What Cyberprofessionals Should Know About CUI

Author: Uday Ali Pabrai, CISSP, CMMC PA, CMMC PI, CMMC RP, HITRUST CCSFP, Security+
Date Published: 23 February 2022

It has been said that data are the new oil, and personally identifiable information (PII), personal data (PD) and protected health information (PHI) are being drilled for in the new data-based economy. Another highly valued data type worth examining is Controlled Unclassified Information (CUI).1 CUI is sensitive information that must be appropriately protected.

CUI is government-created or government-owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and governmentwide policies. It encompasses highly valued unclassified information that, if compromised, gives attackers insight into government-created or government-owned assets, including those of the US Department of Defense (DoD) and other agencies.2 Standardizing the rules around sensitive but unclassified information, and creating the CUI designation to encompass it, was a watershed moment for the DoD information security program. It formally acknowledged that certain types of unclassified information are extremely sensitive, valuable to the United States, sought after by strategic competitors and adversaries, and often subject to legal safeguarding requirements.

About CUI

CUI is an overarching term covering many different categories, each authorized by 1 or more laws, regulations or governmentwide policies. The CUI program brings all unclassified information that requires specific security measures under a single system spanning the US federal government.

Unlike classified national security information, CUI is received, handled, created and disseminated by DoD personnel at all levels of responsibility across all mission areas. Because CUI is subject to fewer controls than classified information, it is the path of least resistance for adversaries seeking it.

Cybersecurity and compliance professionals must understand the risk to CUI to better assist organizations in securing this valued asset. According to the US Defense Counterintelligence and Security Agency (DCSA), the loss of aggregated CUI represents “one of the most significant risks to national security,” directly affecting the lethality of military service members.3

It is important to note that CUI is not classified information, nor does it encompass everything that is not classified. It is not corporate intellectual property unless created for or included in requirements related to a US government contract.

Categories of CUI

CUI is a designation for unclassified information within the US federal government that requires safeguarding; it replaces the following legacy markings:

  • For Official Use Only (FOUO)
  • Sensitive But Unclassified (SBU)
  • Law Enforcement Sensitive (LES)

CUI includes but is not limited to the following information categories:

  • Privacy
  • Tax
  • Law enforcement
  • Critical infrastructure
  • Export control
  • Financial
  • Intelligence
  • Privilege
  • Unclassified nuclear information
  • Procurement/acquisition information

CUI provides a uniform categorization system that standardizes categories across agencies throughout the US federal government. Understanding CUI and its categories helps cybersecurity professionals treat different types of sensitive information consistently. The CUI categories should be studied and used to enhance the organizational cybersecurity policies and practices that protect sensitive information such as PII or PD.

Using the DoD’s CMMC Framework to Protect CUI

The DoD’s Cybersecurity Maturity Model Certification (CMMC) program sets cyberprotection standards for organizations in the defense industrial base (DIB). The DoD established the CMMC framework to mitigate the risk to CUI and US federal contract information (FCI) by verifying that contractors implement the required safeguards, chiefly those of NIST Special Publication (SP) 800-171 for CUI, giving a single source of direction for all data falling under the CUI umbrella.

By incorporating cybersecurity standards into acquisition programs, the CMMC provides the DoD assurance that contractors and subcontractors understand and can meet the expanding cybersecurity requirements.

Since the DIB is the target of increasingly frequent and complex cyberattacks by adversaries and nonstate actors, dynamically enhancing cybersecurity to safeguard the information that supports and enables military service members is a top priority for the DoD. The CMMC is a key component of the DoD’s expansive DIB cybersecurity effort.

Conclusion

So why are the CMMC and CUI so relevant to cybersecurity professionals and organizations? Enterprises across a range of industries already use US National Institute of Standards and Technology (NIST) standards as key components of their cybersecurity programs. The CMMC framework is built on NIST requirements, principally NIST SP 800-171, and adds certification of their implementation. Organizations should understand the requirements CMMC introduces for CUI and consider how those requirements apply to the other sensitive information they process, such as PD, PII or PHI. Preparing for CMMC certification can also help cyberprofessionals recognize and protect the other valued data types their organizations process, store or transmit.

CUI as a data type is at risk within the DIB because adversaries search for weak links every day. Professionals who understand the risk to CUI and the impact of the CMMC framework help ensure resilience across the global cybersecurity supply chain. Management must endeavor to implement CMMC requirements, especially as they pertain to CUI, to establish cyberresilience across the enterprise.

Endnotes

1 Department of Defense, CUI Program, USA
2 OUSD(I&S) INFOSEC Office, “Controlled Unclassified Information (CUI),” USA
3 Defense Counterintelligence and Security Agency, USA http://www.dcsa.mil

Uday Ali Pabrai, CISSP, CMMC PA, CMMC PI, CMMC RP, HITRUST CCSFP, MSEE, Security+

Is the chief executive of ecfirst, a CMMC Third-Party Assessor Organization (C3PAO) candidate and Licensed Partner Publisher (LPP), Licensed Training Provider (LTP) and Registered Provider Organization (RPO). Pabrai has successfully delivered thousands of cyberdefense solutions globally. His career was launched with the Fermi National Accelerator Laboratory, the US Department of Energy’s nuclear research facility. He has served as vice chairman and in several senior officer positions with NASDAQ-based firms and has been a keynote and featured speaker at cybersecurity conferences worldwide. He is also a member of InfraGard, a partnership between the US Federal Bureau of Investigation (FBI) and members of the private sector. He can be reached at Pabrai@ecfirst.com.