Proton
Who is responsible for protecting CUI?

In matters of national security, most people are familiar with the term “classified.” The big red stamp on materials only those with high-level clearance may access. But strict protections are federally mandated for some unclassified information. 

What is CUI?

Controlled Unclassified Information (CUI) is unclassified information created or owned by the government that is sensitive enough to need safeguarding under U.S. privacy laws, policies and regulations. CUI is only shared for a “lawful government purpose,” and defense contractors and subcontractors charged with handling the data find themselves in a web of responsibility where it isn’t always clear who’s on the line.

That responsibility is ever heightened by advances in cybercrime, as strategic competitors and adversaries view CUI as low-hanging fruit compared to classified information. Bad actors know to target smaller, more vulnerable links in the supply chain, and failing to protect what they’ve been entrusted with comes with heavy consequences. That could be corrective actions by the Department of Defense (DoD), or an organization falling victim to cyberattack and losing IP and operational ability—while putting the nation at risk.

This article breaks down CUI, the parties responsible for marking and guarding it, and what goes into keeping it secure.

Types and examples of CUI

Before the CUI program was established by executive order in 2010, every agency within the government—as well as entities on state, local, tribal, private sector, academic, and industry levels—developed its own practices around sensitive unclassified information. That “system” was inherently clunky and inconsistent, and the need for standardization resulted in a set of practices that continues to evolve.

The DoD maintains a CUI Registry with over 100 categories indexed into groups, ranging from intelligence and immigration to natural and cultural resources. Under those umbrellas, CUI splits into two types according to the sensitivity of the information and the security measures required of any nonfederal systems and organizations into which it flows:

CUI Basic

Information that requires protection but no specific controls on how it is handled and disseminated. The standards of protection are laid out by the National Institute of Standards and Technology (NIST) Special Publication 800-171, which applies to all CUI as a baseline.

Examples of CUI Basic: personally identifiable information (names, addresses, Social Security numbers), health records not covered under HIPAA, financial data (banking details and some tax information), proprietary business information (internal reports and trade secrets), contract-sensitive information (like government procurement data), unclassified law enforcement records, and unclassified controlled technical information.

CUI Specified

Information that requires protection and specific controls on how it is handled and disseminated. This includes physical and digital safeguards that go beyond what is required under NIST 800-171.

Examples of CUI Specified: Protected Health Information (PHI) covered under HIPAA, taxpayer information covered under IRS regulations, grand jury details, Critical Infrastructure Information (CII), export-controlled data (subject to the International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR)), and nuclear and chemical information related to national security.

How is CUI marked?

Federal agencies are tasked with identifying and marking CUI and then notifying nonfederal entities that they are receiving protected information. The marking requirements range from email banners and file names to watermarks and physical signage, the CUI acronym emblazoned on materials and called out in supporting text. Unless it isn’t. Human error means that sometimes CUI is not properly marked, and contractors are expected to be familiar enough with CUI categories to know when to ask questions of whoever provided the materials.
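The banner form of those markings can be checked mechanically, which is useful when a contractor wants to flag outgoing email or documents that carry CUI so they only leave through approved channels. The following Python is an added example, not part of the original article and not Proton’s code. It parses a banner line of the form `CUI//<category markings>//<dissemination controls>` as laid out in the CUI Marking Handbook, tells CUI Basic from CUI Specified by the `SP-` prefix on a category marking, and scans a message body for banner lines. The sample email, the category abbreviations (`CTI`, `PRVCY`, `HLTH`) and the partial list of dissemination controls are assumptions constructed for illustration; the list is used only to disambiguate a one-segment banner such as `CUI//NOFORN`.

```python
"""Detect and parse CUI banner markings (added example; not from the article).

Banner markings follow the pattern described in the CUI Marking Handbook:
    CUI//<category markings>//<dissemination controls>
Category markings are separated by "/", CUI Specified categories carry an
"SP-" prefix, and dissemination controls are separated by "/". The category
abbreviations and the sample email below are constructed for illustration.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

CONTROL_MARKERS = ("CUI", "CONTROLLED")

# Partial list of limited-dissemination controls (assumption). It is used only
# to decide whether a one-segment banner such as "CUI//NOFORN" carries
# category markings or dissemination controls.
KNOWN_DISSEM = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY"}
TOKEN_RE = re.compile(r"^[A-Z0-9][A-Z0-9 ,-]*$")


@dataclass
class CuiMarking:
    categories: List[str] = field(default_factory=list)
    dissemination: List[str] = field(default_factory=list)

    @property
    def specified(self) -> bool:
        """CUI Specified if any category marking carries the SP- prefix."""
        return any(c.startswith("SP-") for c in self.categories)

    @property
    def level(self) -> str:
        return "CUI Specified" if self.specified else "CUI Basic"


def _is_dissem(token: str) -> bool:
    return token in KNOWN_DISSEM or token.startswith(("REL TO ", "DISPLAY ONLY"))


def parse_banner(line: str) -> Optional[CuiMarking]:
    """Parse one banner line; return None if it is not a well-formed banner."""
    parts = line.strip().split("//")
    if parts[0] not in CONTROL_MARKERS or len(parts) > 3:
        return None
    segments = []
    for part in parts[1:]:
        tokens = [t.strip() for t in part.split("/")]
        # Reject empty segments ("CUI//") and tokens outside the banner alphabet.
        if any(not TOKEN_RE.match(t) for t in tokens):
            return None
        segments.append(tokens)
    cats: List[str] = []
    dissem: List[str] = []
    if len(segments) == 2:
        cats, dissem = segments
    elif len(segments) == 1:
        # With no category markings, dissemination controls still follow "//".
        if all(_is_dissem(t) for t in segments[0]):
            dissem = segments[0]
        else:
            cats = segments[0]
    # A dissemination control mixed into the category segment is malformed.
    if any(_is_dissem(t) for t in cats):
        return None
    return CuiMarking(cats, dissem)


def scan_text(text: str) -> List[Tuple[int, CuiMarking]]:
    """Return (line number, marking) for every banner line in the text."""
    found = []
    for lineno, line in enumerate(text.splitlines(), 1):
        marking = parse_banner(line)
        if marking is not None:
            found.append((lineno, marking))
    return found


def classify_message(text: str) -> str:
    """Highest handling level implied by the banners found, or UNMARKED."""
    markings = [m for _, m in scan_text(text)]
    if not markings:
        return "UNMARKED"
    return "CUI Specified" if any(m.specified for m in markings) else "CUI Basic"


# Constructed sample: an outgoing email body with header and footer banners.
SAMPLE_EMAIL = """\
CUI//SP-CTI//NOFORN

Team, the revised bracket drawings are attached.
Send them only through the approved encrypted share.

CUI//SP-CTI//NOFORN
"""

if __name__ == "__main__":
    for lineno, marking in scan_text(SAMPLE_EMAIL):
        print(lineno, marking.level, marking.categories, marking.dissemination)
    print(classify_message(SAMPLE_EMAIL))
```

A checker like this catches only what is marked; it is the complement to, not a substitute for, staff who know the CUI categories well enough to question unmarked material, as the paragraph above describes.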

Who is responsible for protecting CUI?

CUI encompasses an inestimable swath of information, and that information must be circulated for government work to get done. That is where defense contractors come in, whether on the “prime” level (Lockheed Martin, Boeing, Raytheon), mid-sized/specialized, or smaller outfits supporting prime contractors.

Given the waterfall effect of organizations working together to handle CUI on behalf of the government, all parties need to know who is responsible for it. Any contract dealing with CUI will include a Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 clause, which mandates compliance with NIST 800-171. If your contract contains that clause, then your organization is responsible for protecting the CUI no matter who else you team with to fulfill your work order.

That means it’s on you to confirm that any subcontractors you hire (lawyers, research labs, cybersecurity firms, secure printing providers, etc.) are aware of and meet the requirements for handling CUI. 

How is CUI protected?

NIST 800-171 stipulates 110 security controls for protecting CUI in nonfederal systems. All are important, but some are critical. Things like access control, training employees on safe handling, disabling unnecessary software and ports to minimize vulnerability, enforcing best practices for user ID and authentication, conducting incident-response drills, doing internal security and compliance audits, constantly monitoring for threats, and so on. Everything a contractor is bound to must be flowed down to subcontractors. 

Encrypting CUI is one of the most critical functions, and for that contractors must use FIPS 140-2/FIPS 140-3 validated encryption. A list of such vendors is maintained by NIST. Any provider of cloud services must meet the Federal Risk and Authorization Management Program (FedRAMP) Baseline Moderate or Equivalent standard.

Any cyber incidents must be reported to the DoD’s Cyber Crimes Center (DC3), which will need access to servers and logs to aid investigation.

In characterizing the gravity of protecting CUI, the Defense Counterintelligence and Security Agency has stated that loss of aggregated CUI is “one of the most significant risks to national security.”

Proton stands with all organizations working toward securing our increasingly digital world and offers encryption services that meet many compliance needs. Visit our Trust Center to see how we are leading in the realms of privacy and compliance.  
