Your Guide to Controlled Unclassified Information
What is CUI, Controlled Unclassified Information, and does every DoD Contractor have to comply with DFARS 252.204-7012 / NIST 800-171?
The bottom line is most US Department of Defense (DoD) contractors and subcontractors must comply with DFARS 252.204-7012, because most of us operate and store Controlled Unclassified Information (CUI). Many, and maybe even most, defense contractors operate what is considered a “covered contractor information system” (a subset of CUI) which as defined by DFARS 7012:
"A covered contractor information system is an unclassified IT system owned, or operated by or for, a contractor that processes, stores, or transmits covered defense information"
As most of us indeed process what is considered Covered Defense Information (CDI), most of us therefore operate a covered contractor information system. “Covered” means beholden to DFARS 7012 and its requirements to build “adequate security” into our IT systems.
What is CUI: Understanding Controlled Unclassified Information
But what exactly is CUI, Controlled Unclassified Information? How can we make the assertion that most of us process, store, or transmit it? To understand what CUI or CDI is, we need to understand how the US Federal government classifies information.
CDI is a subset of what’s called Controlled Unclassified Information (CUI). Through experience or popular culture, most of us are familiar with well-known governmental information classifications of SECRET and TOP SECRET. This is the type of information the Mission Impossible or James Bond movie franchises deal with. Controlled Unclassified Information is not that type of information; it’s unclassified—in that it isn’t SECRET or TOP SECRET—but it is still sensitive and requires protection. If CUI makes its way into the adversary’s hands it could compromise the mission of the US or reduce our military competitive advantage. So, what is CUI? Controlled Unclassified Information is basically any information that is owned by the government and not fit for general public consumption. Here’s a rule-of-thumb for CUI: if you wouldn’t publish the information publicly—say, post it on Facebook—it’s probably Controlled Unclassified Information.
Protecting Controlled Unclassified Information (CUI) in Nonfederal Systems and Organizations
Classified information—SECRET and TOP SECRET—must be processed in highly-secured IT systems essentially owned by the Federal government, Controlled Unclassified Information (CUI) may be processed in privately-owned systems.
Contractors’ IT systems are privately owned, and if they process CUI, they must provide adequate security for that information. DFARS 7012 spells out requirements for securing contractors’ IT systems, including the implementation of CMMC / NIST 800-171 controls. It is also required that Controlled Unclassified Information is marked as such. You can learn to mark CUI in our How to Mark CUI blog.
Types of Data Considered Controlled Unclassified Information (CUI)
Controlled Unclassified Information has many constituent information types, such as Personally Identifiable Information (PII) and Protected Health Information (PHI). DoD-related Controlled Unclassified Information (CUI) includes information types, such as Controlled Technical Information, as well as financial and contract information. Some of the many types of information that are considered CUI include:
- research and engineering data
- engineering drawings & lists
- specifications
- standards
- process sheets
- manuals
- technical reports
- technical orders
- catalog-item identifications
- data sets
- studies & analyses and related information
- computer software executable code and source code
- contract deliverable requirements list (CDRL)
- financial records
- contract information
- conformance reports
You can see this list covers most of the types of information a prime or subcontractor would process as part of a DoD contract. That’s why we say that most DoD contractors will have to abide the DFARS 7012/NIST 800-171/CMMC.
How Controlled Unclassified Information becomes Top Secret
Aggregated Controlled Unclassified Information (CUI) may also constitute SECRET or TOP SECRET information. For instance, your organization may only process Controlled Unclassified Information of technical drawings so you can build widget X for a DoD weapons system. Another organization may only process different technical drawings (classified as Controlled Unclassified Information) so they can build widget Y for the same weapon. You build X, they build Y, and your organizations never interact or exchange information. Individually, the drawings for widget X and widget Y are considered Controlled Unclassified Information, but if those drawings are processed together, or aggregated, by the same organization, the DoD may consider that combination worthy of SECRET designation.
The adversary knows this “compartmentalization” is how much of our military industrial complex operates, and so they target X and Y companies separately to try to steal and then aggregate the respective information. It’s a covert mechanism the adversary uses to steal SECRET and TOP SECRET information, instead of overtly targeting primes. This mechanism has been adopted by the Chinese government and is a reason they have produced a nearly identical warplane to our highly advanced F-35 Joint Striker Fighter.
Think you may have Controlled Unclassified Information (CUI)?
If you are a DoD contractor wondering if you store, process, or transmit CUI, come grab a seat in one of our Workshops, where we identify CUI in your environment and dig deep into the current DFARS / NIST 800-171 / CMMC requirements. Or, check out our free Cybersecurity for Government Contractors eBook, which can put you on the right path for identifying CUI. As always, feel free to just drop us a line; we love talking about all this stuff!
Good Hunting!
-Adam
