What is Controlled Unclassified Information? Best Practices for CUI Security

Whether you’re working for the federal government as an employee or a contractor, you’ll likely encounter the term “controlled unclassified information,” or CUI. And, if you’re working toward CMMC compliance, you know that securing CUI data is a critical element of CMMC compliance and NIST SP 800-171 guidelines.   

In this post, we’ll break down what CUI is, provide you with examples of CUI in government, and walk through best practices to protect CUI that needs to move within and outside of your organization. 

What is CUI? 

Controlled Unclassified Information, CUI, refers to sensitive data, created and/or managed by federal government agencies, that is not classified. The CUI framework aims to standardize how this data is protected across the 15 agencies that make up the executive branch of the U.S. government — as well as how that data is accessed by government contractors with access to that information.

The FTC defines CUI as “information that requires safeguarding or dissemination controls according to federal laws, regulations, and government-wide policies, but is not classified information.” 

The CUI framework  exists to give structure and process to how these 15 executive-branch agencies should handle the vast amounts of data that are sensitive, but not at the level of sensitivity to be marked “classified.” CUI and its subcategories were introduced in a 2010 executive order by President Obama with the objective of clarifying the “ad-hoc and agency-specific policies, procedures, and markings” being used to protect sensitive information involving privacy, security, proprietary business interests, and law enforcement investigations. 

This was a big problem, and you can tell by the language used in the EO: “This inefficient, confusing patchwork has resulted in inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing,” the EO reads, adding, “The fact that these agency-specific policies are often hidden from public view has only aggravated these issues. To address these problems, this order establishes a program for managing this information, hereinafter described as Controlled Unclassified Information, that emphasizes the openness and uniformity of Government-wide practice.”

So, clearly there was a lot of friction as a result of this information being shared in ad-hoc ways, likely unsecured, and without any clear protocols in place. 

Here’s why secure handling of CUI matters.

Examples of Controlled Unclassified Information (CUI)

The 15 agencies in the executive branch include the Department of Defense (DoD); the Department of Commerce; Department of Health and Human Services; and the Department of Justice, just to name a few. Even across those four agencies alone, you’re looking at a vast wealth of information that can be considered sensitive — everything from homeland security to healthcare, justice, agriculture, energy, and much more. 

The CUI Registry includes 20 organizational groupings and categories with their respective CUI, including (but not limited to) the following. You'll see how highly sensitive some of this CUI data can be, and why it needs to be properly handled with secure practices. 

Critical Infrastructure CUI

Critical infrastructure CUI covers everything from emergency management (think major disasters or situations where executive-branch organizations need to keep continuity), to information systems vulnerabilities, to toxic substances and critical infrastructure details. As we saw with the Colonial Pipeline ransomware attack years ago, critical infrastructure is of the utmost importance to national security.  

Defense CUI

This covers controlled technical information related to military or space applications, information related to naval nuclear propulsion plants (including information related to radiation and radioactivity), and information related to the security of DoD critical infrastructure.

Export Control CUI

 Information (including technology and software) that would adversely affect U.S. security if that information left the country — this is where ITAR comes in for protecting CUI that needs to remain in the United States. 

Financial and Tax CUI

This includes a wide range of financial data relating to things like Electronic Funds Transfers, bank secrecy, financial transactions, and details concerning the federal budget. This also includes federal taxpayer information, including tax returns. 

Immigration CUI

Details related to asylum, visas, and information that would identify victims of human trafficking and domestic abuse. Understandably, this information must be protected, as a failure to do so would have a direct impact on individuals' safety and well-being. 

Intelligence CUI

While a lot of intelligence data would be considered classified, there is still a considerable amount of intelligence-related data is considered CUI, including declassified information, information about intelligence activities and sources, CIA personnel information, and internal data. 

Law Enforcement and Legal CUI 

Information related to law enforcement investigations, informants, DNA, whistleblower identity, victims, protective orders, federal grand juries, child victims, and witness protection all encompass highly sensitive information in need of protection. 

Nuclear CUI

Information surrounding nuclear facilities, public health, defense, and recommendations to the Department of Energy. 

Privacy Related CUI

Everything from PII to death records to health records, genetic information, military personnel records, and student records (subject to FERPA). 

Practical CUI Examples

General, practical examples of CUI data include:

• Personal data, such as PII, personal addresses, social security numbers, and financial records
• Legal documents around regulatory matters, investigations, audits, and litigation  
• Security information on systems, buildings, and personnel
• Export controlled data, intellectual property, and trade secrets

Even though CUI is unclassified, it still poses major risks if it is leaked or breached. Unauthorized access to CUI can lead to identity theft, legal issues, security vulnerabilities, loss of competitive advantage, and compliance penalties.

That's why it's critical for organizations to implement robust data encryption and access controls to secure CUI and meet regulatory compliance requirements like NIST 800-171, CMMC, DFARS, and more.

CUI Basic vs. CUI Specified

There are two key subsets of CUI: CUI Basic and CUI Specified. One is not more advanced than the other, but the requirements may simply be different, depending on the kind of information being protected and what laws may apply to it. You can think of CUI Basic as the default type of CUI, unless there are special guidelines for handling the data (such as specific distribution lists, or specific rules or laws for the data), in which case, the data is CUI Specified. 

Here’s how GSA defines CUI Basic and CUI Specified: 

CUI Basic Definition

CUI Basic is the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not have any specific handling or dissemination requirements. CUI Basic is handled according to the uniform set of controls set forth in the CFR and the CUI Registry.

CUI Specified Definition

 CUI Specified is different in that the authorizing law, regulation, or Government-wide policy contains specific handling controls that differ from those for CUI Basic. The CUI Registry indicates which authorities include such specific requirements. CUI Specified controls may be more stringent than, or may simply differ from, those required by CUI Basic. CUI Specified is NOT a “higher level” of CUI, it is simply different. Since CUI Specified is based upon a law, federal regulation, or Government-wide policy, this form of CUI cannot be legally ignored or overlooked. 

Who is Responsible for Protecting CUI? 

All authorized holders of CUI are responsible for abiding by CUI usage guidelines — ensuring it is only accessed by those with a need to know, and that CUI is not exposed to unauthorized parties. The GSA, in particular, makes an important distinction here that protecting CUI should also be balanced with making it accessible only to the right individuals: 

“CUI, regardless of its form, shall be protected in a manner that minimizes the risk of unauthorized disclosure while allowing for access by authorized holders. Persons working with CUI shall be careful not to expose CUI to unauthorized users or others who do not have a lawful government purpose to see it.” 

So, security must be implemented that provides both data protection and ready access by the people who need the data to get their jobs done. 

CUI Encryption for ITAR and CMMC Compliance

Encrypting CUI is a crucial element of compliance regulations for many federal contractors, namely CMMC 2.0 compliance — which is designed to ensure that contractors accessing CUI have the means and infrastructure to safeguard the data they’re entrusted with. CUI data can also overlap with ITAR data, subject to International Traffic in Arms Regulations. Our post on CUI vs ITAR  data goes into more detail (and, as a bonus, uses a whiskey analogy). 

CUI Security Best Practices: End-to-End Encryption and Fine-Grained Access Control for Governance

When it comes to protecting CUI, there are a few best practices you'll want to keep in mind:

1. Encrypt CUI data that moves outside your perimeter: It's not enough to protect the data that lives inside your organization's perimeter. Implement client-side, end-to-end encryption for CUI data that needs to be shared as part of a contract or project — especially when that data leaves your organization's perimeter for any reason.
2. Govern CUI data access at the object level: As we covered above, not all CUI is created equal: Whether it's CUI Basic or CUI Specified, it's a best practice to ensure that each piece of data is treated with the care it deserves. It's wise to govern CUI data access at an object level, as each piece of CUI can have different requirements for security, and may have different individuals or systems that need to access it at any given time.
3. Use attribute-based access control (ABAC) for fine-grained data governance: Unlike role-based access control or other methodologies, attribute-based access control (ABAC) provides the most granular ability to protect each piece of data according to its contents, and to govern exactly which users or systems can access that data, when, and under what circumstances. This is critical for protecting highly sensitive CUI, as projects or missions continuously evolve.
4. Choose tools that balance collaboration with CUI security: Your security is only as good as its support for the way your teams work. Choose a legacy tool that introduces friction, and you'll wind up with users circumventing security in order to get their jobs done. When it comes to protecting CUI with the right balance between military-level security and ease of access for those who need that data, it’s important to choose the right tools that can help you achieve a balanced and effective outcome. 

Recommended CUI Data Encryption

Virtru provides client-side encryption for sensitive data, while also making it easy to maintain visibility and control over that data, even after it’s been shared. So, if a piece of CUI data is protected with Virtru and then leaves your organization’s perimeter, you can still revoke it or change access permissions any time. This comes in handy when you have contractors or external partners who need to engage with CUI only for a short period of time. Or, if you need approval on a document from another agency or organization before moving forward with a project, you can set an expiration date for 1 week so that the sensitive CUI does not remain in the recipient’s inbox indefinitely. 

Virtru brings powerful data protection (through end-to-end encryption, or E2EE, plus granular access controls that apply persistent, Zero Trust security to each data object. With end-to-end encryption (E2EE), CUI data remains confidential, both at rest and in transit, so only the sender and intended recipients can access the plaintext data.  

Virtru provides the easiest way to encrypt CUI and enforce access control for compliant data protection. With Virtru's data-centric security, organizations can:

• Encrypt CUI emails, files, and data flowing through SaaS applications with the open Trusted Data Format (TDF) and AES 256-bit encryption, which integrates with the apps and workflows your teams are already using every day.
• Set access policies and revoke access to shared CUI data on-demand 
• Enforce encryption and DLP rules to support a strong data security and access control posture
• Audit access for appropriate reporting and compliance requirements
• Manage your encryption keys in the location of your choosing with the Virtru Private Keystore — whether on-premises, or in a public or private cloud, 

By making encryption easy and automatic, Virtru helps you ensure CUI stays secure and compliant everywhere it's shared. Schedule a demo now to see how Virtru can safeguard your critical information.