DOD Instruction 5200.48 Controlled Unclassified Information (CUI) Practice Exam

How is access to CUI controlled in information systems?

Open access to all users.

Through role-based access, user authentication, authorization, and ongoing auditing.

Access to CUI is controlled through a layered security approach that combines authentication, authorization, and continuous auditing. First, users must prove who they are through authentication, confirming their identity. Then authorization determines what actions they can take and what data they can access, typically implemented with role-based access control so permissions align with a user’s job responsibilities. This supports the principle of least privilege, giving each user only what is necessary to perform their duties. Ongoing auditing continuously monitors who accessed what, when, and from where, and can alert or record unusual or unauthorized activity for accountability and quick response.

Open access is insecure because it removes protections around who can view or modify CUI. Relying on device location alone doesn’t verify a user’s identity or grant appropriate permissions. Relying solely on manual policy enforcement fails to scale and lacks the traceability and real-time enforcement that automated authentication, authorization, and auditing provide.

By manual policy enforcement only.

By device location alone.
