CUI is one of those government definitions that is simple and yet often misunderstood, misapplied, and over-complicated by poor information and fear of losing contracts. The easiest way to identify CUI is through examples, and here are a few examples of CUI to help clear up the misconceptions.
Four Examples of CUI
Below is a short list of CUI examples*, based on the categories in the CUI registry:
- Controlled Technical Information: Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses, and related information, and computer software executable code and source code.
- DoD Critical Infrastructure Security Information: Information that, if disclosed, would reveal vulnerabilities in the DoD critical infrastructure and, if exploited, would likely result in the significant disruption, destruction, or damage of or to DoD operations, property, or facilities, including information regarding the securing and safeguarding of explosives, hazardous chemicals, or pipelines, related to critical infrastructure or protected systems owned or operated on behalf of the DoD, including vulnerability assessments prepared by or on behalf of the DoD, explosives safety information (including storage and handling), and other site-specific information on or relating to installation security.
- Naval Nuclear Propulsion Information: Related to the safety of reactors and associated naval nuclear propulsion plants, and control of radiation and radioactivity associated with naval nuclear propulsion activities, including prescribing and enforcing standards and regulations for these areas as they affect the environment and the safety and health of workers, operators, and the general public.
- Unclassified Controlled Nuclear Information – Defense: Relating to Department of Defense special nuclear material (SNM), equipment, and facilities, as defined by 32 CFR 223.
*It’s important to remember that while you may have information that falls under one of these CUI examples, this does not necessarily mean it is CUI. The government should list in the contract if the specific information you are generating on their behalf falls into the law, regulation or government-wide policy that requires safeguarding.
After reading through the above examples of CUI, which of these two options seems more likely to be CUI?
- A. Any government information that’s not labeled classified
- B. Government information that is defined by law, regulation, or policy
If you answered “A,” you’re probably overburdening yourself with excessive protection. If you answered “B,” then kudos to you for being on the right track.
CUI is defined as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
The four factors that define CUI are:
- Created by the government
- Possessed by the government
- Created for the government**
- Created on behalf of the government**
**When created for or on behalf of the government, the contract must specify that the information is CUI and must include the proper markings for it.
Additionally, for it to be CUI, it must:
- Fall under one of the categories of the CUI Registry and
- Be pursuant to applicable law, regulations, and government-wide policies, except for EO13526 or the Atomic Energy Act.
In addition, any information that is CUI must be properly marked as such according to government regulation.
If a document contains CUI, it must have the proper CUI markings in accordance with DoD Instruction 5200.48 Section 1.2. Below are the minimum proper CUI markings:
- The acronym CUI or the word CONTROLLED appears in the banner (header) and footer of the document.
- If CUI appears only in certain paragraphs or subparagraphs, while the rest of the document is uncontrolled, then only the paragraph or subparagraph containing CUI is marked with CUI (called portion marking).
- The first page or cover page of all documents containing CUI must carry the CUI designation indicator, as follows:
  - Line 1: the name of the DoD Component (or agency) determining that the information is CUI (which can be omitted if this information appears on the letterhead)
  - Line 2: the office making the determination
  - Line 3: all types of CUI contained in the document (from the CUI Registry)
  - Line 4: distribution statement or the dissemination controls
  - Line 5: point-of-contact information, including phone number or email address
What is not CUI?
Even if the information is similar to one of the above examples of CUI, that does not automatically make it CUI. It must first have a law, regulation, or government-wide policy applicable to it.
For example, if you have proprietary business information, it may or may not be CUI even though there is a category for it in the registry. The CUI Registry describes it as “Material and information relating to, or associated with, a company’s products, business, or activities, including but not limited to financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications.” This seems to imply that all your proprietary business information is CUI even if it has nothing to do with your government contracts.
However, you must remember that CUI categories assume the information is first pursuant to a specific law, regulation, or government-wide policy. If you’re a propulsion company that also has a defense contract, you’re not obligated to secure all propulsion information as CUI. If, however, the government contracts you to develop a new jet propulsion system for the next-gen fighter jet, that proprietary propulsion information and the delivered product could be CUI, as you created it for the government and the government may have stated it is CUI in the contract itself.
Other examples of information that is not considered CUI would be internal company information, such as internal system information, and non-government-related information.
How Do I Protect CUI?
If you have a DFARS 252.204-7012 clause in your contract or a derived requirement to NIST SP 800-171, then you can expect to receive or create CUI at some point. You are contractually obligated to protect CUI with a secure environment that complies with DFARS 7012 and/or NIST SP 800-171. If you cannot protect the data or prove you’re compliant, then you run the risk of losing contracts and not being able to compete in the DIB for new ones.
There are a few ways to safeguard CUI to fulfill NIST requirements:
- Build and manage a secure environment yourself (costly and time-consuming)
- Hire a third party to do it for you (even more costly)
- Use Cuick Trac’s secure virtual CUI enclave
Cuick Trac is an affordable solution for protecting CUI data and satisfying all the technical requirements of NIST SP 800-171. Schedule a quick demo with a solution expert today and see how easy it is to process, store, or transmit CUI in a secure, cost-effective, and compliant manner.