What is Controlled Unclassified Information (CUI)?

What is CUI? 

CUI stands for Controlled Unclassified Information. Controlled Unclassified Information (CUI) and Covered Defense Information (CDI) are relatively new markings, but similar markings have a long history within the government.  CUI is an umbrella term that encompasses all CDI and Controlled Technical Information (CTI). These three markings are given to unclassified content that must be protected in a very specific manner both within and outside a government information system.  In the past, the government used many different markings to identify this kind of information. You may have seen or used some of these in the past: Unclassified Controlled Technical Information (UCTI), Sensitive but Unclassified (SBU), For Official Use Only (FOUO), Law Enforcement Sensitive (LES), etc.  These are now all rolled up into the classification of CUI content.
 
  • Government created or owned UNCLASSIFIED information that must be safeguarded from unauthorized disclosure.
  • An overarching term representing many difference categories, each authorized by one or more law, regulation, or Government-wide policy. 
  • Information requiring specific security measures indexed under one system across the Federal Government.
 

Controlled Unclassified Information is any information that law, regulation, or governmentwide policy requires to have safeguarding or disseminating controls, excluding information that is classified under Executive Order 13526,Classified National Security Information, December 29, 2009, or any predecessor or successor order, or the Atomic Energy Act of 1954, as amended

Executive Order 13556 “Controlled Unclassified Information” (the Order), establishes a program for managing CUI across the Executive branch and designates the National Archives and Records Administration (NARA) as Executive Agent to implement the Order and oversee agency actions to ensure compliance. The Archivist of the United States delegated these responsibilities to the Information Security Oversight Office (ISOO).

32 CFR Part 2002 “Controlled Unclassified Information” was issued by ISOO to establish policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program. The rule affects Federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI—or which operate, use, or have access to Federal information and information systems on behalf of an agency.

  1. CUI Basic contains the baseline handling and dissemination controls as identified in the Final Rule issued by NARA (the National Archives and Records Administration) on November 14, 2016. The Federal Information Systems Modernization Act (FISMA) requires that CUI Basic be protected at the FISMA Moderate level and can be marked as either CUI or Controlled. 
  2. CUI Specified is a subset of CUI where the authorizing law, policy, or regulation puts more restrictive controls on the handling and control of the CUI Specified content. The underlying authority maintains the handling controls on CUI Specified content and ONLY a designating agency may apply the limited dissemination controls to CUI content.  This cannot be done by an agency that was not the original designating authority.  More importantly, agencies cannot increase CUI Basic’s impact level above moderate external to their agency without an agreement with the external agency or contractor organization operating an information system on their behalf. 

Why do I need to protect CUI? 

To protect our country from bad actors (hostile states, individuals, and corporations) who are trying to get CUI. If they succeed it could hurt individuals, organizations, or our national security. New hacking revelations occur frequently in news media when corporations lose important privacy information due to data mismanagement. 

CUI and CTI data doesn’t exist only within government data centers on government systems.  It exists across the entire defense industrial base spread across thousands of companies with widely varied IT infrastructures.  Many of those infrastructures are simply not up to the task of properly managing and safeguarding of the CUI/CDI/CTI information that they were entrusted with by the government.

Government investigations identified the lack of security as a primary contributor of security breaches; therefore, the CUI / DFARS 7012 programs were established to begin standardizing the security controls across the defense industrial base to better protect our important information in both government and commercial environments.

What you really need to know, is that failure to protect CUI/CDI/CTI data can result in a rapid loss of a contract.  

Ensure that you have properly identified and classified the data before you propose a contract to ensure that you have provided adequate margin in your contract or overhead calculations to implement controls in your information systems. The new DoD is implementing the Cybersecurity Maturity Model Certification (CMMC) Framework. Today, safeguarding CUI requires DIB contractors to be certified Level 2 in the Cybersecurity Maturity Model Certification Framework by a third-party CMMC assessor or C3PAO. This requirement was issued by the DoD in DFARS Clause 252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021. Learn more about CMMC Level 2 Certification here.   

Who is responsible for identifying CUI?

The National Archives and Records Administration, per 32 CFR Part 2002 “Controlled Unclassified Information” establishes policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program.

Where can I find the CUI Registry?

The CUI Registry includes the CUI Categories, Category Markings, and additional resources.  The CUI Categories are available at: https://www.archives.gov/cui/registry/category-list

Who can I contact with questions about identifying, marking, safeguarding, disseminating, and disposing of CUI? 

The CUI Executive Agent can be reached at Information Security Oversight Office – Controlled Unclassified Information, National Archives and Records Administration700 Pennsylvania Ave, N.W., Room 100Washington, DC 20408-0001

E-mail:  cui@nara.gov

Why is CUI important?

  • The establishment of CUI was a watershed moment in the Department’s information security program, formally acknowledging that certain types of UNCLASSIFIED information are extremely sensitive, valuable to the United States, sought after by strategic competitors and adversaries, and often have legal safeguarding requirements.
  • Unlike with classified national security information, DoD personnel at all levels of responsibility and across all mission areas receive, handle, create, and disseminate CUI.
  • CUI policy provides a uniform marking system across the Federal Government that replaces a variety of agency-specific markings, such as FOUO, LES, SBU, etc.

Source: Controlled Unclassified Information: What is CUI and it’s Origins (summit7.us)

Where did CUI come from?

  • Executive Order 13556 established CUI on November 4, 2010.
  • Part 2002 of 32 Code of Federal Regulations prescribed Government-wide implementation standards on September 14, 2016.
  • DoD Instruction 5200.48, “Controlled Unclassified Information,” established DoD CUI policy on March 6, 2020. 

The Base Requirements

The March 6, 2020 release of DoD Instruction 5200.48 Controlled Unclassified Information (CUI)  includes the following requirements for DoD Contractors in section 5.3.

a. Whenever DoD provides information to contractors, it must identify whether any of the information is CUI via the contracting vehicle, in whole or part, and mark such documents, material, or media in accordance with this issuance.

b. Whenever the DoD provides CUI to, or CUI is generated by, non-DoD entities, protective measures and dissemination controls, including those directed by relevant law, regulation, or government-wide policy, will be articulated in the contract, grant, or other legal agreement, as appropriate.

c. DoD contracts must require contractors to monitor CUI for aggregation and compilation based on the potential to generate classified information pursuant to security classification guidance addressing the accumulation of unclassified data or information. DoD contracts shall require contractors to report the potential classification of aggregated or compiled CUI to a DoD representative.

d. DoD personnel and contractors, pursuant to mandatory DoD contract provisions, will submit unclassified DoD information for review and approval for release in accordance with the standard DoD Component processes and DoDI 5230.09.

e. All CUI records must follow the approved mandatory disposition authorities whenever the DoD provides CUI to, or CUI is generated by, non-DoD entities in accordance with Section 1220-1236 of Title 36, CFR, Section 3301a of Title 44, U.S.C., and this issuance.

What are common CUI categories? 

The following is a quick reference list of common categories of CUI Specified subsets:

  • Agriculture
  • Critical Infrastructure
  • Emergency Management
  • Export Control
  • Financial
  • Geodetic Product Information
  • Immigration
  • Information Systems
  • Vulnerability Information
  • Intelligence
  • International Agreements
  • Law Enforcement
  • Legal
  • Natural and Cultural Resources
  • NATO Controlled
  • Nuclear
  • Patent
  • Privacy
  • Procurement and Acquisition
  • Proprietary Business Information
  • SAFETY Act Information
  • Statistical
  • Tax
  • Transportation
 

Source: CUI Categories

What resources does NIST provide for protecting CUI?

Relevant Publications:

  • NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, provides federal agencies with a set of recommended security requirements for protecting the confidentiality of CUI.
  • NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, provides assessment procedures and a methodology that can be employed to conduct assessments of the CUI security requirements in NIST Special Publication 800-171. 
  • NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171, offers additional recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher than usual risk of exposure. 
  • Draft NIST SP 800-172AAssessing Enhanced Security Requirements for Controlled Unclassified Information, provides federal agencies and nonfederal organizations with assessment procedures that can be used to carry out assessments of the requirements in NIST SP 800-172. 
 

Relevant Templates:

  • NIST has developed example templates for system security plans (SSPs) and plans of action.   
  • There is no prescribed format or specified level of detail for system security plans. However, organizations ensure that the required information in [SP 800-171 Requirement] 3.12.4 is conveyed in those plans.
  • The templates are available as MS Word documents at SP 800-171 Rev. 1 publication page and the SP 800-171A publication page.  
 

Additional Resources

  • NIST, in coordination with the Department of Defense (DoD) and the National Archives and Records Administration (NARA), hosted the Protecting Controlled Unclassified (CUI) Security Requirements Workshop.  This workshop provided an overview of CUI, the DFARS Safeguarding Covered Defense Information and Cyber Incident Reporting Clause, and NIST Special Publications 800-171 and 800-171A. This workshop also featured a panel of Federal Government representatives discussing expectations for evaluating evidence and implementing the CUI Security Requirements and industry representatives sharing best practices and lessons learned.  Recordings of the workshop and presentations are available at the above link.