.svg){kind=logo}
Federal agencies and their external service providers routinely generate, use, store, and share information that, while not meeting the standards for classified national security information nevertheless requires safeguarding and dissemination controls.
This Guide will discuss Controlled Unclassified Information (CUI) and how to protect it best. We will be covering:
Controlled Unclassified Information (CUI) is a marking and control mechanism for all unclassified information or other data that meets standards for usage, safeguarding, and dissemination controls according to and consistent with applicable laws, regulations, and government-wide policies.
Types of data that fall under CUI includes, but is not limited to:
Important Information:
CUI refers to unclassified information that must be protected from public disclosure. CUI is not classification and should not be referred to as “classified as CUI.” A better way to phrase it is “designated as CUI.
Before the CUI Program, there were over 100 different ways of characterizing unclassified information. Different rules for each Federal Agency created conflict on when and how to share information, making it difficult to collaborate and ensure the information was protected.
Established in Executive Order 13556, the CUI Program standardizes how the Executive branch handles unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies.
Important Information:
The CUI Program makes no changes to the Freedom of Information Act (FOIA) process. Standardized CUI markings help ensure that CUI is adequately protected by all agencies and facilitate timely information sharing to authorized recipients. Even the release of unclassified information can be damaging. Unclassified information can be pieced together to provide an adversary with a better understanding of classified information. The CUI Program helps mitigate and reduce threats of compromise or loss of information.
Only information requiring protection based on law, Federal regulation, or government-wide policy can qualify as CUI.
Like classified information, CUI is marked with bold banners, i.e., Controlled or CUI, and may also include limited dissemination controls making it clear how the information should be shared or distributed as directed by the responsible agency.
In this guide, we will cover the two types of CUI: CUI Basic and CUI Specified, and the specific protections required for each.
Join our free email series for tips and resources to achieve compliance.
CUI follows a lifecycle similar to all protected information. While the designation of certain types of information requiring safeguarding and dissemination may be new, the process should be very familiar to DIB partners.
Create : CUI is created when recorded on paper or entered into an information system
Identify & Designate: Realize that the information is generated for or on behalf of an agency within the Executive Branch under a contract and determine if the information falls into one of the more than one hundred categories of CUI in the National and DOD CUI Registries. It is also important to realize what is not CUI.
Mark/Label: At a minimum, CUI markings for unclassified DOD documents will include the acronym “CUI” or “CONTROLLED” in the banner of the document. It is a best practice to include markings in both the banner and footer of the document, and it is imperative to reference the CUI Marking Guide to ensure correct markings.
Store: CUI can be stored in NIST 800-171 compliant information systems or controlled physical environments.
Disseminate: Only authorized holders may disseminate in accordance with distribution statements, dissemination controls, and applicable laws.
Destroy: Hard and soft copies of CUI should be appropriately destroyed, meaning they are rendered unreadable, indecipherable, and irrecoverable. Review clearing, purging, and destruction in NIST SP 800-88: Guidelines for Media Sanitization.
Decontrol: All holders must promptly decontrol CUI once the CUI owner has properly determined the information no longer requires safeguarding or dissemination controls, unless doing so conflicts with the related law, regulation, or government-wide policy in accordance with DoDI 5230.09.
Access to CUI can be granted to individuals performing “any activity, mission, function, operation, or endeavor that the U.S. Government authorizes or recognizes [as] within the scope of its legal authorities or the legal authorities of non-executive branch entities (such as state and local law enforcement) on the need to know basis”.
Schedule a free consultation to get personalized advice tailored to your needs.
There are two types of CUI: CUI Basic and CUI Specified.
CUI Basic is the type of CUI that a law, regulation, or government-wide policy says must be protected, but doesn’t provide any further instruction for its protection. CUI Basic contains basic handling and dissemination controls.
CUI Specified is the type of CUI where the authorizing law, regulation, or policy puts more restrictive controls on the specific handling, marking, or sharing requirements to ensure adequate protection.
Important Points:
Since CUI Specified can call for different controls and protection than CUI Basic, it is mandatory to label the specific protection of the content in the banner (SP-)
Examples of CUI Specified Categories
CUI markings alert holders that the information must be protected. A cover sheet may also be used to identify CUI, alerting observers that CUI is present from a distance and serving as a shield to protect CUI from inadvertent disclosure. In the CUI program, there is a standard way to apply markings, as well as alternative methods to satisfy marking or identification requirements. Listed below are three components of marking CUI and an example of a CUI coversheet.
Designation Indicator
Banner Markings
Portion Markings
CUI must always be secured using controlled environments, both physically and electronically, that ensure access to CUI is only by authorized users with a lawful government purpose.
PHYSICAL BARRIERS
The CUI Program requires that inside a controlled environment there is at least one physical barrier to prevent unauthorized access to CUI such as the following:
CUI safeguards must also prevent unauthorized individuals from observing or overhearing discussions containing CUI. Public areas such as break rooms, lobbies, or public transportation, are not acceptable for the storage, discussion, or review of CUI.
ELECTRONIC BARRIERS
The CUI program requires that some barrier or compartmentalization exists to prevent unauthorized users from accessing electronic CUI, such as the following:
Information stored on electronic systems and networks must be compartmentalized and protected according to the lawful government purpose for accessing that information. All projects should establish procedures to ensure that only authorized individuals have access to CUI, and its access is removed when it is no longer required.
Need guidance on your CMMC compliance journey? Fill a short form and our experts would reach out to you.
Expert Cybersecurity Solutions for Federal, State and Commercial Organizations
Enter your details below and we will send an email with a download link.
Enter your details below and we will send an email with a download link.
Enter your details below and you'll receive insights, updated, and news related to Cybersecurity. No SPAM!