
What Is CUI?

Controlled Unclassified Information and CMMC 2.0

This page is an overview for aerospace and defense contractors supporting the Department of Defense who may handle, store, or process sensitive data.

This page is intended to answer the following questions pertaining to unclassified government data in commercial IT infrastructures: 

  • What is Controlled Unclassified Information (CUI)? 
  • How do I know if I have CUI in my environment? 
  • What type of CUI do I have? 
  • Am I required to protect CUI? 
  • How do I protect CUI and meet compliance requirements? 

What Is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) is Federal non-classified information that the U.S. Government creates or possesses, or that a non-Federal entity (such as a Defense Industrial Base organization) receives, possesses, or creates on behalf of the U.S. Government. CUI is unclassified content that must be protected in a specific manner, both within and outside a government information system, as identified in a law, regulation, or government-wide policy. CUI is data that may require additional safeguarding or dissemination controls to limit access and exposure to unauthorized individuals.

Many organizations in the Aerospace and Defense industry have become accustomed to markings being applied to data such as For Official Use Only (FOUO), Law Enforcement Sensitive (LES), Sensitive but Unclassified (SBU), and Unclassified Controlled Technical Information (UCTI). All of these are now Controlled Unclassified Information, or CUI.

These markings were consolidated as a result of the development of the CUI Program. The CUI Program was established by Executive Order 13556 and is intended to standardize the way the government, and those doing business with the government, handle and protect unclassified information. This information, although unclassified, is still crucial to national defense and warrants special protection to prevent unauthorized access or disclosure. Prior to the current CUI Program, every agency used a different set of markings (FOUO, LES, SBU, UCTI, etc.), information classifications, and rules for how to manage and control the information.

NARA CUI Registry Definitions:

There is an incredibly wide range of data that is unclassified but falls within the CUI definitions found in the NARA CUI registry, many of which are casually overlooked by organizations. Here are common examples of data you must protect under DFARS/CMMC as a defense contractor:

  • General Financial Information related to the duties, transactions, or otherwise falling under the purview of financial institutions or United States Government fiscal functions. Uses may include but are not limited to, customer information held by a financial institution. 
  • Personally Identifiable Information (PII) that you transmit, store, or process on behalf of the government as part of the delivery of a contract. That data is "government owned" PII and is considered CUI. For example, if PII is included in a contract that processes benefits, it would be considered CUI.
  • Technical information including research and engineering data, engineering drawings, associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analysis, and related information and computer software executable code and source code. 

Do I Have CUI?

When trying to determine if your organization has CUI, try asking yourself these questions:

  • C – Is the data originally Created by the government and provided to you in association with the contract?
  • U – Is the data going to be Used to deliver your contractual responsibilities to the government?
  • I – Can the data type be Identified within the sub-categories listed on the NARA CUI registry?

If the data is created by the government and distributed to you, used by you to deliver services listed in the contract, AND is identified by type as one of the sub-categories from the CUI registry, chances are the data you have IS CUI. Additionally, if your organization performs technical work for the government that leads to data being created or transmitted, this output is possibly controlled technical information (CTI), and therefore CUI by default. This designation could lead to additional safeguarding and distribution requirements. Controlled technical information, if disseminated, would meet the criteria for distribution statements B through F set forth in DoD Instruction 5230.24 and in the DoD-provided guidance on CUI markings for unclassified documents.

The controlling Department of Defense (DoD) office is responsible for determining if information is CTI and properly marking it prior to contractor access to the information. However, if a contractor develops CTI in the performance of a contract, the contractor must work with their contracting officer to verify that the appropriate forms are completed, statements of work are in place, and distribution statements are assigned to the data.

Who Is Affected?

The Defense Industrial Base

The release of CMMC 2.0 affects the following groups: according to the DoD, around 300,000 aerospace and defense suppliers will need to meet CMMC 2.0 compliance.

The DoD's stated goals for CMMC 2.0 are to:

  • Cut red tape for small- and medium-sized businesses
  • Set priorities for protecting DoD information
  • Reinforce cooperation between the DoD and industry in addressing evolving cyber threats

The Three Levels Explained


Level 1: 17 Practices and Self-Assessment

  • Classified as "Basic" by the DoD
  • Requires those who handle Federal Contract Information (FCI) to meet Level 1
  • Contractors must self-attest that they have implemented the requirements

Level One consists of 17 basic cybersecurity practices. The requirement states that all federal contractors must implement these safeguard controls.

Level 2: NIST 800-171 and Third-Party Assessments

One of the most significant changes from CMMC 1.0 Level 3 to CMMC 2.0 Level 2 is that the 130 controls of 1.0 Level 3 are reduced to the 110 controls of NIST SP 800-171 for 2.0 Level 2.

You can read more of the details on the 1.0 to 2.0 changes in our Q&A blog here.

Level 3: NIST 800-172

Timeline For Implementation and Rulemaking

"Everything is going to revolve around rulemaking for CMMC 2.0"

– Jacob Horne (Chief Security Evangelist at Summit 7 and industry thought leader)

[Graphic: DoD 2022 timeline for CMMC, FAR, DFARS and NIST rulemaking]

The Key For Contractors

  • The DoD claims that costs, burdens, and barriers to entry are significantly reduced as a result of the changes in CMMC 2.0. However, these savings and reductions are accounted for across the overall CMMC program, not for individual companies.
  • The allowance of POAMs, the removal of the "Delta 20" controls, and the removal of process maturity requirements are the basis for the claimed cost reductions. However, if an OSC's (Organization Seeking Certification's) costs and burdens were a result of NIST SP 800-171 itself, then these changes are not as helpful as the government indicates.

Rulemaking is often triggered by direction from Congress. For example, much of the impetus for the CMMC interim rule came from the FY 2020 NDAA. The DoD has stated that it will pursue rulemaking in Title 48 and Title 32 of the Code of Federal Regulations; based on that statement, here is what we know will be codified for CMMC 2.0 under the two CFRs.

What are the two CFRs that drive rulemaking?

Current Proposed Ruling

  • The current interim rule will likely not be republished since the requirements of the interim rule still stand. DFARS 252.204-7019 and DFARS 252.204-7020 are still required and flowing through the defense supply chain.
  • DFARS 252.204-7021 exists to indicate when CMMC certification is required. The process of including 7021 on a case-by-case basis is on pause so the current interim rule is unaffected.

This blog details information about the proposed and final changes for 2022 under the federal policies included in the calendar graphic above.

Preparing For CMMC 2.0

1) CMMC 2.0 Level 1: Contractors Handling FCI

  • If you haven't already done so, implement the 17 practices required for CMMC 1.0 and prepare to submit your annual self-assessment results. 
    • Not sure if you have Federal Contract Information (FCI)? Start here.

2) CMMC 2.0 Level 2: Contractors Handling CUI / ITAR Data

  • Implement NIST SP 800-171 if you have not already done so.
  • Prepare for third-party (C3PAO) or government-led assessments.

If you currently rely on, or are preparing to use, external service providers for CMMC compliance, you will want to request a Shared Responsibility Matrix (SRM) from your Managed Service Provider.

3) CMMC 2.0 Level 3: Contractors Handling CUI / ITAR Data / Secret / Top Secret Data

  • Since the CMMC 2.0 levels are cumulative, you will need to implement the requirements for L1, L2, and L3
  • Implement the practices based on NIST SP 800-172
  • Prepare for triennial government-led assessments of your environment(s)

Microsoft 365 and CMMC 2.0 Compliance

Many contractors in the DoD supply chain have already chosen to tackle federal compliance in the Microsoft Government Cloud. Examples of some of the applications contractors rely on are:

Do You Need Microsoft 365 GCC High For CMMC 2.0?

The short answer: No

The long answer: You likely need to choose GCC High for your overall compliance strategy.

GCC High is not required to meet CMMC 2.0 at any level. However, Microsoft's official recommendation is that organizations planning or required to meet CMMC 2.0 Level 2 (formerly CMMC 1.0 Level 3) should deploy to Microsoft 365 GCC High. The Commercial and GCC versions of the platform can be configured to meet NIST 800-171 and the vast majority of CMMC's requirements with native security products and capabilities. CMMC 2.0 Level 2, for example, can be met in Commercial and GCC per the standards written to date.

What Is Microsoft 365 GCC High? Start here.

The graphic below represents the Microsoft platform as it relates to relevant compliance frameworks such as CMMC, DFARS 7012, and ITAR regulations.

[Graphic: Microsoft platform compliance framework]

There are several long-term concerns and considerations to assess, and these are highlighted in this guide to GCC vs GCC High.

CS2: CMMC Industry Days

What Is CS2?

CS2, or The Cloud Security and Compliance Series, is an ongoing informational series for contractors in the Defense Industrial Base looking to meet federal compliance mandates. These hybrid events are curated specifically for aerospace and defense contractors, and for higher education institutions, looking for practical approaches to address security threats, invest in a culture of cybersecurity for their organization, and glean best practices for their cloud investments.

Areas of focus for CS2 events include, but are not limited to:

More Resources
