What is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) is a category of unclassified information that, by Executive Order, is required to have safeguards or dissemination controls around it.
According to the National Archives and Records Administration (NARA), the CUI initiative was put in place to help standardize how information is shared and protected across separate departments and agencies as well as private sector entities doing business with governmental agencies.
The program is designed to safeguard government data that is not designated as classified, confidential, or secret, but is instead information that should not be made public as it is shared. CUI is information that should be controlled. As part of this framework, there is a requirement for all CUI to be labeled with appropriate visual markings that indicate how it should be treated.
Executive Order 13556 standardizes how the Executive Branch handles CUI. It defines the security requirements for protecting CUI in non-federal information systems and organizations and standardizes how information that does not meet the criteria for classification under E.O. 13526 pertaining to “Classified National Security Information,” or the Atomic Energy Act, is handled.
Working with information that falls under CUI requires appropriate access control measures to be taken to ensure only the right people have access to data that falls under CUI labeling categories.
CUI is data that is created, or possessed, on behalf of the US federal government. It’s not classified but is required or allowed to be protected. Following are just some of the types of information that fall under CUI regulations:
- Personally Identifiable Information (PII)
- Sensitive Personally Identifiable Information (SPII)
- Proprietary Business Information (PBI), or currently known within the U.S. Environmental Protection Agency (EPA) as Confidential Business Information (CBI)
- Unclassified Controlled Technical Information (UCTI)
- Sensitive but Unclassified (SBU)
- For Official Use Only (FOUO)
- Law Enforcement Sensitive (LES)
Under the CUI requirements, incorporating a labeling and tagging tool or data identification software tool can help guide how to handle materials being exchanged.
CUI-Related Programs for Non-Governmental Agencies
Non-federal organizations are not obligated to comply with the CUI guidelines, although their government contracts may specify compliance. It is in a commercial organization’s best interest to comply and demonstrate that they are prepared to apply the required controls on any CUI they may be handling.
Related to the Executive Order, but applicable only to commercial entities or non-government organizations doing business with the U.S. government, are several other programs, such as:
- National Institute of Standards Technology (NIST) SP800-171 Rev 2, which covers how CUI within non-federal systems and organizations should be protected
- The Cybersecurity Maturity Mode Certification (CMMC), which details what protections non-government entities need to take to achieve higher levels of control around data shared with government contractors and subcontractors
- International Traffic in Arms Regulations (ITAR), which controls the manufacture, sale, and distribution of defense and space-related articles and services and requires compliance. Any non-governmental entity that manages ITAR-regulated materials or data should follow security standards per NIST SP 800-53.
Need guidance on FISMA compliance? Get details on how to meet the requirements of the security controls outlined in the Federal Information Security Management Act.
CUI and Regulatory Compliance
One of the steps towards achieving compliance is to incorporate a data classification solution. With robust data classification technology in place, consistent and accurate labeling is applied to data according to the data governance policy and as required by NIST SP 800-171. Standardized labeling of CUI helps ensure appropriate protections around that data are used and enforced consistently. This labeling helps make complying with CUI data guidelines easier for those who handle CUI in their workday. Having this capacity in place is also proof that CUI is managed with the appropriate metadata and visual markings of information specified in the NARA CUI registry.
To comply with CUI rules, government and non-government entities working with governmental agencies need to have a strong security plan in place that covers 14 security control areas, including:
Awareness and training
Audit and accountability
Identification and authentication
System and communications protection
System and information integrity
These controls work in conjunction with the task of labeling or tagging material that falls under CUI into three categories to help users determine how it should be accessed and handled:
This is information that is to be subject to standard safeguarding measures to reduce the risks of unauthorized or inadvertent disclosure. Information in this category can be shared to the extent that it is reasonably believed it would further the execution of a lawful or official purpose.
This is information that requires safeguard measures designed to reduce the risk of unauthorized or inadvertent disclosure. The material identified at this level should contain additional instructions on what dissemination is permitted.
This content requires more stringent safeguard measures, as the inadvertent or unauthorized disclosure of it would create the risk of substantial harm. The material in this category should also contain additional instructions for handling.
DFARS and NIST CUI Compliance
Contractors and subcontractors with the US Department of Defense (DoD) need to follow the compliance steps published by the DoD in the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 clause, regarding how they are to safeguard CUI. The DFARS clause outlines the implementation of the controls identified by NIST publication 800-171, and is required in all contracts except for contracts used only to purchase commercial, off-the-shelf items. It also applies to subcontracts involving covered defense information or operationally critical support.
To comply, contractors and subcontractors must:
- Safeguard covered defense information
- Report cyber incidents
- Submit malicious software
- Facilitate damage assessment
NIST 800-53, 800-171, and CUI compliance also go hand-in-hand with CUI rules and are supported with a robust data classification solution and policies to help streamline compliance and provide consistent labeling practices to relevant data. NIST SP 800-171 specifically addresses the confidentiality of CUI to help ensure CUI is not inappropriately shared.
To comply with NIST, organizations and governmental entities need to:
Who is Responsible for Protecting CUI?
The CUI regulation’s policies for designating, handling, and controlling CUI information applies to federal departments, agencies, and contractors who may develop products containing CUI or systems that process, store, or handle CUI.
Prior to the executive order establishing the CUI program, various government agencies used a variety of agency-specific policies, ad-hoc policies and procedures, and inconsistent markings to help control and safeguard information deemed sensitive. EO 13556 established a uniform program with only the categories of information listed in the CUI Registry to be identified and handled as CUI.
As such, the government oversees the designation of what level of protection information falls under. This information on markings, the CUI Marking Handbook, is listed in the CUI Registry. In addition, all CUI must have a designation indicator that identifies who has deemed the information as CUI.
Overall oversight for the CUI program is the Information Security Oversite Office. This office acts as the Executive Agent of the National Archives and Records Administration and monitors the implementation and compliance of the CUI Program by executive branch agencies.
A CUI Advisory Council, with representatives from each executive branch agency, also works with the EA on matters related to CUI.
How Fortra Helps with Protecting CUI
At the heart of the CUI program is data classification to ensure appropriate control and consistent handling of sensitive information, as well as enforcement of control across all branches of government and its contractors.
By tagging or labeling data with visual as well as metadata labels to highlight special handling requirements as specified by the CUI program, users can more easily comply with CUI rules. With robust data classification technology in place, users would receive an alert when personal data is leaving the organization or as a warning to prevent them from sending messages that contain sensitive information, as defined by the CUI Registry.
The automation and streamlined functionality of data classification solutions, such as that from Fortra Data Classification, helps both secure the information deemed sensitive as well as educate users about the sensitive of data they are handling, while adhering to the policies established.
Request a Demo
If you handle or may be handling CUI in the future, talk to a Data Classification expert today. A personalized demo can show you how easy it is to comply with the CUI Program with data classification technology.