What is CUI Specified & Basic? (CUI Classification & Data Type Examples)

What is CUI? Controlled Unclassified Information (CUI) is government created or owned information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies. Federal agencies routinely use, store, and share information that does not meet the requirements for classified information, but requires some level of protection from unauthorized access and release. This information, which may be required for privacy, legal, or other reasons, is designated as CUI. However, data is categorized as CUI only if it is collected, transmitted, created and/or stored as a requirement of a federal government contract with the DoD.

What is CUI Classification?

So exactly what does CUI mean? CUI full form is Controlled Unclassified Information, which is a category of unclassified information within the Government that, although not deemed classified, requires some level of protection. The CUI marking replaced several legacy markings for unclassified information, including FOUO, SBU, and LES.

So, what is controlled unclassified information (CUI)?

The CUI definition according to NARA is information that requires safeguarding from unauthorized access and release but does not qualify as classified information under EO 13526 “Classified National Security Information” or the Atomic Energy Act. CUI was established to standardize the way the Executive branch handles this type of sensitive information.

What is Federal Contract Information (FCI) and how is it different from CUI?

Federal Contract Information (FCI) is information not intended for public release. FCI is provided by or generated for the Federal Government under a contract to develop or deliver a product or service.  Click here for more information on the difference between FCI and CUI.

What is CUI Basic?

What is basic CUI? CUI Basic, a subset of CUI, contains baseline handling and dissemination controls for the protection of information, but for which the authorizing law does not apply specific dissemination controls; it is handled according to a set of controls in the DoD CUI Registry and DoDI 5200.48.

What is CUI Specified?

What is specified CUI? CUI Specified is a subset of CUI whereby a law, regulation, or government-wide policy requires specific handling or dissemination controls for the protection of information. An example marking of CUI Specified in a document that contains Controlled Technical Information (CTI) would be CUI//SP-CTI.

Types of Controlled Unclassified Information Examples:

Controlled Unclassified Information is a much broader category of information vs. classified information, as it includes many different types of sensitive information. What is considered controlled unclassified information? Some of the CUI information types and CUI data types include the following:

• Personally identifiable information (i.e., health documents)
• Proprietary Business Information (i.e., secret formulas, processes, and methods used in production)
• Unclassified Controlled Technical Information (i.e., engineering data and technical reports)
• Sensitive But Unclassified (i.e., tax return information)
• For Official Use Only
• Law Enforcement Sensitive

Need Help with CUI Compliance?

Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense’s tool used to ensure the CUI Program, which was established in 2010, is implemented evenly across the DoD and the Defense Industrial Base (DIB), to comply with the many federal laws and regulations governing CUI. The CMMC framework has built-in maturity methods to guide an organization to the level of compliance that demonstrates appropriate CUI security measures that vary based on the nature of work and government information. Do you want to understand the correct way to protect CUI according to CMMC? SoundWay Consulting Inc. understands the major challenges you face as an organization with CMMC compliance, and you can trust SoundWay to be your consistent expert guide towards compliance. Please contact SoundWay Consulting Inc. at 571-210-0624 or via email at CMMC@soundwayconsulting.com to see how we can assist you. Also, see FCI vs CUI.

What is CUI Data? Key Takeaways:

Although CUI isn’t classified information, the federal government determined that it needs to be protected because its malicious release poses a threat to national security. As a result, the CUI program was created. Once the CUI program began to be implemented throughout the government, there was a push for non-federal agencies to handle CUI appropriately and ensure the safety of government information, especially since the loss of aggregated CUI is one of the most significant risks to national security. In recognizing that information security is a foundational requirement for the DIB Industrial Supply Chain, the DoD developed the Cybersecurity Maturity Model Certification (CMMC) for the protection of CUI. CMMC assesses members of the DIB to ensure they have sufficient systems in place to protect any CUI that resides on their networks in conformance with NIST SP 800-171 “Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations”.

The CUI program impacts almost every government agency, which means that CUI’s presence is widely spread and needs to be safeguarded properly wherever it resides. The CUI program acknowledges that certain types of unclassified information are sensitive and valuable to the United States national security interests, so the CUI program is vital in prioritizing the safeguarding of CUI and protecting risks to our national security.

FAQs

Why Protect CUI?

In addition to protection requirements, the loss or improper safeguarding of CUI could be expected to have serious adverse effect on organizational operations, organizational assets, or individuals. Improper safeguarding of CUI can lead to: degradation in mission capability, damage to organizational assets, or financial loss or harm to individuals.

What is the CUI Program?

The Controlled Unclassified Information Program (CUI) was established for the purpose of standardizing the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies. The National Archives and Records Administration (NARA) serves as administrator of the Program.

What is the CUI Registry?

The DoD CUI Registry and the ISOO CUI Registry mirror one another. What is the purpose of the ISOO CUI Registry and the DoD CUI Registry? The DoD CUI Registry provides an official list of the Indexes and Categories used to identify the various types of DoD CUI. The ISOO National CUI Registry provides additional information on the relationships to DoD by aligning each Index.

What is NIST SP 800-171?

The National Institute of Standards and Technology Special Publication (NIST SP 800-171) provides agencies with recommended security requirements for protecting the confidentiality of Controlled Unclassified Information (CUI) when it resides in Non-Federal Information Systems and Organizations. There are a total of 110 controls that are divided into 14 control families.

Is PII Considered CUI?

Yes, Personally Identifiable Information (PII) is a category of CUI and considered to be CUI if it is required as a part of a contract with the DoD. Examples of PII include personal address, phone number, driver’s license number, social security number, passport number, and credit card number.

Is Financial Information CUI?

General financial information is a category of CUI and considered to be CUI if it is required as part of a contract with the DoD. Several examples of financial information include purchase orders, bank orders, or information which could be used to compromise the US economy.

CDI vs. CUI, What’s the Difference?

The DoD uses the terms CDI and CUI almost interchangeably as CUI is an umbrella term that encompasses CDI. However, CDI (Covered Defense Information) specifically means unclassified controlled technical information or other information and will usually come up in connection with DoD research agreements and other DoD contracts.

Who is Responsible for Protecting CUI?

The DoD developed the Cybersecurity Maturity Model Certification (CMMC) for the protection of CUI to assess members of the DIB (who can control CUI dissemination) and ensure they have sufficient systems in place to protect CUI. At the time of creation of CUI material, the authorized holder is responsible for determining CUI category, CUI markings and dissemination instructions.

What DoD Instruction Implements the DoD CUI Program?

DoD 5200.48 is the DoD Instruction that implements the DoD CUI Program. Specifically, DoD Instruction 5200.48 establishes policy, assigns responsibilities, and prescribes procedures for CUI throughout the DoD in accordance with Executive Order 13556; Part 2002 of Title 32, CFR; and DFARS Sections 252.204-7008 and 252.204-7012.

Is Press Release Data CUI?

A press release is an official statement delivered to members of the news media for providing information, creating an official statement, or making an announcement directed for public release. So, is it CUI? Government press releases could be temporarily marked as “controlled unclassified information” to protect them from premature disclosure.

Which Document Contains the DoD Cyber Regulations for CUI and CTI?

The Cybersecurity Maturity Model Certification (CMMC) was established by the DoD and is designed enhance cyber protection standards for companies in the DIB to protect CUI as well as CTI (which is a category of CUI). The CMMC cybersecurity framework consists of 110 controls and is based largely on NIST 800-171.

What Level of System and Network Configuration is required for CUI?

The Cybersecurity Maturity Model Certification (CMMC) has built-in maturity methods to guide an organization to the level of compliance that demonstrates appropriate CUI security measures. An organization must meet the security requirements of CMMC Maturity Level 2 in order to receive or generate CUI.