by Scott Jack
Content Contributor, E-N Computers
Over 10 years of experience in healthcare IT and tech support.
The federal government expects contractors at all levels to protect their information. Besides basic Federal Contract Information (FCI), there is a more sensitive category of data called Controlled Unclassified Information (CUI). To get and keep a contract, defense contractors and their subcontractors need to know what CUI they have and implement a system to adequately protect it.
In this blog post, we’ll discuss what CUI is, why it matters, and how to handle it effectively. We will also provide practical tips and resources to help you comply with CUI regulations and protect your organization’s sensitive information.
QUICK ANSWER:
What is CUI, and should I worry about it?
CUI, or Controlled Unclassified Information, is sensitive information related to the deliverables of a government contract. Defense contractors that handle CUI are required to protect it according to NIST SP 800-171. Having the right documentation to prove that you are handling CUI properly is essential to reaching CMMC Level 2 and keeping your defense contracts.
What is CUI?
CUI stands for Controlled Unclassified Information. Based on regulation 32 CFR 2002.4, it can be described this way:
“information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, not including information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.”
We know that sounds like government word salad. In practical terms, CUI is sensitive information related to the deliverables of a contract. It can be information sent to you by your government partner or information you produce for them. Here are a few examples:
- Technical drawings
- Specifications
- Manuals
- Reports
- Computer code
CUI can seem overwhelming, but it’s actually an improvement over the old way of doing things. In the past, government agencies had separate marking systems and it was nearly impossible to keep them all straight. In contrast, the DoD says, “CUI policy provides a uniform marking system” that “alerts recipients that special handling may be required”.
How is CUI different from FCI?
FCI is non-public information related to your contract, such as invoices, payment account details, and emails between you and federal employees.
CUI is a more sensitive subset of FCI because it includes details about the particulars of a project. It must be marked and requires additional safeguards. It’s often said that all CUI is FCI, but not all FCI is CUI. For more information, see our article, What is FCI?
FCI vs. CUI
How CUI relates to CMMC
You are required to protect all information you handle as part of a government contract, even if you are just a subcontractor. If it is related to a defense contract, then you are also subject to CMMC, the Cybersecurity Maturity Model Certification program.
A business that exclusively handles FCI only needs to meet CMMC Level 1 requirements. However, many defense contractors—such as manufacturing and engineering firms—also handle CUI and need to reach CMMC Level 2.
In part, CMMC Level 2 compliance means that you need to have a system security plan (SSP), incident response plan (IRP), and plan of action and milestones (POA&M). You also must pass an assessment carried out by a Certified Third Party Assessor Organization (C3PAO). This isn’t just a one-and-done certification, either—you must recertify every three years to demonstrate that you are actively protecting government data.
Scoping is critical
Scoping refers to the process of figuring out what data you have, what systems it touches, who should have access to it, and what security controls you need to implement. Organizations can be tempted to jump ahead to lock things down. But we strongly encourage you to start with scoping for at least two reasons:
- Scoping allows you to focus on what matters. When you identify what is in scope, you also know what is out-of-scope, and you don’t have to waste time on those systems. You can put your time and budget toward what’s needed for compliance.
- Scoping makes your assessment go more smoothly. Your CMMC assessor will expect clear documentation of your scope and for you to be familiar with it. It also makes their job easier and allows them to concentrate on scoped items.
If you don’t take time to properly scope your project, you will waste time and money doing unnecessary things, you will make your assessment more stressful, and you may fail to implement needed controls because you weren’t thorough.
What does scoping involve?
Here’s a brief overview of the scoping process:
- Gather your contracts. This includes direct government contracts as well as any subcontracts.
- Review your contracts. They will often mention specific information—such as technical drawings, specifications, manuals, reports, or computer code—that you are expected to protect.
- Take inventory of your information assets. This is any information your company processes, stores, or transmits, whether electronically, on paper, or on removable media (e.g., CDs and USB drives).
- Map information to contracts. Document which contract each type of information is associated with.
- Decide what information is CUI. Does the information meet the definition of CUI as outlined in 32 CFR 2002.4?
- Map information to systems. Clearly document what information is CUI, where it resides, what systems it touches, and who should have access.
You can find the official Level 2 Scoping Guidance on the DoD CMMC website.
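The scoping steps above amount to building a few mappings and querying them: information types to contracts, a CUI decision per information type, and CUI to the systems and people that can reach it. The script below is an added example of that bookkeeping, not a tool from the post or from E-N Computers; every contract, system, user and asset in it is constructed sample data, and the need-to-know list is an assumption standing in for whatever your SSP documents.

```python
"""Added example: a minimal CUI scoping inventory.

Models the scoping steps from the post: inventory information assets,
map each to its contract, record the CUI decision, then derive which
systems are in scope for CMMC Level 2, which are out of scope, which
users can reach CUI without a documented need-to-know, and which CUI
exists on paper or removable media. All data below is constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class InfoAsset:
    name: str          # information type, e.g. "bracket drawings"
    contract: str      # contract the information belongs to
    is_cui: bool       # outcome of the 32 CFR 2002.4 review
    systems: frozenset # systems that process, store or transmit it
    media: frozenset   # "electronic", "paper", "removable"


@dataclass(frozen=True)
class System:
    name: str
    users: frozenset   # accounts with access to the system


# Constructed sample inventory (two contracts, three systems).
SYSTEMS = [
    System("file-server", frozenset({"alice", "bob", "carol"})),
    System("cad-workstation", frozenset({"alice"})),
    System("accounting", frozenset({"dan"})),
]
ASSETS = [
    InfoAsset("bracket drawings", "CONTRACT-A", True,
              frozenset({"file-server", "cad-workstation"}),
              frozenset({"electronic", "paper"})),
    InfoAsset("specifications", "CONTRACT-A", True,
              frozenset({"file-server"}),
              frozenset({"electronic", "removable"})),
    InfoAsset("invoices", "CONTRACT-B", False,       # FCI only
              frozenset({"accounting", "file-server"}),
              frozenset({"electronic"})),
]
# Assumed need-to-know list per CUI asset (would come from your SSP).
NEED_TO_KNOW = {
    "bracket drawings": {"alice", "bob"},
    "specifications": {"alice", "bob"},
}


def in_scope_systems(assets):
    """Every system that touches at least one CUI asset is in scope,
    even if it also holds FCI or non-contract data."""
    return {s for a in assets if a.is_cui for s in a.systems}


def out_of_scope_systems(assets, systems):
    """Systems you can leave out of the Level 2 effort."""
    return {s.name for s in systems} - in_scope_systems(assets)


def cui_by_contract(assets):
    """Which contracts drive the CUI requirement, and through which data."""
    result = {}
    for a in assets:
        if a.is_cui:
            result.setdefault(a.contract, set()).add(a.name)
    return result


def access_review(assets, systems, need_to_know):
    """(asset, system, user) triples where a user can reach CUI through a
    system but is not on that asset's need-to-know list."""
    by_name = {s.name: s for s in systems}
    findings = []
    for a in assets:
        if not a.is_cui:
            continue
        allowed = need_to_know.get(a.name, set())
        for sys_name in a.systems:
            for user in by_name[sys_name].users:
                if user not in allowed:
                    findings.append((a.name, sys_name, user))
    return sorted(findings)


def nonelectronic_cui(assets):
    """CUI on paper or removable media, which needs physical handling
    controls in addition to the system controls."""
    return {a.name: a.media - {"electronic"}
            for a in assets if a.is_cui and a.media - {"electronic"}}


if __name__ == "__main__":
    print("in scope:", sorted(in_scope_systems(ASSETS)))
    print("out of scope:", sorted(out_of_scope_systems(ASSETS, SYSTEMS)))
    print("CUI by contract:", cui_by_contract(ASSETS))
    print("access findings:", access_review(ASSETS, SYSTEMS, NEED_TO_KNOW))
    print("non-electronic CUI:", nonelectronic_cui(ASSETS))
```

The point the sample data makes is the one scoping is meant to surface: the file server is in scope because CUI lives on it, regardless of the FCI-only invoices stored alongside, while the accounting system can be left out; and the access review shows a user who can reach CUI through a shared system without appearing on any need-to-know list, which is exactly the kind of gap an assessor will ask about.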
How should CUI be handled?
CUI must be handled according to the cybersecurity standards in NIST SP 800-171. This 113-page document details 110 controls broken up into 14 families. For an in-depth explanation, check out our Ultimate Guide to DFARS and NIST SP 800-171.
It’s important to note that the specific way you implement these controls is up to you. It is your responsibility to protect all CUI that you handle. As a contractor, you have the right to set your policy on how you will handle CUI. Don’t be timid about talking with your government partner if you need clarification on whether something is CUI or need to remind them how to securely transmit information to you.
Whatever solution you use, you want it to be right-sized. Sometimes we find that people skip scoping and immediately overspend on a solution that’s total overkill. Then when they realize how much money they’re hemorrhaging, they switch to a pathetic, cheap solution. With a clear scope, you’ll be able to implement a Goldilocks solution that saves you time and money.
One example of this can be seen with Microsoft 365. Someone who only handles FCI can be fine using a commercial Microsoft 365 tenant. Someone who handles CUI will need Microsoft 365 Government Community Cloud (GCC), and someone who also has export-controlled information will need GCC High. GCC and GCC High will allow you to implement tags to label and track CUI tenant wide. For a more thorough comparison of these services, see our article, What is Microsoft 365 GCC High and do I need it?
The Cyber AB, the DoD’s exclusive CMMC implementation partner, highly recommends working with a Registered Practitioner (RP) through this process. A Registered Practitioner is an experienced IT professional who has been tested to demonstrate understanding of the CMMC framework. A good Registered Practitioner will guide you through scoping and implementation so that you are compliant and well-prepared for your assessment. E-N Computers is a Registered Practitioner Organization with two RPs, and we’re actively helping businesses prepare for CMMC.
Official CUI resources
The National Archives CUI Registry is “the Government-wide online repository for Federal-level guidance regarding CUI policy and practice.” You can find the CUI Marking Handbook here as well as some CUI training.
The DoD CUI Registry gives information on categories of CUI, required markings, policies, and examples.
This DoD Mandatory CUI Training is designed for DoD personnel as well as industry and provides information on “accessing, marking, safeguarding, decontrolling and destroying CUI along with the procedures for identifying and reporting security incidents.”
The DoD website provides official CMMC documentation, including a Level 2 self-assessment guide.
E-N Computers offers an audio version of the CMMC Level 2 Self-Assessment Guide as a free service to the IT community. Download or listen via Spotify or Amazon.
Next Steps
When you have the right people working together, you can implement systems and processes that actively help you reach your business goals. We sometimes call this IT maturity. But for many organizations, something is off when it comes to their partnerships, strategy, systems, and settings. How can you know what’s working well and where you have room for improvement? Start by taking our free IT Maturity Self-Assessment. You’ll walk away with some pointers and, if you want, a free appointment to discuss your results.