01.03 Responsible Positions within...

Phase 1 - A suggested method would be to include in your policy, a statement that clearly defines the roles and responsibilities related to protecting Controlled Unclassified Information (CUI). Specifically, I recommend designating a CUI Program Manager who oversees the implementation and maintenance of your NIST 800-171 compliance program. This individual should be empowered to make decisions regarding CUI protection and should have the authority to delegate tasks and ensure accountability. Additionally, I believe it's crucial to identify other key personnel, such as system administrators, security officers, and even individual users, and outline their specific responsibilities concerning CUI handling. This could include things like access control, incident response, and security awareness training requirements.

Defining who is responsible needs to be done as soon as possible if we want to proceed with this. The example above can be used to define our environment.