GovernmentSecurity

Protecting Controlled Unclassified Information Across Data Ecosystems

Warren Fish
March 27, 2024
6 min read

Companies that work with the Department of Defense (DoD) know that it is critical to store data properly and are constantly on guard against controlled unclassified information (CUI, sometimes pronounced cooey) in their environments.

Organizations that are a part of the DoD supply chain are frequently referred to as the Defense Industrial Base (DIB). Many of these companies have sensitive DoD data within their enterprise networks. Large defense contractors have mostly addressed the storage of DoD data by creating large enterprise networks purpose-built for their defense work. However, small- and medium-sized businesses (SMBs) who are members of the DIB often struggle to identify CUI in their environments. If an organization has CUI, it must be protected using the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171 framework. To accurately define their technical boundary, legal counsel, CFOs, and CISOs are clamoring to classify their data as CUI or not-CUI.

What is CUI?

CUI is not classified data but is sensitive enough that the U.S. government feels organizations should control this information as its release could threaten national security. In the past, CUI appeared under an assortment of other names including For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Law Enforcement Sensitive (LSU). The U.S. government, realizing that these monikers alone did not dictate proper safeguarding, established CUI and, with it, a set of safeguards or security controls for protecting it from improper dissemination.

The Office of the Undersecretary of Defense for Information Security (OUSD I&S) maintains a website that provides policy guidance for the identification and protection of CUI which includes the standards for safeguarding, storing, destroying, transmitting and transporting CUI. The CUI Registry is the government’s online repository for guidance regarding CUI policy and practices. Registry categories cover a wide range of topics including critical infrastructure, defense, export control, financial, immigration, intelligence, law enforcement, legal, nuclear, patent and privacy.

Examples of CUI

Here are three examples of CUI data types in the DoD context:

  • Defense Critical Infrastructure Information (DCRIT): Information about the critical infrastructure crucial for defense. An example of DCRIT is a map of a military base or the blueprint of a defense facility. The map is not classified, but it is sensitive because it could be useful to adversaries.
  • Export controlled information: Information that is controlled due to its potential implications on national security if exported. An example of export-controlled information is the design of innovative technology. The technology itself is not classified, however, it is controlled because if it were shared with other countries, it could harm national security.
  • Pre-decisional budget or policy information: Information related to budget or policy still under consideration. A proposed federal or state budget or policy is an example of this type of data. The policy is not classified; however, it also is not finalized and has not been shared with the public.

Identifying CUI

Any organization that conducts business with the U.S. government may have CUI. However, here are four questions to make that determination:

Does the organization have a U.S. federal contract, or is a supplier on a U.S. federal contract?

If yes, then the organization likely has CUI. At the minimum, the organization has Federal Contract Information (FCI), which is information not intended for public release. FCI is provided by or generated for the federal government under a contract to develop or deliver a product or service. CUI and FCI both include information created or collected by or for the government.

Does the organization have any contracts with the Defense Federal Acquisition Regulations Supplement (DFARS) clause for CUI (DFARS Clause 252.204-7012 or 252.204-7020) in it?

If yes, then it likely has FCI and CUI. Clause 7012 specifies requirements for the protection of CUI per NIST SP 800-171, cyber incident reporting obligations, and other considerations for cloud service providers. Clause 7020 describes the DoD assessment requirements for information systems that contain CUI.

Can procurement readily contact the organization’s Contracting Officer Representative (COR)?

Contracting officers are responsible for including the necessary clauses in contracts to ensure the protection of CUI. If a company is working on a new contract with the U.S. government, one of these clauses may end up in its next engagement. The organization’s procurement team will want to be aware of this when submitting bids.

It is important to be aware that while contracting officers play a key role in managing CUI, they may or may not be subject matter experts on CUI-related regulations. Therefore, organizations with federal contracts must have a strong relationship with their COR to ensure that both sides are fully aware of the type of information the contract may involve.

Is the organization a subcontractor within the DoD supply chain?

Under the subcontractor flowdown requirements, prime contractors are responsible for ensuring that all teammates, including subcontractors and suppliers, meet applicable security requirements. If subcontractors handle CUI, they will be subject to the same controls as the prime, including the full set of NIST 800-171 controls.

Using our earlier example regarding DCRIT information, a fictional prime contractor is responsible for the construction of an airplane hangar on a military base, with an extensive list of security requirements including physical, logical and biometric controls. The prime has subcontracted the installation of the HVAC systems, requiring them to access the engineering diagrams. In this instance, the prime and the subcontractor would both be responsible for meeting the NIST 800-171 controls.

The Defense Industrial Base (DIB) refers to the network of organizations and facilities that provide the DoD with materials, products and services. This includes a diverse range of entities such as small- and medium-sized businesses, university laboratories and research centers and large multinational corporations. The DIB is responsible for a variety of functions, from the projection of complex military platforms such as aircraft carriers and highly specialized services like intelligence analysis. Any company or organization that is a part of the DIB will need to identify whether it is holding CUI, and if it is – it will need to protect it accordingly.

To learn more about our government security and compliance solutions, contact us. 

Warren Fish

Associate Director
Security and Privacy

View all posts

You may also like

Subscribe to Topics

Protiviti Technology Follow

Protiviti leverages emerging technologies to innovate, while helping organizations transform and succeed by focusing on business value.

ProtivitiTech
protivititech Protiviti Technology @protivititech ·
18 Apr

Learn more about what GRC Managed Service is and what it can do for SAP S/4HANA and SAP cloud solutions in the latest #SAP Blog post. https://ow.ly/OMaL50RfsHw #ProtivitiTech

Reply on Twitter 1781035159438954997 Retweet on Twitter 1781035159438954997 Like on Twitter 1781035159438954997 Twitter 1781035159438954997
protivititech Protiviti Technology @protivititech ·
17 Apr

Protiviti is a proud sponsor of ServiceNow Knowledge 2024—a three-day conference all about #AI. Stop by our booth (#2503) to visit with our team and learn how the #ServiceNow platform makes business transformation possible. https://ow.ly/qa6p50Rh9wf

Reply on Twitter 1780627914964308382 Retweet on Twitter 1780627914964308382 Like on Twitter 1780627914964308382 Twitter 1780627914964308382
protivititech Protiviti Technology @protivititech ·
16 Apr

What is #DesignThinking? Could it help your organization? Find out how Protiviti uses it to help clients build net new applications and modernize legacy systems. https://ow.ly/fMK550Rfsoi #ProtivitiTech

Reply on Twitter 1780204913663873376 Retweet on Twitter 1780204913663873376 Like on Twitter 1780204913663873376 Twitter 1780204913663873376
protivititech Protiviti Technology @protivititech ·
15 Apr

Join our May 2 webinar designed for privacy and security professionals seeking to navigate the intricate nuances of data governance within the ever-evolving global regulatory landscape. Register today! https://ow.ly/hzrG50R4fTX #ProtivitiTech #DataPrivacy

Reply on Twitter 1779872392535212145 Retweet on Twitter 1779872392535212145 2 Like on Twitter 1779872392535212145 1 Twitter 1779872392535212145
protivititech Protiviti Technology @protivititech ·
12 Apr

The latest Technology Insights Blog post offers insight into the unique risks associated with Large Language Models (LLMs) and how to establish strategies to mitigate them. https://ow.ly/q3w550RfbXm #ProtivitiTech #TechnologyInsights

Reply on Twitter 1778890996282982442 Retweet on Twitter 1778890996282982442 Like on Twitter 1778890996282982442 Twitter 1778890996282982442
Load More