The protection of sensitive information is critical for any organization, especially when it involves national defense. The effort involves not only protecting the information but also ensuring that the organization meets regulatory compliance and policies. The US government’s efforts to break down information silos and improve data sharing have led to an increase in the number and diversity of people accessing and working with controlled unclassified information (CUI). This has affected the control that the government has over its CUI.
Moreover, the adoption of the cloud, the introduction of numerous platforms and mobile devices, and evolving security threats lead to an urgent need for a standardized classification framework to protect CUI. After much deliberation, the National Archives and Records Administration (NARA) has released the details of its regulation establishing a protection framework for CUI. This framework is designed to safeguard government data that has not been classified as Confidential or Secret but should not be made public, as it is shared between different government and commercial entities.
What is CUI?
Controlled Unclassified Information (CUI) is federal non-classified information, that is, information the federal government creates or possesses, or that an entity creates or possesses for or on behalf of the government. Such information requires safeguarding or dissemination controls compliant with law, regulations, and government-wide policies.
Why is CUI important?
The DoD’s requirement for CUI classification indicates that this unclassified information is sensitive and valuable to the country. It can be pursued by adversaries for their gain and so needs strong protection.
CUI poses a substantial risk to national security because it has not been regulated like classified information. Consequently, such information is easier for foreign powers and malicious actors to obtain than classified information, and even fragments of CUI gathered from different sources can be pieced together.
The main risk for companies handling CUI is the possibility of security breaches that allow it to fall into the hands of attackers, from where it can spread further. Therefore, organizations must identify all the CUI they possess and handle it according to the classification and protection mandated by CUI regulations. The government has defined CUI policies to protect this class of information and ensure that it is disseminated according to explicit guidelines.
Classification of CUI
CUI enables the government to carry out its missions and business operations that affect the security, economy, and national infrastructure of the US.
There are two types of CUI: ‘CUI Basic’ and ‘CUI Specified.’ CUI Basic requires no category-specific controls, whereas CUI Specified has specific handling controls. The Federal Information Security Modernization Act (FISMA) requires that CUI Basic be protected at the FISMA Moderate level and be marked as CUI. CUI Specified is a subset of CUI where the authorizing law, policy, or regulation puts more restrictive controls on the handling and control of the content.
The underlying authority insists that only a designating agency may apply limited dissemination controls to CUI content; no other agency may do so. Also, an agency cannot raise the impact level of CUI Basic above Moderate for systems outside the agency without an agreement with the external agency or contractor operating an information system on its behalf.
How do I protect CUI?
- Implement NIST SP 800-171 if you have not already done so.
- Prepare for third-party (C3PAO) or government-led assessments.
- Reach out to a service provider who can help you identify CUI and provide the next steps for CMMC (Cybersecurity Maturity Model Certification) 2.0 compliance.
How do I identify CUI?
Some information is easy to identify as CUI based on prior markings. Physical documents received from a government agency will be marked with the CUI acronym at the top and bottom of every page. In an email, the subject line will be marked CUI.
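As an added example (not part of the original article), the following Python audit checks the two markings the article describes: a CUI banner as the first and last line of every page, and a CUI marker in an email subject. The optional `//` category suffix accepted by the regex (e.g. `CUI//SP-CTI`) and the sample pages and subjects are constructed assumptions, not taken from the article.

```python
import re
from typing import Dict, List

# Banner per the article: the bare "CUI" acronym at the top and bottom of every page.
# The optional "//" suffix is an assumption (common practice), not something the article states.
BANNER_RE = re.compile(r"^\s*CUI(//[A-Z0-9/\-]+)?\s*$")

def page_is_marked(page_text: str) -> bool:
    """A page counts as marked only if its first AND last non-blank lines are CUI banners."""
    lines = [ln for ln in page_text.splitlines() if ln.strip()]
    if len(lines) < 2:
        return False
    return bool(BANNER_RE.match(lines[0]) and BANNER_RE.match(lines[-1]))

def audit_document(pages: List[str]) -> List[int]:
    """Return the 1-based numbers of pages that lack a top or bottom banner."""
    return [i for i, page in enumerate(pages, start=1) if not page_is_marked(page)]

def subject_is_marked(subject: str) -> bool:
    """The subject must carry CUI as a standalone, upper-case token (so 'cuisine' does not match)."""
    return re.search(r"\bCUI\b", subject) is not None

# Constructed sample input (not from the article).
SAMPLE_PAGES = [
    "CUI\nSection 1 - Engineering drawing index\n...\nCUI",
    "Section 2 - Process sheet\nstep 1\nCUI",          # missing top banner
    "CUI//SP-CTI\nSection 3 - Specifications\nCUI//SP-CTI",
]
SAMPLE_SUBJECTS = [
    "CUI - Task order 17 technical data",
    "Lunch at the cuisine place",
    "Re: delivery order",
]

def run_audit() -> Dict[str, object]:
    """Report pages and subjects that would fail a marking check."""
    return {
        "unmarked_pages": audit_document(SAMPLE_PAGES),
        "unmarked_subjects": [s for s in SAMPLE_SUBJECTS if not subject_is_marked(s)],
    }

if __name__ == "__main__":
    print(run_audit())
```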
Export-controlled information includes any information subject to export control, such as the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR). ITAR covers items, commodities, technology, software, or other information whose export could be expected to adversely affect US national security. EAR covers dual-use items.
Labeled information includes any non-classified information that is labeled with legacy or agency-specific designations and is CUI. Some projects may hold information that is not specifically labeled but is still CUI. In defense projects for aerospace manufacturing, noncommercial technical details are often CUI. This may be called out in the task order, contract, or delivery order.
Technical information includes research and engineering data, engineering drawings and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identification, datasets, computer software executable code, and source code. When such items are covered by contract clauses, those clauses denote that the data is sensitive and must be handled appropriately.
CUI also applies to defense projects that include technical information with military or space application subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
It is also advisable that organizations identify their data type from CUI categories in the CUI Registry.
The following is a quick reference list of common categories of CUI Specified subsets:
The CMMC program mandates new cybersecurity requirements for the wide range of organizations that comprise the defense industrial base (DIB).
CMMC is a verification mechanism to ensure that companies within the DIB implement proven cybersecurity practices to protect CUI. CMMC is based on the NIST 800-171, the main distinction being that CMMC is a mandated certification whereas NIST 800-171 relies on voluntary self-attestation.
To contract work with the Department of Defense or continue doing business with the DoD, contractors must be certified by a CMMC Third-Party Assessment Organization for Level 2 and Level 3 by the end of 2025.