What is Controlled Unclassified Information (CUI)?


Controlled Unclassified Information (CUI) is a category of unclassified information that, by Executive Order, is required to have safeguards or dissemination controls around it. 

CUI is data that is created, or possessed, on behalf of the US federal government. It’s not classified but is required or allowed to be protected. Following are just some of the types of information that fall under CUI regulations:

  • Personally Identifiable Information (PII)
  • Sensitive Personally Identifiable Information (SPII)
  • Proprietary Business Information (PBI), or currently known within the U.S. Environmental Protection Agency (EPA) as Confidential Business Information (CBI)
  • Unclassified Controlled Technical Information (UCTI)
  • Sensitive but Unclassified (SBU)
  • For Official Use Only (FOUO)
  • Law Enforcement Sensitive (LES)

CUI Standardizes Information Sharing

According to the National Archives and Records Administration (NARA), the CUI initiative was put in place to help standardize how information is shared and protected across separate departments and agencies as well as private sector entities doing business with governmental agencies.

Safeguarding Government Data

The program is designed to safeguard government data that is not designated as classified, confidential, or secret, but is instead information that should not be made public as it is shared. CUI is information that should be controlled. As part of this framework, there is a requirement for all CUI to be labeled with appropriate visual markings that indicate how it should be treated.

EO 13556

Executive Order 13556 standardizes how the Executive Branch handles CUI. It defines the security requirements for protecting CUI in non-federal information systems and organizations and standardizes how information that does not meet the criteria for classification under E.O. 13526 pertaining to “Classified National Security Information,” or the Atomic Energy Act, is handled.

Working with CUI

Working with information that falls under CUI requires appropriate access control measures to be taken to ensure only the right people have access to data that falls under CUI labeling categories.

Under the CUI requirements, incorporating a labeling and tagging tool or data identification software tool can help guide how to handle materials being exchanged.

Who is Responsible for Protecting CUI?


The CUI regulation’s policies for designating, handling, and controlling CUI apply to federal departments, agencies, and contractors that develop products containing CUI or systems that process, store, or handle CUI.

CUI Standardizes Data Sharing

Prior to the executive order establishing the CUI program, various government agencies used a variety of agency-specific policies, ad-hoc policies and procedures, and inconsistent markings to help control and safeguard information deemed sensitive. EO 13556 established a uniform program with only the categories of information listed in the CUI Registry to be identified and handled as CUI.

As such, the government oversees the designation of what level of protection information falls under. Marking guidance, the CUI Marking Handbook, is published in the CUI Registry. In addition, all CUI must carry a designation indicator that identifies who designated the information as CUI.

Who Oversees the CUI Program?

Overall oversight for the CUI program rests with the Information Security Oversight Office (ISOO). This office acts as the Executive Agent (EA) of the National Archives and Records Administration and monitors the implementation of, and compliance with, the CUI Program by executive branch agencies.

A CUI Advisory Council, with representatives from each executive branch agency, also works with the EA on matters related to CUI.

CUI-Related Programs for Non-Governmental Agencies


Non-federal organizations are not obligated to comply with the CUI guidelines, although their government contracts may specify compliance. It is in a commercial organization’s best interest to comply and demonstrate that they are prepared to apply the required controls on any CUI they may be handling. 

Related to the Executive Order, but applicable only to commercial entities or non-government organizations doing business with the U.S. government, are several other programs, such as: 

CUI and Regulatory Compliance

Classify Data & Standardize Metadata Labeling


One of the steps towards achieving compliance is to incorporate a data classification solution. With robust data classification technology in place, consistent and accurate labeling is applied to data according to the data governance policy and as required by NIST SP 800-171. 

Standardized labeling of CUI helps ensure that appropriate protections around that data are applied and enforced consistently. This labeling makes complying with CUI data guidelines easier for those who handle CUI in their workday. Having this capability in place is also proof that CUI is managed with the appropriate metadata and visual markings specified in the NARA CUI Registry.

14 Security Control Areas for CUI Compliance


To comply with CUI rules, government and non-government entities working with governmental agencies need to have a strong security plan in place that covers the following 14 security control areas:

1. Access control
2. Awareness and training
3. Audit and accountability
4. Configuration management
5. Identification and authentication
6. Incident response
7. Maintenance
8. Media protection
9. Physical protection
10. Personnel security
11. Risk assessment
12. Security assessment
13. System and communications protection
14. System and information integrity

CUI Categories


These controls work in conjunction with the task of labeling or tagging material that falls under CUI into three categories to help users determine how it should be accessed and handled:

CUI Basic

This is information that is subject to standard safeguarding measures to reduce the risk of unauthorized or inadvertent disclosure. Information in this category can be shared to the extent that it is reasonably believed doing so would further the execution of a lawful or official purpose.

CUI Specified

This is information that requires safeguard measures designed to reduce the risk of unauthorized or inadvertent disclosure. The material identified at this level should contain additional instructions on what dissemination is permitted.

Limited Dissemination

This content requires more stringent safeguard measures, as the inadvertent or unauthorized disclosure of it would create the risk of substantial harm. The material in this category should also contain additional instructions for handling.

DFARS and NIST CUI Compliance


Contractors and subcontractors with the US Department of Defense (DoD) need to follow the compliance steps published by the DoD in the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012 clause, regarding how they are to safeguard CUI. The DFARS clause outlines the implementation of the controls identified by NIST publication 800-171, and is required in all contracts except for contracts used only to purchase commercial, off-the-shelf items. It also applies to subcontracts involving covered defense information or operationally critical support.

To comply, contractors and subcontractors must:

  • Safeguard covered defense information
  • Report cyber incidents
  • Submit malicious software
  • Facilitate damage assessment

NIST SP 800-53 and SP 800-171 go hand-in-hand with CUI rules and are supported by a robust data classification solution and policies that help streamline compliance and provide consistent labeling practices for relevant data. NIST SP 800-171 specifically addresses the confidentiality of CUI to help ensure CUI is not inappropriately shared.

To comply with NIST, organizations and governmental entities need to:

  • Ensure confidential and sensitive information is controlled.
  • Identify or label data with both visual and metadata labels to address, identify, and highlight any special handling requirements.
  • Alert users when personal data is leaving the organization to help prevent sending any potentially sensitive messages.
  • Educate users about data sensitivity and reinforce adherence to corporate policies.

Protecting CUI: How Fortra Helps


At the heart of the CUI program is data classification to ensure appropriate control and consistent handling of sensitive information, as well as enforcement of control across all branches of government and its contractors.

By tagging or labeling data with visual as well as metadata labels to highlight special handling requirements as specified by the CUI program, users can more easily comply with CUI rules. With robust data classification technology in place, users would receive an alert when personal data is leaving the organization or as a warning to prevent them from sending messages that contain sensitive information, as defined by the CUI Registry.

The automation and streamlined functionality of data classification solutions, such as Fortra Data Classification, help both secure information deemed sensitive and educate users about the sensitivity of the data they are handling, while adhering to the policies established.

Request a Personalized

If you handle or may be handling CUI in the future, talk to a Data Classification expert today. A personalized demo can show you how easy it is to comply with the CUI Program with data classification technology.
