What is CUI and does my organization have it?

CUI is data that, while not classified, needs to be protected from unauthorized disclosure or release.


One of the most confusing aspects of Cybersecurity Maturity Model Certification (CMMC) is determining whether your organization processes, stores, and/or transmits controlled unclassified information (CUI).

Controlled Unclassified Information (CUI) is "information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls," but that is not classified under Executive Order 13526 or the Atomic Energy Act, as amended (https://www.archives.gov/cui/about).

In plain English, CUI is data that, while not classified, needs to be protected from unauthorized disclosure or release. CUI is information owned or created by the federal government, or created on behalf of the federal government, that requires special security and handling procedures. The U.S. Department of Defense (DOD) has taken the lead in defining how contractors must protect CUI: the DFARS already requires contractors to implement NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and CMMC is the program DOD is using to verify that those requirements have actually been implemented.

How do I know if I am handling CUI?

Do you have CUI? The simplest way to answer is to start with the contract between your company and the federal government, or with the prime contractor that flows the government's requirements down to you. If your contract contains any of the DFARS clauses 252.204-7012 (safeguarding covered defense information and cyber incident reporting), 252.204-7019 and 252.204-7020 (NIST SP 800-171 DOD assessment requirements), or 252.204-7021 (CMMC), it is likely your organization is handling CUI. If that's the case, your company must implement NIST SP 800-171 now and must be prepared to demonstrate that implementation under CMMC.

Another key to look for is the distribution statement on the technical data you receive under the contract. Any statement that does NOT say, "Distribution Statement A: Approved for public release. Distribution is unlimited," means distribution is restricted. If distribution is limited, the data is likely CUI and must be handled in compliance with the DFARS clauses above, even if the clauses aren't spelled out in your contract.

If you're still unsure whether you're handling or storing CUI, refer to the program's security classification guide, which should state clearly what information is CUI or above. Remember, you're within your rights (and expected) to ask the contracting officer and/or the CUI owner for clarification. Knowing what type of CUI you are handling, and how much, is what lets you scope your NIST SP 800-171 implementation to the contract rather than guessing.

Pending questions

The final CMMC rule that will enforce third-party assessment and certification is still pending. At the time of writing, the implementation date is projected for late 2024 or the first quarter of 2025. Regardless of the final rule, the requirement for organizations handling CUI to be compliant with NIST SP 800-171 has been in effect since Jan. 1, 2018. Questions your organization should review in anticipation of the final CMMC rule include:

  • How much and what type of CUI do you need to meet your contract performance?
  • How will you store and protect the CUI?
  • Who needs access to the CUI?
  • What processes require CUI?
  • How is your company going to define the scope of your assessment? To define scope, a company must trace how CUI travels within the company and externally to other companies, and identify every system, person, and facility that processes, stores, or transmits it.
  • If you intend to store CUI in the cloud, does your cloud provider have a FedRAMP Moderate authorization or meet security requirements equivalent to the FedRAMP Moderate baseline, as DFARS 252.204-7012 requires? The provider must also support the cyber incident reporting obligations of that clause.

As you move through NIST/CMMC compliance, don't be afraid to hire a trusted consultant to answer your organization-specific questions. Advice is often given in general terms, but the best advice is tailored to a company's specific CUI and its cyberinfrastructure.

Robert McVay (COL, ret) is a cybersecurity lecturer for Carnegie Mellon and a senior consultant with Information Security Services for Smithers. https://www.smithers.com

November December 2023