CUI in a Nutshell
Not having a thorough understanding of Controlled Unclassified Information (CUI) has made it difficult for contractors to put the proper cybersecurity practices in place. The new DoD CUI Registry is a starting point for understanding what information needs protecting.
CUI is information that must be handled with safeguards or dissemination controls, in accordance with law, regulation, or government policy; in other words, data that isn’t classified but is still sensitive enough to require protection. In 2010, Executive Order 13556 established a government-wide program for managing CUI. The National Archives and Records Administration (NARA) was tasked with managing the program and establishing a National CUI Registry, which defines the types of CUI processed by each government agency.
The DoD CUI Registry
In March 2020, DoD Instruction 5200.48 established a separate DoD CUI Registry, designed to mirror the National CUI Registry but provide “…additional information on the relationships to the DoD by aligning each Index and Category to DoD issuances.” How can contractors use this CUI registry? A good starting point is to explore the following sections: Electronic Funds Transfer (EFT), Contract Use, the Procurement/Acquisition category, and the Proprietary Business Information category. These are types of information that nearly every DoD contractor is likely to process.
You will notice that the CUI Registry labels CUI as either ‘Basic’ or ‘Specified’, depending on whether the safeguarding requirements are the same as for other types of CUI, or whether there is specific, unique guidance. In both cases, the CUI Registry includes a link to the law, regulation, or policy from which the security or dissemination controls are derived. The CUI Registry also provides clear guidance on how to correctly mark the CUI.
It was once very difficult to determine what could be considered CUI, but the DoD’s CUI Registry provides a way to understand the various types of sensitive information that your company might process. Armed with that knowledge, you can then begin the hard work of applying the cybersecurity safeguards (namely those listed in NIST SP 800-171 and CMMC) needed to protect this data from unauthorized disclosure. A sense of urgency is critical: the Defense Federal Acquisition Regulation Supplement (DFARS), which governs all business agreements between the DoD and the private sector, is being strengthened with new contractor cybersecurity requirements that will eventually be mandatory across the board. If you’re still not sure where to begin, consider our cybersecurity compliance virtual workshops.