
Navigating Foreign National Access to CUI

Updated: Feb 5

As organizations that deliver products and services to the U.S. Federal Government increasingly engage global talent, many seek guidance on the complexities of Controlled Unclassified Information (CUI) access for foreign nationals. In alignment with the DoD memo entitled Change to Policy on Sharing Controlled Unclassified Information with Foreign Entities and the CMMC framework, Triumvirate Cybersecurity offers these recommendations to promote compliance while fostering collaboration with foreign employees and partners.



Understanding DoD Guidance

There are many rules and regulations governing the handling of CUI and restrictions applicable to access by non-U.S. persons. However, the U.S. Department of Defense (DoD) memorandum entitled Change to Policy on Sharing Controlled Unclassified Information with Foreign Entities, publicly released in February 2024, provides critical guidance on managing foreign national access to CUI. Within the memo, DoD leadership defines a change in policy wherein a positive foreign disclosure decision is no longer required before releasing CUI to foreign entities as long as there is a legitimate purpose for such access (e.g., delivering services to the DoD under contract) and the information is not otherwise restricted.

Common restrictions which prohibit foreign national access to CUI are the applicability of export control laws, such as the International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR), or the information being labeled “No Foreign Dissemination” (NOFORN).

In the absence of such restrictions, organizations may provide CUI to foreign nationals in support of federal contracts. However, any organization intending to do so should proceed with caution. We’ve provided the following tips to help such organizations remain compliant.

Best Practices for Managing Foreign National Access to CUI

The following practices can help organizations working with foreign nationals ensure compliance with CUI regulations.

Always Check with Your Customers

The old adage about it being easier to beg forgiveness than ask permission doesn’t apply when it comes to export control regulations. Prior to sharing CUI with foreign nationals, organizations should always (a) check contracts for any restrictions — even if no export-controlled data is in-scope — and (b) request confirmation from customers to avoid any unpleasant surprises or misunderstandings.

Assess CUI Scope and Sensitivity

Organizations should conduct a comprehensive review of the CUI they handle and categorize information based on its sensitivity and applicable regulatory requirements. Clearly document which types of CUI are subject to export controls or other restrictions and ensure such information is labeled accordingly.

Leverage Access Control Mechanisms

Utilize access controls and segmentation to limit exposure of CUI to only those who are authorized. Best practices include:

  • Implement role-based access control (RBAC) to restrict CUI access to authorized personnel based on need-to-know and citizenship status.

  • Consider using separate, further-restricted network enclaves for handling export-controlled data.

  • Encrypt CUI in transit and at rest, ensuring compliance with encryption standards outlined in CMMC Level 2 and Level 3, as well as any encryption requirements specific to a given type of regulated data.

Verify Eligibility and Conduct Vetting

Before granting access, ensure foreign nationals undergo appropriate vetting. This process should include:

  • Citizenship verification, where applicable.

  • Review of export control licenses and agreements to confirm legal access, where required (e.g., for EAR/ITAR data).

  • Background checks consistent with organizational and regulatory requirements.

  • Confirmation that all individuals are bound by appropriate employment and/or confidentiality contracts which clearly define individuals’ responsibilities related to CUI access and security.

Train and Educate Employees

Conduct regular training to educate employees on CUI handling and export control regulations. Tailor training to address:

  • Recognition of CUI and its specific handling requirements.

  • Your organization’s processes for ensuring compliance with ITAR, EAR, and other laws, as well as consequences of non-compliance.

  • Security awareness and best practices for maintaining cybersecurity hygiene.

Monitor and Audit Access

Implement ongoing monitoring to detect unauthorized access or misuse of CUI. Key steps include:

  • Logging all access attempts to CUI repositories.

  • Conducting periodic audits to ensure compliance with access policies and authorizations.

  • Identifying and flagging potential security breaches.
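The access-control and monitoring practices above can be combined in a single decision point. The sketch below is an added example, not code from Triumvirate Cybersecurity or the DoD memo: it denies NOFORN data to foreign nationals, requires an unexpired export license for ITAR/EAR markings, enforces need-to-know by project, and logs every attempt. The class names, field names, and the way foreign-national status and licenses are recorded are assumptions for illustration.

```python
import json
from dataclasses import dataclass, field
from datetime import date

EXPORT_CONTROLLED = {"ITAR", "EAR"}  # markings the article names as export-controlled

@dataclass
class User:
    name: str
    foreign_national: bool             # assumed to come from HR vetting records
    projects: set                      # need-to-know: projects the user is assigned to
    licenses: dict = field(default_factory=dict)  # marking -> license expiry date

@dataclass
class Document:
    doc_id: str
    project: str
    markings: set                      # e.g. {"CUI"}, {"CUI", "ITAR"}, {"CUI", "NOFORN"}

def decide(user, doc, today):
    """Return (allowed, reason) for one access attempt."""
    if doc.project not in user.projects:
        return False, "no need-to-know for project"
    if user.foreign_national:
        if "NOFORN" in doc.markings:
            return False, "NOFORN: no foreign dissemination"
        for marking in sorted(doc.markings & EXPORT_CONTROLLED):
            expiry = user.licenses.get(marking)
            if expiry is None:
                return False, f"{marking}: no export license on file"
            if expiry < today:
                return False, f"{marking}: export license expired {expiry}"
    return True, "authorized"

def access(user, doc, today, audit_log):
    """Decide, then record the attempt (allowed or denied) as one JSON line."""
    allowed, reason = decide(user, doc, today)
    audit_log.append(json.dumps({
        "date": today.isoformat(), "user": user.name, "doc": doc.doc_id,
        "markings": sorted(doc.markings), "allowed": allowed, "reason": reason,
    }))
    return allowed

def denied_attempts(audit_log):
    """Audit helper: the denied attempts, for periodic review."""
    return [e for e in map(json.loads, audit_log) if not e["allowed"]]

if __name__ == "__main__":  # constructed sample data, not from the article
    log, ana = [], User("ana", True, {"apollo"})
    print(access(ana, Document("D-1", "apollo", {"CUI", "ITAR"}), date(2025, 2, 5), log), log)
```

Because the license expiry is checked on every request, a lapsed license turns into a logged denial rather than silent continued access.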

Obtain Export Licenses When Necessary

When foreign nationals require access to ITAR- or EAR-controlled CUI, secure the appropriate export licenses before granting access. Coordinate with legal counsel specializing in export control to ensure all compliance requirements are met. Maintain meticulous records of licensing decisions and ensure renewals occur well in advance of expiration.

Aligning with CMMC Requirements

The CMMC framework offers a structured path to safeguard CUI effectively, including requirements for Access Control, Personnel Security, and System & Communication Protection. Organizations should ensure their policies and procedures include practices that specifically address foreign national access.

Conclusion

Balancing the need for global collaboration with regulatory compliance is no small task, but by implementing these best practices, organizations can confidently manage foreign national access to CUI while meeting DoD and CMMC requirements.

As a CyberAB Registered Practitioner Organization (RPO), Triumvirate Cybersecurity is here to guide you through this complex regulatory landscape, ensuring that your organization remains secure, compliant, and prepared for the future. For expert assistance with CUI management and CMMC compliance, schedule a discovery call today to discuss how we can help!



 
 