What Is CUI Data?
CUI data can be difficult to label, especially when you are not sure what to look for. This ultimate guide will help you understand what CUI data is and how your organization can identify it!
Understanding CUI Data
Before you can learn how to properly identify CUI data, you must first have a thorough understanding of what it means.
CUI stands for Controlled Unclassified Information, and it is part of a government-wide program that aims to standardize the way unclassified information is safeguarded and distributed. This system replaces the For Official Use Only (FOUO) agency programs and addresses many of the inefficient and confusing policies that would often lead to inconsistent applications.
So, what kind of information falls into the CUI category?
Basically, any government information that is not secret or top secret, but is still sensitive, is considered CUI.
Even though it's not the top-secret stuff you might think of from a James Bond movie, it still needs to be protected. This is because it could compromise the mission of the United States or reduce our competitive advantage if it fell into the wrong hands.
This data was most likely created by the government - or is owned by it - and as a result, must be protected. Just because it's not classified doesn't mean it's not CUI!
What Makes Up CUI?
The CUI Registry provides a comprehensive guide to what type of unclassified information must be protected according to certain laws, regulations, or government policies.
For the most part, CUI is data that appears in a government contract or information that the DoD gives to a third party so that they can complete a project. It will be marked by the DoD to show that it has to be protected and distributed only according to specific guidelines.
Some examples of Controlled Unclassified Information include procurement and acquisition documents, data about critical infrastructure, law enforcement information, control technical information, and unclassified nuclear data.
You can get a better idea of everything that's included by visiting the CUI registry.
Any information that falls under the Atomic Energy Act or Executive Order 13536 does not fall into the Controlled Unclassified Information category.
How Does Controlled Unclassified Information Relate to CDI and CTI?
You may be wondering how Controlled Unclassified Information relates to CDI and CTI. CDI Refers to covered defense information, while CTI stands for controlled technical information.
CUI Is an umbrella term that covers all covered defense information and controlled technical information. In other words, CDI and CTI are subsets of Controlled Unclassified Information.
We know this might seem confusing because CUI is a relatively new term, but think of it as a high-level classification that all other categories roll into.
The Purpose of Identifying CUI
In May of 2018, the Defense Security Cooperation Agency – or DCSA – was tasked with managing CUI. Their primary goal is to create data prioritization and assignment procedures that can scale across the government and other related organizations.
The program was created by Executive Order 13556, which also designated the National Archives and Records Administration (NARA) as the agency that will implement and oversee compliance. The NARA then delegated these enforcement responsibilities to the ISOO: The Information Security Oversight Office.
By developing common assessment standards, a CUI data repository, and relevant training, they aim to establish best practices for securing this type of information to strengthen national security in the process.
Although it doesn't seem like this system is simple in any way, it is actually a significant improvement to what was used before. Before the CUI program, every agency used its own set of markings, classification rules, and management procedures - nothing was standardized!
As a result, there were fewer controls over CUI one compared to classified information. This lack of controls created an opening for adversaries to collect and misuse this data. As you can imagine, this poses a significant risk to our national security and military effectiveness.
Identifying CUI Data
Generally, the Department of Defense (DoD) is charged with labeling data as CDI or CTI before it is handed off to a contractor - but what happens when the contractor is the one who is developing the information while completing a project on their behalf?
In this scenario, the organization must work with the contracting officer to complete all required forms and ensure that the content is protected.
Here are some tips to help you identify CUI data:
Does your site hold a government contract or supply a US Federal contract? If the answer to this question is yes, then you most likely have controlled unclassified information in your systems that need to be protected.
Look for any of the following types of information: This list covers most of the data that a subcontractor would have access to when processing part of a DoD contract, but it is not all-inclusive!:
Personally identifiable information (PII) or protected health information of constituents.
Engineering drawings and specifications.
Research data relating to a government contract.
Studies and reports relating to government projects.
Source code and executable code used for government software programs.
Government contract information.
Take a close look at your contracts to see if you are a direct supplier - or have supplier status through a larger entity - to a government contract. You should be on the lookout for CUI if you are directly supplying or plan to bid on a US government contract. If you are obtaining supplier status through a larger company like Lockheed Martin or Boeing, you will also need to take steps to protect the CUI.
Search for labels that identify information as CUI. Whenever you see terms like export control, for official use only, or other agency-specific terminology, you are likely dealing with Controlled Unclassified Information. This data will require you to take steps to safeguard it according to the CUI program!
Natural and Cultural Resources
North Atlantic Treaty Organization (NATO)
Procurement and Acquisition
Proprietary Business Information