Are you an I.T. specialist responsible for securing information in your corporation? Depending on the nature of the information your organization deals with, you might have come across terms like classified information and standards like NIST 800-171. While classified information is clearly defined, you might never come across it; there is another type of information you may encounter now and then if your company undertakes Defense contracts: Controlled Unclassified Information (CUI).
What is CUI data? How can you protect it? Does your company deal with Controlled Unclassified Information? Which information standards apply when protecting such data? Read on to get answers to all the questions you might have regarding Controlled Unclassified Information.
What Is CUI?
CUI refers to information created or owned by the Government that needs dissemination or safeguarding controls consistent with the applicable government-wide policies, laws, and regulations. As the term indicates, this information is not classified.
Controlled Unclassified Information (CUI) is a collective term that includes both Controlled Technical Information (CTI) and Covered Defense Information (CDI). These markings apply to unclassified information that needs special protection both within and outside government information systems.
Although they may sound new, these information markings have been around for some time. Earlier markings used to identify this type of information include Sensitive But Unclassified (SBU), Law Enforcement Sensitive (LES), Unclassified Controlled Technical Information (UCTI), and For Official Use Only (FOUO). Today, all of these fall under Controlled Unclassified Information (CUI).
Initially, CUI was developed for the agencies within the executive branch of the United States federal government. Before the current Controlled Unclassified Information program was implemented, each agency used its own set of markings, classifications, and rules to control and manage information. CUI greatly simplified and standardized the process.
Many laws, U.S. codes, and regulations specify how each CUI category is controlled. The best way to learn the requirements for any CUI type is to go to the CUI Registry and search for the content you are interested in. The CUI Registry holds the complete list of CUI categories: 24 categories and 83 sub-categories of content. In addition, every category is classified as either CUI Specified or CUI Basic.
CUI Specified
This is the subset of Controlled Unclassified Information where the authorizing policy, law, or regulation places more restrictive controls on how the content is handled and controlled. The underlying authority defines the handling controls for CUI Specified content, and only the designating agency may apply limited dissemination controls to it.
An agency that was not the original designating authority cannot do so. Likewise, an agency cannot raise the impact level of CUI Basic above moderate for systems outside itself without an agreement with the external agency, or with the contractor organization running an information system on its behalf.
CUI Basic
This is the baseline set of handling and dissemination controls established by NARA's final rule of November 14, 2016. Under FISMA, CUI Basic must be protected at the FISMA moderate level, and it may be marked Controlled or CUI.
Does My I.T. System Have CUI Data?
This is a concern for many I.T. specialists. As a government contractor, do you hold CUI data that should be protected? Sure, your contract carries a DFARS 7012 clause, but is there actually CUI content in your organization? In most cases, the answer is yes. Below are the common types of information a defense contractor must protect under DFARS.
- Technical information such as engineering drawings, engineering and research data, standards, manuals, process sheets, catalog-item identifications, technical orders, technical reports, data sets, and associated lists, as well as computer software source code and executable code.
- Vulnerability information for computers and information systems.
- Any PII (personally identifiable information) you store, process, or transmit on behalf of the U.S. government as part of contract delivery. Such data is "Government-owned" PII and is considered CUI. For instance, PII handled under a contract for processing benefits can be regarded as CUI.
A lot of unclassified content can be defined as controlled data. Any company in the DIB (Defense Industrial Base) has CUI data in its infrastructure, and most of them have a DFARS 7012 clause in at least one of their contracts.
What Qualifies As CUI?
The CUI categories and sub-categories are determined by the executive branch of the United States Federal Government. They include the following:
- All proprietary information regarding protected critical energy information as specified in the Atomic Energy Act (AEA)
- Any proprietary information relating to the CUI Registry categories
- All proprietary information pertaining to export controls
- Proprietary information regarding geospatial, imagery, and geodetic intelligence
- Controlled Technical Information (CTI) relating to aerospace, the Government, or the Military
How Can I Protect CUI Data?
If your business deals with national security matters, conduct due diligence to comply with the laws, regulations, and policies on federal information sharing that apply to your defense contract. This will likely involve several compliance regulations and standards, such as DFARS, CMMC, and NIST. The Government provided a blueprint in the DFARS 7012 rule, which stipulates the types of controls you must institute to protect CUI content within your information systems. Under the rule, your CUI may reside in one of the following environments:
- The on-premise data center that has all your company's internal I.T. systems
- A CSP (cloud service provider) like Microsoft GCC High, AWS, or Azure
- A hybrid solution of on-premise systems and a Cloud Service Provider that meets the NIST 800-171 specification
Whichever of the three solutions you choose, ensure that it addresses the 110 NIST SP 800-171 security controls, the POA&Ms (Plans of Action and Milestones), and the SSP (System Security Plan). Organizations serving the DIB have historically managed their data in localized data facilities.
Are There Consequences Of Not Protecting CUI?
Federal law does not specify a particular penalty provision for failing to protect CUI. Instead, according to CFR-2017, misuse of CUI is subject to the penalties specified under the applicable laws, government-wide policies, and regulations. Any non-executive branch entity must report any non-compliance with handling requirements to the disseminating agency, using the methods approved by that agency's senior agency official. If the disseminating agency is not the designating agency, the disseminating agency must notify the designating agency immediately.
Essentially, businesses that do not comply with Controlled Unclassified Information requirements are subject to administrative, civil, or criminal action if they fail to prevent a cybersecurity threat or to report that incident properly. More practically, you will lose your federal government contracts if you do not comply with all the CUI requirements.
Controlled Unclassified Information must be handled and disseminated according to existing government policies, laws, and regulations. When aggregated, CUI can become TOP SECRET. Carefully study the CUI Registry to find out whether your company holds CUI Specified information, so that you can take the appropriate steps. Visit Cleared Systems for more details on information security.
CUI Reference Documents
- DoD CUI Marking Aid (updated January 3, 2022)
- CUI Limited Dissemination Controls (updated December 28, 2021)
- CUI Quick Reference Guide Trifold
- CUI Cover Sheet (SF901-18a)
- Trigraph Country Codes (as of GENC Standard, Edition 2.0)