Controlled Unclassified Information (CUI)
Controlled unclassified information (CUI) is information that is designated by law, regulation, or government-wide policy to require safeguarding and dissemination controls. Controlled unclassified information excludes information classified under Executive Order 13526 as Classified National Security Information.
The CMMC 2.0 (Cybersecurity Maturity Model Certification) protections are defined by the U.S. Department of Defense (DoD) to secure controlled unclassified information that resides on the Defense Industrial Base systems and networks.
The CMMC model has three levels of cybersecurity practices. Levels 2 and 3 focus on the protection of controlled unclassified information and include the security requirements that are specified in NIST SP 800-171 Rev. 2, along with additional proven cybersecurity standards.
Let’s jump in and learn:
What Is Controlled Unclassified Information (CUI)?
While not considered classified, controlled unclassified information requires special care and protection, including secure storage, destination controls, and access restrictions. This is information that does not meet the criteria of classified information, but needs a level of protection from unauthorized access and release.
| Controlled unclassified information (CUI) as Defined by Rule 32 Code of Federal Regulations Part 2002 (32 CFR Part 2002) --Is any information which the loss, misuse, or modification of, or unauthorized access to, could adversely affect the national interest or the conduct of Federal programs or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy --Is not available to the general public --May include: Government acquisition-sensitive information, including source selection information as defined in section 2.101 of the Federal Acquisition Regulation (48 CFR chapter 1), contractor bid or proposal information. Information contained in individual contracts that is not public information and such contract information contained in Government databases; proprietary economic, financial, or business information (e.g., salary information) provided to the government by other parties (e.g., other contractors) Personally identifiable information (PII) that includes, but is not limited to, social security numbers, names, dates of birth, places of birth, parents’ names, credit card numbers, applications for entitlements, and information relating to a person’s private financial, income, employment, and tax records --Other information that the contracting officer or other authorized employee explicitly identifies as controlled unclassified information --May exist in various physical media (e.g., paper, electronic file, audio or video disc) or be transmitted orally, may be developed under or pre-exist any related contract, and may be in its original form or a derivative form (i.e., where the information has been included in contractor-generated work, or where it is discernible from materials incorporating or based upon such information) The source for the information above is as follows: 32 CFR Part 2002 |
Historically, each Federal agency developed its own practices for sensitive unclassified information. The result was overwhelming and expensive for the DIB, with inconsistent systems, procedures, and terminology.
Controlled unclassified information created a uniform code for all Federal agencies along with their contractors and subcontractors to follow. This resolved several critical and cumbersome deficiencies by providing:
- Enhanced safeguarding
- Consistent marking
- Streamlined restrictions
Seven Examples of Controlled Unclassified Information
1. For Official Use Only (FOUO)
2. Law Enforcement Sensitive (LES)
3. Personally Identifiable Information (PII)
4. Proprietary Business Information (PBI)
5. Sensitive but Unclassified (SBU)
6. Sensitive Personally Identifiable Information (SPII)
7. Unclassified Controlled Technical Information (UCTI)
Controlled Unclassified Information Registry
The Registry is an online repository for information, guidance, policy, and requirements on handling controlled unclassified information. It includes:
- Explanation of the basis for controls
- A centralized repository that captures general descriptions for categories and subcategories
- Common definitions
- Standardized procedures for the use of controlled unclassified information—e.g., marking, safeguarding, transporting, dissemination, reuse, and disposal
| Organizational Index Grouping | CUI Categories |
| Critical Infrastructure | Ammonium NitrateChemical-terrorism Vulnerability InformationCritical Energy Infrastructure InformationEmergency ManagementGeneral Critical Infrastructure InformationInformation Systems Vulnerability InformationPhysical SecurityProtected Critical Infrastructure InformationSAFETY Act InformationToxic SubstancesWater Assessments |
| Defense | Controlled Technical InformationDoD Critical Infrastructure Security InformationNaval Nuclear Propulsion InformationUnclassified Controlled Nuclear Information—Defense |
| Export Control | Export ControlledExport Controlled Research |
| Financial | Bank SecrecyBudgetComptroller GeneralConsumer Complaint InformationElectronic Funds TransferFederal Housing Finance Non-Public InformationFinancial Supervision InformationGeneral Financial InformationInternational Financial InstitutionsMergersNet WorthRetirement |
| Immigration | AsyleeBattered Spouse or ChildPermanent Resident StatusStatus AdjustmentTemporary Protected StatusVictims of Human TraffickingVisas |
| Intelligence | AgricultureForeign Intelligence Surveillance ActForeign Intelligence Surveillance Act Business RecordsGeneral IntelligenceGeodetic Product InformationIntelligence Financial Records Internal DataOperations Security |
| International Agreement Information | International Agreement Information |
| Law Enforcement | Accident InvestigationCampaign FundsCommitted PersonCommunicationsControlled SubstancesCriminal History Records InformationDNAGeneral Law EnforcementInformantInvestigationJuvenileLaw Enforcement Financial RecordsNational Security LetterPen Register/Trap & TraceRewardSex Crime VictimTerrorist ScreeningWhistleblower Identity |
| Legal | Administrative ProceedingsChild PornographyChild Victim/WitnessCollective BargainingFederal Grand JuryLegal PrivilegeLegislative MaterialsPre-sentencing ReportPrior ArrestProtective Order VictimWitness Protection |
| Natural and Cultural Resources | Archaeological ResourcesHistoric PropertiesNational Park System Resources |
| North Atlantic Treaty Organization (NATO) | NATO RestrictedNATO Unclassified |
| Nuclear | General NuclearNuclear Recommendation MaterialNuclear Security-Related InformationSafeguards InformationUnclassified Controlled Nuclear Information—Energy |
| Patent | Patent ApplicationsInventionsSecrecy Orders |
| Privacy | Contract UseDeath RecordsGeneral PrivacyGenetic InformationHealth InformationInspector General ProtectedMilitary Personnel RecordsPersonnel RecordsStudent Records |
| Procurement and Acquisition | General Procurement and AcquisitionSmall Business Research and TechnologySource Selection |
| Proprietary Business Information | Entity Registration InformationGeneral Proprietary Business InformationOcean Common Carrier and Marine Terminal Operator AgreementsOcean Common Carrier Service ContractsProprietary ManufacturerProprietary Postal |
| Provisional | Homeland Security Agreement InformationHomeland Security Enforcement InformationInformation Systems Vulnerability Information—HomelandInternational Agreement Information—HomelandOperations Security InformationPersonnel Security InformationPhysical Security—Homeland Privacy InformationSensitive Personally Identifiable Information |
| Statistical | Investment SurveyPesticide Producer SurveyStatistical InformationUS Census |
| Tax | Federal Taxpayer InformationTax ConventionTaxpayer Advocate InformationWritten Determinations |
| Transportation | Railroad Safety Analysis RecordsSensitive Security Information |
Controlled Unclassified Information History
- 2004
The 9/11 Commission’s report recommended the horizontal sharing of intelligence information that transcended individual agencies. - 2009
A Presidential Task Force expanded the 9/11 Commission’s recommendation to include all information falling within the definition of controlled unclassified information. - 2010
Executive Order 13556, “Controlled Unclassified Information,” established the Controlled Unclassified Information Program with the National Archives and Records Administration (NARA) to serve as the Executive Agent (EA) to implement the program to ensure compliance. - 2015
Rule 32 Code of Federal Regulations Part 2002 (32 CFR Part 2002), “Controlled Unclassified Information,” was published in the Federal Register and entered the Office of Management and Budget (OMB)-managed Federal regulatory processes. - 2016
32 CFR Part 2002 was published as a final rule on September 14, 2016, and became effective on November 14, 2016.
CUI in NIST SP 800-171
The National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, was published in June 2015.
The controlled unclassified information requirements that NIST calls out in NIST SP 800-171 come from three previous publications:
1. Federal Information Processing Standard (FIPS) Publication 200- Minimum Security Requirements for Federal Information and Information Systems.
2. The moderate security control baseline in NIST Special Publication 800-53
3. 32 CFR Part 2002, Controlled Unclassified Information, which was still a proposal when the standard was being developed
Extending the protection of controlled unclassified information resident in non-government information systems and organizations was a critical step in enhancing security.
Protecting such information was deemed to be “of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations.”
Focused on government contractors, NIST SP 800-171 applies to those parts of a contractor’s network where controlled unclassified information is present.
Strengthening the security of the whole government supply chain was a key objective of NIST SP 800-171, meant to be achieved by defining the cybersecurity requirements for contractors who handle sensitive government information.
Controlled Unclassified Information Security Requirements in NIST 800-171
The controlled unclassified information security requirements set forth within NIST SP 800-171 must be used by all federal agencies in “contractual vehicles or other agreements” that are put in place by agencies with non-federal organizations.
That common set of requirements is meant to protect the confidentiality of controlled unclassified information. “The requirements apply to all components of non-federal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components,” including:
- When the controlled unclassified information is resident in non-federal information systems and organizations
- When the information systems where the controlled unclassified information resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies
- Where there are no specific safeguarding requirements for protecting the confidentiality of controlled unclassified information prescribed by the authorizing law, regulation, or government-wide policy for the category or subcategory listed in the Registry
NIST SP 800-171 has a well-defined structure for the security requirements to be used to protect the confidentiality of controlled unclassified information in non-federal information systems and organizations. The two NIST SP 800-171 security requirements sections are split into:
1. A basic security requirements section
2. A derived security requirements section
14 Controlled Unclassified Information Security Requirement Families in NIST 800-171
Based on the minimum-security requirements for federal information and information systems described in FIPS Publication 200, NIST SP 800-171 organizes controlled unclassified information security requirements into 14 families.
Those families are based on general security topics. Absent from the security requirements list are contingency planning, system and services acquisition, and planning requirements.
1. Access Control
2. Audit and Accountability
3. Awareness and Training
4. Configuration Management
5. Identification and Authentication
6. Incident Response
7. Maintenance
8. Media Protection
9. Personnel Security
10. Physical Protection
11. Risk Assessment
12. Security Assessment
13. System and Communications Protection
14. System and Information Integrity
Additional Controlled Unclassified Information Security Requirements
In addition to NIST SP 800-171, federal agencies using federal information systems to process, store, or transmit controlled unclassified information, must also comply with:
- FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems (moderate confidentiality impact)
- FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems
- NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations
- NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories
| Target Audiences for NIST SP 800-171 and Controlled Unclassified Information Requirements NIST SP 800-171 is intended to serve a diverse group of individuals and organizations in the public and private sectors including, but not limited to: Individuals with information system development life cycle responsibilities (e.g., program managers, mission/business owners, information owners/stewards, system designers and developers, information system/security engineers, systems integrators) Individuals with acquisition or procurement responsibilities (e.g., contracting officers) Individuals with information system, security, and/or risk management and oversight responsibilities (e.g., authorizing officials, chief information officers, chief information security officers, information system owners, information security managers) Individuals with information security assessment and monitoring responsibilities (e.g., auditors, system evaluators, assessors, independent verifiers/validators, analysts) The above roles and responsibilities can be viewed from two distinct perspectives: 1. The federal perspective, as the entity establishing and conveying the CUI security requirements in contractual vehicles or other types of inter-organizational agreements. 2. The non-federal perspective, as the entity responding to and complying with the CUI security requirements set forth in contracts or agreements. Source: NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations |
CUI Handling Between Contractors & Sub-Contractors
Controlled unclassified information security requirements that apply to federal contractors also extend to contractors’ employees, subcontractors, and subcontractors’ employees. According to NIST SP 800-171, the expectation of federal agencies in working with non- federal entities include:
- Non-Federal organizations can implement a variety of potential security solutions either directly or using a managed services provider to satisfy controlled unclassified information security requirements.
- Non-Federal organizations have information technology infrastructures in place and are not necessarily developing or acquiring information systems specifically for the purpose of processing, storing, or transmitting controlled unclassified information.
- Non-Federal organizations have specific safeguarding measures in place to protect their information, which may also be sufficient to satisfy the CUI security requirements.
- Non-Federal organizations may not have the necessary organizational structure or resources to satisfy every controlled unclassified information security requirement and may implement alternative, but equally effective security measures to compensate for the inability to satisfy a particular requirement.
NIST SP 800-171 also has specific directives related to the handling of controlled unclassified information amongst contractors and subcontractors.
One of the main activities is the processing, storage, and transmission of sensitive federal information to deliver products and services to federal agencies. Among the activities where federal contractors or subcontractors work with controlled unclassified information are:
- Conducting background investigations for security clearances
- Delivering Web, email, cloud, and other online services
- Developing and maintaining communications, satellite, and weapons systems
- Processing healthcare data
- Providing credit cards and other financial services
Controlled Unclassified Information for Standardization and CMMC
The controlled unclassified information program represents one of the federal government’s most sweeping requirements. It provides standardization of practices that span federal government departments and agencies, state, local, and tribal organizations, as well as private sector entities, academia, and industry.
The implementation of the controlled unclassified information initiative has brought more timely and consistent information that has increased transparency and clarity throughout the federal government and associated organizations, including for government subcontractors.
In addition to these benefits, the controlled unclassified information program plays a crucial role in the nation’s security posture. CMMC’s controlled unclassified information practices provide safeguards to protect data that malicious actors can exploit. The adoption of CMMC controlled unclassified information practices has significantly mitigated risks to national security.
Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 22,000+ customers with millions of users worldwide.
Last Updated: 4th November, 2024
