Controlled unclassified information is a category of information defined by the U.S. federal government. Abbreviated as CUI and often pronounced “kyooie” (rhymes with “phooey”), controlled unclassified information is government-owned data that requires certain security controls to safeguard it from unauthorized access.
CUI is formally defined by Executive Order 13556; and as the name implies, CUI is not classified information. Rather, it is information that belongs to the government, relates to business dealings with the government, and is protected by government-wide policies.
Any contractor and subcontractor working with government organizations such as the Department of Defense (DOD) are required to safeguard CUI in the contractor’s possession, and to protect any IT systems that process CUI.
The compliance standards to protect CUI are included in Defense Federal Acquisition Regulation Supplement (DFARS) 7012 and NIST SP 800-171. DFARS defines a CUI information system as “an unclassified IT system owned, or operated by or for, a contractor that processes, stores, or transmits covered defense information.”
The following are FAQs for Controlled Unclassified Information.
What qualifies as controlled unclassified information?
As determined by the executive branch, CUI categories and sub-categories include:
- Any proprietary information related to these CUI Registry Categories;
- Controlled technical information that applies to government, military, or aerospace;
- Any proprietary information regarding protected, critical energy infrastructure specified in the Atomic Energy Act;
- Any proprietary information regarding export controls; and
- Any proprietary information regarding geodetic, geospatial, and imagery intelligence.
What are examples of controlled unclassified information?
Some examples of DoD CUI include:
- Engineering data
- Research reports and studies
- Technical reports
- Data sets
- Process sheets
- Data analyses
- Software code or source code
- Financial statements
What is the difference between CUI basic and CUI specified?
CUI has two subsets, CUI Basic and CUI Specified. The difference between them is how the data is handled — otherwise known as dissemination controls.
CUI Basic is any CUI data where the authorizing law does not apply specific dissemination controls. CUI Specified does come with dissemination controls, which agencies must implement when handling that information.
From a government contractor’s perspective, then: If the CUI concerning your business relationship requires dissemination controls, the information is designated as “CUI Specified.” If your CUI doesn’t require specific controls for handling, it’s designated as “CUI Basic.”
What is the difference between CUI and ‘sensitive but unclassified information’?
“Sensitive by unclassified information” was the prior designation for CUI.
Today, the National Archives and Records Administration (NARA) has created a CUI Office to provide guidance around implementing CUI policy and sensitive information controls within an organization.
Who manages CUI regulation in the federal government?
As of 2018, the designated senior official responsible for regulating CUI was the Under Secretary of Defense for Intelligence (USDI).
In November of that year, a working group of executive branch agencies was formed to work together to manage CUI regulation and law enforcement. Members of the group include:
- The USDI
- The DoD chief information officer
- The Office of Undersecretary of Defense (OUSD) Acquisitions and Sustainment (A&S)
- The OUSD Research and Engineering (R&E)
- The Missile Defense Agency (MDA)
- The Defense Contract Management Agency (DCMA)
- The Information Security Oversight Office (ISOO)
The group’s objective is to prioritize and derive the assignment schemas, assessment protocols, and reciprocity across services and contracts, data repositories, and training.
What are the consequences of not protecting CUI?
Federal law doesn’t actually specify a particular provision for penalties. Instead, CFR-2017 states:
Misuse of CUI is subject to penalties established in applicable laws, regulations, or Government-wide policies; and non-executive branch entity must report any non-compliance with handling requirements to the disseminating agency using methods approved by that agency’s Senior Agency Official (SAO). When the disseminating agency is not the designating agency, the disseminating agency must notify the designating agency.
In essence, any business that doesn’t comply with CUI requirements can be subject to criminal, civil, and administrative actions if that business fails to prevent a cybersecurity incident or fails to disclose an incident properly.
On a more practical level, failure to comply with CUI requirements will most certainly result in the loss of your federal government contract.
How do you protect CUI?
If the scope of your business involves national security, it’s vital that you perform your due diligence to comply with all applicable regulations for federal information-sharing related to your defense contract. This will likely involve several compliance standards and regulations including NIST, DFARS, and CMMC, which all dictate what you must do to properly safeguard your CUI.
ZenGRC can help to automate the process of compliance preparation so the days of manually gathering documentation or managing requirements via spreadsheets are over.
ZenGRC can support a variety of compliance frameworks and security requirements, and help you to streamline your efforts by cross-reference existing documentation you may already have that can satisfy multiple requirements.
Our easy-to-use dashboard can help you visualize your compliance stance across all applicable frameworks; and identify gaps in your cybersecurity program, and tell you how to fill them.
Furthermore, the ZenGRC system stores and organizes your documentation according to pre-made compliance templates, so it’s readily available when it’s time for an audit.
Worry-free compliance and risk management is the Zen way! Learn how ZenGRC can help your organization implement a strong CUI program, book a demo today.