Protecting Controlled Unclassified Information

CUI requires defense-in-depth: encryption at rest and in transit, role-based access control, comprehensive audit logging, and tamper-evident evidence. smartNOC provides all four layers as integral platform capabilities.

What is CUI?

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to federal law, regulations, or government-wide policies. CUI categories include:

  • Federal Contract Information (FCI): Information provided by or generated for the government under contract
  • Export Controlled: Technical data subject to ITAR or EAR restrictions
  • Privacy Information: PII requiring protection under the Privacy Act
  • Law Enforcement Sensitive: Information that could compromise investigations
  • Procurement Sensitive: Source selection and procurement information

NIST SP 800-171 establishes the baseline security requirements for protecting CUI in nonfederal systems. smartNOC implements these requirements through architectural enforcement, not policy documents.

CUI Lifecycle Protection

Full Lifecycle Controls

CUI must be protected at every stage of its lifecycle. smartNOC provides controls for creation, storage, transmission, processing, and destruction.

Creation & Ingestion

Entry Points: HTTPS APIs, SFTP, encrypted email, database inserts

Controls: TLS 1.3 in-transit encryption, certificate authentication, input validation, automatic CUI marking

Evidence: Ingestion logs with source, timestamp, certificate identity

Storage at Rest

Storage Layers: LUKS-encrypted filesystems, encrypted database columns, encrypted object storage

Controls: Encryption keys managed by certificate authority, file permissions enforced by SELinux, database row-level security

Evidence: Encryption status attestations, access control lists, key rotation logs

Transmission

Transport: mTLS for service-to-service, VPN for remote access, encrypted message bus for internal messaging

Controls: Cipher suite restrictions, certificate pinning, network segmentation, DNS policy enforcement

Evidence: Connection logs with cipher suite, certificate validation records, denied connection attempts

Processing

Compute Environment: SELinux-confined processes, encrypted memory where available, secure process isolation

Controls: Process allow-lists via monitoring agents, resource limits, mandatory access control, anomaly detection

Evidence: Process execution logs, resource usage metrics, SELinux AVC denials

Sharing & Dissemination

Mechanisms: Role-based access, time-limited sharing links, watermarked exports, need-to-know enforcement

Controls: CMDB approval workflows, recipient authentication, audit logging, expiration enforcement

Evidence: Share authorization records, access logs, recipient identity verification

Destruction

Methods: Cryptographic erasure, secure deletion tools, media sanitization procedures

Controls: Retention policy enforcement, multi-step approval, verification of deletion

Evidence: Deletion requests, verification confirmations, media sanitization certificates

Technical Implementation

Encryption Architecture

smartNOC implements encryption at multiple layers to ensure CUI is never exposed in clear text outside of authorized processing.

Transport
  Mechanism: TLS 1.3, cipher suite TLS_AES_256_GCM_SHA384
  Key Management: Certificate authority, automated rotation
  FIPS 140-2: OpenSSL FIPS module available

Disk
  Mechanism: LUKS2 with AES-256-XTS
  Key Management: Key escrow in TPM or key management service
  FIPS 140-2: Kernel crypto API validated

Database
  Mechanism: Database encryption, column-level AES-256
  Key Management: Application-managed, rotated quarterly
  FIPS 140-2: OpenSSL backend

Backups
  Mechanism: GPG encryption, AES-256
  Key Management: Offline key storage, multi-party
  FIPS 140-2: GPG FIPS mode supported

Messaging
  Mechanism: Message bus over TLS, payload encryption optional
  Key Management: Per-service certificates from certificate authority
  FIPS 140-2: Erlang crypto library

Access Control Architecture

smartNOC enforces access control at four layers, ensuring defense-in-depth even if one layer is compromised.

Layer 1: Network

Firewall rules restrict CUI services to authorized subnets. VPN required for external access. Network segmentation isolates CUI processing from other workloads.

Layer 2: System (SELinux)

Mandatory access control confines processes handling CUI. Custom SELinux types restrict file access, network connections, and inter-process communication.

Layer 3: Application

mTLS authentication with certificate-based identity. CMDB-driven RBAC maps certificates to roles. Service allow-lists prevent unauthorized service access.

Layer 4: Data

Database row-level security restricts CUI table access by role. Column-level encryption for highly sensitive fields. View-based access controls for reporting.

Audit & Evidence Collection

Comprehensive Audit Trail

Every interaction with CUI generates audit evidence. This evidence is tamper-evident, time-stamped, and retained according to policy.

Audit Event Types

  • Authentication Events: Certificate validation, login attempts, session establishment, MFA challenges
  • Authorization Events: RBAC decisions, permission denials, privilege escalation, role changes
  • Access Events: File opens, database queries, API calls, CUI retrievals
  • Modification Events: CUI updates, deletions, exports, sharing actions
  • System Events: Service starts/stops, configuration changes, package updates, security alerts
  • Security Events: SELinux denials, anomaly detections, failed authentications, policy violations

Evidence Pipeline

Audit events flow through a multi-stage pipeline ensuring integrity and availability:

  1. Collection: SELinux auditd, application logs, database audit logs, system journal
  2. Enrichment: Monitoring agents add context (node ID, entity type, certificate identity, anomaly scores)
  3. Transport: Events are collected and transmitted to a centralized audit database; disk buffering guarantees delivery
  4. Storage: Audit database append-only tables, cryptographic hashes for tamper evidence
  5. Retention: Configurable by CUI category (typically 1-7 years), automated enforcement
  6. Access: Read-only auditor role, time-boxed exports, query logging

Evidence integrity is maintained through cryptographic hashing. Each log batch is hashed, and hashes are chained. Any tampering breaks the chain, providing immediate detection.
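The batch-chaining scheme described above, as an added illustration that is not smartNOC's own code: each batch hash covers the previous batch's hash, and verification recomputes every link. The event fields, the canonical JSON encoding and the all-zero genesis anchor are assumptions made for the example.

```python
"""Hash-chained audit batches with tamper detection (added illustration).

Each batch of audit events is hashed together with the previous batch's
hash, so any change to a stored batch breaks the link to its successor.
This is not smartNOC code: the event fields, the canonical JSON encoding
and the all-zero genesis anchor are assumptions made for the example.
"""
import copy
import hashlib
import json
from typing import Dict, Iterable, List, Optional, Tuple

GENESIS = "0" * 64  # anchor for the first batch (assumption)


def canonical(events: List[Dict]) -> bytes:
    # Sorted keys and fixed separators: the same events always hash the same.
    return json.dumps(events, sort_keys=True, separators=(",", ":")).encode()


def batch_hash(prev_hash: str, events: List[Dict]) -> str:
    # The previous hash is part of the input; that is what forms the chain.
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(canonical(events))
    return h.hexdigest()


def build_chain(batches: Iterable[List[Dict]]) -> List[Dict]:
    chain, prev = [], GENESIS
    for seq, events in enumerate(batches):
        digest = batch_hash(prev, events)
        chain.append({"seq": seq, "prev_hash": prev, "events": events, "hash": digest})
        prev = digest
    return chain


def verify_chain(chain: List[Dict], expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Recompute every batch hash and check the links.

    Returns (True, None) if intact, else (False, seq) for the first batch
    that fails. expected_head is the last hash as recorded somewhere the
    log writer cannot alter (for example a write-once store); without it,
    a rewrite of the final batch together with its hash is not caught.
    """
    prev = GENESIS
    for entry in chain:
        if entry["prev_hash"] != prev or batch_hash(prev, entry["events"]) != entry["hash"]:
            return False, entry["seq"]
        prev = entry["hash"]
    if expected_head is not None and prev != expected_head:
        return False, chain[-1]["seq"] if chain else None
    return True, None


def sample_batches() -> List[List[Dict]]:
    # Constructed sample events, not real audit data.
    return [
        [{"ts": "2024-03-01T08:00:00Z", "type": "auth", "subject": "CN=svc-ingest", "result": "ok"}],
        [{"ts": "2024-03-01T08:05:00Z", "type": "access", "subject": "CN=analyst1",
          "object": "cui/rec-42", "result": "ok"},
         {"ts": "2024-03-01T08:06:00Z", "type": "access", "subject": "CN=analyst2",
          "object": "cui/rec-42", "result": "denied"}],
        [{"ts": "2024-03-01T08:10:00Z", "type": "modify", "subject": "CN=analyst1",
          "object": "cui/rec-42", "action": "export"}],
    ]


def tamper_delete_event(chain: List[Dict], seq: int, index: int) -> List[Dict]:
    # Simulate an event being removed from a stored batch.
    tampered = copy.deepcopy(chain)
    del tampered[seq]["events"][index]
    return tampered


def tamper_and_rehash(chain: List[Dict], seq: int, index: int) -> List[Dict]:
    # Same, but the batch's own hash is recomputed so the batch looks consistent.
    tampered = tamper_delete_event(chain, seq, index)
    entry = tampered[seq]
    entry["hash"] = batch_hash(entry["prev_hash"], entry["events"])
    return tampered


if __name__ == "__main__":
    chain = build_chain(sample_batches())
    head = chain[-1]["hash"]
    print("intact:", verify_chain(chain))
    print("event removed from batch 1:", verify_chain(tamper_delete_event(chain, 1, 1)))
    print("batch 1 rewritten and rehashed:", verify_chain(tamper_and_rehash(chain, 1, 1)))
    print("last batch rewritten, no anchor:", verify_chain(tamper_and_rehash(chain, 2, 0)))
    print("last batch rewritten, anchored head:",
          verify_chain(tamper_and_rehash(chain, 2, 0), expected_head=head))
```

The last two calls show the practical caveat: a chain detects any change to a batch that has a successor, but the newest batch can be rewritten and rehashed without breaking a link, so the head hash has to be recorded somewhere the log writer cannot modify (a write-once store, a signed checkpoint, or an auditor's copy) and compared on verification.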

CUI Marking & Handling

smartNOC supports CUI marking and handling procedures through metadata and automated controls.

Automated CUI Marking

Files and database records containing CUI can be automatically marked based on:

  • Content inspection (keyword matching, pattern recognition)
  • Source system (ingest from CUI-designated source)
  • User designation (manual CUI flag on upload)
  • Policy inheritance (derived from CUI parent document)
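The four marking triggers above, worked through as an added example that is not smartNOC's own code. It shows one point the list leaves implicit: a marking decision should carry the reasons it was made, so the audit evidence records why a record became CUI, and inheritance requires parents to be decided before their children. The record fields, the content patterns and the designated source names are assumptions made for the example.

```python
"""Automated CUI marking with recorded reasons (added illustration).

Implements the four marking triggers: content inspection, designated
source, user flag and inheritance from a marked parent. Not smartNOC
code; the record fields, the pattern set and the designated source names
are assumptions made for the example.
"""
import re
from typing import Dict, List

# Constructed content rules (assumption). A deployment would load these from
# policy; the SSN-shaped pattern stands in for PII detection.
CONTENT_PATTERNS = {
    "cui-banner": re.compile(r"\bCUI\b|\bCONTROLLED UNCLASSIFIED\b", re.IGNORECASE),
    "export-control": re.compile(r"\b(ITAR|EAR)\b"),
    "ssn-shaped": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}
# Source systems designated as CUI sources (constructed names).
CUI_SOURCES = {"contract-portal", "export-docs"}


def decide_marking(record: Dict, registry: Dict[str, Dict]) -> Dict:
    """Return {'id', 'cui', 'reasons'} and store it in registry.

    record keys (assumed): id, text, source, user_flag, parent_id.
    The reasons list is what goes into the audit evidence: an auditor can
    see why a record was marked, not just that it was.
    """
    reasons: List[str] = []
    text = record.get("text", "")
    for name, pattern in CONTENT_PATTERNS.items():
        if pattern.search(text):
            reasons.append(f"content:{name}")
    if record.get("source") in CUI_SOURCES:
        reasons.append(f"source:{record['source']}")
    if record.get("user_flag"):
        reasons.append("user:flagged")
    parent = registry.get(record.get("parent_id"))
    if parent and parent["cui"]:
        reasons.append(f"inherit:{record['parent_id']}")
    decision = {"id": record["id"], "cui": bool(reasons), "reasons": reasons}
    registry[record["id"]] = decision
    return decision


def mark_all(records: List[Dict]) -> Dict[str, Dict]:
    """Mark records so that a parent is always decided before its children."""
    registry: Dict[str, Dict] = {}
    pending = list(records)
    while pending:
        ready = [r for r in pending if not r.get("parent_id") or r["parent_id"] in registry]
        if not ready:
            # Parent not in this batch: decide the child without inheritance.
            ready = pending[:]
        for r in ready:
            decide_marking(r, registry)
        pending = [r for r in pending if r["id"] not in registry]
    return registry


def sample_records() -> List[Dict]:
    # Constructed records; the child deliberately appears before its parent.
    return [
        {"id": "r2", "text": "Attachment to the award package.", "source": "wiki",
         "user_flag": False, "parent_id": "r1"},
        {"id": "r1", "text": "Task order 7 deliverable schedule.", "source": "contract-portal",
         "user_flag": False, "parent_id": None},
        {"id": "r3", "text": "Lunch menu for the all-hands.", "source": "wiki",
         "user_flag": False, "parent_id": None},
        {"id": "r4", "text": "Drawing set subject to ITAR controls.", "source": "wiki",
         "user_flag": True, "parent_id": None},
    ]


if __name__ == "__main__":
    for rid, decision in sorted(mark_all(sample_records()).items()):
        print(rid, "CUI" if decision["cui"] else "not CUI", decision["reasons"])
```

Content rules are the weakest of the four triggers (keyword lists miss paraphrases and match unrelated text), which is why the decision keeps every triggered reason rather than stopping at the first: a record marked only by a single content pattern is a candidate for the sampling check that the compliance tests perform, while one marked by its source or parent is not.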

Handling Procedures

CUI-marked data triggers automatic handling procedures:

  • Access Control: Restricted to roles with CUI authorization
  • Encryption: Automatically encrypted at rest and in transit
  • Audit Logging: Enhanced logging with retention extension
  • Dissemination: Watermarking on exports, recipient validation
  • Destruction: Secure deletion required, cannot be casually deleted

CUI Registry Integration

smartNOC can integrate with the NARA CUI Registry to:

  • Validate CUI category markings
  • Apply category-specific handling procedures
  • Generate required CUI cover sheets
  • Enforce dissemination restrictions

Incident Response for CUI

Rapid Response Capabilities

In the event of suspected CUI compromise, smartNOC's architecture supports rapid response:

Detection

Anomaly detection identifies unusual CUI access patterns. SELinux denials indicate attempted unauthorized access. Analytics engine correlates cross-node behaviors.

Containment

Instant certificate revocation via certificate authority. Network isolation through firewall updates. Service quarantine via monitoring agents. Process termination for compromised applications.

Investigation

Tamper-evident audit logs provide complete access history. Monitoring metrics show resource usage anomalies. Database queries identify affected CUI records.

Reporting

Automated incident report generation. CUI-specific breach notification workflows. Evidence package assembly for authorities. Timeline reconstruction from logs.

72-Hour Breach Notification: smartNOC's automated evidence collection enables rapid determination of breach scope, supporting the 72-hour notification requirement for CUI breaches.

Compliance Validation

Doghouse, smartNOC's automated compliance testing system, validates CUI protection controls:

  • Encryption validation: Verify all CUI storage locations are encrypted
  • Access control testing: Attempt unauthorized CUI access, verify denial
  • Audit completeness: Verify all CUI access generates audit events
  • Transmission security: Validate TLS configuration and cipher suites
  • Marking accuracy: Sample CUI records for correct marking
  • Destruction verification: Confirm deleted CUI is irrecoverable

Doghouse runs these tests pre-deployment, post-configuration change, and on-demand for auditors. Test results become part of the evidence package.

Ready to Protect Your CUI?

Schedule a demonstration of smartNOC's CUI protection capabilities. We'll show you:

  • Live demonstration of encryption at rest and in transit
  • Access control enforcement across all four layers
  • Audit evidence collection and tamper-evident storage
  • Incident response procedures and timeline reconstruction
  • Doghouse compliance validation testing