· 22 min read
Identifying and Protecting Controlled Unclassified Information (CUI)
Introduction to Controlled Unclassified Information (CUI)
Amid the alphabet soup that swirls around the world of U.S. Department of Defense (DoD) contracts, there is one acronym that has widespread impact across the board and yet is not always well understood.
The acronym is CUI, and it stands for Controlled Unclassified Information. CUI is defined as information the government owns or has created that needs to be safeguarded and disseminated using only controls consistent with government laws, regulations and policies.
Prior to 2010, CUI was referred to as information that was “for official use only” or “sensitive but unclassified.” At that time there were no standardized guidelines for CUI, so one firm could refer to information as “extremely sensitive,” while another could call it “less sensitive.” Fortunately, less-than-clear information security standards are becoming a thing of the past.
During the last decade, the DoD has made a concerted effort to standardize and publish standards related to information security. It has done so not only to communicate to contractors what is required, but also to address a dramatic surge in cybersecurity attacks involving both government agencies and firms that do business with the government.
A History of Cybersecurity Breaches and Government Responses
In 2008, the White House issued a memorandum titled “Designation and Sharing of Controlled Unclassified Information (CUI).”1 It was the first significant effort by the federal government to highlight the importance of CUI and to standardize practices within government departments.
In October 2009, a major data breach at the National Archives and Records Administration put the records of millions of military veterans at risk.2 The response was Executive Order 13556, “Controlled Unclassified Information,” issued in November 2010, which created a program to manage Controlled Unclassified Information for the first time.3
In November 2011, The Washington Post reported on an accidental release of records involving Tricare Health Systems and IT contractor Science Applications International Corporation that compromised the medical histories of more than 4.9 million military personnel.4 The data included names, Social Security numbers, addresses, birthdates, phone numbers and medical lab test results.
The government’s Office of Personnel Management (OPM) was the target of another data hack in November 2013 involving two government contractors, U.S. Investigations Services LLC (USIS) and KeyPoint.5 These companies gathered sensitive personal data during background checks conducted for OPM as part of the hiring process for new government employees.
The response to the OPM, USIS and KeyPoint data breaches was Executive Order 13636, issued in February 2013 by the Obama White House.6 The order was titled “Improving Critical Infrastructure Cybersecurity,” and it was designed to upgrade cyber risk management practices within critical infrastructure.
The order directed the National Institute for Standards and Technology (NIST) to work with the private sector to identify current voluntary standards and build them into a cybersecurity framework. The plan was to encourage the private sector to incorporate the new framework into its operations on a voluntary basis.
In 2014, OPM was once again the target of a serious data breach. This time the private-sector IT contractor involved was Keystone Government Solutions. Millions of SF-86 forms used in background checks and containing highly sensitive personal information and fingerprints were stolen.7,8
The new OPM breaches led to a congressional investigation,9 the resignation of a top OPM executive10 and the creation of NIST Cybersecurity Framework 1.0, which laid out new, detailed information security protocols to be followed by government departments and their private-sector contractors.11
From 2015 through the first part of 2021, there were confirmed news reports of serious cybersecurity attacks at Uber,12 the Democratic National Committee,13 Equifax,14 Marriott,15 U.S. Customs and Border Protection,16 SolarWinds17 and Colonial Pipeline.18 These were only the largest, most publicized data breaches. Thousands of others went unreported.
Government responses have included NIST SP 800-171, the Cybersecurity and Infrastructure Security Agency Act, the Cybersecurity Maturity Model Certification (CMMC) program announcement, the Defense Federal Acquisition Regulation Supplement interim rule and the official CMMC program rollout.
What’s important to understand is that these responses to data breaches over the last 10 years represent in large part a concerted effort to protect Controlled Unclassified Information. CUI isn’t classified, but the government has determined that it needs to be controlled, because its malicious release is considered a threat to national security.
CUI and Cybersecurity Maturity Model Certification
Announced in November 2020, the CMMC program mandates new cybersecurity requirements for the more than 350,000 organizations that make up the defense industrial base (DIB). To continue doing business with the DoD, all contractors need to be certified by a CMMC Third-Party Assessment Organization (C3PAO) by the end of 2025.
The DoD introduced the CMMC program in response to the sharp increase in cybersecurity attacks over the last few years. The department considers these a serious threat to the nation’s economic and national security. The high-profile attacks on SolarWinds, Kaseya, Accenture and Colonial Pipeline are just the most recent examples.
“SolarWinds is a great example,” says Tony Giles, an information security expert with NSF-ISR. “In December 2020, this large, publicly traded firm was breached. You can walk through their incident response. There’s so much involved with that. Information security seems to be top of mind for everybody these days.”
It is estimated that $600 billion, nearly 1% of global GDP, is lost due to cybercrime every year, according to a report from the Center for Strategic and International Studies and information security firm McAfee. The estimate is up sharply from a 2014 study that placed global losses at about $445 billion annually.
Nearly 1% of global GDP is lost due to annual cybercrime.
The CMMC program is a key aspect of the Defense Department’s overall response to rising cybersecurity threats. It’s designed as a verification mechanism to ensure that companies within the DIB implement proven cybersecurity practices to protect CUI.
CMMC will have a five-year, phased rollout by the Department of Defense. CMMC requirements will appear in all contracts starting in fiscal year 2026. This means that all DoD contractors and their supply chain partners will need to comply in order to bid on future defense contracts.
The CMMC model includes five levels of cybersecurity practices, with NIST SP 800-171 controls as the foundation for Levels 1-3. Level 1 represents basic cyber hygiene and focuses on the protection of federal contract information. Level 2 is a transitional step in the cybersecurity maturity progression to protect Controlled Unclassified Information.
Level 3 focuses on the protection of CUI. It includes all the controls specified in NIST SP 800-171, plus an additional 20 practices from other information security standards and references. Level 4 targets proactive steps a firm can take to detect and respond to threats. Level 5 focuses on the protection of CUI from advanced persistent threats.
The Importance of Controlled Unclassified Information
One of the stated goals of the CMMC program is to secure the nation’s information through the protection of Controlled Unclassified Information within the defense industrial base. It’s important for DoD contractors to understand the importance of CUI both in the context of the CMMC process and also within their internal operations.
Rhia Dancel, information security expert at NSF-ISR, describes CUI in these simple terms: “CUI is information that is generated by or provided by the government and that requires protection and safeguarding measures. CUI is a fundamental part of the initial CMMC assessment and is what drives the conversation.
“The main CUI categories we see are Controlled Technical Information (CTI) and Proprietary Manufacturer (MFC),” Dancel adds. “Blueprints or technical drawings would fall under the category of CTI. Manufacturing a part or component based on a technical drawing or spec would fall under the category of MFC.”
For the DoD, creating an entire information security protocol around CUI was a significant step. It meant communicating clearly to all firms in the DIB that certain types of unclassified information are very sensitive, valuable to the country and pursued by adversaries, and therefore need strong protection.
In contrast to classified national security information, DoD staff across all levels of responsibility and mission areas receive, handle, create and disseminate CUI. Current DoD policy on CUI provides a uniform marking system across federal government departments, with specific instructions on how documents need to be marked.
Unclassified Versus Classified Information
DoD guidelines describe Controlled Unclassified Information as a safeguarding system for unclassified information and stress that CUI is not a classification between unclassified and confidential. In fact, the preferred description is “controlled as CUI,” as opposed to “classified as CUI.”
In the ongoing comparisons between classified information and CUI, classified tends to get all the attention. That’s not surprising given how the former is often portrayed in blockbuster Hollywood movies dealing with espionage.
Dancel suggests that firms ask themselves these questions to help identify CUI within their organizations: “Do you receive any information that is marked as CUI? Do you receive technical drawings for a part or component from the government or a prime contractor to manufacture?”
Giles offers this example: “There’s just a lot of CUI that’s been developed. It might be the drawing of a part, something that may be stamped or marked as CUI. And they don’t always stamp things. It’s something that’s been communicated as Controlled Unclassified Information.”
The three most sensitive categories of government classified information are confidential, secret and top secret. These categories refer to types of information that could cause damage, serious damage or exceptionally grave damage if they were released and if they fell into the hands of adversaries.
Classified information controls are designed to protect a wide variety of government proprietary information in a range of categories, including military plans, weapons systems, information on foreign governments, intelligence-gathering activities and valuable scientific, technical and economic information.
Given the critical importance of classified information, it’s not surprising that CUI tends to have a lower profile in public discussions on information security. At the same time, the government has mandated that CUI be protected and disseminated only under clear guidelines in order to prevent potentially harmful releases.
The legal basis for the control and protection of Controlled Unclassified Information was established in November 2010, when the administration passed Executive Order 13556, which created 10 categories of nonclassified information that needed to be protected given vulnerability and security risks.19
The objective was to craft a uniform system for safeguarding and disseminating CUI. The final rule was passed in 2016 by the National Archives Records Administration.20 It provided implementation direction for the previous Executive Order 13556 and advanced a standardized method for assessing CUI.
How to Identify CUI
For experienced DoD contractors, the task of identifying and protecting Controlled Unclassified Information within their firms is likely a normal part of their information security practices. For companies new to securing and managing DoD contracts, however, this may not be the case.
For these firms, it’s vitally important that they are able to answer the critical questions of how to identify and how to protect CUI. One way to tell is simply to look at the contract. Any DoD contractor who responds to a request for proposal (RFP) will see that the category of information to be protected is displayed on the cover document.
That by itself does not ensure compliance, because it’s possible that the RFP could have incorrect information printed on the documents. The most useful approach is to implement an internal review that identifies the types of information the firm handles and use it as a starting point to guide CUI compliance.
The CUI Registry details the specific categories of information the government protects. The CUI Registry includes 18 organizational index groupings: critical infrastructure, defense, export control, financial, immigration, intelligence, international agreements, law enforcement, legal, natural and cultural resources, NATO, nuclear, privacy, procurement and acquisition, proprietary business information, provisional, statistical and tax.
The obvious risk for companies when handling CUI is the possibility of information security gaps or breaches that could allow protected information to fall into the hands of adversaries. To counter that possibility, firms need to be able to identify all CUI that has entered their network, whether or not it was marked as such when they received it.
For example, a contractor should be able to identify technical drawings for parts they receive from the government or a prime contractor to be manufactured. A firm that has made a commitment to information security will implement best practices and cybersecurity training to identify and protect CUI
Part of the company’s information security best practices will ensure its ability to monitor and document threat information, take the needed steps to become NIST SP 800-171 compliant, evaluate supply chain risk, use two-factor authentication, utilize data-loss prevention technology and carry out regular self-audits.
Government contractors with questions about identifying CUI within their operations should speak with their contracting officers to get answers. They should also visit the Department of Defense website for CUI requirements and specific CUI categories.
What Qualifies as Controlled Unclassified Information
The executive branch has specified eight categories of Controlled Unclassified Information that require protection. These include defense critical infrastructure, export controls, sensitive international agreements, law enforcement, legal privilege, critical budget or policy information, and Privacy Act or Naval Nuclear Propulsion data.
Defense critical infrastructure includes Department of Defense sectors that provide infrastructure services within the department, including defense financial services, defense information infrastructure, defense logistics, defense transportation, defense space and defense personnel.
Export control regulations are federal laws that prohibit the unlicensed export of certain commodities or information for reasons of national security or protection of trade. Export controls can arise for a number of reasons. One would be that the nature of the export has actual or potential military applications or economic protection issues.
Another legitimate government concern related to exports might have to do with the destination country, organization or individual. Yet another would be a real government concern about the declared or suspected end use of the item being exported or the intended end user of the export.
Sensitive international agreements could also include Controlled Unclassified Information. Agreements negotiated and ratified with foreign governments or organizations that include sensitive information also fall into one of the specified categories related to CUI that needs to be protected.
Law enforcement information is a category that includes techniques and procedures for law enforcement operations, investigations and prosecutions. Law Enforcement Sensitive (LES) is the term for unclassified information that, if disclosed, could cause harm to law enforcement activities and jeopardize investigations.
Legal privilege is a broad category of protected CUI that covers governmental privilege, attorney-client privilege and work product privilege. Attorney-client privilege, attorney-client communications and the work product that results from those interactions are areas protected by federal and state laws.
Budget and policy deliberations are considered sensitive areas in federal government operations. As a result, CUI is generated as part of these important discussions, deliberations and decisions that requires protection as specified under the DoD guidelines.
The Privacy Act of 1974 protects the records of individuals, including names, Social Security numbers and other personal data, which are also referred to as Personally Identifiable Information (PII). This is vital information that can be used to distinguish or trace an individual’s identity and, for that reason, is a category of CUI that requires protection.
The final category of Controlled Unclassified Information requiring protection is referred to as Naval Nuclear Propulsion Information (NNPI). This covers nuclear reactor safety, naval nuclear propulsion plants, radiation control, naval nuclear activities, and the safety and health of workers and the general public across these sensitive areas.
Steps to Identify Controlled Unclassified Information
CUI is a broad category that encompasses a number of different information types. DoD contractors should be able to identify information that is not classified but that still requires protection like CUI. This is a critical part of doing work for the DoD and maintaining good standing within the defense industrial base.
There are seven CUI information types, including Personally Identifiable Information (PII), Sensitive Personally Identifiable Information (SPII), Proprietary Business Information (PBI), Unclassified Controlled Technical Information (UCTI), Sensitive but Unclassified (SBU), For Official Use Only (FOUO) and Law Enforcement Sensitive (LES).
The Department of Defense also lays out specific requirements in the DoD Instruction (DoDI) 5200.48 on how contractors working with the government must handle CUI. Note the use of the word “requirement.” Not “suggestion” or “recommendation,” but “requirement.”
First of all, the DoD must inform the contractor of any CUI and mark it accordingly. When providing CUI, the DoD must communicate this fact clearly and prominently in all contracts and related documents. DoD contracts require contractors to monitor CUI and report classifications to their contract officer.
CUI will be classified at a “moderate” confidentiality level and follow DoDI 8500.01 and 8510.01 in all DoD systems. Non-DoD, private-sector systems need to provide effective security, with requirements described in all legal documents for non-DoD entities consistent with DoDI 8582.01 guidelines.
DoD representatives and contractors will submit all unclassified DoD information for review and approval based on the Department of Defense Instruction 5230.09 before release. All CUI records must follow approved mandatory disposition rules whenever the DoD provides CUI to, or whenever CUI is created by, anyone other than the DoD.
There are six specific steps a DoD contractor should follow to determine if the information being handled as part of their contract falls under the CUI category.
- The firm should ask if the information meets the standards for classification according to DoDM 5200.01, Volume 1.
- If the answer is yes, the contractor should stop and turn to DoDM 5200.01, Volume 1, for guidance on processing classified information.
- If the answer is no, the firm should ask if the information falls within a current law, regulation or government policy.
- If the response is no, the company should stop right there and note that this information cannot be marked as CUI.
- If the response is yes, the firm should identify the categories the information falls into, using the detailed, comprehensive online DoD CUI Registry.
- The contractor will be able to see the CUI category annotated on the document in the CUI Designation Indicator block. For example: Controlled by: OUSD(I&S), Controlled by: CL&S INFOSEC, CUI Category: PRVCY, Limited Dissemination Control: FEDCON, POC: John Brown, 703-555-0123.
What Is Not Considered Controlled Unclassified Information
In all the discussion about types of government information that need to be protected, it’s important to distinguish CUI from its high-profile cousin, classified information. The two may be related, but they are distinctly different. CUI is important and needs to be protected, but it is not on the same level as classified information.
If a DoD contractor is doing work that their contracting officer has designated confidential, secret or top secret, the contractor is working in the realm of classified, not controlled unclassified, information. The three classified categories reflect types of information that could cause damage, serious damage or exceptionally grave damage if released.
Controls on classified information are rigorous and comprehensive, as they are intended to safeguard government information and national security in critical areas, such as military plans, weapons systems, information on foreign governments, intelligence-gathering activities and valuable economic, scientific and technical information.
On the other end of the spectrum, if the information circulates freely within the government, inside universities and research organizations, and in the private sector, and does not fall under DoD CUI information requirements, it is not proprietary and not subject to the same protections as CUI.
There is also a wide spectrum of information across the government, university, research and private sectors that has been reported and published and is publicly available online. An example would be a blog post written and published by a university cybersecurity expert on the subject of DoD CUI requirements. This would not be considered CUI.
What Newer Firms Must Do to Protect Controlled Unclassified Information
Experienced DoD contractors understand the fact that their firms need to have effective information security systems in place so that all staff recognize the importance of protecting Controlled Unclassified Information. They know this is a critical requirement of working with the Department of Defense.
The challenge lies more with newer firms looking to secure their first DoD contract and still navigating the deep channels of the vast defense industrial base. A large part of the learning curve for them lies in appreciating the importance of implementing the kinds of information security practices that meet the department’s stringent standards.
Tony Giles, information security expert at NSF-ISR, states, “Small to midsized businesses can begin with the basics. Security awareness training, password controls, top-level management commitment and changing the culture to be more security focused are good first steps.”
The newer firms that succeed in their quest to gain a share of DoD business for their young companies are the ones that embrace the information security approach the DoD demands and implement the kind of rigorous staff training and data-protection protocols that are needed in an era of constant cybersecurity attacks.
They will do what cybersecurity experts recommend, including conducting cybersecurity training, optimizing incidence response, analyzing and communicating threat information, becoming NIST SP 800-171 compliant, evaluating supply chain risks, using two-factor authentication and data-loss prevention tools, and conducting regular internal audits.
Over the last decade, the Department of Defense has made a concerted effort to codify and publish standards related to information security in response to a dramatic surge in cybersecurity attacks. These published information security standards convey to contractors what is required to do business with the department. The motivated firms have responded accordingly.
Think Your Organization Is Ready to Begin the CMMC Process?
Contact us with questions or to schedule a CMMC gap assessment.
Managing Controlled Unclassified Information (CUI)
Eight Steps to the New Cybersecurity Maturity Model Certification (CMMC) Now Required by the DoD
Cybersecurity Maturity Model Certification (CMMC) Terminology and FAQs
1 Designation and Sharing of Controlled Unclassified Information (CUI). White House Memorandum. (2008, May 7). National Archives. www.archives.gov/files/cui/documents/2008-WH-memo-on-designation-and-sharing-of-cui.pdf
2 Singel, R. (2009, October 1). Probe Targets Archives’ Handling of Data on 70 Million Vets. Wired. www.wired.com/2009/10/probe-targets-archives-handling-of-data-on-70-million-vets/
3 Executive Order 13556 -- Controlled Unclassified Information. (2011, December 12). Whitehouse.Gov. obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information
4 Vogel, S. (2011, November 24). Tricare military beneficiaries being informed of stolen personal data. Washington Post. www.washingtonpost.com/politics/tricare-military-beneficiaries-being-informed-of-stolen-personal-data/2011/11/23/gIQAcRNHtN_story.html
5 Fruhlinger, J. (2020, February 12). The OPM hack explained: Bad security practices meet China’s Captain America. CSO Online. www.csoonline.com/article/3318238/the-opm-hack-explained-bad-security-practices-meet-chinas-captain-america.html
6 Executive Order -- Improving Critical Infrastructure Cybersecurity. (2013, February 12). Whitehouse.Gov. obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity
7 Fruhlinger, J. (2020, February 12). The OPM hack explained: Bad security practices meet China’s Captain America. CSO Online. www.csoonline.com/article/3318238/the-opm-hack-explained-bad-security-practices-meet-chinas-captain-america.html
8 Cybersecurity Incidents. (2015). U.S. Office of Personnel Management. www.opm.gov/cybersecurity/cybersecurity-incidents/
9 Committee on Oversight and Government Reform. (2016, September). The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation. House Oversight and Government Reform. republicans-oversight.house.gov/report/opm-data-breach-government-jeopardized-national-security-generation
10 Chappell, B. (2015, July 10). OPM Director Archuleta Resigns In Wake Of Data Breaches. NPR. www.npr.org/sections/thetwo-way/2015/07/10/421783403/opm-director-archuleta-resigns-in-wake-of-data-breaches
11 NIST Releases Cybersecurity Framework Version 1.0. (2018, January 8). NIST. www.nist.gov/news-events/news/2014/02/nist-releases-cybersecurity-framework-version-10
12 Chappell, B. (2018, September 27). Uber Pays $148 Million Over Yearlong Cover-Up Of Data Breach. NPR. www.npr.org/2018/09/27/652119109/uber-pays-148-million-over-year-long-cover-up-of-data-breach
13 Nakashima, E., & Harris, S. (2018, July 13). How the Russians hacked the DNC and passed its emails to WikiLeaks. Washington Post. www.washingtonpost.com/world/national-security/how-the-russians-hacked-the-dnc-and-passed-its-emails-to-wikileaks/2018/07/13/af19a828-86c3-11e8-8553-a3ce89036c78_story.html
14 Newman, L. H. (2017, September 14). The Equifax Breach Was Entirely Preventable. Wired. www.wired.com/story/equifax-breach-no-excuse/
15 Barrett, B. (2020, March 31). Marriott Got Hacked. Yes, Again. Wired. www.wired.com/story/marriott-hacked-yes-again-2020/
16 Harwell, D., & Fowler, G. A. (2019, June 11). U.S. Customs and Border Protection says photos of travelers were taken in a data breach. Washington Post. www.washingtonpost.com/technology/2019/06/10/us-customs-border-protection-says-photos-travelers-into-out-country-were-recently-taken-data-breach/
17 Barrett, B. (2020b, December 19). Russia’s SolarWinds Hack Is a Historic Mess. Wired. www.wired.com/story/russia-solarwinds-hack-roundup/
18 Turton, W., & Mehrotra, K. (2021, June 4). Hackers Breached Colonial Pipeline Using Compromised Password. Bloomberg. www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password
19 Lewis, J. A. (2018, February 21). Economic Impact of Cybercrime. Center for Strategic and International Studies. www.csis.org/analysis/economic-impact-cybercrime
20 National Archives Issues Regulation on Controlled Unclassified. (2016, November 1). National Archives. www.archives.gov/press/press-releases/2016/nr16-90