
What is CUI and How Do I Know if I Have it?

What is Controlled Unclassified Information?

Controlled Unclassified Information (CUI) encompasses various data types, including personal information, proprietary data, or information deemed vital for national security. Proper management of CUI is crucial to prevent its accidental exposure to unauthorized parties.

Controlled Unclassified Information (CUI) refers to information that is either created or possessed by the government, or created or possessed by an entity on behalf of the government, which must be managed according to safeguarding or dissemination controls as mandated or permitted by law, regulation, or government-wide policy but is not classified.

Federal agencies frequently handle information that needs protection against unauthorized disclosure but doesn't qualify as national security or atomic energy classified data. Historically, each agency had its own methods for managing sensitive but unclassified information, leading to a fragmented approach within the Executive branch. This resulted in inconsistencies in how similar information was labeled or how different information could be grouped under the same labels. The establishment of Controlled Unclassified Information (CUI) was a move to standardize how the Executive branch manages and controls the dissemination of this sensitive information.

Training resources to better understand CUI are available here: https://www.cdse.edu/Training/Toolkits/Controlled-Unclassified-Information-Toolkit/

How Do I Know if I Have CUI?

First, it is important to determine whether the requirement to handle and protect CUI is in a contract with a prime contractor or with the DOD directly. If your contract contains the DFARS 252.204-7012 clause, then you most likely will be handling CUI and would be required to protect that data. If that specific clause isn’t there, you’ll also want to look for other related requirements to implement NIST SP 800-171 and/or to protect CUI. If your organization receives Controlled Unclassified Information (CUI) from a DOD prime contractor or directly from the Department of Defense, it is required that these documents are marked with "CUI" at both the header and footer. It is the responsibility of the creator to properly label CUI. If they don't do their job, we end up in the mess of not knowing what is CUI.

If you generate information as part of your contractual responsibilities, you may have been provided with a Security Classification Guide (SCG) by the prime contractor or the DOD. You'll want to check whether the information your organization generates matches the CUI criteria specified by the SCG. If so, you are probably handling CUI.

Lastly, check whether the data matches categories listed in the Federal CUI Registry. The CUI Registry shows authorized categories and associated markings, as well as applicable safeguarding, dissemination, and decontrol procedures. The CUI registry https://www.archives.gov/cui/registry/category-list holds.

Examples of CUI below:

  • Controlled Technical Information (CTI)
    • Provided by a confidential source (person, commercial business, or foreign government) on condition it would not be released
    • Related to contractor proprietary or source selection data
    • Could compromise Government missions or interests
  • Personally Identifiable Information (PII)
    Personally Identifiable Information (PII) is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. PII includes, but is not limited to:
    • Social Security Number
    • Date and place of birth
    • Mother’s maiden name
    • Biometric records
    • Protected Health Information
    • Passport number
  • Protected Health Information (PHI)
    • Subset of PII requiring additional protection
    • Health information that identifies the individual
    • Created or received by a healthcare provider, health plan, or employer, or a business associate of these
    • Related to:
      • Physical or mental health of an individual
      • Provision of healthcare to an individual
      • Payment for the provision of healthcare to an individual

Export Controlled Data: International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR)
ITAR/EAR and CUI on paper have nothing to do with each other, but in reality it is almost inevitable that some data will fall into both camps.

CUI - can't be shared with anyone who doesn't have a need to know.

ITAR/EAR - can't be shared with anyone who isn't a U.S. Person.

A lot of things that are CUI are also ITAR, and vice versa, but that doesn't mean that one inherently implies the other.

My Data Fits a Category in the CUI Registry. Is it CUI?

Holding data that matches a CUI category listed by NARA does not mean it is in scope. However, CUI received or generated on behalf of specific contracts would be.

DOD contracts drive CUI, not the other way round. It’s important not to mark anything unless contractually required. To get control over the dilemma of identifying CUI, companies in the DIB need to get in control of CUI and should reach out to authorities if they strongly suspect they hold unlabeled CUI.

There is data that is CUI and data that is not. It wouldn’t be fair for an assessor to second-guess and decide that unlabeled CUI is actually CUI that needs to be in scope.

Marking CUI

This video was provided by US National Archives as guidance for marking CUI

Common Pitfall of Identifying CUI

"Let's just consider everything CUI" is not a helpful statement, and we don't want to call a simple lunch menu CUI. If you strongly suspect that you hold CUI but are unclear on whether you are handling or producing CUI as part of a contract, you should reach out to your contracting officer for confirmation.

Protecting CUI

To ensure your organization is handling CUI appropriately, it's imperative to implement NIST SP 800-171. This sets a foundation for protecting CUI and will be required as part of a contract if you are handling CUI. Come 2025, a third-party assessor (C3PAO) will audit that these controls are in place and that there is a history of implementation evidence, as required in DFARS 252.204-7012 as written in a contract. It is also advisable to engage with a certified and trained CMMC implementer who can assist in accurately identifying Controlled Unclassified Information (CUI) and guide you through the necessary steps to meet the requirements of the updated CMMC 2.0 framework. This approach not only ensures compliance but also enhances your organization's security posture against potential threats and its overall reputation.
