What is CUI Classification? (Basic & Specified Data Examples)
In the past, CUI was protected largely by requiring defense contractors to self-certify their compliance with NIST 800-171. Widespread leaks of CUI within the DIB led the Department of Defense (DoD) to create the CMMC, which defines the level of system protection required for CUI.
And yet, what is CUI?
The CUI acronym stands for “Controlled Unclassified Information” and the CUI meaning is information that is sensitive but does not meet the criteria for classification at the Confidential level or above.
What is CUI classification and why is it important?
CUI is information that the government (or an entity such as a contractor) creates or processes on behalf of the government.
The Cybersecurity Maturity Model Certification (CMMC) is designed to improve the cybersecurity posture of the Defense Industrial Base (DIB). It does so by requiring a third-party assessment of compliance.
A primary goal of the CMMC is the protection of CUI and the prevention of unauthorized disclosure of sensitive information.
What is considered CUI? 8 Controlled unclassified information examples
While CUI is a government classification system, many organizations have similar types of information for their clients, customers, or stakeholders.
What is considered controlled unclassified information for one sector may differ from another.
Examples of controlled unclassified information include:
- Company intellectual property (IP)
- Sensitive employee or customer data
- Health records
- Law enforcement records
CUI examples in the federal government sector include:
- Critical infrastructure information
- Export control
- National security information
- International agreements
Who can control CUI data?
The National Archives and Records Administration (NARA) is the Executive Agent (EA) for CUI and has the authority to manage CUI information security and government-wide policy across the federal government.
Many different types of personnel work with classified information as well as with controlled unclassified information systems, but NARA is the authority on CUI for federal agencies.
CUI can also be labeled with dissemination controls. These include:
- NOFORN: No Foreign Dissemination
- FED ONLY: Federal Employees Only
- FEDCON: Federal Employees and Contractors Only
- NOCON: No dissemination to contractors
- DL ONLY: Dissemination list controlled
- REL TO: Authorized for release to certain nationals only (Ex: REL TO USA)
- DISPLAY ONLY: Disclosure allowed to a foreign recipient by providing a copy
- Attorney Client: Protected by attorney-client privilege
- Attorney Work Product: Dissemination prohibited unless specifically permitted by overseeing attorney
These dissemination controls appear in the banner marking alongside the CUI category markings, and multiple controls are separated by a forward slash.
What is CUI Basic?
CUI Basic covers information whose authorizing laws, regulations, or government-wide policies do not require specific protections.
When determining what counts as CUI Basic, the baseline CUI controls apply wherever the authorizing laws, regulations, and government-wide policies do not provide any specific handling guidance.
What is CUI Specified?
CUI Specified covers information whose authorizing laws, regulations, or government-wide policies require specific protections, such as unique markings, enhanced physical safeguards, and limits on who can access the information.
CUI Specified is the subset of CUI for which the law, regulation, or government-wide policy contains specific control requirements or permitted uses.
Need help with CUI compliance readiness?
Between now and 2026, the DoD plans to require CMMC compliance for all new contracts. This means that every contractor listed on a contract bid, both prime contractors and subcontractors, will need to achieve a minimum level of CMMC compliance before the contract is awarded.
The CMMC requires third-party auditors to certify that a defense contractor is compliant with the requirements outlined at one of CMMC’s three levels.
With mandatory CMMC compliance comes the need for CUI training, safeguarding CUI guidance, CUI certification, and implementing security requirements. Depending on an organization’s current level of NIST 800-171 compliance and intended future roles on defense contracts, achieving this could be an extended process.
Companies looking to participate in defense and DoD contracts should begin their CMMC compliance journey today.
Reach out for a readiness inspection to learn how your organization can better protect its CUI.
CUI vs CDI information: what’s the difference?
Is there a difference between CDI and CUI? The DoD uses Covered Defense Information (CDI) interchangeably with CUI to be consistent with the National Archives' definition. The DFARS CUI clause requires contractors and subcontractors to safeguard CDI, report cyber incidents, submit malicious software, and facilitate damage assessment.
Which document contains the DoD cyber regulations for CUI and CTI?
DoD Instruction 5200.48 establishes the definition of Controlled Unclassified Information. DFARS 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, adds that the contractor "shall include the clause in subcontracts for which performance will involve covered defense information or operationally critical support." Both detail protection against unauthorized disclosure of protected files.
What marking acronym is required on a DoD document containing controlled unclassified information?
As detailed in DoD Instruction 5200.48, CUI policy dictates that "CUI" markings appear at the top of each printed page and are optional at the bottom of each page. The banner marking must cover all CUI within the document and be consistent on every page.
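As an added example (not code from the original page), here is a small Python checker that parses a banner into its category and dissemination-control segments and then verifies the page-level requirements above: every page carries a banner on its top line, the banner is identical on every page, and each dissemination control is one of the markings listed earlier on this page. The banner layout ("CUI", then category and control segments separated by "//", with items inside a segment separated by a single "/"), the "SP-CTI" category label, and the hyphenated ATTORNEY-CLIENT and ATTORNEY-WP spellings are assumptions.

```python
# Dissemination controls from the list on this page (NOCON is the no-contractors
# marking); ATTORNEY-CLIENT and ATTORNEY-WP are assumed spellings of the last two.
KNOWN_CONTROLS = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY", "REL TO",
                  "DISPLAY ONLY", "ATTORNEY-CLIENT", "ATTORNEY-WP"}

def is_control(item):
    # A control may carry a suffix, e.g. "REL TO USA".
    return any(item == c or item.startswith(c + " ") for c in KNOWN_CONTROLS)

def parse_banner(line):
    """Return (categories, controls) for a banner like 'CUI//SP-CTI//NOFORN/REL TO USA',
    or None for a non-banner line. Assumed layout: 'CUI', an optional category
    segment and an optional control segment separated by '//', items inside a
    segment separated by a single '/'."""
    parts = [p.strip() for p in line.strip().split("//")]
    if parts[0].upper() != "CUI" or len(parts) > 3:
        return None
    segs = [[i.strip() for i in p.split("/") if i.strip()] for p in parts[1:]]
    if len(segs) == 2:
        return segs[0], segs[1]
    if len(segs) == 1 and not all(map(is_control, segs[0])):
        return segs[0], []                 # lone segment holds categories
    return [], (segs[0] if segs else [])   # lone segment holds controls, or bare CUI

def check_pages(pages):
    """Check the top line of every page; return a list of findings (empty = clean)."""
    findings, reference = [], None
    for n, text in enumerate(pages, start=1):
        top = next((ln for ln in text.splitlines() if ln.strip()), "")
        banner = parse_banner(top)
        if banner is None:
            findings.append(f"page {n}: no CUI banner on the top line")
            continue
        for item in banner[1]:
            if not is_control(item):
                findings.append(f"page {n}: unknown dissemination control {item!r}")
        if reference is None:
            reference = banner
        elif banner != reference:
            findings.append(f"page {n}: banner differs from page 1")
    return findings

# Constructed four-page document: page 3 drifts from page 1 and uses an
# unrecognised control; page 4 has lost its banner entirely.
SAMPLE_PAGES = ["CUI//SP-CTI//NOFORN/FEDCON\nSection 1 ...",
                "CUI//SP-CTI//NOFORN/FEDCON\nSection 2 ...",
                "CUI//SP-CTI//NOFORN/NOCO\nSection 3 ...",
                "Section 4 (banner missing) ..."]
```

Running check_pages(SAMPLE_PAGES) reports the unknown control and banner drift on page 3 and the missing banner on page 4; the same routine can be wired into a document export or DLP pre-check so that inconsistently marked CUI is caught before it leaves the organization.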
Is press release data CUI?
Occasionally, government press releases may be temporarily marked as CUI to prevent premature or unauthorized disclosure. However, information that government, university, and research organizations routinely share across the public and private sectors is not CUI, as it is neither proprietary nor protected under CUI markings.
Is financial information CUI?
According to the National Archives, CUI does include certain financial information related “to the duties, transactions, or otherwise falling under the purview of financial institutions or United States Government fiscal functions. Uses may include, but are not limited to, customer information held by a financial institution.”
Is PII considered CUI?
Personally Identifiable Information (PII) is marked and protected as CUI and is secured under The Privacy Act. PII can include Social Security Numbers (SSN), driver's license or state IDs, financial account numbers, citizenship or immigration status, gender identity, medical information, even voiceprints, iris scans, or fingerprints.
What is the purpose of the ISOO CUI registry?
According to the National Archives, the purpose of the Information Security Oversight Office (ISOO) CUI Registry is to identify "all approved CUI categories and subcategories, provides general descriptions for each, [identify] the basis for controls, [establish] markings, and [include] guidance on handling procedures."
Individual agency indexes also spell out which CUI categories apply to them. For example, the Defense OIG lists four categories of CUI data types:
- Controlled Technical Information
- DoD Critical Infrastructure Security Information
- Naval Nuclear Propulsion Information
- Unclassified Controlled Nuclear Information – Defense
What level of system and network configuration is required for CUI?
To meet the level of system and network configuration required for CUI, DIB contractors must be certified at CMMC Level 3 by a C3PAO. This requirement was issued by the DoD in DFARS clauses 252.204-7012, 252.204-7019, 252.204-7020, and 252.204-7021.
CUI is classified at a moderate level of confidentiality and adheres to DoDI 8500.01 and 8510.01 instructions in all DoD systems.
What DoD instruction implements the DoD CUI program?
DoDI 5200.48 implements the DoD CUI program as required by EO 13556.
According to a document released by the Office of the Under Secretary of Defense for Intelligence and Security in March 2020, DoDI 5200.48 "establishes policy, assigns responsibilities, and prescribes procedures for CUI throughout the DoD in accordance with..."
- Executive Order (E.O.) 13556
- Title 32 CFR Part 2002
- Defense Federal Acquisition Regulation Supplement (DFARS) Sections 252.204-7008 and 252.204-7012
What is FOUO vs CUI?
CUI is a designation that replaces several previous markings, including For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Law Enforcement Sensitive (LES). FOUO and CUI are therefore very similar, though not quite the same. All of these refer to information that does not require a security clearance but carries some level of restriction on access. For example, information may be restricted to federal employees without requiring a clearance.
What is a CUI Example Scenario?
As part of its contractual duties, an organization in the DIB may have access to sensitive government information about the nation's critical infrastructure. Information that reveals vulnerabilities in critical infrastructure may be marked as CUI/DCRIT.
This information-sharing may be part of a contract to modernize critical infrastructure, transition to a "smart grid," or develop mitigations for those vulnerabilities. The contractor would likely be required to control access to this information and protect it using security controls such as encryption.
Need more help with your CUI questions?
Reach out to us!