Ron McFarland PhD
Aug 19, 2022


Controlled Unclassified Information (CUI): An Introduction and Overview

Controlled Unclassified Information (CUI)

Manufacturers and suppliers to the Department of Defense (DoD) and the wider US Government receive specially marked data from the government, usually in support of a contract the organization has entered into. As a condition of that contract, the organization must secure, store, and report on Controlled Unclassified Information (CUI); how well it does so is a measure of its cybersecurity posture and of its risk management of the data it receives from the government. CUI that a company receives, or generates itself while performing a government contract, must be controlled and stored in a consistent manner that adheres to federal requirements. Those requirements are embodied in various NIST (National Institute of Standards and Technology) publications that guide companies toward the cybersecurity posture they need when working with government contracts.

CUI is sensitive information that should not be released into the public domain, but it is not classified information; classified information requires more stringent safeguards. CUI nonetheless demands a significant amount of cybersecurity risk management and control. In summary, CUI must be controlled and stored consistently with federal requirements and with guidance from the National Institute of Standards and Technology (NIST), and the organization must secure it both at rest (storage) and in transit (transmission) to meet its regulatory and contractual obligations.


Federal Regulations

When we work with CUI, we are working with the US Government and must adhere to the federal regulations that apply to our contract. The Code of Federal Regulations, at 32 CFR 2002.4(h), defines CUI as information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. For manufacturers and their supply chain, the CUI involved is usually identified in the contract itself or by the contracting officer.

Good Faith and CUI

As manufacturers and suppliers, we sometimes receive data that the contract marks as CUI. Authorized holders of CUI may conclude, on reviewing what they received, that a CUI designation is improper or incorrect. If so, the organization should notify its contracting officer of the possible improper or incorrect designation. Until the contracting officer resolves the challenge (and this applies to challenges involving both marked and unmarked CUI), the information must be protected, safeguarded, and disseminated at the control level indicated by the markings supplied by the contracting agency or, where it is unmarked, at the level of its presumed CUI category.


OPSec and CUI

Within the organization, CUI is handled under the premise of OPSEC (Operations Security). OPSEC is a process that identifies and mitigates adversarial risk to an organization's operations by reviewing those operations through the eyes of an adversary. Applying the OPSEC methodology to the organization's information systems and networks helps us identify critical information, analyze threats and vulnerabilities, assess the resulting adversarial risk, and implement cybersecurity measures that reduce the opportunity for bad actors. In practice, OPSEC and the protection of CUI go together.

CUI Categories

In general, the three CUI categories that DoD manufacturers and suppliers encounter most often are (a) Defense CUI, (b) Export Controlled CUI, and (c) Proprietary Business Information CUI. When an organization works with CUI, the category and the specific CUI items are typically (but not always) identified by the contract or the contract administrator.

Defense CUI

Defense CUI is referred to as Controlled Technical Information (CTI): technical information with a military or space application that is subject to controls on its access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information is managed according to (1) its authorized audience (who may access the CUI), (2) the reason for control (the 'need to know' that justifies restricting it), (3) the date of determination (when the control decision was made), and/or (4) the controlling office. These access specifications are typically set by the DoD and the contracting officer.

Export Controlled CUI

Export Controlled Information, marked EXPT in the CUI Registry (the related Export Controlled Research category is marked EXPTR), is information subject to additional dissemination restrictions. Many manufacturers and suppliers are under export controls because of the sensitivity of the information they manage and use. The category covers unclassified information about items, commodities, technology, software, or other information whose export could adversely affect United States national security and nonproliferation objectives if released to the nation's adversaries. Export-controlled information includes dual-use items; items identified in the Export Administration Regulations (EAR), the International Traffic in Arms Regulations (ITAR), and the United States Munitions List; license applications; and sensitive nuclear technology information. The Export Controlled Research category covers the same kind of information where it arises from research, that is, the systematic investigation into and study of materials and sources to establish facts and reach new conclusions.

Proprietary Business Information CUI

Proprietary Business Information CUI is also noted as General Proprietary Business Information (marked PROPIN in the CUI Registry). It is material and information associated with a company's products, business, or activities, including financial information, trade secrets, product research and development, product designs, and performance specifications.

The Freedom of Information Act (FOIA) Exempt Information

The Freedom of Information Act (FOIA), 5 U.S.C. § 552, is a federal law that defines which agency records are subject to public disclosure and the mandatory procedures agencies must follow when disclosing them. FOIA also lists nine exemptions under which certain types of information may be withheld from the public. Under the foreseeable-harm standard in 5 U.S.C. § 552(a)(8), DoD withholds records or information only where disclosure would harm an interest protected by one of those exemptions. CUI is commonly withheld under Exemption 4, which covers trade secrets and commercial or financial information that is privileged or confidential, or under other exemptions where release could harm national security. A CUI marking does not by itself make a record exempt from FOIA; the agency must still identify the specific exemption that applies.

CUI Protection and Breaches

An organization (manufacturer or supplier) that works with CUI received through a contract, solicitation, or request is obligated to protect that CUI from disclosure to any unauthorized person or group. Many organizations manage their CUI by using NIST Special Publication (SP) 800-171r2 as the basis of their cybersecurity compliance and risk management. Further, a DoD contractor that handles CUI is required under DFARS 252.204-7012 to report cyber incidents affecting that CUI to DoD within 72 hours of discovery, through the DIBNet reporting portal operated for the Defense Industrial Base (DIB).

Best Practices

While CUI falls under regulations specific to DoD suppliers and manufacturers, the cybersecurity measures and risk management adopted for CUI should be applied more broadly across the entire organization. These should include (a) a layered network architecture that separates the systems holding CUI from general-purpose systems, (b) Role-Based Access Control (RBAC) or a similar identity and access management (IAM) process, (c) Multifactor Authentication (MFA) for access to the secure data stores that hold CUI, and the other specific controls identified in NIST Special Publication (SP) 800-171r2.

Summary

This article only scratches the surface. Organizations that handle government-controlled CUI must first understand what types of CUI they are contractually obligated to secure, what their current cybersecurity posture is, and how best to manage and use CUI in a sufficiently robust manner, not only to comply with the CUI regulations but to secure their organizational information systems soundly and effectively.

For Further Review

While there are many, here are a few essential references to get you started on a deeper understanding of CUI and how it may apply to your organization:

1. DoD Mandatory CUI Training: https://www.dodcui.mil/Home/Training/

2. DoD Instruction 5230.24, Distribution Statements on Technical Documents: https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/523024p.pdf

3. Controlled Unclassified Information Guide (CUIG): HR001122S0050_Attachment_3_General_MTO_Controlled_Unclassified_Information_Guide__CUIG_.pdf

4. NIST SP 800-171r2: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final

Video Presentation on YouTube is located here:
https://youtu.be/hNgJl_qj_hw

About the Author

Ron McFarland, PhD, CISSP is a Senior Cybersecurity Consultant at CMTC (California Manufacturing Technology Consulting) in Torrance, CA. He received his doctorate from NSU’s School of Engineering and Computer Science, MSc in Computer Science from Arizona State University, and a Post-Doc graduate research program in Cyber Security Technologies from the University of Maryland. He taught Cisco CCNA (Cisco Certified Network Associate), CCNP (Cisco Certified Network Professional), CCDA (Design), CCNA-Security and other Cisco courses and was honored with the Cisco Academy Instructor (CAI) Excellence Award in 2010, 2011, and 2012 for excellence in teaching. He also holds multiple security certifications including the prestigious Certified Information Systems Security Professional (CISSP) certification and several Cisco certifications.

CONTACT Dr. Ron McFarland, MSc, PhD, CDNA, CISSP

CMTC Email: rmcfarland@cmtc.com
Email: highervista@gmail.com
LinkedIn: https://www.linkedin.com/in/highervista/
Website: https://www.highervista.com
YouTube Channel: https://www.youtube.com/channel/UCJ57_1OgZ5H1nMVdGElcvrw

Written by Ron McFarland PhD

Cybersecurity Consultant, Educator, State-Certified Digital Forensics and Expert Witness (California, Arizona, New Mexico)