CUI Considerations for the Defense Industrial Base

Controlled Unclassified Information encompasses information that, while not classified, is still sensitive and integral to national security.


What’s considered Controlled Unclassified Information (CUI), what’s not considered CUI, and what’s the proper handling and safeguarding of CUI? If you’re a prime contractor for the Department of Defense (DOD) or a downstream subcontractor, you likely have CUI in one form or another, whether in paper or digital format.

What is CUI?

CUI is unclassified information within the federal government that requires safeguarding or dissemination controls pursuant to, and consistent with, applicable laws, regulations, and government-wide policies. If you’re a prime contractor or subcontractor for the Department of Defense (DOD), it’s important to recognize and properly handle CUI to ensure compliance with federal standards.

For the Defense Industrial Base (DIB), CUI is critical because it encompasses a broad range of information that, while not classified, is still sensitive and integral to national security.

Here’s a detailed look at what CUI means to the DIB:

  • Safeguarding information: CUI includes information related to defense programs, procurement, technical specifications, and other sensitive data that must be protected from unauthorized access and disclosure. The DIB is responsible for implementing adequate security measures to safeguard CUI.
  • Compliance requirements: The DIB must comply with regulations such as the National Institute of Standards and Technology (NIST) Special Publication 800-171, providing guidelines for protecting CUI in non-federal systems and organizations. Compliance ensures companies meet the security requirements necessary to protect sensitive information.
  • Contractual obligations: The DOD often requires defense contractors and subcontractors to handle CUI. This includes stipulations in contracts and agreements mandating the protection of CUI according to specified guidelines and standards.
  • Cybersecurity measures: Protecting CUI necessitates robust cybersecurity practices, including implementing access controls, encryption, regular security assessments, incident response plans, and employee training on handling sensitive information.
  • Risk management: Proper handling and protection of CUI helps mitigate risks associated with data breaches, cyber espionage, and other security threats. This is essential for maintaining the integrity of defense operations and the confidentiality of sensitive information.
  • Trust and reputation: Companies within the DIB protecting CUI enhance their reputation and trust with the DOD and other stakeholders. This can lead to additional opportunities and sustained business relationships within the defense sector.
  • Legal and financial implications: Failure to adequately protect CUI can result in legal penalties, loss of contracts, and significant financial costs due to data breaches or non-compliance with regulations.

What information is considered CUI?

The items listed as examples of CUI, provided by the DOD or generated in support of fulfilling a DOD contract or order, cover a wide range of data types and documents. These can exist in paper and digital formats and include:

  • Personally identifiable information (PII): While PII can be sensitive and protected under privacy laws, it isn’t automatically considered CUI unless specified by regulation or policy within a particular context.
  • Research and engineering data: Information resulting from research and development activities, including experimental data, methodologies, and findings.
  • Engineering drawings and lists: Technical drawings and associated lists detailing the design, dimensions, and specifications of components and systems.
  • Technical reports: Documents describing technical findings, methodologies, experiments, and results related to specific projects or studies.
  • Technical data packages: Comprehensive packages with detailed information necessary to produce, install, operate, and maintain equipment and systems.
  • Design analysis: Analytical documents evaluating and describing the design process, decisions, and rationale behind design choices.
  • Specifications: Detailed descriptions of the requirements, dimensions, materials, and other specific criteria for products and systems.
  • Test reports: Documents recording procedures, outcomes, and evaluations of testing processes for equipment, systems, or components.
  • Technical orders: Official directives providing instructions for the operation, maintenance, inspection, and modification of equipment and systems.
  • Cybersecurity plans/controls: Plans and measures implemented to protect information systems and data from cyber threats and unauthorized access.
  • IP addresses, nodes, links: Information related to network infrastructure, including IP addresses, network nodes, and the links between them.
  • Standards: Official standards and guidelines specifying criteria for processes, products, and systems.
  • Process sheets: Documents detailing steps, methods, and resources required to complete manufacturing or other processes.
  • Manuals: Instructional guides providing detailed information on equipment and systems operation, maintenance, and troubleshooting.
  • Data sets: Collections of related sets of information typically used for analysis, research, or reference purposes.
  • Studies and analyses and related information: Comprehensive examinations and evaluations of specific topics, issues, or projects, including related supporting information.
  • Computer software executable code and source code: Software in its executable form and source code form, detailing the instructions and operations of computer programs.
  • Contract Deliverable Requirements Lists (CDRL): Lists of all deliverables required by a contract, including descriptions, due dates, and other pertinent information.
  • Financial records: Documents recording financial transactions, budgets, expenditures, and other monetary details related to DOD contracts or projects.
  • Contract information: Details about contracts, including terms, conditions, statements of work, and related contractual documents.
  • Conformance reports: Documents certifying compliance with specified standards, requirements, or regulations.

What isn’t considered CUI?

CUI encompasses a range of sensitive information but not all unclassified information falls under CUI. Here are examples of information normally not considered CUI:

  • Publicly available information: Information readily accessible to the public through media, government publications, or official public disclosures.
  • Basic marketing information: General marketing materials, product brochures, and advertisements intended for public distribution.
  • Public relations information: Information released to the public by the organization for promotional or informational purposes, such as press releases, newsletters, and public statements.
  • Educational materials: General educational content and resources used for public training and education that don’t contain sensitive or proprietary information.
  • General administrative information: Routine administrative documents and records not including sensitive or proprietary content.
  • Open-source information: Information derived from open sources, such as published books, articles, and reports, that is available to the public without restrictions.
  • General business information: Standard business documents such as publicly filed financial reports, stockholder communications, and basic corporate information.
  • Non-sensitive emails and communications: Routine internal or external communications not containing sensitive, proprietary, or otherwise protected information.
  • Non-proprietary technical information: Technical information released for public use or not containing sensitive or proprietary content.
  • General correspondence: Letters, memos, and other correspondence that contain no sensitive information and require no protection.
  • Unrestricted meeting minutes: Records of meetings not discussing sensitive, proprietary, or protected information.

It’s important to note that while the above types of information are generally not considered CUI, specific contexts or regulatory requirements may lead to certain items being designated as CUI in particular circumstances. Always refer to the specific associated guidelines and policies for accurate determination.

Handling and safeguarding CUI

  • Identification and marking: Ensure CUI is clearly marked according to federal guidelines to indicate its status and required protection level.
  • Access control: Restrict access to authorized personnel with a legitimate need to know.
  • Secure storage: Store CUI in secure, access-controlled environments (e.g., locked cabinets for physical documents, encrypted digital storage for electronic documents).
  • Secure transmission: Use encryption for electronic transmission and secure methods for physical transfer (e.g., secure courier services).
  • Proper disposal: Dispose of CUI securely through methods like shredding for paper documents and data wiping for digital files to prevent unauthorized recovery.
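The first two practices above (marking and need-to-know access control) are the ones most often checked mechanically. The following is an added example, not code from the article or from Bluestreak Consulting, of a small audit that scans a set of documents for a CUI banner marking and gates access on the categories that banner carries. The banner layout (a first line of `CUI` or `CUI//CATEGORY`), the approved-category list, the need-to-know map, and the sample documents are all constructed assumptions for this example; an organization would substitute its own marking guide and access records.

```python
import re
from dataclasses import dataclass

# Assumed convention for this example: the first non-blank line of a document
# is a banner such as "CUI" or "CUI//SP-CTI"; category labels after "//" must
# come from the organization's approved list. The list below is constructed.
APPROVED_CATEGORIES = {"SP-CTI", "SP-PRVCY", "SP-EXPT"}

BANNER_RE = re.compile(r"^CUI(?://(?P<cats>[A-Z0-9-]+(?:/[A-Z0-9-]+)*))?$")


@dataclass
class Finding:
    doc_id: str
    status: str            # "OK", "UNMARKED" or "BAD_CATEGORY"
    categories: tuple = ()


def parse_banner(text):
    """Return the tuple of category labels if the first non-blank line is a
    CUI banner, or None when the document carries no banner at all."""
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped:
            continue
        match = BANNER_RE.match(stripped)
        if not match:
            return None
        cats = match.group("cats")
        return tuple(cats.split("/")) if cats else ()
    return None


def audit_marking(documents):
    """documents: {doc_id: text}. Returns one Finding per document so that
    unmarked files and unknown category labels can be routed for review."""
    findings = []
    for doc_id, text in documents.items():
        cats = parse_banner(text)
        if cats is None:
            findings.append(Finding(doc_id, "UNMARKED"))
        elif set(cats) - APPROVED_CATEGORIES:
            findings.append(Finding(doc_id, "BAD_CATEGORY", cats))
        else:
            findings.append(Finding(doc_id, "OK", cats))
    return findings


def can_access(user, doc_categories, need_to_know):
    """Need-to-know gate: a user may open a document only if cleared for
    every category marked on it. need_to_know: {user: set of categories}."""
    return set(doc_categories) <= need_to_know.get(user, set())


# Constructed sample documents; none of this is real CUI.
SAMPLE_DOCS = {
    "drawing-001.txt": "CUI//SP-CTI\nPart 4471 bracket, rev B\n...",
    "test-report-17.txt": "Test report for unit 17\nAll tests passed.",
    "notes.txt": "\nCUI//SP-XXXX\nInternal notes",
    "memo.txt": "CUI\nRoutine memo to program office",
}

# Constructed need-to-know records: alice is cleared for two categories, bob for none.
SAMPLE_NTK = {"alice": {"SP-CTI", "SP-PRVCY"}, "bob": set()}

if __name__ == "__main__":
    for f in audit_marking(SAMPLE_DOCS):
        print(f"{f.doc_id:22} {f.status:13} {'/'.join(f.categories)}")
    print("alice -> drawing-001:", can_access("alice", ("SP-CTI",), SAMPLE_NTK))
    print("bob -> drawing-001:", can_access("bob", ("SP-CTI",), SAMPLE_NTK))
```

Run against the constructed set, the audit flags `test-report-17.txt` as unmarked and `notes.txt` as carrying a category that is not on the approved list, while the access gate lets alice open the drawing and refuses bob. The point of separating `audit_marking` from `can_access` is that marking findings feed a remediation queue, whereas the access decision is evaluated at every open and must fail closed when a user has no need-to-know entry at all.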

Understanding and implementing these practices for handling CUI is crucial for compliance with federal standards and protecting sensitive information.

Bluestreak Consulting https://www.go-bluestreak.com

Joe Coleman is the cyber security officer and CMMC-RPA for Bluestreak Consulting, a division of Bluestreak | Bright AM, a CMMC Registered Practitioner Organization (RPO). He can be reached at joe.coleman@go-throughput.com or 513.900.7934.

August/September 2024