The CMMC program employs progressively advanced levels, depending on the type and sensitivity of the information, to include Controlled Unclassified Information or “CUI”. Therefore, the definition of CUI is critical to the CMMC program. Many organizations treat CUI as if it were merely an abstract or conceptual description for data that is “critical” or “sensitive” information. If that were the case, identifying CUI would be subjective, making it difficult for organizations to tell if something is CUI or not. Fortunately, CUI has a specific, unambiguous definition that is concrete and objective. The official Government-wide definition of CUI is found here.
Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see paragraph (e) of this section) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.
This definition consists of several parts that are especially pertinent to Federal contractors:
- CUI does not include classified information, which requires much more robust controls than CUI does.
- CUI must either (1) have “come from” a Federal agency into the possession of a contractor or (2) have been “created or possessed … for” a Federal agency by a contractor acting “on behalf of the Government.” This means that CUI is not limited to information that the Government provides to the contractor. Information that is collected or produced by a contractor specifically for the performance of a service to the Federal Government might also be CUI. However, internal information that a contractor maintains in its systems that is not “from” the Government, not “for” the Government, and not “on behalf of the Government” cannot be CUI.
- CUI has safeguarding or dissemination controls defined in Federal laws, regulations, or Government-wide policies. Explicit Federal mandates are the reason CUI must be “controlled,” and those Federal legal mandates ultimately define whether information is CUI or not. If a Federal law, regulation, or Government-wide policy specifically identifies requirements for safeguarding or disseminating certain types of information, then that information is CUI. If not, then that information is not CUI.
Those three criteria are concrete, objective, and unambiguous, leaving little room for a contractor’s subjectivity or interpretation, but they also create a huge problem. The volume of Federal laws and regulations is almost unimaginable. Each year, the Code of Federal Regulations grows by 60,000 – 100,000 pages. Fortunately, the National Archives and Records Administration (NARA) has done the legwork of reviewing the laws, regulations, and Government-wide policies and has compiled the results in a centralized registry. The CUI registry (located here) lists all the categories of information that would be considered CUI. To identify what is CUI, organizations need to assess each of the 125 categories listed in the CUI registry and determine what information pertaining to Federal contracts corresponds to those CUI categories. Any information provided by the Government or produced by the contractor for or on behalf of the Government that matches a description of a subcategory in the CUI registry is by definition considered CUI. Information that does not match up to a category in the CUI registry is not CUI, regardless of how “critical” or “sensitive” that information might be.
For further information, refer to SecureIT’s blog “Follow the CUI for CMMC Compliance.”