With the new Cybersecurity Maturity Model Certification (CMMC) coming right around the corner, understanding whether or not you work with Controlled Unclassified Information (CUI) is critical to determining which level of CMMC you must comply with. Not meeting this standard can render you ineligible to bid on or be awarded contracts from the Department of Defense (DoD) and could cripple your business if those contracts make up a significant piece of your annual revenue. CUI is a term that might sound technical and niche, but it plays a crucial role in the way information is managed and safeguarded within the United States Government. If you’re handling information that is sensitive but not classified, it’s important to determine whether it falls under the category of CUI. Here’s a comprehensive guide to help you understand whether you’re dealing with CUI and what to do if you are.

Understanding CUI

CUI is unclassified information that requires safeguarding or dissemination controls according to laws, regulations, or government-wide policies. The purpose of CUI is to protect information that, while not classified, still requires some level of control to prevent unauthorized access or distribution. This includes information that could potentially harm national security or other critical interests if disclosed.

Key Characteristics of CUI

  1. Unclassified but Controlled: CUI is not classified information. However, it still requires control to prevent unauthorized access.
  2. Government-Created or Possessed: This information is created or owned by the U.S. Government.
  3. Requires Safeguarding: It necessitates safeguarding or dissemination controls limiting its distribution to those with a lawful government purpose.

Identifying CUI

To determine if the information you have is CUI, consider the following steps:

  1. Check for Markings: CUI is typically marked to indicate that it requires special handling. Look for labels or markings on documents that state “CUI” or “Controlled Unclassified Information.”
  2. Understand the Categories: CUI covers various categories, such as Privacy Act information, attorney-client privileged information, and controlled technical information. Familiarize yourself with the specific categories of CUI by visiting the DoD CUI Registry.
  3. Lawful Government Purpose: Determine if the information serves a lawful government purpose. This includes any activity, mission, function, operation, or endeavor authorized by the U.S. Government or recognized within the scope of its legal authorities.

Who Can Access CUI?

Access to CUI is restricted to individuals with a lawful government purpose. This broad category can include:

  • Members of Congress and their staff
  • State, Local, Tribal, and Territorial Governments
  • Appropriate industrial partners
  • Other Federal Agencies
  • Allies and partner nations
  • Members of academia

Handling CUI

If you determine that you are handling CUI, it’s essential to follow proper procedures to safeguard this information:

  1. Limit Distribution: Ensure that CUI is only shared with individuals or entities with a lawful government purpose.
  2. Prevent Public Release: CUI should not be released to the public without proper review and authorization.
  3. Follow Marking Guidelines: Adhere to the specific marking guidelines to ensure the information is properly labeled and controlled.
  4. Implement CMMC Level 2 Controls: Assess your current posture as it relates to CMMC L2 and ensure that all required controls are in place.

Training and Resources

The Department of Defense (DoD) mandates annual CUI training for its personnel. Over 2.3 million military, civilian, and contractor personnel have been trained to date. Resources and training materials are available at the DoD CUI website.

Final Thoughts

Controlled Unclassified Information is an essential component of safeguarding sensitive government information. By understanding the characteristics, categories, and proper handling procedures of CUI, you can ensure that you are compliant with federal regulations and contribute to the protection of critical information. Always refer to official guidelines and resources to stay updated on best practices for managing CUI. If you are still unsure about whether or not you handle CUI, consider consulting a professional partner such as Kyber Security to help you on your CMMC journey.