Access Control (AC):
    AC.1.001: “Limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems).”
    This basic security requirement ensures that only authorized users can access the system, which implies a need for clear identification and marking of information, potentially including the use of classification banners.
  2. Identification and Authentication (IA):
    IA.1.076: “Identify information system users, processes acting on behalf of users, and devices.”
    This requirement ensures that only authenticated users can access classified information, which implies consistent information classification and marking, including the use of classification banners.
  3. Configuration Management (CM):
    CM.2.061: “Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.”
    Maintaining baseline configurations involves ensuring consistent marking and handling of classified information across different systems and devices, which includes the use of classification banners.
  4. System and Communications Protection (SC):
    SC.1.175: “Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.”
    During information transmission, classification banners help to identify the classification level of the information, ensuring it is appropriately protected.
  5. Audit and Accountability (AU):
    AU.2.042: “Ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.”
    The use of classification banners aids in recording and tracking access to classified information, enhancing the effectiveness of audits and accountability.

Refer to CMMC for more details.


NIST SP 800-171 Requirements

Identification and Authentication (IA):
3.5.2: “Identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users).”

Configuration Management (CM):
3.4.1: “Establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.”

System and Communications Protection (SC):
3.13.1: “Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.”

Audit and Accountability (AU):
3.3.1: “Create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.”

Refer to NIST SP 800-171 for more details.


STIG Requirements

  1. Classification Marking in Classified Environments:
    “In a classified operating environment, all unclassified items must be marked in addition to all classified items. For instance: In areas where any classified equipment such as servers, client workstations, printers, routers, crypto, etc. are being used – all classified equipment, media and documents must be properly marked with classification levels and handling caveats – AND ALL UNCLASSIFIED equipment (servers, client workstations, printers, routers, crypto, etc.), media and documents must also be properly marked as unclassified and with handling caveats such as FOUO, when appropriate. This total marking of all assets in a classified environment eliminates the assumption that anything not marked is unclassified. Hence, all equipment, media and documents within SCIFs, Vaults, Secure Rooms and classified Controlled Access Areas (CAA) must be marked with classification levels and handling caveats.”
  2. Monitor Marking:
    “SPECIAL NOTE FOR MONITORS: Monitors connected to SIPRNet/NIPRNet are inert items of equipment in that they do not store/retain classified data. Typically, in a mixed classified/unclassified environment it is appropriate to physically label a monitor classification based on the system to which it is connected. If a classification banner is displayed on an active monitor screen then the physical monitor is not required to have a SF 710 (unclassified) or SF 707 (secret) sticker. Regardless, there is no prohibition against also using the SF labels as an additional identifier but it is not required.”
  3. Application Banner Requirement:
    “The application must display the Standard Mandatory DoD Notice and Consent Banner before granting access to the application. This ensures privacy and security notification verbiage used is consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.”
  4. Sensitive/Classified Output Marking:
    “The application must have the capability to mark sensitive/classified output when required.” We should implement a display banner on the client-side that shows the appropriate classification level for data viewed on Heimdall.

Refer to STIG V-6146 for more details.


EO 13526 Requirements

Section 1.6 Identification and Markings

  • (a) At the time of original classification, the following shall be indicated in a manner that is immediately apparent:
    1. One of the three classification levels defined in section 1.2 of this order.
    2. The identity, by name and position, or by personal identifier, of the original classification authority.
    3. The agency and office of origin, if not otherwise evident.
    4. Declassification instructions, which shall indicate one of the following:
      • (A) the date or event for declassification, as prescribed in section 1.5(a);
      • (B) the date that is 10 years from the date of original classification, as prescribed in section 1.5(b);
      • (C) the date that is up to 25 years from the date of original classification, as prescribed in section 1.5(b); or
      • (D) in the case of information that should clearly and demonstrably be expected to reveal the identity of a confidential human source or a human intelligence source or key design concepts of weapons of mass destruction, the marking prescribed in implementing directives issued pursuant to this order.
    5. A concise reason for classification that, at a minimum, cites the applicable classification categories in section 1.4 of this order.
  • (c) With respect to each classified document, the agency originating the document shall, by marking or other means, indicate which portions are classified, with the applicable classification level, and which portions are unclassified. The Director of the Information Security Oversight Office may grant and revoke temporary waivers of this requirement.
  • (d) Markings or other indicia implementing the provisions of this order, including abbreviations and requirements to safeguard classified working papers, shall conform to the standards prescribed in implementing directives issued pursuant to this order.

Refer to Executive Order 13526 for more details.


ODNI Requirements

Section 2.3.1 – Marking Requirements:

  • Classification Banners: Must clearly indicate the classification status of the information on all electronic displays, computer screens, and documents. Color-coded banners should be used to display different classification levels, such as “UNCLASSIFIED” in green, “CONFIDENTIAL” in blue, “SECRET” in red, and “TOP SECRET” in orange. These banners must always be visible at the top or bottom of the screen and during any display or printing of classified information.

Refer to ODNI CG v2.1 § 2.3.1 for more details.


32 CFR Requirements

1. General Requirements

  1. 32 CFR §2002.16(a)(3):
    Prior to disseminating CUI, authorized holders must label CUI according to marking guidance issued by the CUI EA, and must include any specific markings required by law, regulation, or Government-wide policy.
  2. 32 CFR 2001.23(a)(1)-(5):
    Classified national security information in the electronic environment shall be:
    • Subject to all requirements of the Order.
    • Marked with proper classification markings to the extent that such marking is practical, including portion marking, overall classification, ‘Classified By,’ ‘Derived From,’ ‘Reason’ for classification (originally classified information only), and ‘Declassify On.’
    • Marked with proper classification markings when appearing in an electronic output (e.g., database query) in which users of the information will need to be alerted to the classification status of the information.
    • Marked in accordance with derivative classification procedures, maintaining traceability of classification decisions to the original classification authority. In cases where classified information in an electronic environment cannot be marked in this manner, a warning shall be applied to alert users that the information may not be used as a source for derivative classification and providing a point of contact and instructions for users to receive further guidance on the use and classification of the information.
    • Prohibited from use as a source of derivative classification if it is dynamic in nature (e.g., wikis and blogs) and where information is not marked in accordance with the Order.

2. Markings on Classified E-mail Messages

  • 32 CFR 2001.23(b)(1)-(6):
    • (1) E-mail transmitted on or prepared for transmission on classified systems or networks shall be configured to display the overall classification at the top and bottom of the body of each message. The overall classification marking string for the e-mail shall reflect the classification of the header and body of the message. This includes the subject line, the text of the e-mail, a classified signature block, attachments, included messages, and any other information conveyed in the body of the e-mail. A single linear text string showing the overall classification and markings shall be included in the first line of text and at the end of the body of the message after the signature block.
    • (2) Classified e-mail shall be portion marked. Each portion shall be marked to reflect the highest level of information contained in that portion. A text portion containing a uniform resource locator (URL) or reference (i.e., link) to another document shall be portion marked based on the classification of the content of the URL or link text, even if the content to which it points reflects a higher classification marking.
    • (3) A classified signature block shall be portion marked to reflect the highest classification level markings of the information contained in the signature block itself.
    • (4) Subject lines shall be portion marked to reflect the sensitivity of the information in the subject line itself and shall not reflect any classification markings for the e-mail content or attachments. Subject lines and titles shall be portion marked before the subject or title.
    • (5) For a classified e-mail, the classification authority block shall be placed after the signature block, but before the overall classification marking string at the end of the e-mail. These blocks may appear as single linear text strings instead of the traditional appearance of three lines of text.
    • (6) When forwarding or replying to an e-mail, individuals shall ensure that, in addition to the markings required for the content of the reply or forward e-mail itself, the markings shall reflect the overall classification and declassification instructions for the entire string of e-mails and attachments. This will include any newly drafted material, material received from previous senders, and any attachments.
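
The e-mail rules in 32 CFR 2001.23(b)(1)-(6) above reduce to a small set of string-assembly rules. The following is an added example, not code from the original page and not Heimdall's own code, that builds the marking strings for one message: the overall classification is the highest level found in any portion, attachment or included message; the subject and each portion carry a mark for their own content only; and the classification authority block sits after the signature block and before the closing overall string. The level names, abbreviations, message shape and sample content are constructed for illustration, and the authority block values are placeholders.

```javascript
// Added example (not Heimdall code): assembling the markings 32 CFR 2001.23(b)
// requires on a classified e-mail. Level names, the message shape and the
// sample message below are constructed for illustration.
const LEVELS = ['UNCLASSIFIED', 'CONFIDENTIAL', 'SECRET', 'TOP SECRET'];
const ABBREV = { UNCLASSIFIED: 'U', CONFIDENTIAL: 'C', SECRET: 'S', 'TOP SECRET': 'TS' };

// Rank a level so "highest" can be computed; an unknown level is an error.
function rank(level) {
  const i = LEVELS.indexOf(level);
  if (i < 0) throw new Error(`unknown classification level: ${level}`);
  return i;
}

// (b)(2), (b)(6): the overall classification is the highest level found in
// any portion, attachment or included (forwarded/replied-to) message.
function highestLevel(levels) {
  return levels.reduce((hi, l) => (rank(l) > rank(hi) ? l : hi), 'UNCLASSIFIED');
}

// (b)(2), (b)(4): the portion mark goes before the text and reflects only
// that portion's own content.
function portionMark(level, text) {
  return `(${ABBREV[level]}) ${text}`;
}

// msg (constructed shape): { subject: {level, text}, body: [{level, text}],
//   signature: {level, text}, authorityBlock: string,
//   attachments: [level], included: [level] }
function markEmail(msg) {
  const levels = [
    msg.subject.level,
    ...msg.body.map((p) => p.level),
    msg.signature.level,
    ...(msg.attachments || []),
    ...(msg.included || []),
  ];
  const overall = highestLevel(levels);
  const lines = [
    overall,                                              // (b)(1): first line of text
    ...msg.body.map((p) => portionMark(p.level, p.text)), // (b)(2): every portion marked
    portionMark(msg.signature.level, msg.signature.text), // (b)(3): signature block marked on its own content
    msg.authorityBlock,                                   // (b)(5): after signature, before the closing string
    overall,                                              // (b)(1): repeated at the end of the body
  ];
  return {
    overall,
    subject: portionMark(msg.subject.level, msg.subject.text), // (b)(4): subject marked on its own content only
    body: lines.join('\n'),
  };
}

// Constructed sample: body portions are at most CONFIDENTIAL, but a SECRET
// attachment is included, so the overall string must read SECRET while the
// subject and portions keep their own lower marks.
const sample = {
  subject: { level: 'UNCLASSIFIED', text: 'Weekly status' },
  body: [
    { level: 'UNCLASSIFIED', text: 'Attached is the report.' },
    { level: 'CONFIDENTIAL', text: 'Summary of findings follows.' },
  ],
  signature: { level: 'UNCLASSIFIED', text: 'J. Doe, Analyst' },
  authorityBlock: 'Classified By: [placeholder] | Derived From: [placeholder] | Declassify On: [placeholder]',
  attachments: ['SECRET'],
};
const marked = markEmail(sample);
console.log(`Subject: ${marked.subject}\n\n${marked.body}`);
```

Because the subject line is marked only on its own content, a reader cannot infer the overall level from the subject; the overall string at the first and last line of the body is what carries that information, which is why `markEmail` emits it twice rather than once.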

3. Marking Web Pages with Classified Content

  • 32 CFR 2001.23(c)(1)-(5):
    • (1) Web pages shall be classified and marked on their own content regardless of the classification of the pages to which they link. Any presentation of information to which the web materials link shall also be marked based on its own content.
    • (2) The overall classification marking string for every web page shall reflect the overall classification markings (and any dissemination control or handling markings) for the information on that page. Linear text appearing on both the top and bottom of the page is acceptable.
    • (3) If any graphical representation is utilized, a text equivalent of the overall classification marking string shall be included in the hypertext statement and page metadata. This will enable users without graphic display to be aware of the classification level of the page and allows for the use of text translators.
    • (4) Classified Web pages shall be portion marked. Each portion shall be marked to reflect the highest level of information contained in that portion. A portion containing a URL or reference to another document shall be portion marked based on the classification of the content of the URL itself, even if the content to which it points reflects a higher classification marking.
    • (5) Classified Web pages shall include the classification authority block on either the top or bottom of the page. These blocks may appear as single linear text strings instead of the traditional appearance of three lines of text.

5. Marking Classified Dynamic Documents and Relational Databases

  • 32 CFR 2001.23(e)(1)-(2):
    • (1) A dynamic page contains electronic information derived from a changeable source or ad hoc query, such as a relational database. The classification levels of information returned may vary depending upon the specific request.
    • (2) If there is a mechanism for determining the actual classification markings for dynamic documents, the appropriate classification markings shall be applied to and displayed on the document. If such a mechanism does not exist, the default should be the highest level of information in the database and a warning shall be applied at the top of each page of the document. Such content shall not be used as a basis for derivative classification. An example of such an applied warning may appear as: ‘This content is classified at the [insert system-high classification level] level and may contain elements of information that are unclassified or classified at a lower level than the overall classification displayed. This content may not be used as a source of derivative classification; refer instead to the pertinent classification guide(s).’
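
The ODNI banner requirement (§ 2.3.1 above), the web page rules in 32 CFR 2001.23(c) and the dynamic-document rule in 2001.23(e) all describe the same rendering problem from different angles. The following is an added example, not code from the original page and not Heimdall's own code, that renders a marked page in one pass: a colour-coded banner at the top and bottom using the ODNI colours, a plain-text equivalent of the overall marking in the page metadata, per-portion marks, and, for dynamic query results whose row-level classification is unknown, the system-high default with the (e)(2) warning inserted at the top. The `<meta name="classification">` tag name, the CSS class names and all sample content are assumptions constructed for this example; the verbatim warning text comes from (e)(2) above.

```javascript
// Added example (not Heimdall code): page-level markings for a web view of
// classified data. Assumptions: the <meta name="classification"> tag name,
// the CSS class names, and all sample content are constructed here.
const LEVELS = ['UNCLASSIFIED', 'CONFIDENTIAL', 'SECRET', 'TOP SECRET'];
const ABBREV = { UNCLASSIFIED: 'U', CONFIDENTIAL: 'C', SECRET: 'S', 'TOP SECRET': 'TS' };
// Banner colours as listed in ODNI CG v2.1 § 2.3.1.
const BANNER_COLOR = { UNCLASSIFIED: 'green', CONFIDENTIAL: 'blue', SECRET: 'red', 'TOP SECRET': 'orange' };

// Rank a level; an unknown or missing level is an error, so a page can never
// be rendered with a banner the application cannot justify (fail closed).
function rank(level) {
  const i = LEVELS.indexOf(level);
  if (i < 0) throw new Error(`unknown classification level: ${level}`);
  return i;
}

// 2001.23(c)(2): the overall marking is the highest level present on the page.
function highestLevel(levels) {
  return levels.reduce((hi, l) => (rank(l) > rank(hi) ? l : hi), 'UNCLASSIFIED');
}

// Escape database or user text so a portion cannot inject markup (and cannot
// forge its own banner) in the rendered page.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// One banner line; the identical string is emitted at the top and the bottom.
function bannerHtml(level) {
  return `<div class="classification-banner" style="background:${BANNER_COLOR[level]};color:#fff;text-align:center">${level}</div>`;
}

// Warning text from 32 CFR 2001.23(e)(2) with the system-high level filled in.
function dynamicWarning(systemHigh) {
  return `This content is classified at the ${systemHigh} level and may contain ` +
    'elements of information that are unclassified or classified at a lower level ' +
    'than the overall classification displayed. This content may not be used as a ' +
    'source of derivative classification; refer instead to the pertinent classification guide(s).';
}

// title: {level, text}; portions: [{level, text}], where level may be null for
// dynamic rows whose classification the application cannot determine.
// opts.dynamic with opts.systemHigh selects the (e)(2) fallback for such rows.
function renderMarkedPage(title, portions, opts = {}) {
  const unknown = portions.some((p) => p.level === null);
  if (unknown && !opts.dynamic) throw new Error('static content must carry a level for every portion');
  let overall;
  if (unknown) {
    rank(opts.systemHigh); // validate before trusting it as the default
    overall = opts.systemHigh;
  } else {
    overall = highestLevel([title.level, ...portions.map((p) => p.level)]);
  }
  const body = portions
    .map((p) => `<p>${p.level === null ? '' : `(${ABBREV[p.level]}) `}${escapeHtml(p.text)}</p>`)
    .join('\n');
  return [
    '<!doctype html><html><head>',
    `<meta name="classification" content="${overall}">`, // text equivalent, 2001.23(c)(3)
    `<title>(${ABBREV[title.level]}) ${escapeHtml(title.text)}</title>`, // title marked on its own content
    '</head><body>',
    bannerHtml(overall),
    ...(unknown ? [`<p class="classification-warning">${dynamicWarning(overall)}</p>`] : []),
    body,
    bannerHtml(overall),
    '</body></html>',
  ].join('\n');
}

// Constructed samples: a static page mixing U and S portions, and a dynamic
// query result for which no per-row classification is available.
const staticPage = renderMarkedPage(
  { level: 'UNCLASSIFIED', text: 'Scan results' },
  [{ level: 'UNCLASSIFIED', text: 'Host inventory' }, { level: 'SECRET', text: '<finding text>' }],
);
const dynamicPage = renderMarkedPage(
  { level: 'UNCLASSIFIED', text: 'Ad hoc query' },
  [{ level: null, text: 'row 1' }, { level: null, text: 'row 2' }],
  { dynamic: true, systemHigh: 'TOP SECRET' },
);
console.log(staticPage);
console.log(dynamicPage);
```

Two design points follow from the rules rather than from taste: the banner level is computed from the data, never taken from a request parameter, and the renderer refuses to emit a static page with an unmarked portion instead of silently defaulting to UNCLASSIFIED, since the STIG text above makes clear that anything unmarked in a classified environment cannot be assumed unclassified.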

Refer to 32 CFR § 2001.23 for more details.


DoDI Requirements

  • General Marking Requirements: “All documents containing Controlled Unclassified Information (CUI) must be marked with ‘CUI’ at the top and bottom of each page.” This requirement ensures that the document is clearly identified as containing CUI and is handled accordingly.
  • Banners and Footers: “The banners and footers of the document must contain the ‘CUI’ marking. These markings serve as a reminder to the recipient that the document requires special handling in compliance with laws, regulations, or government-wide policies.”
  • Portion Marking: “When a document contains multiple sections, each with different classifications of information, each section must be marked accordingly. This ensures that information is correctly classified and handled.”

Refer to DoDI 5200.48 for more details.


DoD Manual Requirements

Marking Requirements:

  • Chapter 5, Marking: This chapter provides detailed instructions on how to mark classified information, including placing classification banners at the top and bottom of each page. These banners must indicate the classification level (e.g., Confidential, Secret, Top Secret) and any applicable control markings.

DoD Manual 5200.01, Volume 1:

  • Volume 1, Enclosure 3: This section elaborates on the marking and classification of various types of information, ensuring that information is consistently marked during transmission and storage. The classification banners help maintain clarity and consistency in marking the information’s classification level.
  • Enclosure 4: This section provides further requirements for the consistent marking and handling of classified information across different systems and devices, including the use of classification banners to ensure the clarity of information classification.

Refer to DoD Manual 5200.1R for more details.


U.S. Government Labeling Requirements

  1. SF706, SF707, SF708, SF709, SF710, SF-FMO, SF712, SF902, SF-CUI, SF-CUID, SF-SAR-P, AEC-RSS, SF-SAR-O
  2. AEC-UNOF, AEC-SNOF, AEC-TS-SAR, AEC-TSSCISAR, AF306, AF307, AEC-NATO-S
  3. AF-714, AF308, AF310, AF401, AF402, AF403, AF404, AF405, AF406, AF407, SF903, AF309, AF408, AF200
  4. NGP-001, NGP-002, NGP-003, NGP-004, NGP-005, NGP-006, NGP-007, NGP-008, NGP-009, NGP-010, NGP-012, NGP-014