Understanding Controlled Unclassified Information

The National Archives states, “Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.” CUI ranges from a wide variety of information and is protected by government regulations, markings, and designations.

An official program for CUI was established because there were challenges with unclassified information being accessed, shared, or often restricted with policies across both government agencies and the public. Oftentimes the policies did not match the needs for agencies or organizations that required access to this information, and therefore they inhibited necessary communication. The CUI program was finally formulated with Executive Order 13556. With this program new procedures were given to assign necessary information as CUI, and new policies and laws were incorporated. By creating the CUI program an open channel of communication was included, DoD personnel were able to access CUI, and proper markings with clear agency indication were added to all assets pertaining to CUI. You can find additional training and resources on the CUI program on the National Archives website.

How does CUI play into CMMC?

Both CMMC and CUI procedures share the same goal of safeguarding valuable information. The CUI program and CMMC require that all parties handling CUI must be able to demonstrate proper procedures and practices that safeguard the information.

In CMMC many organizations will only need to certify for Level 1, Basic Cyber Hygiene. Level 1 however only allows for Defense Industrial Base contractors to handle FCI and does not allow for a contractor to handle CUI. CMMC Levels 2-3 are part of the maturity process where a contractor prepares for or handles CUI, with 5 being the most advanced. The certification level you pursue in CMMC depends on the nature of your work with the Department of Defense (DoD). You will find that necessary CMMC level requirements are noted in (Request for Information) RFI and (Request for Proposals) RFP documents.

The 3 levels of CMMC progress in maturity with a range of different and overlapping practices, and have the same thing in common, protect Federal Contract Information (FCI) and Controlled Unclassified Information (CUI). Although CMMC is focused on protecting CUI from threats in all aspects, there are a couple of domains that are particularly catered to the protection of CUI. Asset Management (AM) is found in both levels 2 and 3 in CMMC and Personnel Security (PS) is found in level 2, the level that first introduces you to CUI safeguarding in CMMC. Access Management encompasses all channels of CUI and contains two capabilities: Identify and document assets and manage asset inventory. Personnel Security also has two capabilities: Screen personnel, and protect CUI during personnel actions.

Additionally, you will find that levels 2 and 3 in CMMC are the most advanced and specifically focus on the protection of CUI and Advanced Persistent Threats (APT). With the proactive capabilities in place of monitoring active threats, a level 5 organization will best be able to defend CUI against security threats.

Current Challenges with CUI Handling

One common challenge around CUI includes improper tagging and marking by government agencies. DIB sector organizations receive information from the DoD and/or their primes, and out of abundant caution, unnecessary artifacts are marked CUI. That makes handling and management more cumbersome for a contractor.

Another related issue is identification and labeling of CUI. Organizations carry hundreds of thousands, if not millions of files and related materials that could be CUI. In addition, companies are advised to restrict CUI within a narrow network of operations, thus limiting its exposure. Exposure limitation is also an effective way to save money on technology costs.

What’s Next?

Navigating your physical and cyber environment can be a challenge. Many organizations are not fully aware of where CUI exists in their ecosystem or who handles CUI. In order to protect all your assets a thorough assessment must take place to prepare for your anticipated CMMC audit.