Controlled Unclassified Information (CUI)
Controlled unclassified information (CUI) is information that is designated by law, regulation, or government-wide policy to require safeguarding and dissemination controls. Controlled unclassified information excludes information classified under Executive Order 13526 as Classified National Security Information.
The Cybersecurity Maturity Model Certification (CMMC) 2.0 framework is defined by the Department of Defense (DoD) to secure controlled unclassified information that resides on Defense Industrial Base (DIB) systems and networks. The CMMC model has three levels of cybersecurity practices. Level 1 covers only Federal Contract Information; Levels 2 and 3 focus on the protection of controlled unclassified information. Level 2 aligns with the security requirements specified in NIST SP 800-171, and Level 3 adds a selected subset of the enhanced requirements in NIST SP 800-172.
What Is Controlled Unclassified Information (CUI)
While not classified, controlled unclassified information requires special care and protection, including secure storage, dissemination controls, and access restrictions. It is information that does not meet the criteria for classification but still needs protection from unauthorized access and release.
Controlled unclassified information (CUI) as characterized by this page, with reference to Title 32, Code of Federal Regulations, Part 2002 (32 CFR Part 2002). Note that the bulleted list below is broader than the regulatory text: 32 CFR 2002.4 itself defines CUI as information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. Treat the CUI Registry as the authoritative list of what qualifies. The characterization:
- Is any information the loss, misuse, or modification of, or unauthorized access to, could adversely affect the national interest, the conduct of Federal programs, or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy
- Is not available to the general public
- May include:
  - Government acquisition-sensitive information, including source selection information as defined in section 2.101 of the Federal Acquisition Regulation (48 CFR chapter 1) and contractor bid or proposal information
  - Information contained in individual contracts that is not public information, and such contract information contained in Government databases
  - Proprietary economic, financial, or business information (e.g., salary information) provided to the government by other parties (e.g., other contractors)
  - Personally identifiable information (PII), including but not limited to social security numbers, names, dates of birth, places of birth, parents’ names, credit card numbers, applications for entitlements, and information relating to a person’s private financial, income, employment, and tax records
- Other information that the contracting officer or other authorized employee explicitly identifies as controlled unclassified information
- May exist in various physical media (e.g., paper, electronic file, audio or video disc) or be transmitted orally, may be developed under or pre-exist any related contract, and may be in its original form or a derivative form (i.e., where the information has been included in contractor-generated work, or where it is discernible from materials incorporating or based upon such information)
Source cited by this page: 32 CFR Part 2002
Historically, each Federal agency developed its own practices for sensitive unclassified information. The result was burdensome and expensive for the DIB, with inconsistent systems, procedures, and terminologies.
The CUI Program created a uniform set of rules for all Federal agencies, and for their contractors and subcontractors, to follow. This resolved several critical and cumbersome deficiencies by providing:
- Enhanced safeguarding
- Consistent markings
- Streamlined restrictions
Seven Examples of Controlled Unclassified Information
1. For Official Use Only (FOUO)
2. Law Enforcement Sensitive (LES)
3. Personally Identifiable Information (PII)
4. Proprietary Business Information (PBI)
5. Sensitive but Unclassified (SBU)
6. Sensitive Personally Identifiable Information (SPII)
7. Unclassified Controlled Technical Information (UCTI)
Note that several of these are legacy markings rather than Registry categories: FOUO and SBU were agency-specific markings that the CUI Program replaced, and 32 CFR Part 2002 does not permit legacy markings on newly created CUI. The authoritative list of categories is the CUI Registry described next.
Controlled Unclassified Information Registry
The CUI Registry, maintained by the Information Security Oversight Office (ISOO) at NARA, is the online repository for information, guidance, policy, and requirements on handling controlled unclassified information. It includes:
- Explanation of the basis for controls
- A centralized repository that captures general descriptions for categories and subcategories
- Common definitions
- Standardized procedures for the use of controlled unclassified information—e.g., marking, safeguarding, transporting, dissemination, reuse, and disposal
| Organizational Index Grouping | CUI Categories |
| --- | --- |
| Critical Infrastructure | Ammonium Nitrate; Chemical-terrorism Vulnerability Information; Critical Energy Infrastructure Information; Emergency Management; General Critical Infrastructure Information; Information Systems Vulnerability Information; Physical Security; Protected Critical Infrastructure Information; SAFETY Act Information; Toxic Substances; Water Assessments |
| Defense | Controlled Technical Information; DoD Critical Infrastructure Security Information; Naval Nuclear Propulsion Information; Unclassified Controlled Nuclear Information—Defense |
| Export Control | Export Controlled; Export Controlled Research |
| Financial | Bank Secrecy; Budget; Comptroller General; Consumer Complaint Information; Electronic Funds Transfer; Federal Housing Finance Non-Public Information; Financial Supervision Information; General Financial Information; International Financial Institutions; Mergers; Net Worth; Retirement |
| Immigration | Asylee; Battered Spouse or Child; Permanent Resident Status; Status Adjustment; Temporary Protected Status; Victims of Human Trafficking; Visas |
| Intelligence | Agriculture; Foreign Intelligence Surveillance Act; Foreign Intelligence Surveillance Act Business Records; General Intelligence; Geodetic Product Information; Intelligence Financial Records; Internal Data; Operations Security |
| International Agreement Information | International Agreement Information |
| Law Enforcement | Accident Investigation; Campaign Funds; Committed Person; Communications; Controlled Substances; Criminal History Records Information; DNA; General Law Enforcement; Informant; Investigation; Juvenile; Law Enforcement Financial Records; National Security Letter; Pen Register/Trap & Trace; Reward; Sex Crime Victim; Terrorist Screening; Whistleblower Identity |
| Legal | Administrative Proceedings; Child Pornography; Child Victim/Witness; Collective Bargaining; Federal Grand Jury; Legal Privilege; Legislative Materials; Pre-sentencing Report; Prior Arrest; Protective Order; Victim; Witness Protection |
| Natural and Cultural Resources | Archaeological Resources; Historic Properties; National Park System Resources |
| North Atlantic Treaty Organization (NATO) | NATO Restricted; NATO Unclassified |
| Nuclear | General Nuclear; Nuclear Recommendation Material; Nuclear Security-Related Information; Safeguards Information; Unclassified Controlled Nuclear Information—Energy |
| Patent | Patent Applications; Inventions; Secrecy Orders |
| Privacy | Contract Use; Death Records; General Privacy; Genetic Information; Health Information; Inspector General Protected; Military Personnel Records; Personnel Records; Student Records |
| Procurement and Acquisition | General Procurement and Acquisition; Small Business Research and Technology; Source Selection |
| Proprietary Business Information | Entity Registration Information; General Proprietary Business Information; Ocean Common Carrier and Marine Terminal Operator Agreements; Ocean Common Carrier Service Contracts; Proprietary Manufacturer; Proprietary Postal |
| Provisional | Homeland Security Agreement Information; Homeland Security Enforcement Information; Information Systems Vulnerability Information—Homeland; International Agreement Information—Homeland; Operations Security Information; Personnel Security Information; Physical Security—Homeland; Privacy Information; Sensitive Personally Identifiable Information |
| Statistical | Investment Survey; Pesticide Producer Survey; Statistical Information; US Census |
| Tax | Federal Taxpayer Information; Tax Convention; Taxpayer Advocate Information; Written Determinations |
| Transportation | Railroad Safety Analysis Records; Sensitive Security Information |
Controlled Unclassified Information History
- 2004: The 9/11 Commission’s report recommended the horizontal sharing of intelligence information that transcended individual agencies.
- 2009: A Presidential Task Force expanded the 9/11 Commission’s recommendation to include all information falling within the definition of controlled unclassified information.
- 2010: Executive Order 13556, “Controlled Unclassified Information,” established the Controlled Unclassified Information Program and designated the National Archives and Records Administration (NARA) as the Executive Agent (EA) to implement the program and oversee agency compliance.
- 2015: The proposed rule, Title 32, Code of Federal Regulations, Part 2002 (32 CFR Part 2002), “Controlled Unclassified Information,” was published in the Federal Register and entered the Office of Management and Budget (OMB)-managed Federal regulatory process.
- 2016: 32 CFR Part 2002 was published as a final rule on September 14, 2016, and became effective on November 14, 2016.
CUI in NIST SP 800-171
The National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, was published in June 2015.
The controlled unclassified information requirements in NIST SP 800-171 are derived from three earlier publications:
1. Federal Information Processing Standard (FIPS) Publication 200, Minimum Security Requirements for Federal Information and Information Systems
2. The moderate security control baseline in NIST Special Publication 800-53
3. 32 CFR Part 2002, Controlled Unclassified Information, which was still a proposed rule at the time
Extending the protection of controlled unclassified information resident in non-government information systems and organizations was a critical step in enhancing security.
Protecting such information was deemed to be “of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations.” Focused on government contractors, NIST SP 800-171 applies to those parts of a contractor’s environment where controlled unclassified information is processed, stored, or transmitted, not to the entire enterprise network.
Strengthening the security of the whole government supply chain was a key objective of NIST 800-171, meant to be achieved by defining the cybersecurity requirements for contractors who handle sensitive government information.
Controlled Unclassified Information Security Requirements in NIST 800-171
The controlled unclassified information security requirements set forth in NIST SP 800-171 are to be used by federal agencies in the “contractual vehicles or other agreements” they establish with non-federal organizations.
That common set of requirements is meant to protect the confidentiality of controlled unclassified information. “The requirements apply to all components of non-federal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components.” They apply only when all three of the following conditions hold:
- The controlled unclassified information is resident in non-federal information systems and organizations
- The information systems where the controlled unclassified information resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies (that is, they are not federal information systems)
- There are no specific safeguarding requirements for protecting the confidentiality of controlled unclassified information prescribed by the authorizing law, regulation, or government-wide policy for the category or subcategory listed in the Registry
NIST SP 800-171 has a well-defined structure for the security requirements used to protect the confidentiality of controlled unclassified information in non-federal information systems and organizations. Through Revision 2, each family’s requirements are split into two sections:
1. Basic security requirements, taken from the high-level requirements in FIPS Publication 200
2. Derived security requirements, which supplement the basic requirements and are taken from the moderate baseline of NIST SP 800-53
Revision 3 (May 2024) dropped the basic/derived distinction and presents a single set of requirements per family.
14 Controlled Unclassified Information Security Requirement Families in NIST 800-171
Based on the minimum security requirements for federal information and information systems described in FIPS Publication 200, NIST SP 800-171 (Revision 2) organizes the controlled unclassified information security requirements into 14 families, containing 110 requirements in total.
Those families are based on general security topics. Absent from the Revision 2 list are the contingency planning, system and services acquisition, and planning families of FIPS 200. Revision 3 (May 2024) expands the list to 17 families by adding Planning, System and Services Acquisition, and Supply Chain Risk Management.
1. Access Control
2. Audit and Accountability
3. Awareness and Training
4. Configuration Management
5. Identification and Authentication
6. Incident Response
7. Maintenance
8. Media Protection
9. Personnel Security
10. Physical Protection
11. Risk Assessment
12. Security Assessment
13. System and Communications Protection
14. System and Information Integrity
Additional Controlled Unclassified Information Security Requirements
NIST SP 800-171 applies to non-federal systems. For federal information systems that process, store, or transmit controlled unclassified information, agencies must instead comply with the federal baseline (which is also the source from which the NIST SP 800-171 requirements were derived):
- FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems (moderate confidentiality impact)
- FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems
- NIST Special Publication 800-53, Security and Privacy Controls for Information Systems and Organizations
- NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories
Target Audiences for NIST 800-171 and Controlled Unclassified Information Requirements
NIST SP 800-171 is intended to serve a diverse group of individuals and organizations in the public and private sectors including, but not limited to:
- Individuals with information system development life cycle responsibilities (e.g., program managers, mission/business owners, information owners/stewards, system designers and developers, information system/security engineers, systems integrators)
- Individuals with acquisition or procurement responsibilities (e.g., contracting officers)
- Individuals with information system, security, and/or risk management and oversight responsibilities (e.g., authorizing officials, chief information officers, chief information security officers, information system owners, information security managers)
- Individuals with information security assessment and monitoring responsibilities (e.g., auditors, system evaluators, assessors, independent verifiers/validators, analysts)
The above roles and responsibilities can be viewed from two distinct perspectives:
1. The federal perspective, as the entity establishing and conveying the CUI security requirements in contractual vehicles or other types of inter-organizational agreements.
2. The non-federal perspective, as the entity responding to and complying with the CUI security requirements set forth in contracts or agreements.
Source: NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
CUI Handling Between Contractors & Sub-Contractors
Controlled unclassified information security requirements that apply to federal contractors also extend to contractors’ employees, subcontractors, and subcontractors’ employees. NIST SP 800-171 states the following assumptions about the non-federal entities that federal agencies work with:
- Non-federal organizations can implement a variety of potential security solutions, either directly or through a managed services provider, to satisfy controlled unclassified information security requirements.
- Non-Federal organizations have information technology infrastructures in place and are not necessarily developing or acquiring information systems specifically for the purpose of processing, storing, or transmitting controlled unclassified information.
- Non-Federal organizations have specific safeguarding measures in place to protect their information, which may also be sufficient to satisfy the CUI security requirements.
- Non-Federal organizations may not have the necessary organizational structure or resources to satisfy every controlled unclassified information security requirement and may implement alternative, but equally effective security measures to compensate for the inability to satisfy a particular requirement.
NIST SP 800-171 also addresses the handling of controlled unclassified information among contractors and subcontractors.
Federal contractors and subcontractors routinely process, store, and transmit sensitive federal information while delivering products and services to federal agencies. Among the activities where they work with controlled unclassified information are:
- Conducting background investigations for security clearances
- Delivering Web, email, cloud, and other online services
- Developing and maintaining communications, satellite, and weapons systems
- Processing healthcare data
- Providing credit cards and other financial services
Controlled Unclassified Information for Standardization and CMMC
The controlled unclassified information program represents one of the federal government’s most sweeping requirements. It provides standardization of practices that span federal government departments and agencies, state, local, and tribal organizations, as well as private sector entities, academia, and industry.
The implementation of the controlled unclassified information initiative has brought more timely and consistent information that has increased transparency and clarity throughout the federal government and associated organizations, including for government subcontractors.
In addition to these benefits, the controlled unclassified information program plays a role in the nation’s security posture. CMMC’s controlled unclassified information practices provide safeguards for data that malicious actors could otherwise exploit, and their adoption is intended to reduce the risk that a compromise of a contractor or subcontractor exposes national security information.
Last Updated: 28th June, 2024