What Is CUI Data?

CUI data can be difficult to label, especially when you are not sure what to look for. This ultimate guide will help you understand what CUI data is and how your organization can identify it!

Understanding CUI Data

Before you can learn how to properly identify CUI data, you must first have a thorough understanding of what it means.

CUI stands for Controlled Unclassified Information, and it is part of a government-wide program that aims to standardize the way unclassified information is safeguarded and distributed. This system replaces the For Official Use Only (FOUO) agency programs and addresses many of the inefficient and confusing policies that would often lead to inconsistent applications.

So, what kind of information falls into the CUI category?

Basically, any government information that is not secret or top secret, but is still sensitive, is considered CUI.

Even though it’s not the top-secret stuff you might think of from a James Bond movie, it still needs to be protected. This is because it could compromise the mission of the United States or reduce our competitive advantage if it fell into the wrong hands.

This data was most likely created by the government – or is owned by it – and as a result, must be protected. Just because it’s not classified doesn’t mean it’s not CUI!

What Makes Up CUI?

The CUI Registry provides a comprehensive guide to what type of unclassified information must be protected according to certain laws, regulations, or government policies.

For the most part, CUI is data that appears in a government contract or information that the DoD gives to a third party so that they can complete a project. It will be marked by the DoD to show that it has to be protected and distributed only according to specific guidelines.

Some examples of Controlled Unclassified Information include procurement and acquisition documents, data about critical infrastructure, law enforcement information, control technical information, and unclassified nuclear data.

You can get a better idea of everything that’s included by visiting the CUI registry.

Any information that falls under the Atomic Energy Act or Executive Order 13536 does not fall into the Controlled Unclassified Information category.

CUI Classification Guide

How Does Controlled Unclassified Information Relate to CDI and CTI?

You may be wondering how Controlled Unclassified Information relates to CDI and CTI. CDI Refers to covered defense information, while CTI stands for controlled technical information.

CUI Is an umbrella term that covers all covered defense information and controlled technical information. In other words, CDI and CTI are subsets of Controlled Unclassified Information.

We know this might seem confusing because CUI is a relatively new term, but think of it as a high-level classification that all other categories roll into.

The Purpose of Identifying CUI

In May of 2018, the Defense Security Cooperation Agency – or DCSA – was tasked with managing CUI. Their primary goal is to create data prioritization and assignment procedures that can scale across the government and other related organizations.

The program was created by Executive Order 13556, which also designated the National Archives and Records Administration (NARA) as the agency that will implement and oversee compliance. The NARA then delegated these enforcement responsibilities to the ISOO: The Information Security Oversight Office.

By developing common assessment standards, a CUI data repository, and relevant training, they aim to establish best practices for securing this type of information to strengthen national security in the process.

Although it doesn’t seem like this system is simple in any way, it is actually a significant improvement to what was used before. Before the CUI program, every agency used its own set of markings, classification rules, and management procedures – nothing was standardized!

As a result, there were fewer controls over CUI one compared to classified information. This lack of controls created an opening for adversaries to collect and misuse this data. As you can imagine, this poses a significant risk to our national security and military effectiveness.

Identifying CUI Data

Generally, the Department of Defense (DoD) is charged with labeling data as CDI or CTI before it is handed off to a contractor – but what happens when the contractor is the one who is developing the information while completing a project on their behalf?

In this scenario, the organization must work with the contracting officer to complete all required forms and ensure that the content is protected.

Here are some tips to help you identify CUI data:

1. Does your site hold a government contract or supply a US Federal contract? If the answer to this question is yes, then you most likely have controlled unclassified information in your systems that need to be protected.
2. Look for any of the following types of information: This list covers most of the data that a subcontractor would have access to when processing part of a DoD contract, but it is not all-inclusive!:
3. Personally identifiable information (PII) or protected health information of constituents.
4. Engineering drawings and specifications.
5. Research data relating to a government contract.
6. Studies and reports relating to government projects.
7. Source code and executable code used for government software programs.
8. Government contract information.
9. Financial records.
10. Take a close look at your contracts to see if you are a direct supplier – or have supplier status through a larger entity – to a government contract. You should be on the lookout for CUI if you are directly supplying or plan to bid on a US government contract. If you are obtaining supplier status through a larger company like Lockheed Martin or Boeing, you will also need to take steps to protect the CUI.
11. Search for labels that identify information as CUI. Whenever you see terms like export control, for official use only, or other agency-specific terminology, you are likely dealing with Controlled Unclassified Information. This data will require you to take steps to safeguard it according to the CUI program!

CUI Categories

Critical Infrastructure

• Ammonium Nitrate
• Chemical-terrorism Vulnerability Information
• Critical Energy Infrastructure Information
• Emergency Management
• General Critical Infrastructure Information
• Information Systems Vulnerability Information
• Physical Security
• Protected Critical Infrastructure Information
• SAFETY Act Information
• Toxic Substances
• Water Assessments

Defense

• Controlled Technical Information
• DoD Critical Infrastructure Security Information
• Naval Nuclear Propulsion Information
• Unclassified Controlled Nuclear Information – Defense

Export Control

• Export Controlled
• Export Controlled Research

Financial

• Bank Secrecy
• Budget
• Comptroller General
• Consumer Complaint Information
• Electronic Funds Transfer
• Federal Housing Finance Non-Public Information
• Financial Supervision Information
• General Financial Information
• International Financial Institutions
• Mergers
• Net Worth
• Retirement

Immigration

• Asylee
• Battered Spouse or Child
• Permanent Resident Status
• Status Adjustment
• Temporary Protected Status
• Victims of Human Trafficking
• Visas

Intelligence

• Agriculture
• Foreign Intelligence Surveillance Act
• Foreign Intelligence Surveillance Act Business Records
• General Intelligence
• Geodetic Product Information
• Intelligence Financial Records
• Internal Data
• Operations Security

International Agreements

• International Agreement Information

Law Enforcement

• Accident Investigation
• Campaign Funds
• Committed Person
• Communications
• Controlled Substances
• Criminal History Records Information
• DNA
• General Law Enforcement
• Informant
• Investigation
• Juvenile
• Law Enforcement Financial Records
• National Security Letter
• Pen Register/Trap & Trace
• Reward
• Sex Crime Victim
• Terrorist Screening
• Whistleblower Identity

Legal

• Administrative Proceedings
• Child Pornography
• Child Victim/Witness
• Collective Bargaining
• Federal Grand Jury
• Legal Privilege
• Legislative Materials
• Presentence Report
• Prior Arrest
• Protective Order
• Victim
• Witness Protection

Natural and Cultural Resources

• Archaeological Resources
• Historic Properties
• National Park System Resources

North Atlantic Treaty Organization (NATO)

• NATO Restricted
• NATO Unclassified

Nuclear

• General Nuclear
• Nuclear Recommendation Material
• Nuclear Security-Related Information
• Safeguards Information
• Unclassified Controlled Nuclear Information – Energy

Patent

• Patent Applications
• Inventions
• Secrecy Orders

Privacy

• Contract Use
• Death Records
• General Privacy
• Genetic Information
• Health Information
• Inspector General Protected
• Military Personnel Records
• Personnel Records
• Student Records

Procurement and Acquisition

• General Procurement and Acquisition
• Small Business Research and Technology
• Source Selection

Proprietary Business Information

• Entity Registration Information
• General Proprietary Business Information
• Ocean Common Carrier and Marine Terminal Operator Agreements
• Ocean Common Carrier Service Contracts
• Proprietary Manufacturer
• Proprietary Postal

Provisional

• Homeland Security Agreement Information
• Homeland Security Enforcement Information
• Information Systems Vulnerability Information – Homeland
• International Agreement Information – Homeland
• Operations Security Information
• Personnel Security Information
• Physical Security – Homeland
• Privacy Information
• Sensitive Personally Identifiable Information

Statistical

• Investment Survey
• Pesticide Producer Survey
• Statistical Information
• US Census

Tax

• Federal Taxpayer Information
• Tax Convention
• Taxpayer Advocate Information
• Written Determinations

Transportation

• Railroad Safety Analysis Records
• Sensitive Security Information

BlueSteel Cybersecurity is one of the best cybersecurity company in USA can help answer any CUI Data questions you might have. Reach out today to learn how your organization can best prepare to handle CUI.