In today’s interconnected digital world, safeguarding sensitive data and preventing unauthorized access is vital, especially for U.S. government agencies, contractors, and other information-sharing partners that compete for Department of Defense (DoD) contracts. While many organizations that work alongside the U.S. government have historically dedicated significant energy to protecting classified information, controlled unclassified information (CUI) also contains sensitive data that could pose risks to national security. To develop a standardized approach to CUI management and mitigate risks, the U.S. government created the CUI Program.
This article helps contractors and subcontractors understand CUI, how the CUI program helps secure data, and how they can use the DoD’s Cybersecurity Maturity Model Certification to ensure they protect CUI and demonstrate robust cyber hygiene to the DoD and other federal agencies.
Protect CUI across your third-party ecosystem with the world’s #1 TPRM solution: UpGuard Vendor Risk
What is controlled unclassified information (CUI)?
CUI refers to any type of unclassified data that the U.S. Government creates or possesses that requires safeguards and dissemination controls due to its sensitive nature. This classification includes a broad spectrum of information, ranging from personally identifiable information (PII) to proprietary business information. However, CUI excludes all information classified by Executive Order 13526 or the Atomic Energy Act. Agencies and contracted organizations may only access CUI for lawful government purposes, restricting the general public from interacting with CUI.
What are some examples of CUI?
The U.S. Government uses the acronym CUI to refer to many different types of protected information. This spectrum includes the following types of data:
- Personally identifiable information (PII): Any type of data that organizations or individuals could use to distinctly identify, contact, or locate a specific individual
- Sensitive but unclassified (SBU): Any type of unclassified information that still requires protection due to its sensitive nature
- Proprietary business information: Any type of confidential information that gives organizations a competitive edge over its competitors
- Export control information: Any information related to the export of goods or services controlled by international agreements
- Law enforcement sensitive (LES) information: Any information that could affect law enforcement activities or security if compromised
- Classified national security information: Any information related to systems or assets that the U.S. Government uses to ensure national security, economic security, public health, or public safety
- Financial and health information: Any protected health or financial information that organizations are required to safeguard under one or more privacy regulations
While there are many types of CUI, the term essentially encompasses any data that could pose significant risks to national security, public health, or critical government infrastructures if compromised.
Classified information vs controlled unclassified information
CUI and classified information vary from each other in sensitivity and the handling requirements they necessitate. Classified information undergoes a formal classification process, determining its level of criticality (confidential, secret, and top secret) and the security protocols organizations must follow. In contrast, CUI lacks formal categorization.
While not included in the formal classification process associated with classified information, federal agencies still organize and distinguish CUI with visual cues called CUI markings.
What are CUI markings?
CUI markings help federal agencies and other organizations quickly identify information sensitivity and the handling procedures necessary to protect the information. The U.S. Government uses four main categories of visual cues to mark CUI:
- Banner markings: Agencies add banner markings to the top and bottom of each page to indicate that a document contains CUI. These markings include the date an agency created the document, the date of any revisions, and the agency's name.
- Designation indicators: Agencies add designation indicators to the body of a CUI document to indicate what types of information the document contains.
- Limited dissemination controls (LDC): Agencies use limited dissemination controls to indicate that a document contains information that requires additional restrictions. These control markings will replace legacy markings such as FOUO (For Official Use Only) and NOFORN (No Foreign Access).
- Cover letter markings: When agencies transmit CUI through cover letters, they include “CUI” and other markings to indicate that the document contains CUI and the procedures the reader must follow.
By incorporating these visual cues, federal agencies aim to ensure government personnel and outside organizations effectively identify, protect, and safeguard CUI throughout the document’s lifecycle. In addition to CUI markings, the U.S. Government also subjects CUI to further restrictions as a part of its formal CUI program.
What is the CUI program?
On November 4, 2024, President Obama executed Executive Order 13556 to establish the CUI program and create standardized and straightforward government-wide policies for protecting controlled unclassified information. The CUI program simplifies how the Executive branch and its agencies handle and manage CUI, including distributing and managing security protocols and dissemination controls. Executive Order 13556 also designated the National Archives and Records Administration (NARA) as the CUI Executive Agent, granting the administration the authority to oversee the CUI program and the responsibility to publish periodic status reports and directives on the program’s implementation.
Who is required to implement the CUI program?
All Executive branch departments and agencies are required to implement the CUI program. The head of each department or agency is responsible for overseeing implementation throughout their department and serves as a program manager.
What is the DoD CUI Registry?
The CUI Registry is the government-wide repository for guidance regarding CUI policies, practices, and management. The registry can be found on the DoD’s official website. On the registry, organizations can view CUI protocols by category, including patent, tax, critical infrastructure, and more.
What is 32 CFR Part 2002?
Shortly after being designated the CUI Executive, the NARA delegated oversight responsibilities to the Information Security Oversight Office (ISOO). ISOO issued 32 CFR Part 2022, “Controlled Unclassified Information,” to achieve its legal duties. This federal CUI policy ensures agencies comply with the CUI Program’s designating, safeguarding, marking, decontrolling, and disseminating rules. The policy applies to all Executive branch agencies that handle CUI and all organizations that interact with CUI while working with the U.S. Federal Government.
What is DoD Instruction 5200.48?
Organizations competing for government contracts, specifically DoD contracts, must demonstrate the ability to monitor and protect CUI. DoD Instruction 5200.48 presents basic requirements for ensuring effective CUI management in contractor relationships. These CUI requirements include the following:
- The DoD must inform all contractors of all documents that contain CUI.
- The DoD must mark all documents that contain CUI.
- The DoD must articulate that it is distributing CUI in all contracts.
- Contractors are required to monitor CUI and report classification to the DoD.
- Contractor information systems must follow security guidelines listed in DoDI 8582.01.
- Contractors must follow all mandatory disposition authorities when the DoD provides CUI or anyone other than the DoD generates CUI.
To secure CUI across their internal systems and infrastructure and demonstrate compliance with DoDI 5200.48, contractors must develop robust cybersecurity protocols and adhere to the Cybersecurity Maturity Model Certification (CMMC) 2.0 framework.
Protecting CUI with the CMMC
The DoD’s CMMC framework includes cyber protection standards contractors and subcontractors can implement to ensure they comply with the department’s CUI guidelines. The CMMC contains five maturity levels that range from “basic cybersecurity hygiene” to “advanced.” The five levels of the CMMC include:
- Level 1: Basic practices to improve cyber hygiene, like installing anti-virus software and regularly updated passwords to safeguard data and sensitive information
- Level 2: Intermediate cybersecurity practices, including implementing NIST Special Publication 800-171 to ensure CUI security
- Level 3: Advanced cybersecurity protocols, including implementing all security requirements in NIST SP 800-171 and creating a company-wide cybersecurity management plan
- Level 4: Installs processes and techniques for addressing advanced threats, including access control, risk management, and security risk assessments
- Level 5: Standardizes the processes and techniques introduced in Level 4 and establishes programs to review and measure the success of internal security practices
In order to achieve CMMC levels two through five, organizations will need to develop robust third-party risk management (TPRM) and attack surface management (ASM) programs, as required by NIST SP 800-171. Developing effective TPRM and ASM programs is the easiest way contractors can deploy critical cybersecurity techniques, like risk assessments and security questionnaires, communicated throughout CMMC levels four and five.
How can UpGuard help you achieve CMMC certification?
UpGuard’s comprehensive cybersecurity tools offer government contractors access to powerful TPRM and ASM solutions. These solutions make it easy and affordable for contractors to implement critical cybersecurity techniques, such as vendor due diligence, risk assessments, cybersecurity questionnaires, incident response plans, business continuity planning, and continuous security monitoring.
Here’s how UpGuard Vendor Risk helps contractors develop a comprehensive TPRM program:
- Vendor risk assessments: Fast, accurate, and comprehensive view of your vendors’ security posture
- Security ratings: Objective, data-driven measurements of an organization’s cyber hygiene
- Security questionnaires: Flexible questionnaires that accelerate the assessment process and provide deep insights into a vendor’s security
- Reports library: Tailor-made templates that support security performance communication to executive-level stakeholders
- Remediation and mitigation workflows: Comprehensive workflows to streamline risk management processes and improve overall security posture
- Integrations: Application integrations for Jira, Slack, ServiceNow, and over 4,000 additional apps with Zapier, plus customizable API calls
- Intuitive design: Easy-to-use first-party dashboards
- World-class customer service: Plan-based access to professional cybersecurity personnel that can help you get the most out of UpGuard
Here’s how UpGuard BreachSight helps contractors develop a comprehensive ASM program:
- Data leak protection: Protect your brand, intellectual property, and customer data with timely detection of data leaks and avoid data breaches
- 24/7 continuous monitoring: Real-time notifications and risk updates using accurate supplier data
- Attack surface reduction: Reduce your attack surface by discovering exploitable vulnerabilities and domains at risk of typosquatting
- Shared Profile: Eliminate having to answer security questionnaires by creating an UpGuard Shared Profile
Together, Vendor Risk and BreachSight form a complete cybersecurity solution your organization can utilize to help manage risks and protect data across its first and third-party ecosystems.
Get started with UpGuard and develop your comprehensive cybersecurity program today.
