Steps to Identify Controlled Unclassified Information and Protect It

What is Controlled Unclassified Information?

CUI stands for Controlled Unclassified Information: government-related information that must be protected and transmitted using controls consistent with government laws, regulations, and policies. A document bearing CUI markings requires protection of the information it contains.

The CUI Program was established to standardize the way the government and its contracted companies handle information that requires protection and is not classified. The program was introduced with Obama’s Executive Order 13556 in 2010 to create a streamlined process for information sharing and safeguarding of controlled unclassified information.

Before the DoD's concerted effort to standardize information security policy in 2010, CUI was loosely termed "for official use only" (FOUO) or "sensitive but unclassified" (SBU). With no standardized guidelines for CUI, the onus of determining the level of protection needed, and of implementing secure practices to protect this broad category of information, fell on each individual firm. As cybersecurity rose in priority because of its direct impact on national security, ambiguous security standards became a thing of the past. More recently, in response to a dramatic and continuing upward trend in cyber attacks on government agencies and contracted firms, the DoD has regulated the categorization and handling of controlled unclassified information through the mandated CMMC certification.


The Importance of Controlled Unclassified Information

For the DoD, creating an entire information security protocol around CUI indicated clearly to all firms in the defense industrial base (DIB) that unclassified information can be very sensitive and valuable to the country. It has the potential to be pursued by adversaries and needs strong protection.

Aggregated CUI poses a substantial risk to national security because it is not regulated with controls as strict as those for classified information. Because it is easier for foreign powers to access than classified information, malicious actors sometimes choose to breach a system that contains CUI and assemble the individual pieces into a picture that yields information of real value to them.

The main risk for companies that handle CUI is the possibility of security vulnerabilities or breaches that could allow controlled unclassified information to fall into the hands of malicious actors. To counter that possibility, companies need to identify all CUI that they receive, and handle it according to the classification and protection mandated by CUI regulations.  

Unclassified Versus Classified Information

Classified information refers to types of information that could cause serious damage if they were to fall into the hands of adversaries. Classified information controls are designed to protect a wide variety of government-owned information in a wide range of categories including military, weapons systems, intelligence on foreign regimes, domestic intelligence gathering, and valuable scientific or economic research. 

Given the paramount importance of classified information, it is no surprise that CUI takes a back seat in discussions about national security. Nevertheless, the government has regulated CUI policies to protect this sensitive class of information and to ensure it is disseminated according to explicit guidelines that prevent unwanted leaks.

How to Identify CUI Material

You can easily identify CUI based on markings. Physical documents received from a government agency will be marked with the “CUI” acronym at the top and bottom of every page. If you receive CUI in an email, the subject line will spell out “CUI” or “controlled”, and the body of the email will mark the beginning and end of the controlled data.

The second portion of the control marking is the CUI category that covers the information and determines the type of protection it requires; it is separated from "CUI" by two forward slashes, and multiple categories are separated from each other by a single forward slash.

An example combining all of this would be:

CUI//CUI Category B/CUI Category C
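As an added example (not code from the original article), the following Python checks a document against the marking rules described above: it parses a banner line of the form CUI//Category/Category, verifies that every page carries the marking at top and bottom, and flags an email subject that contains "CUI" or "controlled". The category names and the sample pages are constructed for illustration.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class CuiBanner:
    # Category markings that follow "CUI//", in the order they appear.
    categories: tuple


def parse_cui_banner(text: str):
    """Parse a banner such as 'CUI//CUI Category B/CUI Category C'.

    Returns a CuiBanner, or None when the line is not a well-formed marking
    (wrong designator, empty category segment, or a stray '//').
    """
    line = text.strip().rstrip(".")
    if line == "CUI":                 # basic marking with no category
        return CuiBanner(())
    if not line.startswith("CUI//"):  # designator must be upper-case "CUI"
        return None
    cats = [c.strip() for c in line[len("CUI//"):].split("/")]
    if any(not c for c in cats):      # e.g. 'CUI//' or 'CUI//A//B'
        return None
    return CuiBanner(tuple(cats))


def page_is_marked(page: str) -> bool:
    """A printed page must carry a valid CUI marking at top and bottom."""
    lines = [ln for ln in page.splitlines() if ln.strip()]
    if len(lines) < 2:
        return False
    return (parse_cui_banner(lines[0]) is not None
            and parse_cui_banner(lines[-1]) is not None)


def find_unmarked_pages(pages) -> list:
    """Return 1-based numbers of pages missing a top or bottom marking."""
    return [i for i, p in enumerate(pages, 1) if not page_is_marked(p)]


def email_subject_flags_cui(subject: str) -> bool:
    # Whole-word match: a plain substring test would misfire on words
    # such as "circuit", which contains the letters "cui".
    return re.search(r"\b(cui|controlled)\b", subject, re.IGNORECASE) is not None


# Constructed sample: page two lost its footer marking.
SAMPLE_PAGES = [
    "CUI//CUI Category B\nBody text of page one.\nCUI//CUI Category B",
    "CUI//CUI Category B\nPage two is missing the footer marking.",
    "CUI\nPage three, basic marking only.\nCUI",
]
```

Running find_unmarked_pages over a scanned or exported document gives a quick pre-release check that no page has lost its banner.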


Four Methods to Protect CUI

Protecting CUI on Non-Digital Media

The confidentiality of CUI stored on non-digital media is provided by physical security controls. This includes locking the facility or storage area where the media is kept and limiting who may access it. In general, CUI that is printed or otherwise held on non-digital media should remain in a controlled environment where unauthorized people are prevented from accessing or observing it.

Protecting CUI on Digital Media

To protect the confidentiality of CUI on digital media, FIPS-validated cryptography is used along with physical security protections. The Federal Information Processing Standards (FIPS) are U.S. government computer security standards under which cryptographic modules are validated. If you transport CUI on digital media outside of a "controlled environment", you need to encrypt the digital media device. CUI protocols require that a cryptographic mechanism be implemented on digital media unless it is otherwise protected by physical safeguards.

BitLocker can be used to encrypt the Windows hard drives on workstations, servers, and removable storage devices that store CUI. FileVault is a popular encryption tool for Mac workstations. Both of these tools use FIPS-validated encryption.

Protecting CUI in Transit

CUI in transit refers to controlled information that is communicated or moved through computer networks. Sending an email, uploading a file, or typing CUI into an online form are all examples of CUI in transit. S/MIME encryption can be used to protect email data in transit. To protect CUI in digital documents during transit, SFTP can be used instead of FTP. SFTP is inherently secure and fully encrypted, while FTPS adds a layer of external encryption using SSL tunnels or TLS. When filling out online forms or entering data into a web-based database, TLS should be used to encrypt the entered data.

Protecting CUI When Speaking

In the digital age, it’s often overlooked that CUI can also be transmitted with your voice. Only authorized personnel should take part in or overhear discussions involving CUI. Encrypted voice technology and keeping conversations within the confines of a “controlled area” will ensure that CUI remains protected during the discussion of sensitive topics.

CUI and Cybersecurity Maturity Model Certification (CMMC)

Announced in November 2020, the CMMC program mandates new cybersecurity requirements for the broad range of organizations that comprise the defense industrial base (DIB). The CMMC is essentially a verification mechanism to ensure that companies within the DIB implement proven cybersecurity practices to protect CUI. CMMC is based on NIST 800-171, the main distinction being that CMMC is a mandated certification whereas NIST 800-171 relies on voluntary self-attestation.

To contract work with the Department of Defense, or to continue doing business with the DoD, contractors need to be certified by a CMMC Third-Party Assessment Organization for Level 2 and Level 3 by the end of 2025.

Similar to the impetus for Executive Order 13556, initiated by Obama in 2010 to categorize and regulate CUI security, the DoD introduced the CMMC program in response to the sharp increase in cybersecurity attacks over the last few years. The defense department considers these a serious threat to the country's security. SolarWinds, Kaseya, Accenture, and Colonial Pipeline are just some recent examples of attacks that had a serious impact on a national level.

Centraleyes Can Help You Comply with CUI Protocols and CMMC Mandates

The implementation of an enterprise information security program, strong information security controls, and organizational change management practices necessary to implement the CUI program will require an investment of time and effort on the part of a federally contracted organization. Centraleyes is committed to supporting the implementation of the CUI program to ensure a resilient organization, as well as adherence to CMMC requirements.
