Controlled Unclassified Information (CUI)
Controlled unclassified information (CUI) is information that is designated by law, regulation, or government-wide policy to require safeguarding and dissemination controls. Controlled unclassified information excludes information classified under Executive Order 13526 as Classified National Security Information.
The CMMC (Cybersecurity Maturity Model Certification) protections are defined by the Department of Defense (DoD) to secure controlled unclassified information that resides on the Defense Industrial Base systems and networks (DIBNet).
The CMMC model has three levels of cybersecurity practices. Level three focuses on the protection of controlled unclassified information and includes the security requirements that are specified in NIST SP 800-171, along with 20 additional practices to protect data.
What Is Controlled Unclassified Information (CUI)
While not considered classified, controlled unclassified information requires special care and protection, including secure storage, dissemination controls, and access restrictions. It is information that does not meet the criteria for classification but still needs protection from unauthorized access and release.
Controlled unclassified information (CUI) as defined by 32 Code of Federal Regulations Part 2002 (32 CFR Part 2002):
- Is any information which the loss, misuse, or modification of, or unauthorized access to, could adversely affect the national interest or the conduct of Federal programs or the privacy to which individuals are entitled under section 552a of title 5, United States Code (the Privacy Act), but which has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept secret in the interest of national defense or foreign policy
- Is not available to the general public
- Government acquisition-sensitive information, including source selection information as defined in section 2.101 of the Federal Acquisition Regulation (48 CFR chapter 1), and contractor bid or proposal information
- Information contained in individual contracts that is not public information, and such contract information contained in Government databases; proprietary economic, financial, or business information (e.g., salary information) provided to the government by other parties (e.g., other contractors)
- Personally identifiable information (PII) that includes, but is not limited to, social security numbers, names, dates of birth, places of birth, parents’ names, credit card numbers, applications for entitlements, and information relating to a person’s private financial, income, employment, and tax records
- Other information that the contracting officer or other authorized employee explicitly identifies as controlled unclassified information
- May exist in various physical media (e.g., paper, electronic file, audio or video disc) or be transmitted orally, may be developed under or pre-exist any related contract, and may be in its original form or a derivative form (i.e., where the information has been included in contractor-generated work, or where it is discernible from materials incorporating or based upon such information)
Source: 32 CFR Part 2002
Historically, each Federal agency developed its own practices for sensitive unclassified information. The result was overwhelming and expensive for the DIB, with inconsistent systems, procedures, and terminology.
The CUI program created a uniform set of rules for all Federal agencies, and for their contractors and subcontractors, to follow. This resolved several critical and cumbersome deficiencies by providing:
- Enhanced safeguarding
- Consistent markings
- Streamlined restrictions
Seven Examples of Controlled Unclassified Information
1. For Official Use Only (FOUO)
2. Law Enforcement Sensitive (LES)
3. Personally Identifiable Information (PII)
4. Proprietary Business Information (PBI)
5. Sensitive but Unclassified (SBU)
6. Sensitive Personally Identifiable Information (SPII)
7. Unclassified Controlled Technical Information (UCTI)
Controlled Unclassified Information Registry
The Registry is an online repository for information, guidance, policy, and requirements on handling controlled unclassified information. It includes:
- Explanation of the basis for controls
- Central repository that captures general descriptions for categories and subcategories
- Common definitions
- Standardized procedures for the use of controlled unclassified information—e.g., marking, safeguarding, transporting, disseminating, reuse, disposal
| Organizational Index Grouping | CUI Categories |
| --- | --- |
| Critical Infrastructure | Ammonium Nitrate; Chemical-terrorism Vulnerability Information; Critical Energy Infrastructure Information; General Critical Infrastructure Information; Information Systems Vulnerability Information; Protected Critical Infrastructure Information; SAFETY Act Information; Toxic Substances |
| Defense | Controlled Technical Information; DoD Critical Infrastructure Security Information; Naval Nuclear Propulsion Information; Unclassified Controlled Nuclear Information—Defense |
| Export Control | Export Controlled; Export Controlled Research |
| Financial | Consumer Complaint Information; Electronic Funds Transfer; Federal Housing Finance Non-Public Information; Financial Supervision Information; General Financial Information; International Financial Institutions |
| Immigration | Battered Spouse or Child; Permanent Resident Status; Temporary Protected Status; Victims of Human Trafficking |
| Intelligence | Foreign Intelligence Surveillance Act; Foreign Intelligence Surveillance Act Business Records; Geodetic Product Information; Intelligence Financial Records; Internal Data |
| International Agreement Information | International Agreement Information |
| Law Enforcement | Accident Investigation; Criminal History Records Information; General Law Enforcement; Law Enforcement Financial Records; National Security Letter; Pen Register/Trap & Trace; Sex Crime Victim |
| Legal | Federal Grand Jury; Protective Order Victim |
| Natural and Cultural Resources | Archaeological Resources; National Park System Resources |
| North Atlantic Treaty Organization (NATO) | NATO Restricted |
| Nuclear | Nuclear Recommendation Material; Nuclear Security-Related Information; Unclassified Controlled Nuclear Information—Energy |
| Privacy | Inspector General Protected; Military Personnel Records |
| Procurement and Acquisition | General Procurement and Acquisition; Small Business Research and Technology |
| Proprietary Business Information | Entity Registration Information; General Proprietary Business Information; Ocean Common Carrier and Marine Terminal Operator Agreements; Ocean Common Carrier Service Contracts |
| Provisional | Homeland Security Agreement Information; Homeland Security Enforcement Information; Information Systems Vulnerability Information—Homeland; International Agreement Information—Homeland; Operations Security Information; Personnel Security Information; Physical Security—Homeland; Privacy Information; Sensitive Personally Identifiable Information |
| Statistical | Pesticide Producer Survey |
| Tax | Federal Taxpayer Information; Taxpayer Advocate Information |
| Transportation | Railroad Safety Analysis Records; Sensitive Security Information |
Controlled Unclassified Information History
The 9/11 Commission’s report recommended the horizontal sharing of intelligence information that transcends individual agencies.
A Presidential Task Force expanded the 9/11 Commission’s recommendation to include all information falling within the definition of controlled unclassified information.
Executive Order 13556, “Controlled Unclassified Information,” established the Controlled Unclassified Information Program with the National Archives and Records Administration (NARA) to serve as the Executive Agent (EA) to implement the program to ensure compliance.
Rule 32 Code of Federal Regulations Part 2002 (32 CFR Part 2002), “Controlled Unclassified Information,” was published in the Federal Register and entered the Office of Management and Budget (OMB)-managed Federal regulatory process.
32 CFR Part 2002 was published as a final rule on September 14, 2016, and became effective on November 14, 2016.
CUI in NIST SP 800-171
The National Institute of Standards and Technology (NIST) Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations, was published in June 2015.
The controlled unclassified information requirements that NIST calls out in NIST 800-171 come from three previous publications:
1. Federal Information Processing Standard (FIPS) Publication 200
2. The moderate security control baseline in NIST Special Publication 800-53
3. 32 CFR Part 2002, Controlled Unclassified Information, which was still a proposal at that time
Extending the protection of controlled unclassified information resident in non-government information systems and organizations was a critical step in enhancing security.
Protecting this information was deemed to be “of paramount importance to federal agencies and can directly impact the ability of the federal government to successfully carry out its designated missions and business operations.”
Focused on government contractors, NIST 800-171 applies to those parts of a contractor’s network where controlled unclassified information is present.
Strengthening the security of the whole government supply chain was a key objective of NIST 800-171, meant to be achieved by defining the cybersecurity requirements for contractors who handle sensitive government information.
Controlled Unclassified Information Security Requirements in NIST 800-171
The controlled unclassified information security requirements set forth in NIST 800-171 must be used by all federal agencies in “contractual vehicles or other agreements” that agencies put in place with nonfederal organizations.
That common set of requirements is meant to protect the confidentiality of controlled unclassified information. “The requirements apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or provide security protection for such components,” including:
- When the controlled unclassified information is resident in nonfederal information systems and organizations
- When the information systems where the controlled unclassified information resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies
- Where there are no specific safeguarding requirements for protecting the confidentiality of controlled unclassified information prescribed by the authorizing law, regulation, or government-wide policy for the category or subcategory listed in the Registry
NIST 800-171 has a well-defined structure for the security requirements used to protect the confidentiality of controlled unclassified information in nonfederal information systems and organizations. The NIST 800-171 security requirements are split into two sections:
1. A basic security requirements section
2. A derived security requirements section
14 Controlled Unclassified Information Security Requirement Families in NIST 800-171
Based on the minimum security requirements for federal information and information systems described in FIPS Publication 200, NIST 800-171 organizes the controlled unclassified information security requirements into 14 families.
Those families are based on general security topics. Absent from the security requirements list are contingency planning, system and services acquisition, and planning requirements.
1. Access Control
2. Audit and Accountability
3. Awareness and Training
4. Configuration Management
5. Identification and Authentication
6. Incident Response
7. Maintenance
8. Media Protection
9. Personnel Security
10. Physical Protection
11. Risk Assessment
12. Security Assessment
13. System and Communications Protection
14. System and Information Integrity
Additional Controlled Unclassified Information Security Requirements
In addition to NIST 800-171, federal agencies using federal information systems to process, store, or transmit controlled unclassified information must also comply with:
- FIPS Publication 199, Standards for Security Categorization of Federal Information and Information Systems (moderate confidentiality impact)
- FIPS Publication 200, Minimum Security Requirements for Federal Information and Information Systems
- NIST Special Publication 800-53, Security and Privacy Controls for Federal Information Systems and Organizations
- NIST Special Publication 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories
Target Audiences for NIST 800-171 and Controlled Unclassified Information Requirements
NIST 800-171 is intended to serve a diverse group of individuals and organizations in the public and private sectors including, but not limited to:
- Individuals with information system development lifecycle responsibilities (e.g., program managers, mission/business owners, information owners/stewards, system designers and developers, information system/security engineers, systems integrators)
- Individuals with acquisition or procurement responsibilities (e.g., contracting officers)
- Individuals with information system, security, and/or risk management and oversight responsibilities (e.g., authorizing officials, chief information officers, chief information security officers, information system owners, information security managers)
- Individuals with information security assessment and monitoring responsibilities (e.g., auditors, system evaluators, assessors, independent verifiers/validators, analysts)
The above roles and responsibilities can be viewed from two distinct perspectives:
1. The federal perspective, as the entity establishing and conveying the CUI security requirements in contractual vehicles or other types of inter-organizational agreements
2. The nonfederal perspective, as the entity responding to and complying with the CUI security requirements set forth in contracts or agreements.
Source: NIST 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
CUI Handling Between Contractors & Sub-Contractors
Controlled unclassified information security requirements that apply to federal contractors also extend to contractors’ employees, subcontractors, and subcontractors’ employees. According to NIST 800-171, the expectations of federal agencies in working with nonfederal entities include:
- Nonfederal organizations can implement a variety of potential security solutions, either directly or using managed services, to satisfy controlled unclassified information security requirements.
- Nonfederal organizations have information technology infrastructures in place and are not necessarily developing or acquiring information systems specifically for the purpose of processing, storing, or transmitting controlled unclassified information.
- Nonfederal organizations have specific safeguarding measures in place to protect their information, which may also be sufficient to satisfy the CUI security requirements.
- Nonfederal organizations may not have the necessary organizational structure or resources to satisfy every controlled unclassified information security requirement, and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a particular requirement.
NIST 800-171 also has specific directives related to the handling of controlled unclassified information between federal contractors and subcontractors.
Federal contractors and subcontractors routinely process, store, and transmit sensitive federal information in order to deliver products and services to federal agencies. Among the activities where they work with controlled unclassified information are:
- Conducting background investigations for security clearances
- Delivering Web, email, cloud, and other online services
- Developing and maintaining communications, satellite, and weapons systems
- Processing healthcare data
- Providing credit cards and other financial services
Controlled Unclassified Information for Standardization and CMMC
The controlled unclassified information program represents one of the federal government’s most sweeping requirements. It provides standardization of practices that span federal government departments and agencies, state, local, and tribal organizations, as well as private sector entities, academia, and industry.
The implementation of the controlled unclassified information initiative has brought more timely and consistent information that has increased transparency throughout the federal government and associated organizations, including subcontractors.
In addition to these benefits, the controlled unclassified information program plays a crucial role in the nation’s security posture. CMMC’s controlled unclassified information practices provide safeguards to protect data that malicious actors can exploit. The adoption of CMMC controlled unclassified information practices has significantly mitigated risks to national security.
Last Updated: 25th July, 2022