Ignyte CMMC Specialist

Apr 17, 6 min read

What is Controlled Unclassified Information (CUI) and Why Should You Care?

Updated: Jun 10

Background Information

Federal agencies routinely generate, use, store, and share information that, while not meeting the threshold for classification as national security or atomic energy information, requires some level of protection from unauthorized access and release.

Historically, each agency developed its own practices for sensitive unclassified information, resulting in a patchwork of systems across the Executive branch in which similar information might be defined and labeled differently, or dissimilar information might share a definition and/or label, depending on the agency that originally created the information.

In May 2009, the Presidential Task Force expanded its recommendation to cover all information falling within the definition of CUI that is in the possession or under the control of the Executive Branch of the Federal Government. Executive Order 13556, Controlled Unclassified Information (the Order), established such a comprehensive Controlled Unclassified Information Program in November 2010.

Today, companies supporting the defense industry are quickly moving to understand how to classify and protect their information. To answer the key question, "Does CUI apply to you?", we will investigate the following areas in this blog article:

  1. What is CUI/CDI/CTI Data?

  2. Why am I required to protect CUI/CDI/CTI as a defense contractor?

  3. Do I have CUI/CDI/CTI data in my IT System?

  4. How do I protect CUI/CDI/CTI data?

What is CUI/CDI/CTI?

These three terms, Controlled Unclassified Information (CUI), Covered Defense Information (CDI), and Controlled Technical Information (CTI), have been mixed together in many discussions and articles, but they are connected.

Think of it like this: a family consisting of a single parent and two children. The single parent is the head of the family, and the two children belong to it.

Here, CUI is the parent, and CDI and CTI are the "children."

These three markings are given to unclassified content that must be protected in a very specific manner both within and outside a government information system. In the past, the government used many different markings to identify this kind of information, but these are now all rolled up into the classification of CUI content.

Controlled Unclassified Information (CUI)

  • CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies, but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

  • More specifically, CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI does not include classified information.

Controlled technical information (CTI)

  • CTI is technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination of that information.

  • The term does not include information that is lawfully publicly available without restrictions. Here, "technical information" means technical data or computer software, as those terms are defined in the clause at DFARS 252.227-7013, Rights in Technical Data-Non-Commercial Items.

  • Examples include research and engineering data, engineering drawings and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.

Covered Defense Information (CDI)

  • CDI means unclassified controlled technical information or other information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and Government-wide policies, and that is either:

  • Marked or otherwise identified in the contract, task order, or delivery order and provided to the contractor by or on behalf of DoD in support of the performance of the contract; or

  • Collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the contract.

The full list of CUI categories can be found in the CUI Registry. Each category is defined as either CUI Basic or CUI Specified.

1. CUI Basic

  • Baseline handling and dissemination controls as identified in the Final Rule issued by NARA (the National Archives and Records Administration) on November 14, 2016.

  • The Federal Information Systems Modernization Act (FISMA) requires that CUI Basic be protected at the FISMA Moderate level; it can be marked as either CUI or Controlled.

2. CUI Specified

  • A subset of CUI where the authorizing law, policy, or regulation puts more restrictive controls on the handling and control of the CUI Specified content.

  • The underlying authority maintains the handling controls on CUI Specified content, and ONLY a designating agency may apply limited dissemination controls to CUI content.

Why am I required to protect CUI/CDI/CTI as a defense contractor?

  1. Threat actors, such as hostile states, individuals, and corporations, are continually attempting to attack and steal information whose loss can drastically damage individuals, organizations, and/or National Security.

  2. In the realms of corporate and state espionage, new and innovative hacking techniques keep appearing, and corporations lose sensitive data because of a lack of data classification and protection.

CUI and CTI data exist across the entire defense industrial base, spread across thousands of companies with widely varied IT infrastructures. Across the defense industrial base, companies house infrastructures that are simply not up to the task of properly managing the CUI/CDI/CTI information that the government has entrusted to them.

Consequently, the CUI and DFARS 7012 programs were established to begin standardizing the security controls across the defense industrial base to better protect our important information in both government and commercial environments.

Failure to protect CUI/CDI/CTI data can result in the rapid loss of a contract and/or costly fines. The DoD is establishing a new Cybersecurity Maturity Model Certification (CMMC), which will score contractors on their protection of CUI. If your company receives a low CMMC level, it will not be able to maintain its existing contracts and/or obtain new bids.

Do I have CUI/CDI/CTI data in my IT System?

Technical Information includes:

What you really need to know is that technical work that is executed for the government, which results in information or data being created or transmitted, is potentially covered by the CTI designation.

Ensure that you have properly identified and classified the data in your information system to provide adequate security controls.

Read the article on: How Much Does CMMC Certification Cost?

How do I protect CUI/CDI/CTI data?

The government provided lane markers as part of the DFARS 7012 rule that stipulate exactly what type of controls must be in place to protect CUI/CDI content in your information system.

You have three (3) options:

1. An on-premises data center (or data centers) that includes all of your internal IT systems.

a. The physical presence of the servers in the facility may provide a false sense of "I know where my data is." The reality of today's cyber environment requires multiple layers of physical and cyber security, with frequent administrative responsibilities to maintain patches and firewalls.

b. Many large enterprises have sufficient staff and training to maintain on-premises networks to serve their government contracts and controlled data; however, the capital expenditure of replacing hardware and the operational expenditure of maintenance should be reviewed with each round of data center updates.

2. A Cloud Service Provider (CSP) like Azure, Office 365, or Amazon Web Services (AWS).

a. Alternatively, CSPs are a great option for businesses of all sizes, because they help the organization offload large portions of physical security, administrative management, and risk to the CSP.

b. CUI/CDI/CTI compliance in a CSP may be a more affordable option, since there is no requirement for a large data center capital investment in servers and physical security.

c. Be aware that businesses using a CSP still have a responsibility to ensure that the environment is certified at a FedRAMP Moderate level, AND that you are protecting the environment with the 110 security controls in NIST SP 800-171. For more details, refer to the NIST SP 800-171 blog post.

3. A Hybrid Solution that uses both on-premises systems and CSP solutions to meet NIST SP 800-171.

With any of these three solutions, you must also ensure that the solution addresses the 110 Security controls in NIST SP 800-171 along with a Systems Security Plan (SSP) and a Program of Actions and Milestones (POAM).

Now that we have discussed what CUI/CDI/CTI are and how they are related, why they must be protected by a defense contractor, how to determine whether your organization has them in its environment, and how to protect CUI data, you can take a look at your own organization to see whether you have CUI and what needs to be done to stay compliant with the Government.