What is CUI?

Controlled Unclassified Information (CUI) is information that is unclassified and not strictly regulated by the federal government, but is sensitive and needs safeguarding. Data can be assigned the status of CUI even after you have received it and it is your responsibility to protect it. NIST (National Institute of Standards) is responsible for providing federal agencies with recommended requirements for protecting confidentiality of CUI. NIST 800-171 is a set of standards that define how to protect and distribute this material.

What materials constitute CUI?

  • Electronic files
  • Emails
  • Email attachments
  • Proprietary information (ie. sales contracts)
  • Blueprints
  • Paper files

If your organization holds a Department of Defense contract, does work for the DoD, or is a supplier to a DoD contractor or supplier then you probably maintain, process or store CUI. You can visit the CUI Registry to find out exactly what is considered CUI.

As defined in the National Archives, “Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see definition above) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.”

It is important that you identify CUI within your organization and make sure that it is being maintained, processed and stored properly. If CUI is not handled properly, you risk legal consequences and losing contracts. If you need help identifying, maintaining, processing and storing CUI, contact us today.