In our previous blogs and whitepapers on the CMMC, we have referred to two types of datasets:
- FCI
- CUI
In this article, we take a closer examination of the latter.
What Is CUI?
CUI is an acronym that stands for “Controlled Unclassified Information”. There is often confusion as to whether datasets or documents carrying this kind of label are considered to be Top Secret. The truth of the matter is that they are not. Simply put, anything marked as CUI can be shared only with those who are authorized under a federal contract to see it. CUI, like FCI (Federal Contract Information), is nonpublic information that has been released to entities under a federal contract. Documents (including electronic information and media) are marked by a federal employee, under a set of regulations, and released to organizations that are allowed to access and use the information under the terms and conditions of a federal contract.
The CUI program was developed and implemented by the Department of Defense (DoD). It was launched under Executive Order 13556 and was primarily designed to provide a set of practices and standards across a wide array of industries, not just the Federal Government. One of the by-products of 9/11 was that different agencies in the federal government had different classifications of information, which prevented sharing with those entities that had a need to know. As part of Executive Order 13556, the National Archives was set up as the organization that manages the classification of CUI (https://www.archives.gov/cui/about).
In terms of cybersecurity, the CUI designation is used to protect documents that are released from the DoD to defense contractors as they place their bids or are awarded contracts. The cybersecurity data protection standard is NIST 800-171, and this standard has specific requirements on who is authorized to access CUI and how it is electronically and physically controlled.
Who Can Access CUI?
Any employee of the Federal Government who is affiliated with the DoD, as well as members of Congress and the Senate, can access CUI or apply the CUI labelling as needed. But it is important to keep in mind that the recipient must take specialized training and pass an exam before they can be authorized to receive CUI-related materials. Once this is done, the end user can then access whatever they need to, provided it is marked as “Lawful Government Purpose” and the user is an Authorized individual. In nonfederal systems, authorized individuals are defined under NIST 800-171.
What Is The Best Way To Handle CUI?
There are a number of ways that CUI can be handled. For employees of the Federal Government, the following rules apply:
- In a government related meeting, CUI materials can be freely shared, assuming that the individuals have received the proper training.
- It can also be freely distributed among the members of Congress while they are in session. However, the CUI materials cannot leave the Chamber, and therefore, cannot be released to the public.
- Any materials marked as CUI can be retained by members of the Executive Branch for a reasonable time period.
- Any Congressional member who has appeared live and contributed to a meeting can request to keep any CUI materials that have been brought to it.
But as it relates to the private sector, such as Defense Contractors, the federal contract specifies what CUI is provided and that the CUI data security is managed under NIST 800-171. At the time of this writing, CUI access is only granted to Authorized individuals, who are US citizens, under NIST 800-171.
The Types
Conclusions
As you embark further on your journey into the CMMC, CUI will be a term that you will hear quite often. If you have any questions on this, or have concerns on how to proceed if you are in possession of CUI-related materials, please contact us today.