Managing Controlled Unclassified Information (CUI)
Introduction to Controlled Unclassified Information (CUI)
There are more than 350,000 contractors currently doing business with the Department of Defense (DoD). They range in size from very large firms, like Raytheon, the missile manufacturer, which employs tens of thousands of employees, to a small, family-owned company with a dozen employees making uniform insignia.
Regardless of size and revenue, there is something a large segment of these firms all have in common: the management of Controlled Unclassified Information (CUI) — a basic fact of business life when handling contracts and doing business with the Department of Defense.
This requirement is an important part of the Cybersecurity Maturity Model Certification (CMMC) program, which introduces new cybersecurity requirements for firms that are part of the vast Defense Industrial Base (DIB).
In order to continue doing business with the DoD, all contractors need to be certified by a CMMC Third-Party Assessment Organization (C3PAO) by the end of 2025. The introduction of the CUI CMMC program and the new CUI requirements signal a new era of strict information security practices for companies working with the DoD.
CUI is defined as information the government owns or creates, or that a firm or organization possesses or creates for the government, which needs to be safeguarded and shared using the information security controls required under current government laws, regulations and policies.
In November 2010, the administration passed Executive Order 13556, which specified categories of nonclassified information to be safeguarded given vulnerability and risk.1 This was the legal basis that established the framework and procedures for control and protection of CUI within the government and throughout the DIB.
The categories include agriculture, copyright, critical infrastructure, emergency management, export control, financial, foreign government, geodetic product information, immigration, information systems, intelligence, law enforcement, legal, NATO, nuclear, patent, privacy, proprietary, the Safety Act, statistical, tax and transportation.
The term “Controlled Unclassified Information” was designed by the DoD as a safeguarding system for unclassified information. It is described not as a classification but as a category, with a preferred description of “controlled as CUI,” as opposed to “classified as CUI.”
Naturally, classified information tends to get a lot more attention than its lesser-known cousin, Controlled Unclassified Information. Given how often classified information is mentioned in movies and books on espionage and throughout popular culture, that’s probably not surprising.
Classified information covers three sensitive classifications — confidential, secret and top secret — across categories that include military plans, weapons systems, information on foreign governments, intelligence-gathering activities and valuable scientific, technical and economic information.
The government has mandated that CUI also be protected and shared only under strict guidelines in order to prevent potentially harmful releases. The DoD has made a serious effort in recent years to communicate the importance of safeguarding CUI by publishing standards to help contractors maintain information security best practices.
The Department of Defense has done this as part of an ongoing initiative to communicate with its network of suppliers what is required in terms of ensuring information security standards, and also in response to the sharp increase in data breaches and cybersecurity attacks in the last 10 years.
CUI Guide for DoD Contractors
The risk for DIB companies is the possibility of information security gaps or breaches in their computer networks that could allow protected information to fall into the hands of adversaries. To counter that possibility, firms need to be able to identify all CUI that has entered their networks, whether or not it was marked as such when they received it.
One way for a supplier to know if they are handling CUI is to look at the DoD request for proposal (RFP) to see what category of information is written on the contract documents. This, however, is not a guarantee, because even a well-crafted document coming from the Department of Defense might contain incorrect information.
The DoD offers suppliers access to its online CUI Registry, which lists specific categories of information that the government requires to be protected. The list includes critical infrastructure, defense, export control, financial, immigration, intelligence, international agreements and law enforcement.
The DoD CUI Registry goes on to specify additional categories of information, including legal, natural and cultural resources, NATO, nuclear, privacy, procurement and acquisition, proprietary business information, provisional, statistical and tax information.
There are six basic steps for DoD contractors to follow to determine if the information being handled as part of their contract work falls under the CUI category.
- The firm should ask if the information meets the standards for classification according to instruction DoDM 5200.01, Volume 1.
- If the answer is yes, the supplier should stop and refer to DoDM 5200.01, Volume 1, for guidelines on processing classified information.
- If the answer is no, the contractor should ask if the information falls within a current law, regulation or government policy.
- If the response turns out to be no, the supplier should stop and note that the information cannot be designated CUI.
- If the response turns out to be yes, the contractor should identify the categories the information falls into, using the detailed online DoD CUI Registry.
- The contractor will be able to see the CUI category on the document in the CUI Designation Indicator block. It will be displayed in the following format: Controlled by: OUSD(I&S), Controlled by: CL&S INFOSEC, CUI Category: PRVCY, Limited Dissemination Control: FEDCON, POC: John Brown, 703-555-0123.
Safeguarding Controlled Unclassified Information
The DoD offers a set of basic requirements for handling and safeguarding CUI while working on a defense contract in DoD instruction 5200.48. All firms interested in working with the DoD should make sure these requirements are well understood and followed within their organizations.
The DoD must let the contractor know about any CUI and make sure it is marked accordingly as part of its communications with suppliers. When the department is providing CUI, it must spell this out in all contracts and related documents.
DoD contracts stipulate that suppliers must track CUI internally and communicate classifications to their DoD contract officer. CUI will be classified at a “moderate” confidentiality level consistent with instructions DoDI 8500.01 and 8510.01 within all DoD systems.
Another requirement stipulates that all non-DoD computer systems and networks must provide effective security measures and that this be reflected in all legal documents shared with non-DoD entities based on prescribed DoDI 8582.01 guidelines. Simply put, when information containing CUI moves down the supply chain to additional firms outside of the DoD, it is important that CUI is labeled accordingly, allowing it to be protected.
DoD representatives and contractors must submit all unclassified DoD information for review and approval based on department instruction 5230.09 before release. All CUI records must follow the approved mandatory disposition authorities and protocols whenever the DoD provides CUI to, or whenever CUI is generated by, anyone other than the DoD.
There are two subsets of Controlled Unclassified Information: basic and specified. Government rules identify the handling and dissemination controls for CUI Basic as moderate under the Federal Information Systems Modernization Act (FISMA), with information marked as CUI or controlled.
CUI Specified requires additional controls with respect to handling, and an agency designated to apply specific controls related to dissemination for each information category. Examples of agency subset categories for CUI include agriculture, legal, transportation, financial, tax and immigration.
In contrast to classified information, DoD personnel across all levels of responsibility and mission areas receive, handle, create and disseminate CUI on a regular basis. Because of this, CUI policy provides a uniform marking system across the federal government that replaces previous agency-specific markings.
Examples of different markings include personally identifiable information (PII), sensitive personally identifiable information (SPII), proprietary business information (PBI), unclassified controlled technical information (UCTI), sensitive but unclassified (SBU), for official use only (FOUO) and law enforcement sensitive (LES).
Handling Controlled Unclassified Information
Experienced defense contractors should know that there are specific categories of information that automatically signal CUI and that require special handling under the designation. This may not be the case for new suppliers working with the DoD on a contract for the very first time.
The categories include defense critical infrastructure information (DCRIT), export-controlled information, sensitive international agreements, law enforcement, legal privilege, pre-decision budget or policy information, privacy art information and naval nuclear propulsion information (NNPI).
To ensure safe handling of CUI, a company should start by incorporating all the requirements spelled out in the Cybersecurity Maturity Model Certification program. CMMC addresses CUI security requirements and best practices for all DoD industry partners.
The CMMC program model offers a CUI guide for DoD suppliers to ensure security practices in the handling and sharing of CUI within computer systems and supplier networks. Maturity levels within CMMC range from basic cybersecurity hygiene to advanced progressive hygiene as part of the information security protocol for handling CUI.
Conduct an informal survey of cybersecurity experts on the subject of protecting Controlled Unclassified Information, and one of the recommendations that comes up again and again is data classification. The process starts with making all staff aware of what CUI flows through a company’s networks and what protection measures are in place.
That’s followed by implementing an effective system of classification and protection that is understood and adhered to by all employees within the organization. It may seem like a daunting task for a small company not able to rely on an in-house team of IT professionals, but the benefits of implementing a smart data classification system far outweigh the costs.
It does require an investment of time, effort and resources, but proactively implementing cybersecurity best practices will be a decided advantage for any small firm considering doing business with the DoD. They are simply putting in place what they know the department will require if and when they are considered for a defense contract.
As Rhia Dancel, information security expert at NSF-ISR, notes, “Implementing security controls early on helps to set security expectations within the organization, resulting in a security-focused workforce.”
That’s why cybersecurity experts point to data classification as the cornerstone of an effective data security system. Smart firms take the time and make the effort to understand the kinds of sensitive data flowing through their networks, so that it can be protected as required by their partners at the DoD.
They also train staff in the data classification process, make sure policies are easy to understand, use automation tools wherever possible and implement a process of continual monitoring to ensure that the information security plan they’ve put in place can be adjusted for changing circumstances.
Standards for Sharing Controlled Unclassified Information
The Department of Defense has issued guidelines to help contractors and their supply chains understand the kinds of Controlled Unclassified Information that can be shared under a range of circumstances. The guidelines are based on a number of governing principles.
CUI access should be encouraged and permitted when it complies with the law, regulation or government policy identifying the information as CUI; furthers a lawful government purpose; is not restricted by an authorized limited dissemination control; and is not otherwise prohibited by any other law, regulation or government policy.
Agencies may place limits on disseminating Controlled Unclassified Information for a lawful government purpose only by using the authorized and published dissemination controls listed or by using other methods that have been authorized by a specific law, regulation or government policy.
When handling executive branch CUI, DoD personnel will follow appropriate governance criteria for when the application of dissemination controls and its markings are allowed, and by whom, while ensuring that the policy is in accordance with Part 2002 of Title 32, CFR.
Limited dissemination controls or distribution statements cannot restrict CUI access unnecessarily, given that DoD components need to retain certain agency-specific CUI within their organizations. DoD components may use the limited dissemination controls to limit access to those on an accompanying dissemination list.
For example, raw data, information or products must be processed and analyzed before determining if further dissemination is required or permitted. The Limited Dissemination Control list should be used as a guide to determine what dissemination is allowed.
The DoD also has designations related to the authorized sharing of CUI to specific recipients. One is federal employees only (FED ONLY), and it restricts the sharing of CUI to employees of governmental executive branch departments and agencies or armed forces personnel of the United States or the Active Guard Reserve.
Another category is federal employees and contractors only (FEDCON), which restricts dissemination to employees of government branches, departments and agencies; armed forces personnel; or individuals or employers who contract with a U.S. department or agency to perform a specific job, supply labor and materials, or sell products and services.
A related category, NOCON, or no dissemination to contractors, prohibits dissemination to federal contractors who enter into a contract with a government department or agency to perform a specific job, supply labor and materials, or sell products and services. This control is intended for dissemination to state, local or tribal employees and restricts sharing with federal contractors.
There is also a special category called dissemination list controlled (DL ONLY), which authorizes release only to those individuals, organizations or entities included on an accompanying dissemination list. Use of this dissemination control supersedes other controls and must be applied consistently with federal law, regulation or government policy.
CUI dissemination controls include an area related to attorney-client privilege that calls for the marking PRIVILEGE. This control protects against the release of information to parties beyond the attorney, the attorney’s agents and the client.
The only exception is in the case of a special release authorized by the agency’s executive decision makers.
A final example of CUI dissemination control covers the legal area known as attorney work product. The designated marking for this kind of regulated CUI is ATTORNEY-WP. This control protects against the unauthorized sharing of privileged attorney work product beyond the attorney, the attorney’s agents and the client.
Sharing Controlled Unclassified Information With Foreign Governments
The Department of Defense has also addressed how and when Controlled Unclassified Information can be shared with foreign governments and nationals. It is important for all defense contractors to be aware of CUI markings that reflect this special category of restricted information.
There are types of CUI designated and marked as NOFORN, or no foreign dissemination, which refers to these specific categories of information. The designation means the CUI may not be disseminated or communicated in any form to foreign governments, foreign nationals, foreign or international organizations, or non-U.S. citizens.
Another special category is referred to as authorized for release to certain nationals only (REL TO USA, LIST). Under this heading, a designated agency has determined that the CUI can be released or has been released only to specified foreign countries and international organizations. This category represents a specified, targeted, authorized release of CUI.
A final designation for CUI related to foreign governments and nationals is referred to as DISPLAY ONLY. Under this marking, information can be shown to a foreign recipient, but the individual seeing the information does not receive a physical copy of any kind for themselves or for their country or international organization.
CUI Best Practices
Smart DoD contractors, large and small, have surveyed the defense landscape, recognized the importance of CMMC compliance and made the necessary moves to train their staff on the importance of protecting Controlled Unclassified Information, within both their internal operations and those of their supply chain partners.
Their motivation is simple. They want to continue doing business with the Department of Defense, and they recognize that having effective information security systems in place to protect CUI allows them to maintain this important business relationship, and also to follow best practices for the entire spectrum of information they manage.
Information security experts recommend a few basic steps companies should take to identify their CUI exposure, the critical services they offer and the internal parts of the operation that support them. Taking such an approach also helps them prepare for a CMMC assessment and find ways to reduce the costs of managing CUI internally.
A key step in the process is defining company assets. They fall into four categories: people, information, technology and facilities. Establishing and separating out these basic categories within the operation is part of the essential mapping-out process needed to identify and protect CUI.
People are the human component within the operation, including the staff responsible for delivering the products and services a firm offers.
Information refers to the data related to the firm’s products, product design, and customer and order information.
Technology covers the hardware and software used to provide essential services, which could include a managed service provider (MSP) or a cloud service provider (CSP).
Facilities refers to the buildings, offices and warehouses where the firm’s staff use technology and information to generate the products or services the company delivers.
After a firm has identified services and assets, the next step is focusing on the people, information, technology and facilities components that support them. In the process, a company will also be able to pinpoint what parts of its operation are not connected to the essential products or services it provides.
Mapping out essential services starts with asking relevant questions across the four key categories. Within the people category, it’s important to know who supports the portal operation, including staff and third parties. A firm also needs to know what people and departments have access to the portal.
Specific questions regarding information would include: What information is stored where? Is it stored locally on the server on a SAN/NAS device or hosted in the cloud?
Another technology question would be: Is the portal on a server, cloud-based or virtual? Another relevant question worth asking: How does the information flow within the company’s network? This question-and-answer process requires staff time and effort, but it will yield a very useful map of how CUI flows into and through a company’s networks.
Some of the questions a firm asks as part of this process will span multiple categories, including people, technology and facilities. For example: Is portal information backed up? If so, where? Another key question: Does the firm have a disaster recovery site for the portal?
The same three categories are reflected in questions like: Who supports the operation of the portal, and who has access? Where is this staff located within the company? It’s important to remember that this question-and-answer process has a very specific goal: to create a data flow diagram to identify and protect CUI within the firm’s operations.
Larger contractors will already have information security systems in place for identifying and protecting CUI inside their operations. For them, this is a normal part of how they manage sensitive information to meet DoD requirements.
The challenge is greater for newer and smaller firms looking to earn their place within the DoD’s vast defense industrial base.