What is Controlled Unclassified Information (CUI) and the CUI Program?
The ever-increasing ability to share information is a double-edged sword. On the one hand, communicating and working more efficiently is much easier, but it also means less control over shared information and more people looking at data. This trend, along with ad-hoc and agency-specific markings, policies, and procedures, led to the need for the U.S. government to develop a standardized classification framework that would protect Controlled Unclassified Information (CUI) without impeding the authorized sharing of it. The federal government's CUI program, implemented in 2010, standardizes the way all U.S. government agencies and military entities handle unclassified information that requires safeguarding. It clarifies and limits what kinds of information to protect, reinforces existing legislation and regulations, and promotes authorized information-sharing.
Before diving into the minutiae of the CUI program and what steps organizations can take to ensure that CUI is properly secured, however, we first need to understand what CUI is. The National Archives and Records Administration (NARA), which oversees the U.S. Government’s CUI Program, defines CUI as “information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies.” Simply put, CUI is data created or possessed by, or on behalf of, the US federal government that is not classified but is either required or permitted to be protected by law, regulation, or policy. This can include, but is not limited to, the following:
- Personally Identifiable Information (PII)
- Sensitive Personally Identifiable Information (SPII)
- Proprietary Business Information (PBI), currently known within the U.S. Environmental Protection Agency (EPA) as Confidential Business Information (CBI)
- Unclassified Controlled Technical Information (UCTI)
- Sensitive but Unclassified (SBU)
- For Official Use Only (FOUO)
- Law Enforcement Sensitive (LES)
Who does the CUI Program apply to?
CUI markings must be implemented not only by federal agencies but also by contractors and subcontractors who may be handling government information. For all contractors and subcontractors of the US Department of Defense, the Department of Defense (DoD) has published prescriptive steps to ensure compliance with the requirements for safeguarding CUI. Through the DoD Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, implementation of the controls identified in the National Institute of Standards and Technology Special Publication 800-171 (NIST SP 800-171), “Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations,” must have been in place as of December 31, 2017.
Other executive branch agencies may also require nonfederal entities, including contractors, to follow NIST SP 800-171 when sharing CUI through contracts, memorandums of understanding, or acquisition rules. NIST SP 800-171 provides a standardized set of requirements for all CUI security needs, tailored to nonfederal systems. The main difference between the CUI Program and NIST SP 800-171 is that the CUI Program established a standardized CUI framework for the military and government only, while NIST SP 800-171 was implemented later, and is specific to contractors and other nonfederal entities.
Find out how we can help you meet compliance needs under NIST SP 800-171.
CUI markings, categories, and policies
The heart of the CUI program was expressed in Executive Order (EO) 13556 calling for “An open and uniform program to manage all unclassified information…” with a key component being that all CUI is labeled with appropriate visual markings that indicate how downstream parties should treat the regulated data. The framework uses markings to alert holders to the presence of CUI and, when portion markings are used, identify the exact information or portion that needs protection. In addition, these markings also alert holders to any CUI dissemination and safeguarding controls that need to be taken.
How CUI markings work
The CUI Marking Handbook, published by NARA, outlines how CUI markings should visually appear in documents and emails. There are currently 125 categories of CUI, and each has its own markings. In addition to the sheer number of markings that organizations must understand and use, NARA has published detailed guidelines on how the markings should be formatted. Banner markings must include CUI markings for every category of information contained in the document, as well as markings that dictate dissemination and release protocols. Markings must also appear in a certain order, and some have corresponding information that must be included as a footer to the document with additional legalese, contact information, and other details. Similar rules exist for emails as well.
CUI categories and subcategories
While markings show what type of information is in the document or email, it’s the CUI categories that determine how the information should be handled and provide instructions regarding dissemination. The use of three CUI categories is recommended, which should be clearly visible in the header and footer of relevant documents:
- CUI Basic: Requires standard safeguarding measures that reduce the risk of unauthorized or inadvertent disclosure. Dissemination is permitted to the extent that it is reasonably believed to further the execution of a lawful or official purpose.
- CUI Specified: Requires safeguarding measures with specific protections, such as markings, enhanced physical safeguards, and limits on who can access the information, that reduce the risk of unauthorized or inadvertent disclosure. The material should contain additional instructions on what dissemination is permitted.
- Requires safeguarding measures more stringent than CUI Basic and CUI Specified, because inadvertent or unauthorized disclosure of the CUI would create a risk of substantial harm. This material will carry additional instructions on what dissemination is permitted.
Consequences for non-compliance
Organizations that do not take steps to comply with the CUI framework risk losing existing contracts or missing out on future opportunities. Failing to adequately protect CUI also has its implications – a data leak that exposes a client or breaches a regulation could lead to reputational damage, monetary fines, additional penalties, lawsuits, and loss of business/earnings. While these markings and policies set uniform standardized controls for the way CUI is handled, the process of implementing these CUI markings across agency data is complex, time-consuming, and sometimes unclear.
In addition, with so many categories and such complex guidelines to keep track of, human error can be an issue. It’s easy for a user to miss sensitive content within a document and fail to label that information correctly. By not marking the Dissemination portion of the document correctly, the document could accidentally be shared with unauthorized parties.
How Data Classification keeps CUI secure
Preconfigured data classification designed specifically for handling CUI streamlines the process for both email and documents, making it easy for users to implement the CUI framework accurately and consistently. When a document is saved, or an email is sent, content is scanned for any sensitive data and the appropriate CUI markings are automatically applied. In addition to the visual markings required by the CUI framework, labels are embedded into the file properties as metadata. This metadata steers the actions of downstream enterprise security and data management solutions, such as DLP and Secure Collaboration, allowing CUI to be accessed or used only in accordance with the rules that correspond to its classification. In order to ensure that CUI is being appropriately handled, organizations must be able to track unlawful, unauthorized, or inappropriate CUI activity. Using monitoring and reporting tools helps you track how CUI is being accessed, used, and classified in your organization. This not only helps with CUI compliance, but can show opportunities where user training may be needed, and awareness of CUI can be improved.
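The scan-on-save, mark, and embed-metadata flow described above, as an added illustration (not Fortra's product code): a small Python classifier that detects two constructed category patterns, builds a banner line in the CUI//categories//dissemination layout used by the NARA marking handbook, embeds a machine-readable label, and lets a downstream DLP-style gate act on that label rather than on the visible text. The detector patterns, the sample messages, and the "CUI stays inside the organisation's domain" policy are constructed for the example.

```python
import re
from dataclasses import dataclass, field

# Constructed subset of CUI categories for this illustration:
# marking -> (detector pattern, is_specified). Not the full NARA registry.
DETECTORS = {
    "PRVCY": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), False),  # SSN-like PII -> CUI Basic
    "CTI":   (re.compile(r"\bDRAWING-\d{4,}\b"), True),      # constructed technical-data id -> CUI Specified
}

@dataclass
class Labeled:
    text: str
    banner: str                                   # visual marking shown in header/footer
    metadata: dict = field(default_factory=dict)  # label embedded in file properties

def banner_for(categories, dissem):
    """Build a banner line in the CUI//<categories>//<dissemination> layout.
    Specified categories get the SP- prefix and are listed before Basic ones,
    alphabetically within each group; an empty category set means no banner."""
    if not categories:
        return ""
    specified = sorted(f"SP-{c}" for c, spec in categories.items() if spec)
    basic = sorted(c for c, spec in categories.items() if not spec)
    line = "CUI//" + "/".join(specified + basic)
    if dissem:
        line += "//" + "/".join(dissem)
    return line

def classify(text, dissem=()):
    """Scan content on save/send, apply the banner, and embed machine-readable metadata."""
    found = {name: spec for name, (pat, spec) in DETECTORS.items() if pat.search(text)}
    banner = banner_for(found, dissem)
    meta = {"cui": bool(found), "categories": sorted(found), "dissem": list(dissem)}
    return Labeled(text=(banner + "\n" + text) if banner else text, banner=banner, metadata=meta)

def may_send(labeled, recipient, internal_domain="agency.example"):
    """Downstream DLP-style gate that keys off the embedded metadata, not the banner text.
    Constructed policy: anything labelled CUI may only go to the internal domain."""
    if not labeled.metadata.get("cui"):
        return True
    return recipient.rsplit("@", 1)[-1].lower() == internal_domain
```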
As the CUI framework continues to change, using monitoring and reporting tools will provide the intelligence needed to evolve the approach in line with changes. Ultimately, it is the responsibility of the CUI holder to honor CUI markings and ensure adequate protection. Implementing a software solution that automatically applies CUI markings ensures that CUI stays within the approved domain and is viewed only by the appropriate audience, while empowering users to engage with and share information confidently for increased collaboration and greater productivity. In today’s digital world of shared information, a preconfigured solution to identify, detect, and respond to CUI within everyday business processes, documents, and emails is critical for any organization that may encounter CUI within their industry.
Why choose Fortra's DCS for CUI Config?
Organizations can position themselves for compliance by taking steps to master the principles of data classification and implement the processes, tools, and training that will enable consistent and accurate labeling as defined in their data governance policy and required by NIST SP 800-171. Through this capability, organizations can readily demonstrate that they have the capacity in place to recognize and manage CUI with appropriate metadata and visual markings as defined in the NARA registry. By adopting the framework, organizations will not only demonstrate their ability to protect regulated data but will also enhance their ability to compete for new opportunities that store, process, or transmit CUI. Fortra's suite of leading data classification products supports compliance with NIST regulations by:
Discover how we make it easy for your agency to accurately and securely apply CUI markings that comply with all regulations to appropriately safeguard sensitive government information.