Businesses working with the Defense Industrial Base (DIB) sector are often tasked with handling important information. However, there may be confusion as to whether a company is handling CUI and, if it is, whether it then needs to comply with specific protective measures. This post summarizes the what, why, and how when it comes to protecting CUI.

What is CUI?

Controlled Unclassified Information (CUI) refers to an umbrella of information the government protects that is not considered classified. The government can create or already hold this information; other times, a contractor can generate or handle this information on behalf of the government. The main attribute that differentiates CUI from other types of data is that, under a law, regulation, or policy, it is marked or required to be safeguarded.

On November 4, 2010, Executive Order 13556 “Controlled Unclassified Information” initiated a program to set the foundation for managing unclassified information. It seeks to troubleshoot ineffective safeguarding methods by implementing simple standards that can be used across the Executive branch. The Information Security Oversight Office (ISOO) receives authority from this order and has a CUI staff that develops procedures to protect sensitive information.

Federal Contract Information (FCI) should also not be disclosed to the public, but it is not considered CUI. FCI is any information a contractor creates under a contract for the government. This information is not marked as public or for public release. Conversely, CUI is marked or identified as needing protection under the CUI program. All CUI that a government contractor possesses is considered FCI, but not all FCI can be considered CUI.

How do you know what is considered CUI?

Information that an entity creates or collects as directed by the government in accordance with a contract, agreement, or law is considered CUI. If a business works for the Department of Defense (DoD), it is highly likely that it is handling CUI. Government access is a big distinguishing factor when it comes to deciding if something is CUI or not. There are two types:

CUI Basic: A subset of CUI that does not require specific handling controls. Categories of CUI Basic information may include visas, information system vulnerability information, etc.

CUI Specified: A subset of CUI that does require specific handling controls. These controls can be implementing unique markings or limiting access to the information. Categories of CUI Specified information may include financial, law enforcement, nuclear, tax, etc.

What can become confusing is when an entity may need to provide their proprietary information as a part of the contracting process. If the government receives proprietary information from the entity, it is the government’s responsibility to protect it under several guidelines. This result does not mean the entity did something wrong and needs to safeguard all their proprietary information under CUI regulations; in their own hands, the information has no governmental ties, and therefore is not considered CUI. Information only becomes CUI when it passes into the government’s hands or is created/handled on behalf of the government.

NIST 800-171, CMMC, and CUI

The Defense Federal Acquisition Regulation Supplement (DFARS) encourages DoD contractors to follow specific frameworks that will strengthen the U.S.’s protection of its defense databases. Under DFARS 7012, contractors need to satisfy the requirements of the National Institute of Standards and Technology Special Publication 800-171 (NIST 800-171).

NIST 800-171 protects CUI on non-federal information systems. It was created to improve cybersecurity and make sure unclassified information not part of federal information systems is properly protected. With these standards in place, the government can carry out operations without worrying about information breaches.

The Cybersecurity Maturity Model Certification (CMMC) is the newest security implementation that works to enhance protection of CUI within the supply chain. CMMC will review and combine various cybersecurity standards, like NIST 800-171, and map out processes according to five levels of cyber hygiene (basic to advanced). The certification will not be required for all contractors immediately and will be phased in over a five-year rollout. All contracts, task orders, solicitations, etc. will have CMMC requirements included by October 1, 2025.

How to Obtain CUI Protection

NIST SP 800-171 Rev. 2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, provides federal agencies with fourteen families of recommended security requirements for protecting the confidentiality of CUI in nonfederal systems. Some of these requirements include access control measures, awareness and training about security risks, retaining audit logs for monitoring purposes, and so on. NIST SP 800-171A, Assessing Security Requirements for Controlled Unclassified Information, provides assessment procedures and a methodology to conduct assessments of the CUI security requirements.

Newly released clauses in the DFARS 70 series, specifically 7019 and 7020, announce the notice and implementation of revamped NIST 800-171 DoD assessment requirements. These clauses require contractors to maintain completed assessments at least every three years and report them properly in the Supplier Performance Risk System (SPRS). DFARS 7021 was also released in response to the CMMC rollout and outlines the framework for Third Party Assessment Organization (C3PAO) assessments. Following these standards/clauses is key to protecting CUI. helps businesses obtain, manage, and maintain security protocols at the CMMC level. Assessments are performed for commercial, state, and federal sector clients and remediation advice is provided and tailored to unique needs. Try out the platform’s free self-assessment or guided assessment tools to gauge and obtain CUI security proficiency.