“Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.” In plain terms, controlled unclassified information is data that must be specifically protected within an information system. It can be found in government contracts or provided to a contractor by the Department of Defense, and it can be passed on to any vendors that these contractors are working with. There are many regulations in place that specify how each of the CUI Specified information types must be controlled.
CUI is a broad category of information and includes many different types of sensitive information.
Examples of CUI would include:
- any personally identifiable information such as legal material or health documents
- technical drawings and blueprints
- intellectual property
- many other types of data.
The purpose of the rule is to make sure that all organizations handle the information in a uniform way. Documents that are labeled “Proprietary” or “Official Use Only” should be labeled “CUI.” NIST SP 800-171 focuses on standardizing the way that things are done.
Classified information, on the other hand, is much more serious and can also be identified as “Top Secret” or “Secret.” Classified information is considered sensitive information that has to be protected as outlined under NIST SP 800-53, no matter what. This type of information is only to be handled by professionals with specific security clearances, and if this information is mishandled, there will be criminal charges imposed.
How Do I Know If I Have CUI?
If your organization holds a Department of Defense contract, does work for the Department of Defense, or is a vendor/supplier to a DoD contractor or supplier, then you likely maintain, process or store CUI. It is important that your organization understands how to classify and protect this information. If you are unsure whether CUI is present in your organization, please visit the CUI Registry at https://www.archives.gov/cui/registry/category-list to find out what is considered CUI.
Even If You Think You Don’t Have CUI, You Probably Do
The concept of Controlled Unclassified Information (CUI) is so broad that it is very likely that your organization holds something that can be considered CUI. It is extremely important that you identify CUI within your organization and take the proper steps to secure it. If you do not, this could lead to extreme legal consequences, as well as the loss of contracts. Please do your research and find out what is and what isn’t considered CUI before assuming that it does not apply to you. If you need assistance in figuring out whether or not you have it, please contact [email protected] and one of our NIST experts will be happy to help.