How to Identify Controlled Unclassified Information (CUI) & Where It Lives in Your Organization
If you’ve heard of NIST SP 800-171, or operate within the Department of Defense ecosystem, you’re probably familiar with the term CUI, or Controlled Unclassified Information. Often used interchangeably with Covered Defense Information (CDI), CUI is, technically, “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified.”
Now that that’s out of the way, let’s get down to business.
Commonly Misunderstood
For something that is so important to understand, CUI is not easy to wrap your brain around. The official definition is unclear. The method by which CUI is designated is inconsistent or nonexistent. And the ability to identify actual CUI in a supplier setting is questionable at best.
You, or someone on your team, has probably said, “we don’t have any CUI” or “none of our data is marked as CUI, so it doesn’t apply to our business”.
So how should a company in the DoD ecosystem even go about addressing CUI: how can it be identified and how should it be secured?
On your journey to understand CUI, it’s important to remember two things:
- The term “CUI” first appeared in government documents in 2010. Before that, the information that now falls into this category was not designated as a special type of information. That means the majority of the CUI you handle in the course of daily business predates the CUI designation, which leads to the second point.
- The CUI you are responsible for will likely not be marked CUI. There will be no big flashing sign on information that qualifies as CUI. This does NOT mean you don’t have CUI. When it comes down to it, 85% of companies within the defense supply chain deal with CUI in some form or another, and you probably do, too.
CUI: The Forms It May Take
The most common source of CUI is technical drawings or CAD models, or product documentation created for or on behalf of a defense Prime.
More obscure:
- Data in contracts, listing specific deliverables
- Purchase Orders
- Shipping documents & manifests
- Part numbers, serial numbers
- Custom Software
- CNC programs
- Quality control & inspection data
- Printed circuit board designs
- Personally identifiable information
- Trainings — and the people who take trainings
Whether electronic or printed, you are mandated to protect this information.
Talk to our experts about your next steps, or download our Business Case Template to map your own path toward compliance.