This page is an overview for aerospace and defense contractors supporting the Department of Defense who may handle, store, or process sensitive data. It is intended to answer the following questions about unclassified government data in commercial IT infrastructures:
What is Controlled Unclassified Information (CUI)?
How do I know if I have CUI in my environment?
What type of CUI do I have?
Am I required to protect CUI?
How do I protect CUI and meet compliance requirements?
Can I protect CUI with Microsoft 365?
Are there industry events to help with protecting CUI?
What Is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) is Federal non-classified information that the U.S. Government creates or possesses, or that a non-Federal entity (such as a Defense Industrial Base organization) receives, possesses, or creates on behalf of the U.S. Government.
CUI is unclassified content that must be protected in a specific manner, both within and outside a government information system, as identified in a law, regulation, or government-wide policy. CUI may require additional safeguarding or dissemination controls to limit access and exposure to unauthorized individuals.
The CUI Program was established as a result of Executive Order 13556 and is intended to standardize the way the government, and those doing business with the DoD, handle and protect unclassified information. Prior to the current CUI program, every agency used a different set of markings, information classifications, and rules for how to manage and control the information. Many organizations in the Aerospace and Defense industry may have become accustomed to markings such as For Official Use Only (FOUO), Law Enforcement Sensitive (LES), Sensitive but Unclassified (SBU), and Unclassified Controlled Technical Information (UCTI). All of these are now Controlled Unclassified Information (CUI). This information, although unclassified, is still crucial to national defense and warrants special protection to prevent unauthorized access or disclosure.
NARA CUI Registry Definitions:
There is an incredibly wide range of data that is unclassified but falls within the CUI definitions found in the NARA CUI Registry, much of which is casually overlooked by organizations. Here are common examples of data you must protect under DFARS/CMMC as a defense contractor:
- Controlled Technical Information (CTI): Technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24 and found in the DoD-provided guidance for CUI Markings for Unclassified Documents.
- ITAR Data: Export-controlled data that the International Traffic in Arms Regulations (ITAR) deems to be defense-related articles and services on the United States Munitions List (USML). The USML is a list of articles, services, and related technology designated as defense- and space-related by the United States federal government.
- Personally Identifiable Information (PII): PII that is transmitted, stored, or processed on behalf of the government as part of delivering a contract is government-owned data. For example, if PII is included in a contract that processes benefits, it would be considered CUI.
Do I Have CUI?
When trying to determine if your organization has CUI, try asking yourself these questions:
- C - Is the data originally Created by the government and provided to you in association with the contract?
- U - Is the data going to be Used to deliver your contractual responsibilities to the government?
- I - Can the data type be Identified within the sub-categories listed on the NARA CUI Registry?
If the data is created by the government and distributed to you, used by you to deliver services listed in the contract, and identified by type as one of the sub-categories from the CUI Registry, chances are the data you have is CUI. Additionally, if your organization executes technical work for the government that leads to data being created or transmitted, this output is possibly Controlled Technical Information (CTI) and therefore CUI by default.
This potential designation could lead to additional safeguarding and distribution requirements. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24 and found in the DoD-provided guidance for CUI Markings for Unclassified Documents.
The controlling Department of Defense (DoD) office is responsible for determining if information is CTI and properly marking it prior to contractors' access to the information. However, if a contractor develops CTI in the performance of a contract, the contractor must work with their contracting officer to verify that the appropriate forms are completed, statements of work are in place, and distribution statements are assigned to the data.
What type of CUI do I have?
Within the NARA CUI Registry, there are 125 total CUI categories listed, divided into 20 index groupings. An investigation into the CUI category for the data will reveal its type: CUI Basic or CUI Specified.
- CUI Basic contains the baseline handling and dissemination controls as identified in the Final Rule issued by NARA (the National Archives and Records Administration) on November 14, 2016. The Federal Information Systems Modernization Act (FISMA) requires that CUI Basic be protected at the FISMA Moderate level and must be marked as CUI.
- CUI Specified is a subset of CUI where the authorizing law, policy, or regulation puts more restrictive controls on the handling and control of the CUI Specified content. The underlying authority maintains the handling controls on CUI Specified content, and ONLY a designating agency may apply limited dissemination controls to CUI content; this cannot be done by an agency that was not the original designating authority. More importantly, agencies cannot increase CUI Basic's impact level above moderate outside their agency without an agreement with the external agency or contractor organization operating an information system on their behalf.
There are multiple sets of regulations, laws, and U.S. codes that may apply to each of the CUI-Specified data types. It is advised that organizations identify their data type from the CUI categories in the CUI Registry.
Once the data type is identified, the organization should click on the data type and find the Safeguarding and/or Dissemination Authority information located at the bottom of the page and identify their specified requirements from the provided guidance. The following is a quick reference list of common categories of CUI Specified subsets:
CUI Protection Requirements
CMMC 2.0 compliance and CUI
In 2023, the Department of Defense will finalize the rulemaking process, effectively putting DFARS clause 252.204-7021 into the rotation of contract clauses that can be applied to DoD contracts. As a result, contracting officers and prime contractors will be able to attach this clause to contracts to flow down Cybersecurity Maturity Model Certification (CMMC) requirements into their supply chains.
Should my business spend money before CMMC 2.0 rules are established?
Protecting CUI with Microsoft 365
Many contractors in the DoD supply chain have already chosen to handle sensitive data such as CUI and ITAR data in the Microsoft Government Cloud. Microsoft has two versions of M365 that are suited for handling CUI: Microsoft 365 GCC High and Microsoft 365 GCC.
GCC High is not required to meet CMMC 2.0 at any Level. However, Microsoft's official recommendation is that organizations planning or required to meet CMMC 2.0 Level 2 (formerly CMMC 1.0 Level 3) should deploy to Microsoft 365 GCC High.
Resources for getting started with protecting CUI in Microsoft Government:
CS2: CMMC Industry Days
What Is CS2?
CS2, the Cloud Security and Compliance Series, is an ongoing informational series for contractors in the Defense Industrial Base looking to meet federal compliance mandates and protect CUI. These hybrid events are specifically curated for aerospace and defense contractors and higher education institutions looking for practical approaches to address security threats, invest in a culture of cybersecurity for their organization, and glean best practices for their cloud investments.
Areas of focus for CS2 events include, but are not limited to