Directives for Controlled Unclassified Information (CUI) have left numerous organizations confused about how to classify their information. Executive Order 13556, signed by President Obama on 4th November 2010, established the CUI program.
Laws and regulations governing CUI were issued so that policies could be established dictating how CUI may be used, safeguarded, designated, disseminated, marked, decontrolled, and disposed of, and how self-inspection and oversight requirements are met.
However, organizations have had a hard time identifying the categories of CUI and whether the information they hold falls under CUI. The following guide can help organizations determine whether the information they hold is subject to CUI directives, so that they can take the steps required by the laws and regulations that apply to it.
CUI is any information created or possessed by the government or a government agency, or by a separate entity that creates or possesses that information on behalf of the government or a federal agency.
The entity or the federal agency is subject to government-wide laws, regulations, and policies for handling, safeguarding, disseminating, or disposing of that information. However, information classified under Executive Order 13526, Classified National Security Information, or covered by the Atomic Energy Act, is not CUI.
Why Is It Necessary For Organizations To Identify CUI?
Whether the organization is federal or nonfederal, if it holds information designated as CUI, that information must be used and protected according to the requirements established by NIST SP 800-171 and the Cybersecurity Maturity Model Certification (CMMC).
The information must be identified and marked according to the published guidelines and policies. Failure to do so may result in sanctions for the liable organization, depending on the type of CUI and the law found to have been violated. The National Archives and Records Administration (NARA) is responsible for managing the CUI program across the Federal government and is the official Controlled Unclassified Information Executive Agent. NARA has delegated the responsibilities of CUI Executive Agent to the director of the Information Security Oversight Office (ISOO).
Furthermore, ISOO has released guidelines for federal agencies and executive branch departments on handling (marking and safeguarding) CUI. CUI is of great concern for national security and for the use and management of important but unclassified information. If used inappropriately, this information can reveal critical vulnerabilities, expose important details, and jeopardize various state functions.
Therefore, national agencies have carefully classified all information that could be of potential concern under the CUI and have set out detailed guidelines on classifying and marking such information.
How Can Organizations Identify If They Have CUI Information?
Although classifying information is a lengthy and cumbersome process for organizations, it is critical to safeguarding important information.
CUI can exist in any document or media form and must be categorized and marked according to the guidelines. Determining whether information qualifies for CUI status under one of the CUI categories, and applying the relevant security markings, is the responsibility of an authorized holder. This can be an organization, agency, individual, or group that has been permitted to handle or designate Controlled Unclassified Information under 32 CFR Part 2002.
As the Executive Agent for CUI, NARA has released detailed guidelines for handling CUI. NARA also maintains a detailed CUI Registry that organizations and individuals can consult to check whether the information they hold falls under a CUI category and which government laws apply to it.
This online government-wide repository provides federal-level guidance on CUI policies and practices. It is still incumbent on both contractors and personnel from the relevant agencies to consult the applicable CUI policy guidelines, contract documents, the contracting parties themselves, or the CUI program's management office for detailed guidance. This includes guidance on how to classify the information according to the CUI categories and how to apply the required markings to the relevant media.
There are numerous determinants of whether the information is classified as CUI. These pertain to regulations, laws, and policies for how the information is utilized, obtained, or processed and whether it is associated with federal agencies such as the Department of Defense (DoD).
Although numerous different types of information fall under the umbrella term Controlled Unclassified Information, the details of which are listed below, here are a few examples of common types of CUI. This type of information must be protected even though it is not classified.
- Sensitive Personally Identifiable Information (SPII)
- Unclassified Controlled Technical Information (UCTI)
- Personally Identifiable Information (PII)
- Sensitive but Unclassified (SBU)
- Proprietary Business Information (PBI), currently known within EPA as Confidential Business Information (CBI)
- For Official Use Only (FOUO)
- Law Enforcement Sensitive (LES), and others.
Categories Of CUI
According to the CUI Registry, all Controlled Unclassified Information falls under 20 broad categories or “Organizational Index Groupings.” These categories are further subdivided into a total of 124 subcategories. In addition, the CUI Registry provides detailed guidelines on the laws and regulations in place for how this information must be handled according to each category and what sanctions are in place if the organization is found in violation of them.
CUI is also divided into CUI Specified and CUI Basic. If a regulation, policy, or law for a type of CUI contains specific requirements for how the information is to be handled or disseminated, and sanctions exist for not following those requirements, then that type of information is classified as CUI Specified.
If there is no government-wide regulation, law, or authorizing policy or sanction with such specific requirements for that particular type of CUI, it is referred to as CUI Basic. The main difference between the two is that CUI Specified categories carry laws, regulations, and policies that go beyond the baseline requirements and common practice for protecting this type of information. This does not make CUI Specified a higher level of CUI; it is simply termed CUI Specified.
The categories and subcategories of CUI as stated by the DoD CUI registry are listed below:
- Critical Infrastructure
- Ammonium Nitrate
- Chemical-terrorism Vulnerability Information
- Critical Energy Infrastructure Information
- Emergency Management
- General Critical Infrastructure Information
- Information Systems Vulnerability Information
- Physical Security (PHYSEC)
- Protected Critical Infrastructure Information
- SAFETY Act Information
- Toxic Substances
- Water Assessments
- Controlled Technical Information
- DoD Critical Infrastructure Security Information
- Naval Nuclear Propulsion Information
- Unclassified Controlled Nuclear Information – Defense (UCN)
- Export Control
- Export Controlled
- Export Controlled Research
- Bank Secrecy
- Comptroller General
- Electronic Funds Transfer (EFT)
- Financial Supervision Information
- General Financial Information
- International Financial Institutions
- Net Worth
- Foreign Intelligence Surveillance Act (FISA)
- FISA Business Records
- General Intelligence
- Geodetic Product Information
- Intelligence Financial Records
- Internal Data
- Operations Security
- International Agreements
- International Agreement Information
- Law Enforcement
- Accident Investigation
- Campaign Funds
- Committed Person
- Controlled Substances
- Criminal History Records Information
- General Law Enforcement
- Law Enforcement Financial Records
- National Security Letter
- Pen Register/Trap & Trace
- Sex Crime Victim
- Terrorist Screening
- Whistleblower Identity
- Administrative Proceedings
- Child Pornography
- Child Victim/Witness
- Collective Bargaining
- Federal Grand Jury
- Legal Privilege
- Legislative Materials
- Presentence Report
- Prior Arrest
- Protective Order
- Witness Protection
- Natural and Cultural Resources
- Archaeological Resources
- Historic Properties
- North Atlantic Treaty Organization (NATO)
- NATO Restricted
- NATO Unclassified
- General Nuclear
- Nuclear Recommendation Material
- Nuclear Security-Related SRI Information
- Safeguards Information
- Unclassified Controlled Nuclear Information – Defense
- Patent Applications
- Secrecy Orders
- Contract Use
- Death Records
- General Privacy
- Genetic Information
- Health Information
- Inspector General Protected
- Military Personnel Records
- Personnel Records
- Student Records
- Procurement and Acquisition
- General Procurement and Acquisition
- Small Business Research and Technology
- Source Selection
- Proprietary Business Information
- Entity Registration Information
- General Proprietary Business Information
- Ocean Common Carrier and Marine Terminal Operator Agreements
- Ocean Common Carrier Service Contracts
- Proprietary Manufacturer
- Proprietary Postal
- Operations Security Information (OPSEC)
- Personnel Security Information (PERSEC)
- Privacy Information
- Sensitive Personally Identifiable Information (SPII)
- Statistical Information
- Federal Taxpayer Information
- Tax Convention
- Written Determinations
- Railroad Safety Analysis Records
- Sensitive Security Information
Appropriate use, handling, and dissemination of information are crucial for state security and for the general management of information. This holds especially true for Controlled Unclassified Information. According to the requirements outlined in NIST SP 800-171 and the Cybersecurity Maturity Model Certification (CMMC), regardless of the document or medium the information is on, it must be classified and marked according to CUI guidelines at the time of origination by appropriately authorized individuals.
Guidelines for the classification, marking, and handling of CUI have been set by the National Archives and Records Administration (NARA), which acts as the Executive Agent (EA) for Controlled Unclassified Information. Organizations must follow these guidelines to ensure the information they handle is classified appropriately.
To ensure they have the correct classifications and markings, organizations must refer to the CUI Registry, whose detailed categories and subcategories define which type of information corresponds to which category and what laws and sanctions apply to it. The CUI Registry also offers numerous resources, and a CUI program management office is available for additional assistance.