Your Guide to Understanding Controlled Unclassified Information
What is Controlled Unclassified Information (CUI), and does every DoD contractor have to comply with DFARS 7012/NIST SP 800-171?
The bottom line is that most US Department of Defense (DoD) contractors and subcontractors must comply with DFARS 252.204-7012 (hereafter "DFARS 7012"), because most of us process and store Controlled Unclassified Information (CUI). Nearly every defense contractor operates what the clause calls a "covered contractor information system," which DFARS 7012 defines as follows:
“A covered contractor information system is an unclassified IT system owned, or operated by or for, a contractor that processes, stores, or transmits covered defense information”
Since most of us do process what the clause calls Covered Defense Information (CDI), most of us operate a covered contractor information system. "Covered" means the system is subject to DFARS 7012 and its requirement to provide "adequate security," which the clause defines as, at a minimum, implementing the security requirements of NIST SP 800-171.
Understanding what Controlled Unclassified Information (CUI) Is
But what exactly is Controlled Unclassified Information (CUI)? How can we make the assertion that most of us process, store, or transmit it? To understand what CUI or CDI is, we need to understand how the US Federal government classifies information.
CDI is a subset of what's called Controlled Unclassified Information (CUI). Through experience or popular culture, most of us are familiar with the well-known classification levels SECRET and TOP SECRET. That is the type of information the Mission Impossible or James Bond movie franchises deal with. Controlled Unclassified Information is not that type of information; it is unclassified, in that it is not CONFIDENTIAL, SECRET, or TOP SECRET, but it is still sensitive and requires protection. If CUI makes its way into an adversary's hands it could compromise a US mission or erode our military advantage. Formally, CUI is information the government creates or possesses, or that a contractor creates or possesses on the government's behalf, that a law, regulation, or government-wide policy requires or permits an agency to handle with safeguarding or dissemination controls (32 CFR Part 2002). That qualifier matters: your own company-proprietary data that the government never furnished or required is not CUI, however sensitive it may be. For government-furnished or contract-generated information, though, a practical rule of thumb applies: if you would not publish it publicly, say, post it on Facebook, treat it as CUI until the contract or your prime tells you otherwise.
Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
Whereas classified information (CONFIDENTIAL, SECRET, and TOP SECRET) must be processed on accredited, highly secured IT systems that are essentially owned or controlled by the Federal government, Controlled Unclassified Information (CUI) may be processed on privately owned systems. Contractors' IT systems are privately owned, and if they process CUI, they must provide adequate security for that information. DFARS 7012 spells out the requirements for securing those systems, including implementation of the NIST SP 800-171 controls and cyber incident reporting to DoD.
Controlled Unclassified Information has many constituent information types, such as Personally Identifiable Information (PII), Protected Health Information (PHI), and CDI. CDI is, in short, DoD-related Controlled Unclassified Information that is marked or otherwise identified in the contract. CDI itself has constituent information types, such as Controlled Technical Information, as well as financial and contract information. The first ten items below are the examples of "technical information" given in the DFARS 7012 definitions themselves; the remaining items are other contract-related information types that commonly qualify:
- research and engineering data
- engineering drawings & lists
- process sheets
- technical reports
- technical orders
- catalog-item identifications
- data sets
- studies & analyses and related information
- computer software executable code and source code
- contract deliverable requirements list (CDRL)
- financial records
- contract information
- conformance reports
You can see that this list covers most of the types of information a prime or subcontractor would process as part of a DoD contract. That is why we say that most DoD contractors will have to abide by DFARS 7012/NIST SP 800-171.
How Aggregated Controlled Unclassified Information Can Become Classified
Aggregated Controlled Unclassified Information (CUI) may also constitute SECRET or TOP SECRET information. For instance, your organization may only process the technical drawings, marked as CUI, needed to build widget X for a DoD weapons system. Another organization may only process different technical drawings, also CUI, needed to build widget Y for the same weapon. You build X, they build Y, and your organizations never interact or exchange information. Individually, the drawings for widget X and widget Y are Controlled Unclassified Information, but if those drawings are processed together, or aggregated, by the same organization, the DoD may consider the combination worthy of a SECRET designation. Whether a given compilation is classified is spelled out by the program's Security Classification Guide, which is one more reason to ask for it.
The adversary knows that this compartmentalization is how much of our defense industrial base operates, and so they target the X and Y companies separately, steal the respective information, and then aggregate it themselves. It is a covert route to SECRET and TOP SECRET information that avoids overtly targeting the primes, whose defenses are usually stronger. Theft of contractor-held F-35 program data by Chinese actors is widely cited as one reason China was able to field a fighter that closely resembles the F-35 Joint Strike Fighter.
Prime Contractors Process Controlled Unclassified Information
The vast majority of, if not all, DoD prime contractors process some sort of Controlled Unclassified Information (CUI) and must abide by DFARS 7012. Prime contractors ("primes") have historically had a difficult time extracting from their DoD program management offices exactly which information is considered Controlled Unclassified Information. That is because the DoD has not adopted the Controlled Unclassified Information process as efficiently as it could have. (It is understandable: the DoD has its hands full classifying and protecting SECRET and TOP SECRET information.)
For a while, it was up to the primes to guess which information was considered Controlled Unclassified Information, based on the general list of information types presented in the bullets above. Of late, however, DoD contracting officers have begun including language in solicitations and contracts specifying which information is considered Controlled Unclassified Information.
When the process is perfected, every contract will include a Security Classification Guide (SCG) or equivalent, which dictates the classification, marking, and handling requirements for all information types processed under the contract. If, as a prime, your contract does not currently provide an SCG or equivalent CUI guidance, ask for one. DFARS 7012 itself defines CDI as information "marked or otherwise identified in the contract, task order, or delivery order," so identifying it is the DoD's responsibility, not yours to guess.
Primes Required to Flow Down DFARS/NIST 800-171 Requirements
Primes are also required by paragraph (m) of the clause to flow down the DFARS 7012 / NIST SP 800-171 requirements to all of their subcontractors whose performance involves Controlled Unclassified Information (CUI), and those subcontractors are likewise required to flow DFARS 7012 / NIST SP 800-171 down to their own vendors and suppliers. It is turtles all the way down with DFARS 7012.
Most of you reading this are associated with a DoD subcontractor or vendor and will have heard of DFARS 7012 through your prime contractors. Some of you may have been asked by your prime to fill out an 800-171 questionnaire in a system like Exostar. This is expected. It is the prime contractor's responsibility to notify its subs of the requirement and to define which types of information must be treated as Controlled Unclassified Information. If, as a sub, you are not sure whether you process Controlled Unclassified Information, or which information is covered, ask your prime; it is their job to tell you. They may not immediately be able to say exactly which information types are Controlled Unclassified Information, but keep pressing them until they do.
Knowing exactly which data is CUI is critical to the first step in protecting it: deciding whether to isolate the parts of your IT system that process CUI in a dedicated enclave, or to commingle CUI with the rest of your corporate data and IT system. Isolation keeps the assessment boundary small, but only if CUI never leaves the enclave (no forwarding to personal mailboxes, no copies on the general file share); commingling is simpler to operate but brings your entire network into scope for every NIST SP 800-171 requirement. This crucial determination, which is covered in our Cybersecurity 101 course, will dictate much of the risk management process your organization has to implement under DFARS 7012/NIST SP 800-171.
You should now understand a little bit more about what Controlled Unclassified Information (CUI) is, and how to know if your organization processes it.
Think you may have Controlled Unclassified Information (CUI)?
Our Cybersecurity 101 online educational series not only goes over what Controlled Unclassified Information (CUI) is, but also what DoD contractors must do to comply with the NIST SP 800-171/CMMC requirements.