What is Controlled Unclassified Information (CUI): A Primer
Introduction
I work with manufacturers who support the Defense Industrial Base (DIB). Essentially, the manufacturers that I work with provide parts and materials to either (a) the Primes (larger manufacturers) that provide items to the Department of Defense (DoD) or (b) directly provide parts and materials directly to the DoD. All the work that the manufacturers that I work with is completed through the specifications in a government contract. In general, some of the specifications for parts/materials, etc. are typically provided by sharing what is termed as Controlled Unclassified Information or CUI.
CUI is not classified information, but it is ‘sensitive’ information that requires a certain amount of protection when the manufacturer receives CUI from either the prime or from the DoD directly. Quite frankly, there is often a lot of confusion about what CUI is and how to properly store and transmit it. This article presents a primer to what CUI is and some of the measures that should be taken by a manufacturer to protect and transmit CUI.
As a preamble, please note that this is not a comprehensive look at CUI. It is a primer or a starter for those who may not be too familiar with what CUI is. We’ll look at several aspects of CUI in this article to ‘get the conversation started.’ After this article, the manufacturer should consider contacting their contracting officer about what is ‘marked’ as CUI, best practices of protecting CUI, and other limitations of CUI that the particular contract may have pertaining to CUI. Further, I’ve provided in the references section below a few links to some additional information and training about CUI that may be useful for a further exploration of CUI in the manufacturing environment.
A general understanding of what Controlled Unclassified Information (CUI)
CUI is Information that should be controlled and stored in a consistent manner with federal requirements and guidance from the National Institute for Standards and Technology (NIST). In particular, many manufacturers fall under the DFARS (Defense Federal Acquisition Regulation) which is the principal set of rules regarding Government procurement in the United States, and is codified at Chapter 1 of Title 48 of the Code of Federal Regulations (48 CFR 1). The manufacturer will use the National Institute of Science and Technology (NIST) Special Publication 800–171r2 to address the NIST listed 110 controls to comply with the DFARS regulations. I’ve provided a link to the NIST SP 800–171r2 in the reference section below for further information about the DFARS compliance.
CUI information is noted as “Sensitive” information, such as CUI, does not include information the public domain, meaning that CUI should not be publicly shared nor distributed in any form. Again, CUI is not classified information. Classified information follows a more stringent set of security and compliance requirements than does CUI. However, the storage and transmission of CUI must be secure!
As a formal definition, 32 CFR Section 2002.4(h) notes that CUI is information that the government creates or possesses — or that an entity creates or possesses on behalf of the government — that law, regulation or governmentwide policy requires or permits an agency to handle using safeguarding or dissemination controls. Again, for manufacturing and the supply chain, CUI is often defined/described in the contract or by the contracting officer.
CUI and Operational Security (OPSEC)
In general, OPSEC is a process that identifies and mitigates adversarial risk to the organizational operations by reviewing the origination’s operations through the eyes of adversaries. By using the OPSEC methodology applied to the organization’s information systems and network, we can better identify critical information, analyze threats and vulnerabilities, analyze and asses adversarial risk, and implement good cybersecurity measures that reduce the risk of bad actors.
CUI Categories
CUI is Government created or owned UNCLASSIFIED information that must be safeguarded from unauthorized disclosure. CUI is an overarching term representing many difference categories, each authorized by one or more law, regulation, or Government-wide policy, like DFARS, as noted earlier in this article. Information requiring specific security measures for CUI is indexed under one system across the Federal Government.
The establishment of CUI was a watershed moment in the DoD’s information security program, which acknowledged that certain types of UNCLASSIFIED information are extremely sensitive, valuable to the US, sought after by strategic competitors and adversaries, and, by contract, often have legal safeguarding requirements.
Controlled Technical Information
Controlled Technical Information (CTI) is technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet that criterion, if disseminated, for distribution statements which express the following order:
· Authorized Audience
· Reason for Control
· Date of Determination
· Controlling Office
Export Controlled CUI: Export Controlled Research (EXPT)
Many manufacturers and suppliers are under export controls, due to the sensitivity of information that they manage and use. Unclassified information concerning certain items, commodities, technology, software, or other information whose export are expected to adversely affect the United States national security and nonproliferation objectives, should that data be released to our nation’s adversaries. Export-controlled information includes dual use items; items identified in export administration regulations, international traffic in arms regulations, and the munitions list; license applications; and sensitive nuclear technology information. This category relates to the systematic investigation into and study of materials and sources to establish facts and reach new conclusions.
Proprietary Business Information CUI: General Proprietary Business Information (PROPIN)
Material and information associated with a company’s products, business, or activities, including financial information, trade secrets, product research and development, product designs, and performance specifications.
Freedom of Information Act (FOIA) Exempt Information
The Freedom of Information Act (FOIA), 5 U.S.C. § 552, is a federal law that defines agency records subject to public disclosure, outlines mandatory disclosure procedures, and defines nine exemptions that prohibit certain types of information from being released to the public.
In addition to the FOIA, the Code of Federal Regulations (October 2016), 45 CFR § 5.31 specifies the type of information that falls under each of the nine exemptions that preclude release of information to the public under the FOIA.
CUI is exempt from release based on the FOIA exemptions. The Freedom of Information Act (FOIA), 5 U.S.C. § 552, is a federal law that describes which agency records are subject to public disclosure and outlines mandatory disclosure procedures that agencies must follow. Also, FOIA lists nine exemptions that prohibit certain types of information from being released to the public. In accordance with 5 U.S.C. § 552(a)(8), DoD will appropriately and legally withhold records or information exempt from disclosure that can cause harm to an “interest”. CUI data falls under these protections as trade secrets or commercial or financial information that is confidential or privileged and sensitive data that may cause harm to the nation at large.
General CUI Protection
The organization (manufacturer or supplier) that works with CUI data which is received via a contract solicitation or request, is obligated to protect the CUI from disclosure to an unauthorized person or group. The organization (manufacturer or supplier) that works with CUI data which is received via a contract solicitation or request, is obligated to protect the CUI from disclosure to an unauthorized person or group.
A summary of Best Practices for CUI
The following suggestions represent a brief list of best practice items that a company/manufacturer should address when dealing with CUI. These items are especially important when addressing the DFARS cybersecurity compliance as embodied by the NIST SP 800–171r2 set of 110 controls.
- Layered Network Architecture
- Use of Multi-factor Authentication (MFA)
- Use of Role Based Access Control (RBAC)
- And other measures
- Apply a cybersecurity framework to the organization.
Conclusion
This article represented a primer on what CUI is. CUI, however, can be quite complex and needs to be well understood by the manufacturer or supplier to the Defense Industrial Base. Additional training links are provided in the references section below. Please feel free to contact me with any questions about this article.
References
- DoD Mandatory CUI Training: https://www.dodcui.mil/Home/Training/
- Department of Defense Instruction — Distribution Statements on Technical Documents: https://www.esd.whs.mil/Portals/54/Documents/DD/issuances/dodi/523024p.pdf
- Controlled Unclassified Information Guide: file:///Users/rmac/Downloads/HR001122S0050_Attachment_3_General_MTO_Controlled_Unclassified_Information_Guide__CUIG_.pdf
- NIST SP 800–171r2: https://csrc.nist.gov/publications/detail/sp/800-171/rev-2/final
About the Author
Ron McFarland, PhD, CISSP is a Senior Cybersecurity Consultant at CMTC (California Manufacturing Technology Consulting) in Torrance, CA. He received his doctorate from NSU’s School of Engineering and Computer Science, MSc in Computer Science from Arizona State University, and a Post-Doc graduate research program in Cyber Security Technologies from the University of Maryland. He taught Cisco CCNA (Cisco Certified Network Associate), CCNP (Cisco Certified Network Professional), CCDA (Design), CCNA-Security and other Cisco courses and was honored with the Cisco Academy Instructor (CAI) Excellence Award in 2010, 2011, and 2012 for excellence in teaching. He also holds multiple security certifications including the prestigious Certified Information Systems Security Professional (CISSP) certification and several Cisco certifications.
CONTACT Dr. Ron McFarland, PhD, MSc, CDNA, CISSP
CMTC Email: rmcfarland@cmtc.com
Email: highervista@gmail.com
LinkedIn: https://www.linkedin.com/in/highervista/
Website: https://www.highervista.com
YouTube Channel: https://www.youtube.com/channel/UCJ57_1OgZ5H1nMVdGElcvrw