What Is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
CUI can include a wide range of information, such as personal information, proprietary information, or information that is considered critical to national security.
It is important to properly handle CUI to ensure that it is not inadvertently disclosed to unauthorized individuals.
What are CUI assets?
Controlled Unclassified Information (CUI) assets are assets that process, store, or transmit CUI.
CUI assets are essential to a DIB organization's support of the DoD, so identifying them belongs at the top of the list, not only for compliance but for healthy cybersecurity practice as a whole. Organizations should clearly define which workstations, file servers, cloud collaboration services, and/or managed service providers process, store, or transmit CUI.
Read more: How to Identify CUI Assets
Types of CUI: CUI Basic vs CUI Specified
The NARA CUI Registry lists 125 CUI categories, organized into 20 organizational index groupings. Looking up the category that covers your data will tell you its type: CUI Basic or CUI Specified.
What is CUI Basic?
CUI Basic is CUI for which the authorizing law, regulation, or policy does not specify its own handling controls; on a contractor system, that means applying NIST SP 800-171. If you see the CUI Basic marking and no other controls are called out, you apply NIST SP 800-171 to that environment and to that data.
CUI Basic carries the baseline handling and dissemination controls identified in the Final Rule issued by NARA (the National Archives and Records Administration) as 32 CFR Part 2002, effective November 14, 2016.
32 CFR Part 2002 requires that CUI Basic be protected at no less than the moderate confidentiality impact level under FISMA (the Federal Information Security Modernization Act), and it must be marked as CUI.
What is CUI Specified?
CUI Specified is a subset of CUI where the authorizing law, policy, or regulation puts more restrictive controls on the handling and control of the content.
CUI Specified is CUI that has a law, regulation, or government-wide policy saying you have to do things above and beyond NIST 800-171 to protect the data.
For example, a contractor handling covered defense information must comply with DFARS 252.204-7012, which (among other things) requires you to:
- Report cyber incidents affecting covered defense information to the DoD
- Preserve images of affected systems and relevant monitoring data, and submit that media to the DoD on request for forensic analysis
- Flow these requirements down to subcontractors
- Use only an external cloud service provider that meets the FedRAMP Moderate baseline (or equivalent) if covered defense information is stored or processed in the cloud
The underlying authority sets the handling controls on CUI Specified content, and only the designating agency may apply limited dissemination controls to CUI; an agency that was not the original designating authority cannot.
Likewise, agencies cannot raise CUI Basic's impact level above moderate for systems outside their agency without an agreement with the external agency or contractor organization operating the information system on their behalf.
Identifying and Categorizing CUI
When trying to determine if your organization has CUI, try asking yourself these questions:
- C – Is the data originally Created by the government and provided to you in association with the contract?
- U - Is the data going to be Used to deliver your contractual responsibilities to the government?
- I - Can the data type be Identified within the sub-categories listed on the NARA CUI registry?
These three criteria should help you navigate figuring out whether the data you're handling is CUI.
Here is something else that may help you decide whether you are handling CUI. It is a copy of the decision flow the DoD typically walks through in its public documentation; we have simplified the wording a little.
The first question is, are you dealing with classified or truly unclassified information?
Next up, does the information fall within a law, regulation or government-wide policy? If not, it's not CUI.
All of the proprietary data you have – if you're not delivering on a contract and it doesn’t call it out as something unique to the government – it's probably not CUI.
If it does have a law, regulation or government-wide policy, you'll need to look up those categories in the National Archives or the DoD CUI Registry. We'll do that in the next step.
Walkthrough of CUI categorization
For this example, we're going to use the National Archives CUI website. Visit the website, then click on Category list.
You’ll see a column called Organizational Index Groupings with the CUI categories underneath.
One of the examples we like to talk about when it comes to CUI is Controlled Technical Information, which is found next to the Defense section.
If you click Controlled Technical Information, you’ll see a category description. This one has a long category description, but it’s basically telling you what CTI is, where the reference documentation is located, that DFARS 7013 has the definition, and lots of other great stuff.
As you read through it, you might start to think that everything is CUI. But if you look all the way down at the very bottom of the Controlled Technical Information page, you’ll see a table with a heading titled Safeguarding and/or Dissemination Authority.
This is going to tell you which reference document to look at to determine if this applies to you. It’s also going to tell you if it's Basic or Specified CUI as well as the banner marking that you're going to need if/when you mark it.
But if you click the link under the Safeguarding and/or Dissemination Authority heading, a document will be opened that will tell you things like which types of systems that you need, how you need to configure them, which type of a cloud environment you need to use – and it’s all wrapped up in this document.
For the sake of this example, do a search in the document for “Controlled Technical Information” and you’ll see the definition of what CTI is.
It even goes into things like distribution statements that you might see coming from the DoD.
But this poses another great question. You might think, “Okay, I get the word “controlled,” is there a better definition of what "technical information” is?
If you scroll over within that same clause, it actually tells you that “technical information” means technical data or computer software as those terms are defined in the referenced DFARS clause.
And from the name of that clause, Rights in Technical Data for Non-Commercial Items, you can already tell something: this definition does not apply to commercial off-the-shelf (COTS) items. If you can buy it at Walmart, this clause does not apply.
But to dig a little deeper, you’ll next want to do a Google search for the clause that’s referenced in the document. In this case, it’s “DFARS 252.227–7013”. If you do a Google search for it, you’ll find a page on Acquisition.gov with the document on it.
As you're going through that page, you'll see that it covers definitions of computer database, computer program, and computer software.
This is what helps you refine and understand if the data you're handling is actually going to be CUI, or in this case Controlled Technical Information.
Read more: Identifying CUI with Microsoft 365 For CMMC
Common Mistakes with Identifying CUI
It's important to remember that not everything is CUI.
For example, some companies think their budget should be considered CUI. They worry about the ERP systems and other technologies that hold budget information and, to be safe, decide to treat it as CUI.
But if we look at the CUI categories on the DoD CUI Program site, go to Financial, then Budget, and read the category summary, what we find is that a budget is only CUI Specified when it is the budget of a federal agency. As long as you are not a federal agency, it is not CUI.
Another thing to consider is whether this CUI has a government-wide policy, law, or regulation in place that applies to contractors. Going back to our budget example, if you're not a federal agency reporting your budget to the Office of Management and Budget, then there's no reason to consider it CUI.
This video from the US National Archive explains how organizations can properly mark CUI data. Summit 7 does not own the rights to this video.
History of CUI
The CUI Program was established by Executive Order 13556 (2010) and is intended to standardize the way executive branch agencies, and those doing business with them, handle and protect unclassified information that requires safeguarding.
Prior to the current CUI program, every agency used a different set of markings (FOUO, LES, SBU, UCTI, etc.), information classifications, and rules for how to manage and control the information.
Many organizations in the Aerospace and Defense industry may have become accustomed to markings being applied to data such as:
- For Official Use Only (FOUO)
- Law Enforcement Sensitive (LES)
- Sensitive but Unclassified (SBU)
- Unclassified Controlled Technical Information (UCTI)
All of these legacy markings have since been replaced by Controlled Unclassified Information, or CUI.
This information, although unclassified, is still crucial to national defense and it warrants special protection to prevent unauthorized access or disclosure.
CMMC 2.0 compliance and CUI
In 2023, the Department of Defense expects to finalize the rulemaking that puts DFARS clause 252.204-7021 into the set of clauses that can be applied to DoD contracts. Once it does, contracting officers can include the clause in contracts, and prime contractors can flow Cybersecurity Maturity Model Certification (CMMC) requirements down through their supply chains.
How do I protect CUI?
- Implement NIST SP 800-171 if you have not already done so.
- Prepare for third-party (C3PAO) or government-led assessments.
- Reach out to a service provider who is able to help you identify CUI and provide next steps for CMMC 2.0 compliance.
Should my business spend money before CMMC 2.0 rules are established?
Protecting CUI with Microsoft 365
Many contractors in the DoD supply chain have already chosen to handle sensitive data such as CUI and ITAR data in the Microsoft Government Cloud. Microsoft has two versions of M365 that are suited for handling CUI, Microsoft 365 GCC High and Microsoft 365 GCC.
GCC High is not strictly required to meet CMMC 2.0 at any level. However, Microsoft's official recommendation is that organizations planning for, or required to meet, CMMC 2.0 Level 2 (formerly CMMC 1.0 Level 3) deploy to Microsoft 365 GCC High.
The graphic below represents the Microsoft Platform as it relates to relevant compliance frameworks such as CMMC, DFARS 7012, ITAR regulations.
CS2: CMMC Industry Days
What Is CS2?
CS2, or The Cloud Security and Compliance Series, is an ongoing informational series for contractors in the Defense Industrial Base looking to meet federal compliance mandates and protect CUI. These hybrid events are specifically curated towards aerospace and defense contractors and those in higher education institutions looking for practical approaches to address security threats, invest in the culture of cybersecurity for their organization, and glean best practices for their cloud investments.
Areas of focus for CS2 events include, but are not limited to:
- Handling CUI and FCI
- CMMC 2.0
- NIST 800-171
- The DFARS 70 Series (7012, 7019, 7020)
- ITAR regulations
Frequently Asked Questions About Controlled Unclassified Information (CUI)
Does a picture of a part or part number related to an ITAR drawing qualify as CUI?
Is a part number taken from an ITAR drawing and then used in the company’s ERP system to support considered CUI?
If a CMMC required client has no desire to keep any CUI in the cloud or email is GCC or GCC High necessary?
What is a good approach for commercial companies that have only a small part of their business that handles ITAR data?
How does a company manage CMMC when they utilize 3D CAD systems such as SolidWorks or Fusion?
Does Summit 7 ever recommend Microsoft 365 Commercial plus PreVeil or bolt-on email drive for CUI?
How can I know for sure if we need to meet CMMC level 1 or CMMC level 2?
How many of the 320 assessment objectives in NIST 800-171A does Summit 7 claim to fulfill for their MSSP clients?
Do you no longer need your on-premises server if you move towards Microsoft 365 GCC or GCC High?
Does an MSP supporting a GCC High client require CMMC certification?
What causes Microsoft Commercial to fail to meet the requirements for NIST 800-171?
What is involved in a migration?
Do we still need the Microsoft Government cloud if we are encrypting sensitive emails and not using SharePoint to store data?
Migrating from Microsoft Commercial to Microsoft GCC High, are there any steps that are different from migrating to Microsoft GCC?
Is there a way to configure Google for compliance with CMMC Level 2?