What Exactly is CUI (Controlled Unclassified Information)?

Welcome back.

We are here with Carl B. Johnson from Cleared Systems, and today we would like to talk about CUI. It’s a topic on everyone’s mind if you work with the federal government or are preparing for a CMMC audit.

So, Carl, hello. How are you today?
I’m well, thank you. How are you?
I’m doing fine, thanks for having me back.


Could you please explain what exactly CUI is?

Yeah, absolutely. I think it’s funny that we’re having this conversation because, as you said, it comes up almost every day. Sometimes it’s explained a bit more complexly than it needs to be, so I hope I do a great job of simplifying it.

I’ll start with the roots of CUI. First, CUI stands for Controlled Unclassified Information. Its roots go back to March 6, 2020, when the Office of the Under Secretary of Defense for Intelligence and Security released the DoD instruction on how to mark and identify any information related to the DoD.

And the reason why I said this is an alphabet soup is because all these agencies are involved. But what it really means is how information that belongs to the Department of Defense is identified and shared with federal contractors, whether inside or outside of an agency.

Before CUI, each agency had its own markings or categories for its data. A perfect example is seeing things such as “for your eyes only” or “FOIA” on documents. That all came from where the DoD said we have to mark these documents a certain way.

You know, if you look back at old movies, you see those little stamps that say “classified.” When we’re talking about CUI, think of unclassified information that still has some sensitivity levels. Within CUI, there are different categories, and I’ll discuss some of them in our conversation today.

The most important part of CUI is understanding how to mark the documents you communicate with the federal government, whether it’s the DoD, the Department of Commerce, the FBI, or any other agency. This way, you know these documents have different regulatory or compliance requirements than the documents within your organization.

To put it simply, if you’re familiar with PII (personally identifiable information), such as your social security number or date of birth, think of CUI as under that same umbrella. PII is not classified but is still considered sensitive.

If someone gets a hold of that information, they can do a lot of damage. We hear about data breaches daily. With CUI, the federal government wants to ensure that whoever holds their information outside of their agencies stores it correctly and ensures only authorized personnel can access it.

In a nutshell, at a high level, that’s what we are talking about when we talk about CUI. You may also hear terms such as CDI (Covered Defense Information) or CTI (Controlled Technical Information). As I said when we started, it’s an alphabet soup.

But with CUI, think of it as an umbrella that covers CDI, CTI, PII, or anything that relates to the business of the federal government, specifically the Department of Defense.

Okay, thank you for explaining that. This is great going forward, but what about all the older archived records? How is that dealt with?

That’s a great question. Especially for organizations, CUI is pretty new. It’s only been around for a few years now. Even if we’re talking about markings themselves, now that everything is in the cloud, with platforms like SharePoint or file storage for documents and records, there are tools out there.

For instance, Microsoft uses labeling or unified labeling. If you’re not using Microsoft, but maybe an Amazon tenant, there are products like Titus, which is great at identifying CUI documents using artificial intelligence and can help mark the documents.

With this video, I’ll include an example of what a marked document looks like. For organizations with terabytes of documents going back many years, no one expects you to mark each and every one of those documents.

Instead, I recommend addressing those in your POAM (Plan of Action and Milestones) along with your SSP (System Security Plan) to basically say, “Mr. Auditor, we recognize that we have all these documents going back many years, but from this day forward, we have implemented a CUI program using Titus or Microsoft to categorize, label, and mark documents going forward.”

It seems like larger organizations and governmental organizations could manage CUI, but it seems like a lot of work for small organizations. Are there any tools that can help with markings for records and documents specifically for small organizations?

Yes, absolutely. Titus is a great tool to start with, even for small organizations. I think it’s important to note that small organizations may not have the infrastructure to spend a lot on upgrading their systems. I recommend using your existing IT architecture and putting your CUI documents on-premise, ensuring that the security model complies with NIST SP 800-171.

For small and medium businesses with a budget, I’m a bit biased toward Microsoft, but I recommend migrating to Microsoft GCC or GCC High. I’ll leave a link to the video Susan and I did earlier about migrating to Microsoft GCC and GCC High. As a small organization, you don’t need a huge budget to protect CUI.

Even if it’s scary when you see a contract with the federal government that says you must have a compliant NIST SP 800-171 way of storing CUI, there are budget-friendly ways to protect the government’s data, whether in the cloud or on-premise, using what you currently have.

Thank you for that. So you covered budget for managing CUI. Do you have any other guidance outside of budgetary concerns about managing CUI?

Yes, that’s a good point. The first rule of any security is the principle of least privilege. Think of a door where you’re not monitoring who’s coming in and out; you don’t know who is in the building or who has left. Apply the same concept to CUI: the most important part is limiting access to the information.

Not everyone in the organization needs access to every CUI document. Work with your FSO (Federal Security Officer) to create a CUI program. The most important part is not to overcomplicate it. At the end of the day, it’s about categorizing data according to the type of category you’re working with, whether financial, NATO, or export-related like ITAR.

In the world we live in today, everything involves data. The federal government wants to ensure you are categorizing their data to fit the right policy, regulation, or compliance requirements for storing that data.

I appreciate your insight, Carl. It’s always very enlightening talking to you about these subjects. Thank you for clearing up CUI, and I appreciate your time.

Thank you, Susan. I love talking about this. It’s a very important subject, especially with data breaches and cybersecurity being on everyone’s mind. Every day, I encounter attempts to breach systems or hear horror stories from customers about data breaches. Understanding your security posture as an organization, especially as a federal contractor, is important. I could talk about this all day.

Great stuff, Carl. Thank you so much for everything you’ve shared. We appreciate it, and I’ll see you next time.
Have a great day, Susan.

Thank you, Carl. Bye.

Susan: Hi everyone, welcome back. We’re continuing our discussion with Carl B. Johnson from Cleared Systems. In our last segment, Carl did an excellent job explaining the basics of CUI and provided valuable guidance on how both large and small organizations can handle it. Now, Carl, let’s dive a bit deeper into some practical steps and strategies for managing CUI effectively.

Carl: Absolutely, Susan. Managing CUI effectively involves several steps and strategies. It’s about building a comprehensive program that integrates into the organization’s existing processes and workflows.

Susan: That makes sense. So, what would you say are the first steps an organization should take when starting to implement a CUI management program?

Carl: The first step is conducting a thorough assessment. Organizations need to understand the types of CUI they handle, where it’s stored, and how it’s currently protected. This involves reviewing all data flows and storage locations, both digital and physical.

Susan: That sounds comprehensive. What tools or methods can organizations use for this assessment?

Carl: There are several tools and methods available. Organizations can use data discovery and classification tools, like Microsoft’s Information Protection or Titus, which help identify and classify CUI across the organization’s network. Additionally, conducting interviews with key personnel and reviewing documentation can provide insights into current practices and potential gaps.

Susan: Once the assessment is complete, what’s the next step?

Carl: The next step is developing a CUI management policy. This policy should outline how CUI is to be handled, including classification, marking, storage, transmission, and destruction. It should also define roles and responsibilities within the organization, ensuring that everyone understands their part in protecting CUI.

Susan: Policies are crucial. How do organizations ensure that these policies are followed?

Carl: Training and awareness are key. Employees need to be trained on the importance of CUI and how to handle it properly. Regular training sessions, along with clear and accessible documentation, help reinforce the policies. Additionally, implementing technical controls and regular audits can help ensure compliance.

Susan: Speaking of technical controls, what are some specific technologies or practices that can help protect CUI?

Carl: There are several technologies and practices that organizations can implement. Encryption is essential for protecting CUI both at rest and in transit. Access controls, such as multi-factor authentication and role-based access control, limit who can access CUI. Data loss prevention (DLP) solutions can help prevent unauthorized sharing or transmission of CUI. And, of course, regular backups and incident response plans are critical for mitigating the impact of any potential data breaches.

Susan: Those are great points. What about small organizations that might have limited resources? Are there any cost-effective solutions for them?

Carl: Definitely. Small organizations can leverage cloud services that offer built-in security features. For example, Microsoft’s GCC and GCC High environments are designed to meet federal security requirements and can be a cost-effective way to manage and protect CUI. Additionally, small organizations can focus on prioritizing their most sensitive data and implementing strong access controls and encryption for those critical assets.

Susan: That’s reassuring for smaller organizations. Let’s talk a bit about incident response. What should an organization do if they suspect a CUI breach?

Carl: If a breach is suspected, it’s crucial to act quickly. First, contain the breach to prevent further unauthorized access or data loss. Then, conduct a thorough investigation to understand how the breach occurred and what data was affected. Notify any impacted parties and comply with any regulatory reporting requirements. Finally, take corrective actions to prevent future breaches, which might include updating policies, improving security measures, and providing additional training to employees.

Susan: It sounds like having a solid incident response plan is essential. Any final thoughts or tips for organizations working to improve their CUI management?

Carl: My final tip is to continuously monitor and improve. Cyber threats are constantly evolving, and so should your security measures. Regularly review and update your CUI policies, conduct audits, and stay informed about the latest security trends and technologies. And remember, protecting CUI is not just about compliance; it’s about safeguarding sensitive information and maintaining the trust of your stakeholders.

Susan: Excellent advice, Carl. Thank you so much for sharing your expertise with us today. It’s been a very informative discussion, and I’m sure our audience has learned a lot.

Carl: Thank you, Susan. It’s been a pleasure talking with you. I hope the information we discussed today helps organizations better understand and manage their CUI.

Susan: Absolutely. Thank you to everyone for tuning in. Be sure to join us next time for more insights and discussions. Have a great day!


Author Profile

John Muller