Submitted by on
Home> Guides> Governance> CMMC Controlled Unclassified Information (CUI)

Home > Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI)

Share this Page

Controlled unclassified information (CUI) is information that is designated by law, regulation, or government-wide policy to require safeguarding and dissemination controls. Controlled unclassified information excludes information classified under Executive Order 13526 as Classified National Security Information.

The controlled unclassified information program represents one of the federal government’s most sweeping requirements.

The CMMC 2.0 (Cybersecurity Maturity Model Certification) protections are defined by the Department of Defense (DoD) to secure controlled unclassified information that resides on the Defense Industrial Base systems and networks. The CMMC model has three levels of cybersecurity practices. Levels 2 and 3 focus on the protection of controlled unclassified information and include the security requirements that are specified in NIST SP 800-171, along with additional  proven cybersecurity standards.

What Is Controlled Unclassified Information (CUI)

While not considered classified, controlled unclassified information requires special care and protection, including secure storage, destination controls, and access restrictions. This is information that does not meet the criteria of classified information, but needs a level of protection from unauthorized access and release.

Controlled unclassified information (CUI) as Defined by Rule 32 Code of Federal Regulations Part 2002 (32 CFR Part 2002)

--Is any information which the loss, misuse, or modification of, or unauthorized access to, could adversely affect the national interest or the conduct of Federal programs or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy

--Is not available to the general public

--May include:
Government acquisition-sensitive information, including source selection information as defined in section 2.101 of the Federal Acquisition Regulation (48 CFR chapter 1), contractor bid or proposal information.

Information contained in individual contracts that is not public information and such contract information contained in Government databases; proprietary economic, financial, or business information (e.g., salary information) provided to the government by other parties (e.g., other contractors)

Personally identifiable information (PII) that includes, but is not limited to, social security numbers, names, dates of birth, places of birth, parents’ names, credit card numbers, applications for entitlements, and information relating to a person’s private financial, income, employment, and tax records

--Other information that the contracting officer or other authorized employee explicitly identifies as controlled unclassified information

--May exist in various physical media (e.g., paper, electronic file, audio or video disc) or be transmitted orally, may be developed under or pre-exist any related contract, and may be in its original form or a derivative form (i.e., where the information has been included in contractor-generated work, or where it is discernible from materials incorporating or based upon such information) The source for this information is as follows: 32 CFR Part 2002

Historically, each Federal agency developed its own practices for sensitive unclassified information. The result was overwhelming and expensive for the DIB, with inconsistent systems, procedures, and terminologies.

Controlled unclassified information created a uniform code for all Federal agencies along with their contractors and subcontractors to follow. This resolved several critical and cumbersome deficiencies by providing:

  • Enhanced safeguarding
  • Consistent markings
  • Streamlined restrictions

Seven Examples of Controlled Unclassified Information

1. For Official Use Only (FOUO) 

2. Law Enforcement Sensitive (LES)

3. Personally Identifiable Information (PII) 

4. Proprietary Business Information (PBI)  

5. Sensitive but Unclassified (SBU) 

6. Sensitive Personally Identifiable Information (SPII) 

7. Unclassified Controlled Technical Information (UCTI)

Controlled Unclassified Information Registry

The Registry is an online repository for information, guidance, policy, and requirements on handling controlled unclassified information. It includes:  

  • Explanation of the basis for controls
  • A centralized repository that captures general descriptions for categories and subcategories
  • Common definitions   
  • Standardized procedures for the use of controlled unclassified information—e.g., marking, safeguarding, transporting, dissemination, reuse, and disposal
Organizational Index GroupingCUI Categories
Critical InfrastructureAmmonium Nitrate
Chemical-terrorism Vulnerability Information
Critical Energy Infrastructure Information
Emergency Management
General Critical Infrastructure Information
Information Systems Vulnerability Information
Physical Security
Protected Critical Infrastructure Information
SAFETY Act Information
Toxic Substances
Water Assessments
DefenseControlled Technical Information
DoD Critical Infrastructure Security Information
Naval Nuclear Propulsion Information
Unclassified Controlled Nuclear Information—Defense
Export ControlExport Controlled
Export Controlled Research
FinancialBank Secrecy
Budget
Comptroller General
Consumer Complaint Information
Electronic Funds Transfer
Federal Housing Finance Non-Public Information
Financial Supervision Information
General Financial Information
International Financial Institutions
Mergers
Net Worth
Retirement
ImmigrationAsylee
Battered Spouse or Child
Permanent Resident Status
Status Adjustment
Temporary Protected Status
Victims of Human Trafficking
Visas
IntelligenceAgriculture
Foreign Intelligence Surveillance Act
Foreign Intelligence Surveillance Act
Business Records
General Intelligence
Geodetic Product Information
Intelligence Financial Records Internal Data
Operations Security
International Agreement InformationInternational Agreement Information
Law EnforcementAccident Investigation
Campaign Funds
Committed Person
Communications
Controlled Substances
Criminal History Records Information
DNA
General Law Enforcement
Informant
Investigation
Juvenile
Law Enforcement Financial Records
National Security Letter
Pen Register/Trap & Trace
Reward
Sex Crime Victim
Terrorist Screening
Whistleblower Identity
LegalAdministrative Proceedings
Child Pornography
Child Victim/Witness
Collective Bargaining
Federal Grand Jury
Legal Privilege
Legislative Materials
Pre-sentencing Report
Prior Arrest
Protective Order Victim
Witness Protection
Natural and Cultural ResourcesArchaeological Resources
Historic Properties
National Park System Resources
North Atlantic Treaty Organization (NATO)NATO Restricted
NATO Unclassified
NuclearGeneral Nuclear
Nuclear Recommendation Material
Nuclear Security-Related Information
Safeguards Information
Unclassified Controlled Nuclear Information—Energy
PatentPatent Applications
Inventions
Secrecy Orders
PrivacyContract Use
Death Records
General Privacy
Genetic Information
Health Information
Inspector General Protected
Military Personnel Records
Personnel Records
Student Records
Procurement and AcquisitionGeneral Procurement and Acquisition
Small Business Research and Technology
Source Selection
Proprietary Business InformationEntity Registration Information
General Proprietary Business Information
Ocean Common Carrier and Marine Terminal Operator Agreements
Ocean Common Carrier Service Contracts
Proprietary Manufacturer
Proprietary Postal
ProvisionalHomeland Security Agreement Information
Homeland Security Enforcement Information
Information Systems Vulnerability Information—Homeland
International Agreement Information—Homeland
Operations Security Information
Personnel Security Information
Physical Security—Homeland
Privacy Information
Sensitive Personally Identifiable Information
StatisticalInvestment Survey
Pesticide Producer Survey
Statistical Information
US Census
TaxFederal Taxpayer Information
Tax Convention
Taxpayer Advocate Information
Written Determinations
TransportationRailroad Safety Analysis Records
Sensitive Security Information

Controlled Unclassified Information History

  • 2004
    The 9/11 Commission’s report recommended the horizontal sharing of intelligence information that transcended individual agencies.
  • 2009
    A Presidential Task Force expanded the 9/11 Commission’s recommendation to include all information falling within the definition of controlled unclassified information.
  • 2010
    Executive Order 13556, “Controlled Unclassified Information,” established the Controlled Unclassified Information Program with the National Archives and Records Administration (NARA) to serve as the Executive Agent (EA) to implement the program to ensure compliance.  
  • 2015
    Rule 32 Code of Federal Regulations Part 2002 (32 CFR Part 2002), “Controlled Unclassified Information,” was published in the Federal Register and entered the Office of Management and Budget (OMB)-managed Federal regulatory processes.
  • 2016
    32 CFR Part 2002 was published as a final rule on September 14, 2016, and became effective on November 14, 2016.

CUI in NIST SP 800-171

The National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, was published in June 2015.

The controlled unclassified information requirements that NIST calls out in NIST 800-171 come from three previous publications:

1. Federal Information Processing Standard (FIPS) Publication 200- Minimum Security Requirements for Federal Information and Information Systems.

2. The moderate security control baseline in NIST Special Publication 800-53 

3. 32 CFR Part 2002, Controlled Unclassified Information, which was still a proposal at that time

Extending the protection of controlled unclassified information resident in non-government information systems and organizations was a critical step in enhancing security.

Protecting such  information was deemed to be “of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations.”Focused on government contractors, NIST 800-171 applies to those parts of a contractor’s network where controlled unclassified information is present.

Strengthening the security of the whole government supply chain was a key objective of NIST 800-171, meant to be achieved by defining the cybersecurity requirements for contractors who handle sensitive government information.

Controlled Unclassified Information Security Requirements in NIST 800-171

The controlled unclassified information security requirements set forth within NIST SP 800-171 must be used by all federal agencies in “contractual vehicles or other agreements” that are put in place by agencies with non-federal organizations.

That common set of requirements is meant to protect the confidentiality of controlled unclassified information. “The requirements apply to all components of non-federal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components,” including:

  • When the controlled unclassified information is resident in non-federal information systems and organizations
  • When the information systems where the controlled unclassified information resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies
  • Where there are no specific safeguarding requirements for protecting the confidentiality of controlled unclassified information prescribed by the authorizing law, regulation, or government-wide policy for the category or subcategory listed in the Registry

NIST SP 800-171 has a well-defined structure for the security requirements to be used to protect the confidentiality of controlled unclassified information in non-federal information systems and organizations. The two NIST SP 800-171 security requirements sections are split into:

1. A basic security requirements section 

2. A derived security requirements section

14 Controlled Unclassified Information Security Requirement Families in NIST 800-171

Based on the minimum-security requirements for federal information and information systems described in FIPS Publication 200, NIST 800-171 organizes the controlled unclassified information security requirements into 14 families.

Those families are based on general security topics. Absent from the security requirements list are contingency planning, system and services acquisition, and planning requirements. 

Based on the minimum-security requirements for federal information and information systems described in FIPS Publication 200, NIST SP 800-171 organizes controlled unclassified information security requirements into 14 families.

Those families are based on general security topics. Absent from the security requirements list are contingency planning, system and services acquisition, and planning requirements. 

1. Access Control 

2. Audit and Accountability 

3. Awareness and Training 

4. Configuration Management 

5. Identification and Authentication 

6. Incident Response 

7. Maintenance 

8. Media Protection

9. Personnel Security

10. Physical Protection

11. Risk Assessment

12. Security Assessment

13. System and Communications Protection

14. System and Information Integrity

Additional Controlled Unclassified Information Security Requirements

In addition to NIST SP 800-171, federal agencies using federal information systems to process, store, or transmit controlled unclassified information, must also comply with:

  • FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems (moderate confidentiality impact) 
  • FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems 
  • NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations 
  • NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories
Target Audiences for NIST 800-171 and Controlled Unclassified Information Requirements

NIST SP 800-171 is intended to serve a diverse group of individuals and organizations in the public and private sectors including, but not limited to: Individuals with information system development life cycle responsibilities (e.g., program managers, mission/business owners, information owners/stewards, system designers and developers, information system/security engineers, systems integrators)

Individuals with acquisition or procurement responsibilities (e.g., contracting officers)

Individuals with information system, security, and/or risk management and oversight responsibilities (e.g., authorizing officials, chief information officers, chief information security officers, information system owners, information security managers)

Individuals with information security assessment and monitoring responsibilities (e.g., auditors, system evaluators, assessors, independent verifiers/validators, analysts)
The above roles and responsibilities can be viewed from two distinct perspectives:

1. The federal perspective, as the entity establishing and conveying the CUI security requirements in contractual vehicles or other types of inter-organizational agreements.

2. The non-federal perspective, as the entity responding to and complying with the CUI security requirements set forth in contracts or agreements.

Source: NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations

CUI Handling Between Contractors & Sub-Contractors

Controlled unclassified information security requirements that apply to federal contractors also extend to contractors’ employees, subcontractors, and subcontractors’ employees. According to NIST SP 800-171, the expectation of federal agencies in working with non- federal entities include:

  • Non Federal organizations can implement a variety of potential security solutions either directly or using a managed services provider to satisfy controlled unclassified information security requirements.
  • Non-Federal organizations have information technology infrastructures in place and are not necessarily developing or acquiring information systems specifically for the purpose of processing, storing, or transmitting controlled unclassified information.
  • Non-Federal organizations have specific safeguarding measures in place to protect their information, which may also be sufficient to satisfy the CUI security requirements.
  • Non-Federal organizations may not have the necessary organizational structure or resources to satisfy every controlled unclassified information security requirement and may implement alternative, but equally effective security measures to compensate for the inability to satisfy a particular requirement.

NIST SP 800-171 also has specific directives related to the handling of controlled unclassified information between amongst contractors and subcontractors.

One of the main activities is the processing, storage, and transmission of sensitive federal information to deliver products and services to federal agencies. Among the activities where federal contractors or subcontractors work with controlled unclassified information are:

  • Conducting background investigations for security clearances
  • Delivering Web, email, cloud, and other online services
  • Developing and maintaining communications, satellite, and weapons systems
  • Processing healthcare data
  • Providing credit cards and other financial services

Controlled Unclassified Information for Standardization and CMMC

The controlled unclassified information program represents one of the federal government’s most sweeping requirements. It provides standardization of practices that span federal government departments and agencies, state, local, and tribal organizations, as well as private sector entities, academia, and industry.

The implementation of the controlled unclassified information initiative has brought more timely and consistent information that has increased transparency and clarity throughout the federal government and associated organizations, including for government subcontractors.  

In addition to these benefits, the controlled unclassified information program plays a crucial role in the nation’s security posture. CMMC’s controlled unclassified information practices provide safeguards to protect data that malicious actors can exploit. The adoption of CMMC controlled unclassified information practices has significantly mitigated risks to national security.

Egnyte has experts ready to answer your questions. For more than a decade, Egnyte has helped more than 16,000 customers with millions of customers worldwide.

Last Updated: 28th June, 2024

Share this Page