In matters of national security, most people are familiar with the term “classified”: the big red stamp on materials that only those with a high-level clearance may access. Less well known is that strict protections are also federally mandated for some unclassified information.
What is CUI?
Controlled Unclassified Information (CUI) is unclassified information that the government creates or possesses, or that an entity creates or possesses on the government's behalf, and that a law, regulation or government-wide policy requires or permits agencies to safeguard or to control the dissemination of. CUI may only be shared for a “lawful government purpose,” and the defense contractors and subcontractors charged with handling it find themselves in a web of responsibility where it isn't always clear who is accountable.
That responsibility is heightened by advances in cybercrime: strategic competitors and adversaries view CUI as low-hanging fruit compared to classified information, and they know to target the smaller, more vulnerable links in the supply chain. For a contractor, failing to protect what it has been entrusted with carries heavy consequences, whether corrective action by the Department of Defense (DoD) or falling victim to a cyberattack and losing intellectual property and operational capability, while putting the nation at risk.
This article breaks down CUI, the parties responsible for marking and guarding it, and what goes into keeping it secure.
Types and examples of CUI
Before the CUI program was established by executive order in 2010 (Executive Order 13556), every federal agency, as well as state, local, tribal, private-sector, academic and industry entities, developed its own practices for handling sensitive unclassified information. That “system” was inherently clunky and inconsistent, and the need for standardization produced a set of practices that continues to evolve.
The CUI Registry, maintained by the National Archives' Information Security Oversight Office (ISOO) as the program's executive agent, lists more than 100 categories indexed into groups ranging from intelligence and immigration to natural and cultural resources; the DoD publishes its own CUI Registry derived from it. Under those umbrellas, CUI splits into two types according to the handling and dissemination controls that nonfederal systems and organizations receiving it must apply:
CUI Basic
Information that must be protected, but for which the authorizing law, regulation or policy does not prescribe specific handling or dissemination controls. For nonfederal systems the protection standard is the National Institute of Standards and Technology (NIST) Special Publication 800-171, which applies to all CUI as a baseline.
Examples of CUI Basic: personally identifiable information (names, addresses, Social Security numbers), health records not covered under HIPAA, financial data (banking details and some tax information), proprietary business information (internal reports and trade secrets), contract-sensitive information (such as government procurement data), unclassified law enforcement records, and controlled technical information.
CUI Specified
Information that must be protected and for which the authorizing law, regulation or policy does prescribe specific handling or dissemination controls. These physical and digital safeguards are specific to the category and can go beyond what NIST SP 800-171 requires.
Examples of CUI Specified: Protected Health Information (PHI) covered under HIPAA, taxpayer information covered under IRS regulations, grand jury information, Critical Infrastructure Information (CII), export-controlled data (subject to the International Traffic in Arms Regulations (ITAR) and the Export Administration Regulations (EAR)), and nuclear and chemical information related to national security.
How is CUI marked?
Federal agencies are tasked with identifying and marking CUI and then notifying nonfederal entities that they are receiving protected information. The marking requirements range from email banners and file names to watermarks and physical signage, with the CUI acronym displayed on the material itself and called out in accompanying text. That is the theory. In practice, human error means CUI is sometimes not properly marked, so contractors are expected to be familiar enough with the CUI categories to recognize likely CUI and to ask whoever provided the material when its status is unclear; an unmarked document is not automatically safe to treat as public.
Who is responsible for protecting CUI?
CUI encompasses a vast range of information, and that information must circulate for government work to get done. That is where defense contractors come in, whether at the “prime” level (Lockheed Martin, Boeing, Raytheon), mid-sized and specialized firms, or smaller outfits supporting prime contractors.
Because CUI flows down through tiers of organizations working together on the government's behalf, every party needs to know who is responsible for it. Any DoD contract involving CUI will include the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which mandates compliance with NIST SP 800-171. If your contract contains that clause, your organization is responsible for protecting the CUI regardless of who else you team with to fulfill the work order.
That means it is on you to confirm that any subcontractors you hire (lawyers, research labs, cybersecurity firms, secure printing providers, and so on) are aware of and meet the requirements for handling CUI.
How is CUI protected?
NIST SP 800-171 (Revision 2) specifies 110 security requirements, grouped into 14 families, for protecting CUI in nonfederal systems. All are important, but some are critical: access control, training employees in safe handling, disabling unnecessary software, services and ports to reduce the attack surface, identification and authentication (including multifactor authentication for network access and for privileged accounts), incident-response planning and drills, internal security and compliance audits, continuous monitoring for threats, and so on. Every requirement a contractor is bound to must also be flowed down to subcontractors that handle CUI.
Encrypting CUI is one of the most critical functions, and when cryptography is used to protect the confidentiality of CUI, NIST SP 800-171 requires FIPS 140-2 or FIPS 140-3 validated cryptographic modules. NIST's Cryptographic Module Validation Program (CMVP) maintains the list of validated modules. Note that validation applies to a specific module and configuration, so a product from a listed vendor only qualifies when the validated module is the one actually in use and it is operated in its approved mode. Any external cloud service provider that stores, processes or transmits CUI must meet the Federal Risk and Authorization Management Program (FedRAMP) Moderate baseline or equivalent.
Any cyber incident affecting CUI or the systems that hold it must be reported to DoD through the DoD Cyber Crime Center (DC3) within 72 hours of discovery. The contractor must also preserve images of the affected systems and the relevant monitoring and packet-capture data for at least 90 days after the report, because DoD may request that media, along with access to servers and logs, to support its investigation and damage assessment.
In characterizing the gravity of protecting CUI, the Defense Counterintelligence and Security Agency has stated that loss of aggregated CUI is “one of the most significant risks to national security.”
Proton stands with all organizations working toward securing our increasingly digital world and offers encryption services that meet many compliance needs. Visit our Trust Center to see how we are leading in the realms of privacy and compliance.