Anyone familiar with the Cybersecurity Maturity Model Certification (CMMC) knows that one of its main goals is to protect Controlled Unclassified Information (CUI). But what is CUI, exactly? In today’s post, we give you the inside scoop.
A Definition of Controlled Unclassified Information (CUI)
The United States government defines Controlled Unclassified Information as “Government-created or owned unclassified information that allows for, or requires, safeguarding and dissemination controls in accordance with laws, regulations, or Government-wide policies.”
In other words, CUI is information that the U.S. government creates or owns (or that a contractor creates or handles on the government’s behalf) which does not warrant classified status but still requires protection under a specific law, regulation, or government-wide policy.
CUI is divided into two subsets, known as CUI Basic and CUI Specified:
- CUI Basic: CUI for which the underlying law, regulation, or policy does not spell out any specific or additional handling requirements, so the baseline CUI safeguarding rules apply. Most CUI is Basic.
- CUI Specified: CUI for which the underlying authority does specify something different or extra (for example, limited distribution, additional access restrictions, or export-control handling). Note that CUI Specified is not a higher level of CUI, just a different one with its own handling rules.
Why Is CUI Important?
CUI is important because, while only a limited number of individuals generate and handle classified national security information, virtually all DoD personnel, and the contractors who support them, produce and handle CUI regardless of their rank or mission area.
Make no mistake: the fact that CUI doesn’t qualify as classified information doesn’t mean that it’s unimportant. On the contrary, competitors and adversaries actively target CUI because they see it as the path of least resistance: classified information lives on tightly controlled systems, whereas CUI often sits on contractor networks with weaker controls, and aggregating many individually unclassified pieces can reveal sensitive capabilities.
For all these reasons, safeguarding Controlled Unclassified Information is a priority.
CUI and Cybersecurity Maturity Model Certification
The Cybersecurity Maturity Model Certification (CMMC) is a three-level cybersecurity framework created by the Department of Defense with the stated goal of protecting CUI as well as Federal Contract Information (FCI).
We have talked about CMMC from different angles in previous posts, so suffice it to say that if you are a defense contractor that handles FCI or CUI, you will need to meet the CMMC level specified in your solicitations if you want to continue being awarded contracts.
For an overview of CMMC level 2, read this post. To understand the difference between CMMC and NIST SP 800-171, go here.
Some Examples of CUI
All the above makes sense in theory. But what are some actual examples of CUI? The National Archives and Records Administration (NARA) CUI Registry organizes CUI categories into 20 organizational index groupings, as follows:
- Critical infrastructure
- Defense
- Export control
- Financial
- Immigration
- Intelligence
- International agreements
- Law enforcement
- Legal
- Natural and cultural resources
- NATO
- Nuclear
- Patent
- Privacy
- Procurement and acquisition
- Proprietary business information
- Provisional
- Statistical
- Tax
- Transportation
As you can see, there are many different types of Controlled Unclassified Information. However, here’s what you need to remember if you are a defense contractor: when created specifically for the DoD, CUI includes information and material related to or associated with any of the following:
- A company’s products, business, or activities (including but not limited to financial information)
- Data or statements
- Trade secrets
- Product research and development
- Existing and future product designs and performance specifications
- Marketing plans or techniques
- Schematics
- Client lists
- Computer programs
- Processes
Some concrete examples of CUI you may come across as a defense contractor include, among others:
- Documents revealing or containing technical data controlled under the EAR or ITAR
- Contractor bid or proposal information and other source selection information
- Technical data marked as proprietary by a contractor
- Controlled technical information (CTI) delivered under a DoD contract
Protecting CUI With Microsoft
Many defense contractors turn to Microsoft cloud products to protect CUI. It makes sense: After all, almost everyone is familiar with Microsoft software, and Microsoft is committed to supporting DoD compliance requirements across all its relevant products and environments.
Microsoft has four Microsoft 365 cloud environments: Microsoft 365 Commercial, Microsoft 365 US Government (GCC), Microsoft 365 Government (GCC High), and Microsoft 365 Government (DoD).
Of these, Microsoft 365 Commercial isn’t built for CUI, while Microsoft 365 Government (DoD) is reserved for the Department of Defense itself.
That leaves Microsoft 365 US Government (GCC) and Microsoft 365 Government (GCC High). GCC can support CUI Basic, but it isn’t suitable for CUI Specified or export-controlled (ITAR/EAR) data, because it does not guarantee U.S. data residency and U.S.-person-only support staff.
That’s why Microsoft’s official recommendation is to use GCC High if you need to protect CUI in alignment with CMMC Levels 2 and 3, particularly where DFARS 252.204-7012 or ITAR obligations apply.
To learn more about GCC High, from a basic definition to a step-by-step description of the eligibility process, head over to our GCC High Buyers Guide.
Need To Achieve CMMC Compliance? We Are Here To Help
Brea Networks, LLC is a fully Registered Provider Organization (RPO) and a Microsoft partner with full Microsoft GCC High licensing and migration solutions.
Whether it’s CMMC, NIST 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
We offer unlimited compliance support: Choosing us means enjoying continued guidance throughout your CMMC journey, not only during the first phases of implementation.
Contact our CMMC Registered Practitioners today.
Brea Networks, LLC / CMMCCompliance.us
451 W. Lambert Rd Suite 214
Brea, CA 92821
Tel: (714) 592-0063
Photo source: https://www.army.mil/photos
Disclaimer: “The appearance of U.S. Department of Defense (DoD) visual information does not imply or constitute DoD endorsement.”