CUI data can be difficult to label, especially when you are not sure what to look for. This ultimate guide will help you understand what CUI data is and how your organization can identify it!
Understanding CUI Data
Before you can learn how to properly identify CUI data, you must first have a thorough understanding of what it means.
CUI stands for Controlled Unclassified Information, and it is part of a government-wide program that aims to standardize the way unclassified information is safeguarded and distributed. This system replaces the For Official Use Only (FOUO) agency programs and addresses many of the inefficient and confusing policies that would often lead to inconsistent applications.
So, what kind of information falls into the CUI category?
Basically, any government information that is not secret or top secret, but is still sensitive, is considered CUI.
Even though it’s not the top-secret stuff you might think of from a James Bond movie, it still needs to be protected. This is because it could compromise the mission of the United States or reduce our competitive advantage if it fell into the wrong hands.
This data was most likely created by the government – or is owned by it – and as a result, must be protected. Just because it’s not classified doesn’t mean it’s not CUI!
What Makes Up CUI?
The CUI Registry provides a comprehensive guide to what type of unclassified information must be protected according to certain laws, regulations, or government policies.
For the most part, CUI is data that appears in a government contract or information that the DoD gives to a third party so that they can complete a project. It will be marked by the DoD to show that it has to be protected and distributed only according to specific guidelines.
Some examples of Controlled Unclassified Information include procurement and acquisition documents, data about critical infrastructure, law enforcement information, control technical information, and unclassified nuclear data.
You can get a better idea of everything that’s included by visiting the CUI registry.
Any information that falls under the Atomic Energy Act or Executive Order 13536 does not fall into the Controlled Unclassified Information category.
How Does Controlled Unclassified Information Relate to CDI and CTI?
You may be wondering how Controlled Unclassified Information relates to CDI and CTI. CDI Refers to covered defense information, while CTI stands for controlled technical information.
CUI Is an umbrella term that covers all covered defense information and controlled technical information. In other words, CDI and CTI are subsets of Controlled Unclassified Information.
We know this might seem confusing because CUI is a relatively new term, but think of it as a high-level classification that all other categories roll into.
The Purpose of Identifying CUI
In May of 2018, the Defense Security Cooperation Agency – or DCSA – was tasked with managing CUI. Their primary goal is to create data prioritization and assignment procedures that can scale across the government and other related organizations.
The program was created by Executive Order 13556, which also designated the National Archives and Records Administration (NARA) as the agency that will implement and oversee compliance. The NARA then delegated these enforcement responsibilities to the ISOO: The Information Security Oversight Office.
By developing common assessment standards, a CUI data repository, and relevant training, they aim to establish best practices for securing this type of information to strengthen national security in the process.
Although it doesn’t seem like this system is simple in any way, it is actually a significant improvement to what was used before. Before the CUI program, every agency used its own set of markings, classification rules, and management procedures – nothing was standardized!
As a result, there were fewer controls over CUI one compared to classified information. This lack of controls created an opening for adversaries to collect and misuse this data. As you can imagine, this poses a significant risk to our national security and military effectiveness.
Identifying CUI Data
Generally, the Department of Defense (DoD) is charged with labeling data as CDI or CTI before it is handed off to a contractor – but what happens when the contractor is the one who is developing the information while completing a project on their behalf?
In this scenario, the organization must work with the contracting officer to complete all required forms and ensure that the content is protected.
Here are some tips to help you identify CUI data:
- Does your site hold a government contract or supply a US Federal contract? If the answer to this question is yes, then you most likely have controlled unclassified information in your systems that need to be protected.
- Look for any of the following types of information: This list covers most of the data that a subcontractor would have access to when processing part of a DoD contract, but it is not all-inclusive!:
- Personally identifiable information (PII) or protected health information of constituents.
- Engineering drawings and specifications.
- Research data relating to a government contract.
- Studies and reports relating to government projects.
- Source code and executable code used for government software programs.
- Government contract information.
- Financial records.
- Take a close look at your contracts to see if you are a direct supplier – or have supplier status through a larger entity – to a government contract. You should be on the lookout for CUI if you are directly supplying or plan to bid on a US government contract. If you are obtaining supplier status through a larger company like Lockheed Martin or Boeing, you will also need to take steps to protect the CUI.
- Search for labels that identify information as CUI. Whenever you see terms like export control, for official use only, or other agency-specific terminology, you are likely dealing with Controlled Unclassified Information. This data will require you to take steps to safeguard it according to the CUI program!
- Ammonium Nitrate
- Chemical-terrorism Vulnerability Information
- Critical Energy Infrastructure Information
- Emergency Management
- General Critical Infrastructure Information
- Information Systems Vulnerability Information
- Physical Security
- Protected Critical Infrastructure Information
- SAFETY Act Information
- Toxic Substances
- Water Assessments
- Controlled Technical Information
- DoD Critical Infrastructure Security Information
- Naval Nuclear Propulsion Information
- Unclassified Controlled Nuclear Information – Defense
- Bank Secrecy
- Comptroller General
- Consumer Complaint Information
- Electronic Funds Transfer
- Federal Housing Finance Non-Public Information
- Financial Supervision Information
- General Financial Information
- International Financial Institutions
- Net Worth
- Battered Spouse or Child
- Permanent Resident Status
- Status Adjustment
- Temporary Protected Status
- Victims of Human Trafficking
- Foreign Intelligence Surveillance Act
- Foreign Intelligence Surveillance Act Business Records
- General Intelligence
- Geodetic Product Information
- Intelligence Financial Records
- Internal Data
- Operations Security
- Accident Investigation
- Campaign Funds
- Committed Person
- Controlled Substances
- Criminal History Records Information
- General Law Enforcement
- Law Enforcement Financial Records
- National Security Letter
- Pen Register/Trap & Trace
- Sex Crime Victim
- Terrorist Screening
- Whistleblower Identity
- Administrative Proceedings
- Child Pornography
- Child Victim/Witness
- Collective Bargaining
- Federal Grand Jury
- Legal Privilege
- Legislative Materials
- Presentence Report
- Prior Arrest
- Protective Order
- Witness Protection
Natural and Cultural Resources
North Atlantic Treaty Organization (NATO)
- General Nuclear
- Nuclear Recommendation Material
- Nuclear Security-Related Information
- Safeguards Information
- Unclassified Controlled Nuclear Information – Energy
- Contract Use
- Death Records
- General Privacy
- Genetic Information
- Health Information
- Inspector General Protected
- Military Personnel Records
- Personnel Records
- Student Records
Procurement and Acquisition
Proprietary Business Information
- Entity Registration Information
- General Proprietary Business Information
- Ocean Common Carrier and Marine Terminal Operator Agreements
- Ocean Common Carrier Service Contracts
- Proprietary Manufacturer
- Proprietary Postal
- Homeland Security Agreement Information
- Homeland Security Enforcement Information
- Information Systems Vulnerability Information – Homeland
- International Agreement Information – Homeland
- Operations Security Information
- Personnel Security Information
- Physical Security – Homeland
- Privacy Information
- Sensitive Personally Identifiable Information
BlueSteel Cybersecurity is one of the best cybersecurity companies in USA can help answer any CUI Data questions you might have. Reach out today to learn how your organization can best prepare to handle CUI.