Controlled Unclassified Information (CUI) - Do I Really Have Any?

What Is CUI? An Overview and Its History

Controlled unclassified information, or CUI, is information that is created or possessed by the government or by an entity in service of the government. The CUI classification was created to cover the previous gray area of data: that which was not meant for public distribution but did not meet the standards to require clearance. The federal government now requires that specific security controls be in place to protect CUI from unauthorized distribution.

Largely in response to 9/11, the government recognized that rising threats to the United States both in terms of terrorism and cyberattacks could be linked to the improper handling of sensitive but unclassified information. As a result, the CUI program gradually advanced over the past 15 years, finally taking shape as the final rule 32 CFR Part 2002 in September 2016 and taking effect in November of that same year1.

Historically, federal contractors could have been subject to multiple classifications if contracts were in place with different departments within the government, but the CUI classification eliminates this issue by standardizing non-classified information protection across 100 departments and agencies. CUI standards and procedures are maintained by the National Archives2.


What Data Is CUI?

There are currently 20 organizational index groups and 125 categories of data that are considered controlled unclassified information. Category groupings are either specific or general, but some of the more common specific categories include3:

Many defense contractors also create, store or process general categories such as:

What Does This Mean for Me?

The categories above are expansive, so it is likely that all contractors are responsible for controlled unclassified information in some fashion.

Why is this important? On Jan. 31, 2020, the federal government released the Cybersecurity Maturity Model Certification (CMMC) version 1.04. This certification is dedicated to creating and maintaining a standard of data security across the Defense Industrial Base.

CUI is the primary focus of the CMMC, and unlike previous agreements, a third-party audit is now required to determine compliance. If an organization has a minimal amount of CUI, it may be possible to only classify that data.

The greater amount of CUI present, the more certification required. For example, computer systems and even entire physical sites may be required to be compliant.

The main takeaway: If contractors are not compliant, they are not eligible to work for the Department of Defense. Other government agencies will likely require CMMC certification in the future.

Labeling CUI

CUI and the systems that house the data must be clearly labeled as containing CUI. However, not all CUI requires markings. Legacy data does not require markings unless:

  • It is reused or transported outside of the originating agency.
  • There is a specific waiver in place.

Otherwise, all CUI data and systems must have the appropriate markings. For example, the primary marking is the Banner Marking5 which must be included at the top of each page of any document containing CUI. This banner can include up to three elements:

The main takeaway: Organizations must do their research to determine what markings apply to their contract. If controlled unclassified information is improperly marked or not marked at all, the policies and regulations still apply, and the contractor may be subject to penalties or sanctions as outlined in the contract.

Minimum Security Requirements

The CMMC consists of five levels of certification. The contracts an organization holds with the government determine the level of certification it must attain. If an organization has a mature cybersecurity program, it is likely many of the controls required for CMMC (and thus, CUI) are already in place.

As a benchmark, if contractors are NIST 800-171 compliant6, that indicates satisfaction of the 110 security practices required7. NIST 800-171 most closely matches with CMMC Level 3 and the accompanying 130 security practices8.

CMMC certifications are good for three years. If an organization wants to pursue a contract that requires a higher level than it currently holds, it must obtain a new certification at that time.

Should there be an incident, such as improper information disclosure, it must be reported within 72 hours. Decertification due to an incident is not automatic but rather handled on a case by case basis. However, depending on the severity of the incident, a new audit may be required at the discretion of the agency.

The main takeaway: If a contractor is in the service of the federal government, in particular the Department of Defense, it is now required to be certified in the appropriate CMMC level. Without certification, the contractor will be excluded from future contracts. The full rollout is expected to take until 2025, but new contracts are expected to be compliant starting in early 2021.

What's Next?

The CUI classification is far more streamlined than previous classifications and covers all departments within the federal government. By obtaining the appropriate CMMC certification level, contractors will enjoy the benefits of doing business with the government. A CMMC certification may also provide a competitive advantage for some contractors.

If your organization is new to federal contracts, is unsure what controlled unclassified information it possesses, or what level of certification it is subject to, InfoDefense is here to help.

A free self-assessment is available to help you get started. In addition, InfoDefense's CyberSecure 360 services are designed to help contractors meet all of the requirements for CMMC certification at an affordable cost. Our flexible services can scale as needed, from assessing your current certification gaps to serving as your entire security program.

Free CMMC NIST 800 171 Tool Compliance Checklist
Find which CUI your company has with our free self-assessment tool.
Originally published September 28, 2020 , updated August 30, 2021

Kevin Wheeler

related posts: