Controlled Unclassified Information: A Basic Introduction to CUI

We’ve written extensively about CMMC and NIST Special Publication 800-171, which cover the handling and protection of Controlled Unclassified Information (CUI). But what is CUI? How is it created, and why is it so important to protect?

Here, we’re digging into CUI and why it’s integral to significant cybersecurity frameworks in the federal marketplace. 


What Is Controlled Unclassified Information?

CUI is a classification of information that requires protection under laws, regulations, or government-wide policies but is not classified. That is, it is sensitive information that is not secret in the sense of national security but is still important enough to warrant protection from unauthorized access and disclosure. 

The CUI program standardizes how the federal government handles unclassified information requiring protection. It establishes consistent, government-wide practices for marking, handling, disseminating, decontrolling, and destroying this information. The program aims to enhance information sharing with the government and appropriate external stakeholders while safeguarding sensitive information. 

The National Archives and Records Administration (NARA) guidelines detail the framework and provide a registry of its specific categories and subcategories. The framework is also included in documentation and security procedures for agencies like the General Services Administration (GSA) and the Department of Defense (DoD). 


What Are the Two Categories of CUI?

The Controlled Unclassified Information program identifies two broad categories of CUI based on the level of sensitivity and the need to disseminate the information:

  • CUI Basic: This is the default category of CUI, for which regulations or policies do not set out specific handling or dissemination controls other than those common to all CUI. If the information is categorized as CUI and does not fit into the CUI Specified category (see below), it is considered CUI Basic. The controls for CUI Basic are meant to be applied government-wide, offering a baseline level of protection.
  • CUI Specified: This category is for information that requires handling controls above and beyond those for CUI Basic. Examples of CUI Specified information might include information covered by the Privacy Act, health information, export-controlled information, or law enforcement information that provides details on investigative techniques or sources of information. 

These categories help determine the protection and dissemination controls required for CUI information, facilitating a more standardized approach across government entities and contractors.


What Are Some Examples of CUI?

The CUI program encompasses various information types that require safeguarding or dissemination controls under and consistent with applicable laws, regulations, and government-wide policies. The CUI Registry, maintained by NARA, provides an extensive list of these specific categories and subcategories. Here are some examples:

  • Private Data: Information involving personal privacy, such as Personally Identifiable Information (PII), requires protection from unauthorized disclosure.
  • Procurement and Acquisition: Information related to government procurement and acquisition processes must be protected to ensure the integrity of procurement activities and protect sensitive data.
  • Financial: Information related to government economic activities, including budgetary details, must be safeguarded due to sensitivity.
  • Intelligence: Unclassified information related to intelligence activities that requires controls to protect sources, methods, and analytical processes.
  • Export Control: Information subject to export control laws and regulations, requiring protection to prevent unauthorized transfer outside the United States.
  • Law Enforcement: Information related to law enforcement investigations or operations that could affect or protect life, public safety, or the conduct of justice.
  • Critical Infrastructure: Information related to critical infrastructure sectors such as energy, transportation, and public health, which requires protection to ensure the security and resilience of these vital assets.
  • Defense: Information related to defense and military activities that, while not classified, still requires protection due to its sensitive nature.
  • Legal: Information that is privileged or involves legal communications and proceedings, requiring protection to preserve confidentiality and legal integrity.
  • Health Information: Although CUI doesn’t necessarily cover protected health information, such information still requires safeguarding due to its sensitive nature.

The CUI Registry provides detailed guidance on what constitutes CUI, including definitions and marking requirements, to ensure consistent handling across the federal government and other stakeholders.


Where Is CUI Important in Federal Cybersecurity?

Security frameworks designed to protect Controlled Unclassified Information establish guidelines and requirements to protect it from unauthorized access or disclosure. The three major sources of CUI protection and regulation that we’ve covered most prominently are:


NIST Special Publication 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”

NIST SP 800-171 provides guidelines for non-federal contractors that handle CUI. This publication outlines requirements for protecting the confidentiality of this data when it is stored, processed, or transmitted on non-federal information systems and organizations. It specifies recommended security requirements in 14 families, including access control, incident response, and system and information integrity.


NIST Special Publication 800-172, “Enhanced Security Requirements for Protecting Unclassified Information”

NIST Special Publication 800-172 provides additional security requirements for systems that process, store, or transmit CUI when they face Advanced Persistent Threats (APTs). This document extends NIST 800-171 and introduces enhanced requirements to address sophisticated cyber threats.


Cybersecurity Maturity Model Certification (CMMC)

CMMC is a certification process that builds upon NIST SP 800-171 requirements and adds further practices and processes. The DoD designed the CMMC framework to protect CUI related to defense contracts. It introduces a certification process that measures the maturity of a company’s cybersecurity practices and processes. The CMMC framework is tiered across three levels, with the mid- and high-maturity levels equipping organizations to handle CUI properly.


Lazarus Alliance: Your Partner for CMMC and CUI Security

If you’re looking to kickstart your CMMC assessment or need to understand your CUI responsibilities and boundaries, contact Lazarus Alliance.
