As we have seen in previous posts, ITAR data cannot be shared with foreign nationals. But what about Controlled Unclassified Information (CUI), the main object of the Cybersecurity Maturity Model Certification (CMMC)? In today’s post, we discuss everything you need to know about CUI and foreign nationals. Keep reading to learn more.
What Is Controlled Unclassified Information?
Controlled Unclassified Information, or CUI, is information created or owned by the U.S. government that doesn’t warrant classified status but still requires protection.
There are different types of CUI, all of which are listed in the CUI Registry. Some examples include:
- Critical Energy Infrastructure Information
- General Critical Infrastructure Information
- Export Controlled Research
- General Intelligence
- Foreign Intelligence Surveillance Act
- International Agreement Information
- Terrorist Screening
Regardless of the type, all CUI falls within one of two basic subsets: CUI Basic and CUI Specified.
CUI Basic is handled according to the controls set forth in the CUI Registry. CUI Specified, on the other hand, differs from CUI Basic in that the authorizing law, regulation, or Government-wide policy contains specific handling controls in addition to those for CUI Basic.
The Cybersecurity Maturity Model Certification (CMMC) was created with the specific aim of ensuring that defense contractors take the right technical and practical measures to safeguard CUI and Federal Contract Information (FCI).
CUI and Foreign Nationals
So, can you share CUI with foreign nationals? The answer will depend on a variety of factors.
Some CUI is marked as NOFORN, which stands for “No foreign dissemination.” This marking means that the CUI in question “may not be disseminated in any form to foreign governments, foreign nationals, foreign or international organizations, or non-US citizens.”
The Department of Defense allows the following types of non-intelligence information (classified and unclassified) to be marked as NOFORN:
- Naval Nuclear Propulsion Information (NNPI)
- Unclassified Controlled Nuclear Information (UCNI)
- National Disclosure Policy (NDP-1)
- Cover and cover support information
- Unclassified information properly categorized as CUI having a licensing or export control requirement
However, the existence of the NOFORN marking does not by itself give a definitive answer to the question of whether foreign nationals are allowed to access CUI.
A more comprehensive response comes from DoD Instruction 5200.48, according to which “CUI designated information may be disseminated to a foreign recipient in order to conduct official business for the DoD, provided the dissemination has been approved by a disclosure authority in accordance with Paragraph 3.4.c. and the CUI is appropriately marked as releasable to the intended foreign recipient.”
The instruction further states that CUI not controlled as NOFORN may be released or disclosed to non-U.S. citizens employed by the DoD if:
- Access to such information is within the scope of their assigned duties.
- Access to such information would help accomplish a lawful and authorized DoD mission or purpose and would not be detrimental to the interests of the DoD or the U.S. Government.
- There are no contract restrictions prohibiting access to such information.
- Access to such information is in accordance with DoDIs 8500.01 and 5200.02 and export control regulations, as applicable.
Naturally, any CUI that falls within the scope of ITAR cannot be shared with foreign nationals.
In general, remember to always exercise caution when dealing with CUI or ITAR data. If you have questions or need help navigating the CMMC/ITAR compliance landscape, don’t hesitate to contact our experts today.
Need To Achieve CMMC Compliance? We Are Here To Help
Whether it’s CMMC, NIST SP 800-171, DFARS, or ITAR, we help organizations achieve compliance with all applicable cybersecurity regulations at any level so that they can win and maintain Department of Defense (DoD) contracts.
Brea Networks, LLC is a fully Registered Provider Organization (RPO) and is a Microsoft partner with full Microsoft GCC High licensing and migration solutions.
Contact our CMMC Registered Practitioners today.
Brea Networks, LLC / CMMCCompliance.us
451 W. Lambert Rd Suite 214
Brea, CA 92821
Tel: (714) 592-0063