CUI Overview and History
Controlled unclassified information, or CUI, is sensitive information that is created or possessed by the United States government or by an entity in service of the government. The CUI classification was created to cover the previous gray area of data: that which was not meant for public distribution but did not meet the standards to require a security clearance. The federal government requires that specific security controls be in place, as defined in DFARS 252.204-7012, to protect CUI from unauthorized distribution.
In response to the 9/11 attacks, the government recognized that rising threats to the United States, both in terms of terrorism and cyberattacks, could be linked to the improper handling of sensitive but unclassified information. As a result, the CUI program gradually advanced over 15 years, finally taking shape as the final rule 32 CFR Part 2002 in September 2016 and taking effect in November of that same year [1].
Historically, federal contractors could have been subject to multiple different classifications such as “Sensitive but Unclassified” or “For Official Use Only” if contracts were in place with different departments within the government, but the CUI classification eliminates this issue by standardizing non-classified information protection across 100 departments and agencies. CUI standards and procedures are maintained by the National Archives [2].
What is CUI?
There are currently 20 organizational index groups and 125 categories of data that are considered controlled unclassified information. Category groupings are either specific or general, but some common categories include [3]:
- Law Enforcement
- Critical Infrastructure
- Controlled Technical Information (CTI)
- Personnel Records
- Personally Identifiable Information
Many defense contractors also create, store or process information pertaining to categories such as:
- Inventions and Patent Applications
- Proprietary Manufacturer
- General Proprietary Business Information
- General Privacy
- Health Information
- General Procurement and Acquisition
- Small business research and technology
- Operations Security Information
What Does This Mean for Me?
The categories above are expansive, so many contractors are entrusted with controlled unclassified information in some fashion.
Why is this important? On January 31, 2020, the federal government released the Cybersecurity Maturity Model Certification (CMMC) version 1.0 [4]. They later released CMMC 2.0 in November 2021. This certification was created to establish and maintain a standard of data security across the Defense Industrial Base.
The primary focus of the CMMC is CUI. Unlike previous regulations, it requires a third-party assessment to determine compliance for most Level 2 and all of Level 3 organizations. Some contractors that handle less sensitive CUI will have the option to self-certify.
The more sensitive the information, the higher the level of certification required. For example, individual computer systems and even entire physical sites may need to be brought into compliance.
The main takeaway: If contractors are not CMMC certified, they are not eligible to win new Department of Defense contracts. Other government agencies will likely require CMMC certification in the future.
Labeling CUI
Documents must be clearly labeled as containing CUI. However, not all CUI requires markings. Legacy data does not require markings unless:
- It is reused or transported outside of the originating agency.
- There is a specific waiver in place.
Otherwise, all CUI must have appropriate markings. For example, the primary marking is the Banner Marking [5], which must be included at the top of each page of any document containing CUI. This banner can include up to three elements:
- Either “CONTROLLED” or “CUI”
- CUI Category and Subcategory
- Limited Dissemination Control Markings
The main takeaway: Organizations must do their research to determine what types of CUI apply to their contract. If controlled unclassified information is improperly marked or not marked at all, protection policies and regulations still apply, and the contractor may be subject to penalties or sanctions as outlined in the contract.
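As an added illustration (not code from the original article or from InfoDefense), the following Python snippet parses a banner marking into the three elements listed above and checks that every page of a document starts with a valid banner, which is the kind of check a document-handling or DLP pipeline can run before a file leaves the organization. The separator conventions it assumes ("//" between elements, "/" between items inside an element, the "SP-" prefix for specified categories) come from the CUI Marking Handbook and are not stated on this page; the category and dissemination patterns and the sample pages are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Assumed conventions (CUI Marking Handbook; not stated on the page):
#   banner elements are separated by "//", the first element is "CUI" or
#   "CONTROLLED", several category markers inside the second element are
#   separated by "/", and several dissemination controls inside the third
#   element are separated by "/".
CONTROL_WORDS = {"CUI", "CONTROLLED"}
ELEMENT_SEP = "//"
ITEM_SEP = "/"
# Category markers: upper-case letters/digits, optional "SP-" prefix for
# specified CUI (assumed pattern; the registry at archives.gov is authoritative).
CATEGORY_RE = re.compile(r"^(SP-)?[A-Z][A-Z0-9]*$")
# Dissemination controls such as NOFORN or "REL TO USA" (assumed pattern).
DISSEM_RE = re.compile(r"^[A-Z][A-Z0-9 -]*$")


@dataclass
class BannerMarking:
    control_word: str
    categories: List[str] = field(default_factory=list)
    dissemination: List[str] = field(default_factory=list)


def parse_banner(line: str) -> Optional[BannerMarking]:
    """Split a banner line into its (at most three) elements; None if invalid."""
    text = line.strip()
    if not text:
        return None
    parts = text.split(ELEMENT_SEP)
    if len(parts) > 3:
        return None  # a banner carries at most three elements
    if parts[0] not in CONTROL_WORDS:
        return None  # must open with CUI or CONTROLLED
    marking = BannerMarking(control_word=parts[0])
    if len(parts) >= 2:
        cats = parts[1].split(ITEM_SEP)
        if not all(CATEGORY_RE.match(c) for c in cats):
            return None  # empty or malformed category marker
        marking.categories = cats
    if len(parts) == 3:
        dissem = parts[2].split(ITEM_SEP)
        if not all(DISSEM_RE.match(d) for d in dissem):
            return None  # empty or malformed dissemination control
        marking.dissemination = dissem
    return marking


def pages_missing_banner(pages: List[str]) -> List[int]:
    """1-based numbers of pages whose first non-blank line is not a valid banner."""
    missing = []
    for number, page in enumerate(pages, start=1):
        first_line = next((ln for ln in page.splitlines() if ln.strip()), "")
        if parse_banner(first_line) is None:
            missing.append(number)
    return missing


# Constructed sample document: three pages, the second one has no banner.
SAMPLE_PAGES = [
    "CUI//SP-CTI//NOFORN\nTechnical drawing notes ...",
    "Continuation of the drawing notes without a banner ...",
    "CONTROLLED//PRVCY\nPersonnel record excerpt ...",
]

if __name__ == "__main__":
    print(parse_banner("CUI//SP-CTI//NOFORN"))
    print(pages_missing_banner(SAMPLE_PAGES))  # -> [2]
```

A marking that fails to parse (wrong control word, more than three elements, an empty category) is treated the same as a missing one, which matches the article's point that protection obligations apply whether or not the document was marked correctly.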
Minimum Security Requirements
The CMMC consists of three levels of certification. The contracts an organization holds with the government determine the level of certification required. Contracts that reference DFARS 252.204-7012 will likely require CMMC Level 2 certification upon renewal. If an organization has a mature cybersecurity program, it is likely that many of the controls required for CMMC (and thus for CUI protection) are already in place.
As a benchmark, if contractors are fully NIST 800-171 compliant [6], that indicates satisfaction of the 110 security practices required [7]. With a few exceptions, NIST 800-171 requirements are identical to those defined in CMMC Level 2 [8].
CMMC certifications are good for three years with annual attestations of continued compliance by an executive. If an organization wants to pursue a contract that requires a higher-level certification than it currently holds, it can obtain a new certification at that time.
Should there be an incident, such as improper information disclosure, it must be reported within 72 hours to the Department of Defense Office of the CIO. Decertification due to an incident is not automatic but rather handled on a case-by-case basis. However, depending on the severity of the incident, a new assessment may be required at the discretion of the agency.
The main takeaway: If a contractor is in the service of the federal government, in particular the Department of Defense, certification at the appropriate CMMC level is now required. Without certification, contracting officers will be forced to exclude the contractor from future contracts. DoD expects the full CMMC rollout to be completed in 2025 but requires new contracts to work towards compliance now.
What’s Next?
The CUI classification is far more streamlined than previous classifications and covers all departments within the federal government. By obtaining the appropriate CMMC certification level, contractors will continue to enjoy the benefits of doing business with the government. A CMMC certification may also provide a competitive advantage for some contractors, especially early adopters. Though CMMC implementation can be costly and time consuming, it will improve overall cybersecurity for the organizations that embrace it.
If your organization is new to federal contracts, is unsure what controlled unclassified information it possesses, or what level of certification it is subject to, InfoDefense is here to help.
Request our free self-assessment tool to start your journey to compliance. In addition, InfoDefense’s CyberSecure 360 services are designed to help contractors meet all of the requirements for CMMC certification at an affordable cost. Our flexible services can scale as needed, from assessing your current certification gaps to serving as your entire security program.
Sources
[1] National Archives, CUI History
[2] National Archives
[3] National Archives, CUI category list
[4] OUSD A&S
[5] National Archives, CUI files
[6] NIST
[7] NIST Computer Security Resource Center
[8] OUSD A&S, CMMC
- https://www.archives.gov/cui/registry/category-list
- https://www.acq.osd.mil/cmmc/faq.html
- https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r2.pdf
- https://infodefense.com/cybersecure-360/
- https://infodefense.com/cmmc-self-assessment-tool/
- https://www.acq.osd.mil/cmmc/draft.html