Controlled Unclassified Information, or CUI, is at the heart of Cybersecurity Maturity Model Certification.
How did we get here? An overview of classified information and CUI.
The classification of information by the US government exists to secure sensitive information that is not intended for public release. The classification system contains three levels: Top Secret, Secret, and Confidential. Each level is based on the degree to which a disclosure would damage national security.
But it’s not just classified information that the US government is concerned about.
In recent years, US intelligence agencies have discovered that foreign adversaries are especially adept at gathering unclassified information and connecting it together like pieces in a puzzle to create a larger, more revealing, and potentially damaging picture.
In other words, there are mountains of data that exist below the classified levels that—especially when combined with other information—could pose a threat to US national security. Additionally, there is sensitive financial, immigration, patent, and law enforcement information, among other categories, that must remain private and secure.
Executive Order 13556—Controlled Unclassified Information (signed December 29, 2009) established “an open and uniform program for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, excluding information that is classified under Executive Order 13526 of December 29, 2009, or the Atomic Energy Act, as amended.”
Prior to the signing of this executive order, a uniform standard set of policies, procedures, and markings that applied to all agencies and departments did not exist.
Describing certain data as Controlled Unclassified Information (CUI) was a step towards “uniformity of Government-wide practice.”
Where does CUI come from?
CUI is created or possessed by the Government, or it may be information that an entity creates or possesses for or on behalf of the Government under contract.
If your business is a government contractor, circumstances may dictate that you receive CUI as part of your performance of a contract, or likewise that you create CUI (drawings, documents, photos, and other forms of data). If information is created under a government contract, it is Federal Contract Information (FCI), and certain categories of that data are also CUI.
What is Controlled Unclassified Information?
According to the US National Archives, CUI is “unclassified information requiring safeguarding and dissemination controls, consistent with applicable law, regulation, or government-wide policy.”
The US National Archives website includes a CUI Registry which outlines 126 different categories of Controlled Unclassified Information. CUI categories are listed on this site within organizational index groupings. For example, under the “Defense” organizational grouping, we find “controlled technical information,” which is technical information with military or space application.
Once information is identified and designated as CUI, it must be marked in very specific ways. Following links in each category in the CUI Registry will lead to information on category markings as well as detailed marking notes and instruction.
If your organization has identified and marked CUI, it is your responsibility to keep that data secure at every stage of its existence—in use, in storage, in transmission—until it is destroyed, disseminated, or decontrolled. Only persons with a lawful government purpose can have access to CUI. When CUI is destroyed, it must be rendered unreadable, indecipherable, and irrecoverable.
Information technology systems make it easy to replicate and share data, but CUI must be strictly controlled.
Consider, for example, a CAD drawing of a part that is manufactured by a subcontractor but will ultimately be installed in a fighter jet. This file contains CUI. Perhaps this drawing is stored on a file server. Absent limiting controls, it could be duplicated to a desktop computer and saved to removable media from there. It is likely duplicated in backups, both on-premises and offsite. Without controls, it could be transferred via email, text message, or a file sharing application. If you consider the many places that a file might exist, you can see how safeguarding CUI can be a daunting task!
(If this last paragraph has you feeling overwhelmed, be sure to register for our upcoming webinar “Right-Sized Solutions for NIST CMMC Compliance.”)
Why is safeguarding CUI so important NOW?
Of course, it has always been important to keep sensitive data secure. Recent legislation has imposed stricter regulation on organizations that handle FCI and CUI. (See our recent blog post for an overview of Cybersecurity Maturity Model Compliance for Small and Medium-Sized Businesses–The CMMC Rule.)
Now organizations in the defense industrial base are required to implement specific security requirements (NIST 800-171) and policies and procedures (CMMC Levels 1-5). Not only that, under the CMMC rule, organizations will soon be required to pass an audit performed by a certified third-party audit organization (C3PAO) in order to prove that the appropriate policies, practices, and procedures are in place. It is no longer enough to self-attest that CUI is secure. Now organizations will need to PROVE cybersecurity maturity to external auditors.
Failure to comply is not an option. In the very near future, organizations will have to pass a CMMC Level 3 audit or higher in order to accept a contract award from the federal government. This cybersecurity requirement flows down through prime contractors to subcontractors.
Want more information on how to recognize CUI and what to do with it?
The DOD Mandatory Controlled Unclassified Information Training is available online and is a terrific resource for informative training straight from an authoritative source!