Introduction to Controlled Unclassified Information (CUI)

For small companies new to the ways of the U.S. Department of Defense (DoD), the challenge of landing a first-time contract may seem as daunting as an attempt to climb Mount Everest.

After all, the DoD is not only the largest employer in the United States, but it’s also the largest employer in the world.¹ And, naturally, it has all the procedures and requirements you would expect of a government bureaucracy of that size and complexity. One of those requirements for a DoD contractor is demonstrating information security expertise.

That includes expertise in protecting what is referred to as Controlled Unclassified Information (CUI). This is a category of government information that is not as well-known as its cousin, classified information, but is still very important in the eyes of the DoD. Even small firms new to defense work are required to learn how to protect it.

CUI is defined as the information the government owns or creates, or that a firm or organization possesses or creates for the government, that needs to be safeguarded and protected using the information security controls required under current government laws, regulations and policies.

In October 2009, a major data breach at the National Archives and Records Administration (NARA) put the records of millions of military veterans at risk. The response was Executive Order 13556, “Controlled Unclassified Information,” issued in November of 2010, which created a program to manage CUI for the first time.

Over the last decade, the department has made a sustained effort to publish improved standards on how to protect sensitive information. It has done this to inform contractors about what is required to safeguard CUI and in response to a dramatic increase in cybersecurity attacks and data breaches in recent years.

After several high-profile cyberattacks on government agencies over the last decade, the government responded with executive orders and legislation. These executive orders and legislation included the likes of NIST SP 800-171, the Cybersecurity and Infrastructure Security Agency Act, the Cybersecurity Maturity Model Certification (CMMC) program, NIST SP 800-172 and the official CMMC program rollout.

The government responses to cyberattacks and data breaches represent in large part a concerted effort to protect CUI. Although CUI isn’t classified information, the federal government has determined that it needs to be protected because its malicious release poses a threat to national security.

The government responded with executive orders and legislation, including NIST SP 800-171, Rev. 1, the Cybersecurity and Infrastructure Security Agency Act, the Cybersecurity Maturity Model Certification (CMMC) program, NIST SP 800-171, Rev. 2, NIST SP 800-172 and the official CMMC program rollout.

The government responses to cyberattacks and data breaches over the last ten years represent in large part a concerted effort to protect CUI. CUI isn’t classified information, but the federal government has determined that it needs to be protected, because its malicious release poses a threat to national security.

In late 2020, the DoD announced the Cybersecurity Maturity Model Certification (CMMC) program which mandates new information security requirements for all organizations within the Defense Industrial Base (DIB). One of the requirements is third-party certification by a CMMC Third-Party Assessment Organization (C3PAO) for CMMC Level 2 and Level 3 by the end of 2025.

The CMMC program was introduced in direct response to the sharp increase in cybersecurity attacks over the last few years, which the department considers a serious threat to the economic and national security of the country. Recent, high-profile cyberattacks including the attacks on SolarWinds, Kaseya and Accenture are some of the most recent examples.

“SolarWinds is a great example,” says Tony Giles, an information security expert with NSF-ISR. “In December of 2020, this large, publicly-traded firm was breached. You can walk through their incident response. There's so much involved with that. Information security seems to be top of mind for everyone these days.”

The losses due to cybercrime are staggering, with credible estimates running in excess of $600 billion a year, according to a report from the Center for Strategic and International Studies (CSIS) and information security firm McAfee. This reflects a sharp increase from a 2014 study which placed global losses at close to $445 billion annually.

Introduction of the CMMC program is an important part of the Defense Department’s response to rising cybersecurity threats. It’s intended as a verification mechanism to ensure that firms working with the DoD implement effective cybersecurity practices to protect CUI.

The DoD planned CMMC as a five-year, phased rollout with CMMC requirements appearing on all contracts with suppliers starting in fiscal year 2026. This means that all DoD contractors and their supply chain partners will need to comply in order to bid on future defense contracts.

The CMMC model includes three levels of cybersecurity practices with NIST SP 800-171 controls serving as the basis. Below is a quick overview of the three CMMC levels:

• Level 1 focuses on basic cyber hygiene and the protection of federal contract information (FCI).
• Level 2 focuses on the protection of CUI. It includes the controls specified in NIST SP 800-171.
• Level 3 targets information security measures a firm should take to detect and respond to threats. Compliance requirements include a portion of NIST 800-172 controls.

Securing CUI within the Defense Industrial Base (DIB) is one of the goals of the CMMC program. DoD contractors committed to implementing cybersecurity practices and fostering a strong culture of information security consistent with DoD requirements should understand the importance of safeguarding CUI and how it fits within the CMMC process.

Rhia Dancel is a CMMC Registered Practioner at NSF-ISR. She describes CUI as “information generated by or provided by the government and requires protection and safeguarding measures. CUI is a fundamental part of the initial CMMC assessment and is what drives the conversation.”

“The main CUI categories we see are controlled technical information (CTI) and Proprietary Manufacturer (MFC),” Dancel adds. “Blueprints or technical drawings would fall under the CUI category of controlled technical information (CTI). Also, manufacturing a part or component based on a technical drawing or spec would fall under the CUI category of MFC.”

Creating an entire information security protocol around CUI was a significant step for the DoD. The message to defense contractors was simple and direct: Certain types of unclassified information are sensitive, important to the country and wanted by adversaries. These need strong safeguards.

In contrast to classified information, the DoD across all levels of responsibility and mission areas receive, handle, create and share CUI. In order to protect CUI, the DoD has implemented a uniform system across the federal government departments with instructions on how CUI documents should be marked.

The government’s CUI Registry includes 18 organizational categories: critical infrastructure, defense, export control, financial, immigration, intelligence, international agreements, law enforcement, legal, natural and cultural resources, NATO, nuclear, privacy, procurement and acquisition, proprietary business information, provisional, statistical and tax.

There are seven sub-categories within the CUI hierarchy, including:

1. Personally identifiable information (PII)
2. Sensitive personally identifiable information (SPII)
3. Proprietary business information (PBI)
4. Unclassified controlled technical information (UCTI)
5. Sensitive but unclassified (SBU)
6. For official use only (FOUO)
7. Law enforcement sensitive (LES)

DoD Instruction 5200.48 lays out mutual requirements for both the department and suppliers when handling CUI as part of contract work being done. The wording used within the instruction reflects what is required when handling CUI. Not “suggested,” not “recommended,” but “required.”

First, the DoD must inform the contractor of any CUI and ensure it is marked accordingly. When providing CUI, the DoD must communicate this clearly in all contract documentation. DoD contracts require suppliers to track CUI and report classifications to the department.

CUI will be classified at a “moderate” level of confidentiality and follow DoDI 8500.01 and 8510.01 instructions in all DoD systems. Non-DoD private sector systems need to provide effective security with requirements described in all legal documents with non-DoD entities consistent with DoDI 8582.01 instruction guidelines.

DoD representatives and contractors will then submit all unclassified DoD information for review and approval based on department instruction 5230.09 before release. All CUI records must follow approved mandatory disposition rules whenever the DoD provides CUI to, or whenever CUI is created by, anyone other than the DoD.

Our white paper, Identifying and Protecting Controlled Unclassified Information (CUI), specifies the six steps DoD contractors should follow to determine if contract documentation and information is considered CUI.

Information security experts recommend specific steps companies should take to identify their CUI exposure given the critical services they offer as part of their operations. The steps serve as a helpful guide for implementing a cost-effective information security plan and preparing for a future CMMC assessment.

The first step in the process is defining the four categories of company assets: people, information, technology and facilities. Defining these basic categories within the operation is part of the mapping-out process firms need to do in order to identify and protect CUI.

Let’s take a look at what’s included within each category:

• People includes all staff responsible for creating and delivering the products or services a firm offers to customers.
• Information is the data used to produce the firm’s products or services, how they are designed, customer data and order information.
• Technology is the hardware and software used to create the company’s products or services. This could include a managed service provider (MSP) or a cloud service provider (CSP).
• Facilities are the buildings, offices and warehouses where the firm’s staff use technology and information to create their products or services.

Mapping out essential services starts with asking relevant questions across these four key categories. This question and answer process requires staff time and resources, but it will yield a critical map showing how CUI and other information flows through the firm.

Under the people category, it’s important to know:

• Who supports the portal operation, including staff and third parties?
• Which people and departments have access to the portal?

Under the information category, a company needs to know:

• What information is stored where?
• Is it stored locally on the server, on a SAN/NAS device or hosted in the cloud?

Key information and technology questions include:

• Is the portal on a server, cloud-based or virtual?
• How does data flow within the enterprise network?

Some of the questions will span more than one category. For example:

• Is portal information backed up? If so, to where?
• Does the firm have a disaster recovery site for the portal?
• Who supports the operation of the portal and who has access?
• Where is portal staff located within the overall company?

This question and answer process has a very specific goal: to create the data flow diagram the company needs to identify and protect CUI within the firm.

Shrewd DoD contractors, large and small, have looked out over the defense landscape, seen the importance of CMMC compliance and made the moves to train their staff to protect CUI, both within their internal operations and those of supply chain partners.

They are motivated by two factors. First, they want to continue doing business with the DoD. Second, they understand that having effective information security plans in place to protect sensitive information allows their organization to ensure best practices to guard against cybersecurity attacks and data breaches.

Established DoD contractors will likely already have solid information security systems for identifying and protecting CUI. Knowing what the DoD requires and implementing effective data security measures in response is likely to be much more of a challenge for smaller organizations hoping to earn their own place in the DIB community.