How should CUI be treated when stored or processed outside DoD networks?

• A. With the same safeguarding controls, including encryption and access controls, as inside.
• B. With reduced safeguards if stored on approved external networks.
• C. It is prohibited to store CUI outside DoD networks.
• D. Only encryption is required; access controls may be relaxed outside.

Answer: (A)

CUI outside DoD networks must be protected with the same safeguards as inside. The reason is that the sensitivity of CUI requires consistent protections regardless of where it’s stored or processed. This means using encryption for data in transit and at rest, strong access controls that enforce least privilege and need-to-know, robust authentication, and ongoing monitoring with auditing and incident response capabilities. Reducing safeguards or relaxing access controls outside the network would create gaps for unauthorized access or disclosure, and storing CUI outside the DoD isn’t prohibited if those protections are maintained. Only encryption alone is not enough; a complete set of safeguards is required to keep the data secure.