Decoding CUI—a Highly Valued Data Type at Risk

Author: Uday Ali Pabrai, CISSP, CMMC PA, CMMC PI, CMMC RP, HITRUST CCSFP, Security+
Date Published: 25 April 2022

Governments often create or own information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and governmentwide policies. In the United States, this type of information is referred to as Controlled Unclassified Information (CUI). 1, 2 Although the concept of CUI originated in the United States, it is of relevance worldwide due to the global nature of the cyber supply chain.

Cybersecurity and compliance professionals are familiar with personal data (PD) and personally identifiable information (PII), but CUI continues to be a source of confusion. Why should CUI command more of the cybersecurity community’s attention? Because data defined as CUI are extremely sensitive, highly valuable to the United States, and desperately sought after by strategic competitors and adversaries. It should be noted that while such information is extremely valuable to the United States, it often resides in systems and on networks worldwide. The requirements to protect CUI provide best practices for securing additional sensitive or confidential information that a global organization may be processing.

To protect this valuable national asset, the US government has assigned legal safeguarding requirements. It is worth examining an overview of CUI and several of the aspects of handling this specific data type.

CUI and the DoD’s CMMC Standard

Since the US Defense Industrial Base (DIB) is the target of increasingly frequent and complex cyberattacks by adversaries and nonstate actors, continually enhancing cybersecurity to safeguard the information that supports and enables military service members is a top priority for the US Department of Defense (DoD).

The DoD’s Cybersecurity Maturity Model Certification (CMMC) program establishes cyberprotection standards for organizations in the DIB. The DoD developed the CMMC framework to mitigate the risk to CUI by providing a single source of direction for all data falling under the CUI umbrella. CMMC is a key component of the DoD’s expansive DIB cybersecurity effort. By incorporating cybersecurity standards into acquisition programs, CMMC provides the DoD assurance that contractors and subcontractors understand and can meet the expanding cybersecurity requirements.

So, why are CMMC and CUI also relevant to cybersecurity professionals and organizations? Enterprises across industries today use US National Institute of Standards and Technology (NIST) standards as key components of their cybersecurity programs. The CMMC framework is built on NIST principles and includes certification. Organizations should understand the requirements introduced by CMMC for CUI and consider its application to the sensitive information they process such as PII, PD or protected health information (PHI). The certification component of CMMC for CUI data is of relevance to cybersecurity professionals to understand and leverage for other valued data types that their organizations process, store or transmit.

When to Share (and Not Share) CUI

CUI is information that is highly valued and is not classified, but, if compromised, would provide attackers with information on assets that are government-created or -owned, introducing risk into critical systems and programs, including those in the US DoD. CUI may be shared when access promotes a common project or operation between agencies or is required under a contract or agreement with the designating agency. Conversely, CUI may not be shared when access does not serve such a project, operation, contract or agreement, or would harm it.

It is important to remember that CUI is not classified information, nor does it encompass everything that is considered confidential. For example, an enterprise’s intellectual property is not considered CUI unless it is created for or included in requirements of a US government contract.

The CUI Registry

The CUI Registry identifies all approved CUI categories and subcategories. It provides general descriptions of each category and subcategory. It further identifies the basis for controls, establishes markings and includes guidance on handling procedures. In other words, the CUI Registry is a catalog of what the US Executive branch of the government should be protecting.

The Organization of CUI

CUI is organized into 20 groups (figure 1).

Figure 1—CUI Organizational Index Groups

  1. Critical infrastructure
  2. Defense
  3. Export control
  4. Financial
  5. Immigration
  6. Intelligence
  7. International agreements
  8. Law enforcement
  9. Legal
  10. Natural and cultural resources
  11. North Atlantic Treaty Organization (NATO)
  12. Nuclear
  13. Patent
  14. Privacy
  15. Procurement and acquisition
  16. Proprietary business information
  17. Provisional
  18. Statistical
  19. Tax
  20. Transportation

Each CUI organizational index grouping includes CUI categories. The CUI program was founded on the prerequisite that only information requiring protection based on a US law, federal regulation or governmentwide policy can qualify as CUI. Each category and subcategory is based on at least 1 (and sometimes many) of such laws, regulations or governmentwide policies (also referred to as authorities) that require a certain type of information to be protected or restricted in dissemination.


There are 2 types of CUI categories and subcategories: CUI Basic and CUI Specified. CUI Basic is, as the name implies, the standard type of CUI. All rules of CUI apply to CUI Basic categories and subcategories, making the handling and marking of CUI Basic the simplest.

CUI Specified is different, since the requirements for how users must treat each type of information vary with each category or subcategory. This is because some authorities have highly specific requirements for how to handle the type of information they pertain to—requirements that simply would not make sense for the rest of the CUI. CUI Specified does not necessarily require additional capabilities or controls, but it is handled differently. And because the qualities that make it different are dictated by US laws, federal regulations and governmentwide policies, they are not factors that can legally be ignored or overlooked. For example, a document containing multiple CUI Specified categories and subcategories must include all of them in the CUI banner marking.

The Purpose of CUI Markings

CUI provides a uniform marking system across the US federal government. It standardizes markings across each government agency. CUI markings alert those in possession of the CUI to the presence of this sensitive data and, when portion markings are used, identify the exact information or portion that needs protection. Markings can alert owners to any CUI dissemination and safeguarding controls.

Marking is mandatory for all documents containing CUI.

Types of CUI Markings

The primary marking for all CUI is the CUI banner marking. This is the main marking that appears at the top of each page of any document that contains CUI. The content of the CUI banner marking must be inclusive of all CUI within the document and must be the same on each page. The banner marking should appear as bold, capitalized, black text and be centered when feasible.

The CUI banner marking may include up to 3 elements:

  1. The CUI Control Marking (mandatory for all CUI) may consist of either the word “CONTROLLED” or the acronym “CUI.”
  2. CUI category or subcategory markings (mandatory for CUI Specified) are separated from the CUI Control Marking by a double forward slash (//). When including multiple categories or subcategories in a banner marking, they must be alphabetized and are separated by a single forward slash (/).
  3. Limited Dissemination Control Markings are preceded by a double forward slash (//) to separate them from the rest of the CUI banner marking.

In summation, a CUI banner marking takes one of three forms: the control marking alone (CUI or CONTROLLED); the control marking followed by category markings (CUI//CATEGORY or CONTROLLED//CATEGORY); or all three elements (CUI//CATEGORY//DISSEMINATION or CONTROLLED//CATEGORY//DISSEMINATION). For example, CUI//SP-TAX represents CUI in the form of federal taxpayer information, the SP- prefix identifying it as a CUI Specified category. 3

When a document contains CUI Specified, all CUI Specified category or subcategory markings must be included in the CUI banner marking. Agency heads may approve the use of CUI Basic category or subcategory markings through agency CUI policy. When such agency policy exists, all CUI Basic category or subcategory markings must be included in the CUI banner marking.
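The banner marking is a small formal grammar, and the rules above (control marking, double-slash separators, alphabetized single-slash category lists, an optional dissemination element, and a banner that is identical on every page and covers every CUI Specified category in the document) are exactly the kind of thing an organization handling CUI ends up checking in a document pipeline. The following validator is an added example written for this article; it is not code from the author, NARA or the DoD. It enforces the structural rules as the article states them. The sets of recognised category and dissemination markings are a constructed sample, not the CUI Registry (SP-TAX is the article's own example); the handling of a category-less banner carrying only dissemination controls (e.g. CUI//NOFORN) is an assumption, since the article's three-element structure does not address that case.

```python
"""Validator for CUI banner markings as described in the text above.

Added example, not code from the article or from NARA/DoD. Structural rules
follow the article; KNOWN_CATEGORIES and KNOWN_DISSEMINATION are a
constructed sample standing in for the CUI Registry.
"""
from dataclasses import dataclass, field

CONTROL_MARKINGS = {"CUI", "CONTROLLED"}

# Constructed sample of category markings. The "SP-" prefix denotes a
# CUI Specified category (SP-TAX is the article's example); the rest are
# treated as CUI Basic. A real implementation loads these from the Registry.
KNOWN_CATEGORIES = {"SP-TAX", "SP-EXPT", "CTI", "PRVCY", "PROPIN", "PROCURE"}

# Constructed sample of Limited Dissemination Control markings.
KNOWN_DISSEMINATION = {"NOFORN", "FED ONLY", "FEDCON", "NOCON"}


@dataclass
class BannerMarking:
    control: str
    categories: list[str] = field(default_factory=list)
    dissemination: list[str] = field(default_factory=list)

    @property
    def specified(self) -> list[str]:
        """Category markings that denote CUI Specified."""
        return [c for c in self.categories if c.startswith("SP-")]

    def render(self) -> str:
        """Rebuild the canonical banner text from the parsed elements."""
        parts = [self.control]
        if self.categories:
            parts.append("/".join(self.categories))
        if self.dissemination:
            parts.append("/".join(self.dissemination))
        return "//".join(parts)


def _tokens(segment: str, element: str) -> list[str]:
    """Split a '/'-separated element, rejecting empty and duplicate markings."""
    tokens = [t.strip() for t in segment.split("/")]
    if any(not t for t in tokens):
        raise ValueError(f"empty {element} marking in {segment!r}")
    if len(set(tokens)) != len(tokens):
        raise ValueError(f"duplicate {element} marking in {segment!r}")
    return tokens


def parse_banner(text: str) -> BannerMarking:
    """Parse and validate a banner such as 'CONTROLLED//CTI/SP-TAX//NOFORN'.

    Raises ValueError with the specific rule that was violated.
    """
    segments = [s.strip() for s in text.strip().split("//")]
    if not 1 <= len(segments) <= 3:
        raise ValueError(f"banner has {len(segments)} elements; at most 3 allowed")
    control = segments[0]
    if control not in CONTROL_MARKINGS:  # also rejects lower-case text
        raise ValueError(f"control marking must be CUI or CONTROLLED, got {control!r}")
    if any(not s for s in segments[1:]):
        raise ValueError("empty element between '//' separators")

    categories: list[str] = []
    dissemination: list[str] = []
    if len(segments) == 2 and all(t in KNOWN_DISSEMINATION for t in _tokens(segments[1], "dissemination")):
        # Assumption: with no category element, dissemination controls may
        # follow the control marking directly (e.g. 'CUI//NOFORN').
        dissemination = _tokens(segments[1], "dissemination")
    elif len(segments) >= 2:
        categories = _tokens(segments[1], "category")
        unknown = [c for c in categories if c not in KNOWN_CATEGORIES]
        if unknown:
            raise ValueError(f"unknown category marking(s): {unknown}")
        if categories != sorted(categories):
            raise ValueError(f"category markings must be alphabetized: {categories}")
        if len(segments) == 3:
            dissemination = _tokens(segments[2], "dissemination")
    unknown_ldc = [d for d in dissemination if d not in KNOWN_DISSEMINATION]
    if unknown_ldc:
        raise ValueError(f"unknown dissemination marking(s): {unknown_ldc}")
    return BannerMarking(control, categories, dissemination)


def validate_document(page_banners: list[str], portion_categories: set[str]) -> list[str]:
    """Check one document's per-page banners against two rules from the text:
    the banner must be identical on every page, and every CUI Specified
    category present in any portion must appear in the banner.
    Returns a list of findings; an empty list means the document is consistent.
    """
    if not page_banners:
        return ["document has no pages"]
    findings: list[str] = []
    if len({b.strip() for b in page_banners}) != 1:
        findings.append("banner marking differs between pages")
    try:
        banner = parse_banner(page_banners[0])
    except ValueError as exc:
        return findings + [f"malformed banner: {exc}"]
    missing = sorted(c for c in portion_categories
                     if c.startswith("SP-") and c not in banner.categories)
    if missing:
        findings.append(f"CUI Specified categories in portions but not in banner: {missing}")
    return findings


if __name__ == "__main__":
    for sample in ["CUI", "CUI//SP-TAX", "CONTROLLED//CTI/SP-TAX//NOFORN", "CUI//NOFORN",
                   "CUI//SP-TAX/CTI", "cui//SP-TAX", "CUI//SP-NOPE", "CUI//CTI//BOGUS"]:
        try:
            print(f"{sample:34} -> {parse_banner(sample).render()}")
        except ValueError as exc:
            print(f"{sample:34} -> REJECTED: {exc}")
    # Constructed three-page document whose banner omits a Specified category
    # that one of its portions carries.
    print(validate_document(["CUI//CTI"] * 3, {"CTI", "SP-TAX"}))
```

Two design points: the parser rejects rather than silently normalizes (a lower-case or reordered banner is a marking defect to be corrected by the designator, not something a pipeline should quietly fix), and the document check is kept separate from the banner grammar so the same parser can be reused for media labels, which the text notes may legitimately omit the category and dissemination elements.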

All documents containing CUI must indicate the designator’s agency. This may be accomplished through the use of letterhead, a signature block with agency or the use of a “Controlled by” line. Every effort should be made to identify a point of contact, branch or division within an organization, and to include contact information.

As an optional best practice, the CUI banner marking may also be placed at the bottom of each page.

The Proper Handling of CUI

CUI must be stored or handled in controlled environments that prevent or detect unauthorized access. Media such as Universal Serial Bus (USB) sticks and hard drives must be marked to alert owners to the presence of CUI stored on the device. Equipment can be marked or labeled to indicate that CUI is stored on the device. Due to space limitations, it may not be possible to include the CUI category, subcategory or Limited Dissemination Control markings.

At a minimum, it is important to mark media with the CUI control marking (“CONTROLLED” or “CUI”) and the designating agency.

When an agency is storing CUI, authorized holders should mark the container to indicate that it contains CUI. Systems that provide access to CUI must display a notice alerting users that such data may be accessible, and access must be limited. Sealed envelopes must be used, and physical access areas are required to have electronic locks. This includes doors, overhead bins, drawers and file cabinets.

When reproducing or faxing CUI, only agency-approved equipment may be used. Organizations must ensure that signs designate which equipment is approved (e.g., those designated with language such as “This printer is approved for CUI.”).

CUI must be destroyed to a degree that makes the information unreadable, indecipherable and irrecoverable.

Conclusion

When one thinks of CUI, one thinks of a data type that must be secured. It is highly valued. It is at risk. CUI applies to a supply chain that is global.

Cybersecurity and compliance professionals have long understood the risk to data types such as PD and PII. The standards associated with securing CUI provide insight to help further improve cybersecurity capabilities across assets that are highly valued.

One can review the requirements for securing CUI by studying key references from the DoD and the US National Archives and Records Administration (NARA). Equally relevant are published standards from NIST such as NIST Special Publication (SP) 800-171 R2 and NIST SP 800-172. CMMC takes the NIST standards further by adding a certification component to securing CUI. Organizations can enhance their current policies and associated capabilities by integrating the requirements of the CMMC standard to elevate their cyber posture. The CMMC maturity levels provide an excellent opportunity to address the advanced persistent threats (APTs) to highly valued information such as CUI.

Endnotes

1 Under Secretary of Defense for Intelligence Information Security Office, “Controlled Unclassified Information (CUI),” USA
2 The US National Archives and Records Administration, “Controlled Unclassified Information (CUI),” USA
3 National Archives, “CUI Category: Federal Taxpayer Information,” USA

Uday Ali Pabrai, CISSP, CMMC PA, CMMC PI, CMMC RP, HITRUST CCSFP, Security+

Is a global cyberdefense thought leader and chief executive of ecfirst, a CMMC Third-Party Assessor Organization (C3PAO) candidate and Licensed Partner Publisher (LPP), Licensed Training Provider (LTP) and Registered Provider Organization (RPO) firm. Pabrai has successfully delivered thousands of cyberdefense solutions globally. His career was launched with the Fermi National Accelerator Laboratory, the US Department of Energy’s nuclear research facility. He has served as vice chairman and in several senior officer positions with NASDAQ-based firms and has been a keynote and featured speaker at cybersecurity conferences worldwide. He is also a member of InfraGard, a partnership between the US Federal Bureau of Investigation (FBI) and members of the private sector. He can be reached at Pabrai@ecfirst.com.