The Basics of CUI: Everything You Need To Know

April 12, 2023

An estimated 50 million documents are classified by the U.S. government each year. 

But what’s in these classified documents that makes them so important in the first place?

These documents typically contain information that’s top secret and needs to be classified as a matter of national security. However, there are plenty of other documents that the government needs to safeguard—even if they aren't top secret.

Cases where documents contain sensitive but unclassified information require a different measure for controlling who can access the documents. 

This is where CUI comes into play. 

To help you understand CUI and its impact on your organization's regulatory compliance, we'll go through everything you need to know about CUI and why it's essential for compliance.

What is CUI?

CUI stands for "controlled unclassified information" and is a category of information controlled by the U.S. government that is sensitive but not classified. 

For example, personally identifiable information (PII) collected by the government would be considered CUI. Documents containing PII are not necessarily classified if their information doesn't impact national security—but they're still sensitive and need to be protected. 

For example, a local taxpayer list that includes names and addresses is not a threat to national security, so it wouldn’t be classified. But because it contains PII, it would likely be considered CUI.

To establish a streamlined method for sharing and safeguarding such information, President Obama created the CUI program in 2010 by signing Executive Order 13556. This program standardized the way the federal government handles sensitive unclassified information and established dissemination controls regarding how controlled unclassified information is shared.

Unclassified vs. classified information

Classified information is any information that would constitute a national security risk if it was released to the public. This includes, but isn't limited to, documents containing the following types of information: 

  • Military plans, operations, or weapons systems 
  • Covert intelligence activities
  • Developing, producing, or using weapons of mass destruction 

Most unclassified documents, meanwhile, are made available to the public via the National Archives and Records Administration. However, beyond classified and unclassified there is a third category of information: CUI. This category of information is not classified but is still considered sensitive, and the CUI program dictates how this information should be stored and shared.

Examples of CUI

There are a lot of examples of federal information commonly categorized as CUI. According to the EPA, this includes information like:

  • Personally Identifiable Information (PII)
  • Sensitive Personally Identifiable Information (SPII)
  • Proprietary Business Information (PBI) or Confidential Business Information (CBI)
  • Unclassified Controlled Technical Information (UCTI)
  • Sensitive but Unclassified (SBU)
  • For Official Use Only (FOUO)
  • Law Enforcement Sensitive (LES)

CUI markings

Any document deemed CUI will be marked with the acronym "CUI" on the header and footer of each of its pages. CUI documents will also contain a cover letter that includes:

  • Line 1: The name of the DoD Component (not required if identified in the letterhead)
  • Line 2: Identification of the office creating the document
  • Line 3: Identification of the categories contained in the document
  • Line 4: Applicable distribution statement or limited dissemination control (LDC)
  • Line 5: Name and phone number or email of POC

Why protecting CUI is important

Unlike classified information (which can be viewed only by select government officials), CUI can be shared with private organizations and individuals—as long as you follow the proper protocols. 

For example, the government may wish to share documents containing PII with a university that plans to use them for research. In this instance, CUI policy dictates that the documents be disseminated in a way that keeps the sensitive information they contain confidential, with controls in place for who can access it.

If your organization receives and uses CUI from the federal government, you must properly protect it. CUI is deemed sensitive for a reason, and if it falls into the wrong hands, it could spell bad news for your organization—even if it doesn't constitute an issue of national security. 

You can run into regulatory and compliance issues if you don't handle CUI properly. Unauthorized disclosure of CUI can lead to administrative, civil, or criminal sanctions brought against your organization.

Understanding the two subsets of CUI

CUI has two subsets: CUI Basic and CUI Specified. The difference between these two CUI categories is in how the data is handled. 

CUI Basic

CUI Basic is a subcategory of CUI where authorizing law, regulation, or Government-wide policy does not apply specific handling or dissemination controls. Organizations handling CUI Basic information are simply required to abide by the uniform set of controls established in the CUI Registry.

CUI Specified

CUI Specified is a subcategory of CUI where authorizing law, regulation, or Government-wide policy does establish specific handling or dissemination controls. These controls are often more stringent than those outlined by CUI Basic, but they can also differ in other ways. 

The key distinction between CUI Basic and CUI Specified is that the underlying authority dictates the controls for CUI Specified information. In contrast, the controls for CUI Basic information are set and pre-determined.

How organizations can secure CUI

On July 17, 2021, the U.S. Department of Defense (DoD) announced the release of the Cybersecurity Maturity Model Certification (CMMC) 2.0. 

This framework was designed to help DoD contractors establish the cybersecurity practices and procedures needed for protecting CUI and Federal Contract Information (FCI). Following its guidelines is the most effective way for organizations to secure the CUI they handle.

CMMC 2.0 has three certification levels, with CMMC assessment requirements varying based on the level of certification required. 

Level 1: Foundational

This level of CMMC certification requires organizations to establish basic cybersecurity controls. However, organizations are free to choose and implement these controls as needed and aren't required to document them as part of their certification. 

CMMC level 1 certification can be achieved via an annual self-assessment and only applies to organizations handling FCI. Organizations handling CUI will need to achieve level 2 or level 3 certification.

Level 2: Advanced

Level 2 CMMC certification requires organizations to implement more advanced cybersecurity practices and to document those practices. Depending on whether the CUI data the organization is handling is deemed critical or non-critical to national security, organizations can achieve level 2 certification via a third-party assessment every three years or an annual self-assessment. Any organization that handles CUI must meet level 2 compliance.

Level 3: Expert

This is the highest level of CMMC certification and requires organizations to reduce their vulnerability to advanced persistent threats (APTs) via advanced cybersecurity practices specifically designed to protect CUI. 

Along with CUI-specific security requirements, CMMC level 3 certification also requires organizations to comply with security requirements such as those specified by NIST 800-171, DFARS clause 252.204-7012, and other security frameworks.

CMMC level 3 certification is only required for organizations that handle CUI for high-priority DoD programs.

Best practices for protecting CUI

Following the practices and standards specified by CMMC 2.0 is the best way for organizations to protect CUI. However, there are other best practices you can also employ to streamline the process of achieving CMMC 2.0 certification and protecting CUI.

1. Develop and implement a CUI security policy: Your organization should have a comprehensive policy in place detailing how CUI should be stored, secured, and shared. This policy can be based on the level of CMMC 2.0 compliance that you are trying to achieve but can also include any additional safeguards you deem necessary.

2. Train employees: Improper employee practices constitute one of the biggest sources of cybersecurity risk that organizations face, which holds true when it comes to securing CUI. Thoroughly training your employees and ensuring they understand and follow your organization's CUI security policy will help eliminate preventable mistakes that could otherwise put your data at risk.

3. Limit access: Access to CUI should be limited to only authorized users within your organization and should be protected from unauthorized access via strong access controls.

4. Use encryption: Encryption is the process of encoding information from plaintext into ciphertext so that it cannot be deciphered without the right encryption key. By encrypting the CUI your organization handles, you can keep it confidential and secure even in the event of unauthorized access.

5. Implement security controls: Along with encryption and access controls, there is a wide range of other security controls you can implement to secure CUI. This includes controls that are specified based on the level of CMMC 2.0 compliance you are trying to attain.

6. Conduct regular security assessments: Regular security assessments will ensure that all the controls you put in place for protecting CUI are functioning properly. In addition to conducting self-assessments, you should also conduct security assessments of any third-party vendors that your organization shares CUI with.

Maintain a high standard of compliance with HyperComply

Protecting CUI is a key priority, but it's yet another information security hurdle for your organization to overcome. If you want to maintain a high standard of compliance regarding CUI data handling (or any other information security requirements), it's critical to actively manage your third-party risk.

With HyperComply, organizations can automatically send out comprehensive security assessments to third-party vendors to verify compliance, and share their own security posture in security questionnaires or a public Trust Page. To see how HyperComply streamlines and optimizes third-party security assessments, get a HyperComply demo today.