美国受控非密信息分类与安全控制解析

Analysis on categorization and controls of controlled unclassified information

在我国《中华人民共和国网络安全法》(本文简称《网络安全法》)和《数据安全管理办法》等政策中都使用了“重要数据”的概念,并与网络数据安全管理、数据出境安全评估等多项网络安全制度的实施密切相关。尽管国外没有使用“重要数据”的概念,但对非个人数据、非国家秘密信息的安全管理属于常态,只是各国的管理重点各有不同。美国将政府数据中介于保密数据与公开数据之间,需要限制公开或控制传播的数据归为受控非密信息(CUI),实施统一的登记备案和标识管理制度,并通过技术标准将其范围扩大到了非联邦机构和系统的CUI。文章梳理了CUI概念和分类,总结了CUI相关标准中的安全控制要求,并与一般安全保护要求进行比较。CUI研究对我国重要数据识别和管理方面的政策和标准制定具有借鉴意义。

The concept of"key data"is used in China's"Cybersecurity Law"and"Data Security Management Regulation"and other policies,and is closely related to the implementation of several cybersecurity requirements such as network data security management and data outbound assessment.Although the concept of"key data"is not used abroad,the security management of non-personal data and non-state secret information is normal practices,only varies from country to country.The United States defines CUI as government data between confidential data and public data,although it’s not state secret but may cause serious potential damage once it disclosed or damaged,and implements unified identification and management.Besides,the scope of application of CUI information is expanded to nonfederal agencies and systems through the development of technical standards.This article investigates the concept and categories of CUI,analyzes the management mechanism and security controls of CUI through NIST standards and compares with general security requirements.Research on CUI is meaning to the identification and management of key data.