Whether you’re working for the federal government as an employee or a contractor, you’ll likely encounter the term “controlled unclassified information,” or CUI. And, if you’re working toward CMMC compliance, you know that securing CUI data is a critical element of CMMC compliance and NIST SP 800-171 guidelines.
In this post, we’ll break down what CUI is, provide you with examples of CUI in government, and walk through best practices to protect CUI that needs to move within and outside of your organization.
Controlled Unclassified Information, CUI, refers to sensitive data, created and/or managed by federal government agencies, that is not classified. The CUI framework aims to standardize how this data is protected across the 15 agencies that make up the executive branch of the U.S. government — as well as how that data is accessed by government contractors with access to that information.
The FTC defines CUI as “information that requires safeguarding or dissemination controls according to federal laws, regulations, and government-wide policies, but is not classified information.”
The CUI framework exists to give structure and process to how these 15 executive-branch agencies should handle the vast amounts of data that are sensitive, but not at the level of sensitivity to be marked “classified.” CUI and its subcategories were introduced in a 2010 executive order by President Obama with the objective of clarifying the “ad-hoc and agency-specific policies, procedures, and markings” being used to protect sensitive information involving privacy, security, proprietary business interests, and law enforcement investigations.
This was a big problem, and you can tell by the language used in the EO: “This inefficient, confusing patchwork has resulted in inconsistent marking and safeguarding of documents, led to unclear or unnecessarily restrictive dissemination policies, and created impediments to authorized information sharing,” the EO reads, adding, “The fact that these agency-specific policies are often hidden from public view has only aggravated these issues. To address these problems, this order establishes a program for managing this information, hereinafter described as Controlled Unclassified Information, that emphasizes the openness and uniformity of Government-wide practice.”
So, clearly there was a lot of friction as a result of this information being shared in ad-hoc ways, likely unsecured, and without any clear protocols in place.
Here’s why secure handling of CUI matters.
The 15 agencies in the executive branch include the Department of Defense (DoD); the Department of Commerce; Department of Health and Human Services; and the Department of Justice, just to name a few. Even across those four agencies alone, you’re looking at a vast wealth of information that can be considered sensitive — everything from homeland security to healthcare, justice, agriculture, energy, and much more.
The CUI Registry includes 20 organizational groupings and categories with their respective CUI, including (but not limited to) the following. You'll see how highly sensitive some of this CUI data can be, and why it needs to be properly handled with secure practices.
Critical infrastructure CUI covers everything from emergency management (think major disasters or situations where executive-branch organizations need to keep continuity), to information systems vulnerabilities, to toxic substances and critical infrastructure details. As we saw with the Colonial Pipeline ransomware attack years ago, critical infrastructure is of the utmost importance to national security.
Defense CUI covers controlled technical information related to military or space applications, information related to naval nuclear propulsion plants (including information related to radiation and radioactivity), and information related to the security of DoD critical infrastructure.
Export control CUI covers information (including technology and software) that would adversely affect U.S. security if it left the country; this is where ITAR comes in for protecting CUI that needs to remain in the United States.
Financial CUI includes a wide range of financial data relating to things like Electronic Funds Transfers, bank secrecy, financial transactions, and details concerning the federal budget. This also includes federal taxpayer information, including tax returns.
Immigration CUI covers details related to asylum, visas, and information that would identify victims of human trafficking and domestic abuse. Understandably, this information must be protected, as a failure to do so would have a direct impact on individuals' safety and well-being.
While a lot of intelligence data is classified, a considerable amount of intelligence-related data is still considered CUI, including declassified information, information about intelligence activities and sources, CIA personnel information, and internal data.
Law enforcement CUI covers information related to investigations, informants, DNA, whistleblower identity, victims, protective orders, federal grand juries, child victims, and witness protection, all of it highly sensitive information in need of protection.
Nuclear CUI covers information surrounding nuclear facilities, public health, defense, and recommendations to the Department of Energy.
Privacy CUI covers everything from PII to death records to health records, genetic information, military personnel records, and student records (subject to FERPA).
General, practical examples of CUI data include:
Even though CUI is unclassified, it still poses major risks if it is leaked or breached. Unauthorized access to CUI can lead to identity theft, legal issues, security vulnerabilities, loss of competitive advantage, and compliance penalties.
That's why it's critical for organizations to implement robust data encryption and access controls to secure CUI and meet regulatory compliance requirements like NIST 800-171, CMMC, DFARS, and more.
There are two key subsets of CUI: CUI Basic and CUI Specified. One is not more advanced than the other, but the requirements may simply be different, depending on the kind of information being protected and what laws may apply to it. You can think of CUI Basic as the default type of CUI, unless there are special guidelines for handling the data (such as specific distribution lists, or specific rules or laws for the data), in which case, the data is CUI Specified.
Here’s how GSA defines CUI Basic and CUI Specified:
CUI Basic is the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not have any specific handling or dissemination requirements. CUI Basic is handled according to the uniform set of controls set forth in the CFR and the CUI Registry.
CUI Specified is different in that the authorizing law, regulation, or Government-wide policy contains specific handling controls that differ from those for CUI Basic. The CUI Registry indicates which authorities include such specific requirements. CUI Specified controls may be more stringent than, or may simply differ from, those required by CUI Basic. CUI Specified is NOT a “higher level” of CUI; it is simply different. Since CUI Specified is based upon a law, federal regulation, or Government-wide policy, this form of CUI cannot be legally ignored or overlooked.
All authorized holders of CUI are responsible for abiding by CUI usage guidelines — ensuring it is only accessed by those with a need to know, and that CUI is not exposed to unauthorized parties. The GSA, in particular, makes an important distinction here that protecting CUI should also be balanced with making it accessible only to the right individuals:
“CUI, regardless of its form, shall be protected in a manner that minimizes the risk of unauthorized disclosure while allowing for access by authorized holders. Persons working with CUI shall be careful not to expose CUI to unauthorized users or others who do not have a lawful government purpose to see it.”
So, security must be implemented that provides both data protection and ready access by the people who need the data to get their jobs done.
Encrypting CUI is a crucial element of compliance regulations for many federal contractors, namely CMMC 2.0 compliance — which is designed to ensure that contractors accessing CUI have the means and infrastructure to safeguard the data they’re entrusted with. CUI data can also overlap with ITAR data, subject to International Traffic in Arms Regulations. Our post on CUI vs ITAR data goes into more detail (and, as a bonus, uses a whiskey analogy).
When it comes to protecting CUI, there are a few best practices you'll want to keep in mind:
Virtru provides client-side encryption for sensitive data, while also making it easy to maintain visibility and control over that data, even after it’s been shared. So, if a piece of CUI data is protected with Virtru and then leaves your organization’s perimeter, you can still revoke it or change access permissions any time. This comes in handy when you have contractors or external partners who need to engage with CUI only for a short period of time. Or, if you need approval on a document from another agency or organization before moving forward with a project, you can set an expiration date for 1 week so that the sensitive CUI does not remain in the recipient’s inbox indefinitely.
Virtru brings powerful data protection through end-to-end encryption (E2EE) plus granular access controls that apply persistent, Zero Trust security to each data object. With E2EE, CUI data remains confidential both at rest and in transit, so only the sender and intended recipients can access the plaintext.
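The pattern described in the two paragraphs above (a CUI object encrypted on the client, with a need-to-know recipient list, an expiry such as one week, and the ability to revoke access after the object has been shared) can be sketched in code. The example below is added here and is not Virtru's code or a description of its product internals; the key-access-server model, the Policy fields, the identities and sample record, and the HMAC-SHA256 counter-mode cipher standing in for AES-GCM (so the file runs on the standard library alone) are all assumptions.

```python
"""Data-centric protection of a CUI object: the sender encrypts client-side and a
separate key-access service enforces the object's policy (need-to-know recipients,
expiry, revocation) on every key request, so control persists after sharing.
Added illustration, not any vendor's code; the KeyAccessServer model, Policy fields
and the HMAC-SHA256 counter-mode cipher (a stdlib stand-in for AES-GCM) are assumptions."""
import hashlib
import hmac
import os
import uuid
from dataclasses import dataclass

def _prf_stream_xor(key, nonce, data):
    """XOR data with an HMAC-SHA256 counter-mode keystream (same call decrypts)."""
    out = bytearray()
    ctr = 0
    while len(out) < len(data):
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))

def _tag(key, *parts):
    """Encrypt-then-MAC tag over object id, nonce and ciphertext."""
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()

@dataclass
class Policy:
    recipients: frozenset  # need-to-know list (assumed: e-mail identities)
    expires_at: float      # unix seconds; key release stops at this time
    revoked: bool = False

class KeyAccessServer:
    """Holds data keys and the authoritative policy; the object never carries the key."""

    def __init__(self):
        self._keys = {}
        self._policies = {}
        self.audit = []  # (object_id, requester, granted): every attempt is recorded

    def register(self, object_id, data_key, policy):
        self._keys[object_id] = data_key
        self._policies[object_id] = policy

    def request_key(self, object_id, requester, now):
        pol = self._policies[object_id]
        granted = (not pol.revoked) and now < pol.expires_at and requester in pol.recipients
        self.audit.append((object_id, requester, granted))
        if not granted:
            raise PermissionError(f"key release for {object_id} denied to {requester}")
        return self._keys[object_id]

    def revoke(self, object_id):
        self._policies[object_id].revoked = True

@dataclass
class ProtectedObject:
    object_id: str
    nonce: bytes
    ciphertext: bytes
    tag: bytes

def protect(plaintext, recipients, ttl_seconds, kas, now):
    """Client side: fresh per-object key, encrypt, register key + policy with the KAS."""
    data_key, nonce, object_id = os.urandom(32), os.urandom(16), str(uuid.uuid4())
    ciphertext = _prf_stream_xor(data_key, nonce, plaintext)
    tag = _tag(data_key, object_id.encode(), nonce, ciphertext)
    kas.register(object_id, data_key, Policy(frozenset(recipients), now + ttl_seconds))
    return ProtectedObject(object_id, nonce, ciphertext, tag)

def access(obj, requester, kas, now):
    """Recipient side: policy check at key release, then integrity check, then decrypt."""
    key = kas.request_key(obj.object_id, requester, now)
    if not hmac.compare_digest(_tag(key, obj.object_id.encode(), obj.nonce, obj.ciphertext), obj.tag):
        raise ValueError(f"object {obj.object_id} failed integrity check")
    return _prf_stream_xor(key, obj.nonce, obj.ciphertext)

def _denied(fn):
    try:
        fn()
        return False
    except PermissionError:
        return True

def demo():
    """Share / expire / revoke lifecycle on constructed data (1-week expiry as in the text)."""
    kas, t0, day = KeyAccessServer(), 1_700_000_000.0, 86_400
    record = b"constructed sample record; not real CUI"
    obj = protect(record, ["alice@partner.example"], 7 * day, kas, t0)
    results = {
        "recipient_within_week": access(obj, "alice@partner.example", kas, t0 + day) == record,
        "outsider_denied": _denied(lambda: access(obj, "outsider@other.example", kas, t0 + day)),
        "expired_denied": _denied(lambda: access(obj, "alice@partner.example", kas, t0 + 8 * day)),
    }
    kas.revoke(obj.object_id)  # sender pulls access back after the object has been shared
    results["revoked_denied"] = _denied(lambda: access(obj, "alice@partner.example", kas, t0 + day))
    results["attempts_audited"] = len(kas.audit) == 4
    return results

if __name__ == "__main__":
    print(demo())
```

The design point is the separation of the encrypted object from its key: the object can be forwarded anywhere, but plaintext is only recoverable after the key-access service has evaluated the current policy, which is why revocation and a changed expiry keep working after the object has left the sender's perimeter. The audit list is what gives the visibility into access attempts that the post mentions, and the integrity tag means a tampered object is rejected even by an authorized recipient.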
Virtru provides the easiest way to encrypt CUI and enforce access control for compliant data protection. With Virtru's data-centric security, organizations can:
By making encryption easy and automatic, Virtru helps you ensure CUI stays secure and compliant everywhere it's shared. Schedule a demo now to see how Virtru can safeguard your critical information.