What Is CUI? An Overview and Its History
Controlled unclassified information, or CUI, is information that is created or possessed by the government or by an entity in service of the government. The CUI classification was created to cover the previous gray area of data: that which was not meant for public distribution but did not meet the standards to require clearance. The federal government now requires that specific security controls be in place to protect CUI from unauthorized distribution.
Largely in response to 9/11, the government recognized that rising threats to the United States, from both terrorism and cyberattacks, could be linked to the improper handling of sensitive but unclassified information. As a result, the CUI program gradually advanced over the past 15 years, finally taking shape as the final rule 32 CFR Part 2002 in September 2016 and taking effect in November of that same year [1].
Historically, federal contractors could have been subject to multiple classifications if contracts were in place with different departments within the government, but the CUI classification eliminates this issue by standardizing non-classified information protection across 100 departments and agencies. CUI standards and procedures are maintained by the National Archives [2].
What Data Is CUI?
There are currently 20 organizational index groups and 125 categories of data that are considered controlled unclassified information. Category groupings are either specific or general, but some of the more common specific categories include [3]:
- Tax information
- Law enforcement data
- Critical infrastructure
- Controlled technical information, including schematics
- Unclassified nuclear
- Natural and cultural resources
Many defense contractors also create, store or process general categories such as:
- Controlled technical information
- Inventions and patent applications
- Proprietary manufacturer
- General proprietary business information
- General privacy
- Health information
- General procurement and acquisition
- Small business research and technology
What Does This Mean for Me?
The categories above are expansive, so it is likely that all contractors are responsible for controlled unclassified information in some fashion.
Why is this important? On January 31, 2020, the federal government released the Cybersecurity Maturity Model Certification (CMMC) version 1.0 [4]. They later released CMMC 2.0 in November 2021. This certification strives to create and maintain a standard of data security across the Defense Industrial Base.
The primary focus of the CMMC is CUI. Unlike previous regulations, it requires a third-party audit to determine compliance for some Level 2 organizations and all of Level 3. If an organization has a minimal amount of CUI, it may be possible to only classify that data.
The greater the amount of CUI present, the more certification is required. For example, computer systems and even entire physical sites may be required to be compliant.
The main takeaway: If contractors are not compliant, they are not eligible to work for the Department of Defense. Other government agencies will likely require CMMC certification in the future.
CUI and the systems that house the data must be clearly labeled as containing CUI. However, not all CUI requires markings. Legacy data does not require markings unless:
- It is reused or transported outside of the originating agency.
- There is a specific waiver in place.
Otherwise, all CUI data and systems must have the appropriate markings. For example, the primary marking is the Banner Marking [5], which must be included at the top of each page of any document containing CUI. This banner can include up to three elements:
- Either “CONTROLLED” or “CUI”
- CUI Category and Subcategory
- Limited Dissemination Control Markings
The main takeaway: Organizations must do their research to determine what markings apply to their contract. If controlled unclassified information is improperly marked or not marked at all, the policies and regulations still apply, and the contractor may be subject to penalties or sanctions as outlined in the contract.
Minimum Security Requirements
The CMMC consists of three levels of certification. The contracts an organization holds with the government determine the level of certification it must attain. If an organization has a mature cybersecurity program, it is likely many of the controls required for CMMC (and thus, CUI) are already in place.
CMMC certifications are good for three years. If an organization wants to pursue a contract that requires a higher level than it currently holds, it must obtain a new certification at that time.
Should there be an incident, such as improper information disclosure, it must be reported within 72 hours. Decertification due to an incident is not automatic but is handled on a case-by-case basis. However, depending on the severity of the incident, a new audit may be required at the discretion of the agency.
The main takeaway: If a contractor is in the service of the federal government, in particular the Department of Defense, certification in the appropriate CMMC level is now required. Without certification, contracting officers will exclude the contractor from future contracts. DoD expects the full rollout will take until 2025, but requires new contracts to work towards compliance now.
The CUI classification is far more streamlined than previous classifications and covers all departments within the federal government. By obtaining the appropriate CMMC certification level, contractors will enjoy the benefits of doing business with the government. A CMMC certification may also provide a competitive advantage for some contractors.
If your organization is new to federal contracts, is unsure what controlled unclassified information it possesses, or what level of certification it is subject to, InfoDefense is here to help.
Request our free self-assessment tool to start the steps to compliance. In addition, InfoDefense’s CyberSecure 360 services are designed to help contractors meet all of the requirements for CMMC certification at an affordable cost. Our flexible services can scale as needed, from assessing your current certification gaps to serving as your entire security program.
1. National Archives CUI History
2. National Archives
3. National Archives category list
4. OUSD A&S
5. National Archives files
6. NIST Computer Security Resource Center
7. OUSD A&S CMMC