What is the difference between unclassified and controlled unclassified information CUI?

Controlled Unclassified Information (CUI) is federal non-classified information (i.e. information the federal government creates or possesses, or that an entity creates or possesses for or on behalf of the government) that requires safeguarding or dissemination controls compliant with law, regulations, and government-wide policies. 

The federal CUI Program is a government-wide approach to creating a uniform set of requirements and information security controls directed at securing sensitive government information.


The CUI Program was established as a result of Executive Order 13556 and is intended to standardize the way the government, and those doing business with the DoD, handle and protect unclassified information. Prior to the current CUI program, every agency used a different set of markings (FOUO, LES, SBU, UCTI, etc.), information classifications, and rules for how to manage and control the information. Many organizations in the Aerospace and Defense industry may have become accustomed to markings applied to data such as For Official Use Only (FOUO), Law Enforcement Sensitive (LES), Sensitive but Unclassified (SBU), and Unclassified Controlled Technical Information (UCTI). All of these are now Controlled Unclassified Information, or CUI. This information, although unclassified, is still crucial to national defense, and it warrants special protection to prevent unauthorized access or disclosure.

NARA CUI Registry Definitions:

There is an incredibly wide range of data that is unclassified but falls within the CUI definitions found in the NARA CUI registry, many of which are casually overlooked by organizations. Here are common examples of data you must protect under DFARS/CMMC as a defense contractor:

  • Controlled Technical Information (CTI): Technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24 and found in the DoD-provided guidance for CUI Markings for Unclassified Documents.
  • ITAR Data: Export-controlled data covering defense-related articles, services, and technology that the International Traffic in Arms Regulations (ITAR) place on the United States Munitions List (USML). The USML is the list of articles, services, and related technology designated as defense- and space-related by the United States federal government.
  • Personally Identifiable Information (PII): PII that is transmitted, stored, or processed on behalf of the government as part of delivering a contract; that data is government-owned. For example, if PII is included in a contract that processes benefits, this would be considered CUI. 

Much like organizations and businesses, government agencies frequently create, share, and store information that requires protection. Some of these agencies handle information that is so sensitive that it’s deemed “classified,” or perhaps even “secret” or “top-secret.” Other agencies handle information that is considered “unclassified,” albeit still sensitive enough to remain outside of the public domain. Protecting such unclassified information may not be as critical as protecting classified information, but it does still require some protection. Because the U.S. government’s separate agencies developed their own methods of protecting data over time, ensuring the security of that data as it was shared across agencies became increasingly convoluted. The Controlled Unclassified Information (CUI) Program is a means of standardizing data classification and protection across these separate agencies.

CUI is best understood by first knowing what does not qualify as CUI. Put simply, any information classified under Executive Order No. 13526 and the Atomic Energy Act cannot be considered CUI. In other words, any classified information labeled “classified,” “secret,” or “top-secret” cannot be designated as CUI. Furthermore, CUI cannot be any information possessed by a non-executive branch entity or any information that is lawfully or publicly available without restrictions.

Controlled unclassified information is unclassified information possessed by an entity of the executive branch requiring safeguarding and dissemination controls, consistent with applicable law, regulation, or government-wide policy.

Who is responsible for applying CUI markings?

The first step in designating information as CUI is to correctly identify and mark it as such. The original authorized holder (the creator) of the information is always the one tasked with determining whether a piece of information falls into a CUI category, and then applying the proper CUI markings and dissemination instructions if it does qualify. An “authorized holder” of CUI is an individual, agency, organization, or group of users legally permitted to designate or handle CUI. 

Who is responsible for protecting CUI?

After a piece of information is designated as CUI and given the proper markings and dissemination instructions, the information can then be shared across agencies and authorized holders. When CUI is being stored, it always requires a controlled environment. Whether this means the offices and/or buildings have security measures in place to restrict access to CUI or that the CUI is stored in locked cabinets, it is imperative that only those with a lawful government purpose can freely access the information.

With this in mind, anybody intending to transmit or store CUI is responsible for its handling and protection. The sender must ensure that only authorized holders will be able to access the information once it is transmitted and that it will be kept in a controlled environment once it is in the hands of the recipient. CUI should only be sent through secure channels, whether it be through mail, approved secure communication systems, or other systems using transport layer security. 

On a higher level, the Information Security Oversight Office (ISOO) oversees and enforces the CUI Program to ensure its proper implementation and compliance by executive branch agencies. 

What are some examples of CUI?

Being that CUI is an umbrella term for information with a range of markings across several agencies, it encompasses several varieties of sensitive information including the following:

  • For Official Use Only (FOUO) Information
  • Law Enforcement Sensitive (LES) Information
  • Personally Identifiable Information (PII)
  • Proprietary Business Information (PBI)
  • Sensitive but Unclassified (SBU) Information
  • Sensitive Personally Identifiable Information (SPII)
  • Unclassified Controlled Technical Information (UCTI)

For an even more detailed look into what types of information can be designated as CUI, take a look at the categories outlined in the CUI Registry.

What is the difference between CUI and unclassified?

CUI is defined as unclassified information that requires safeguarding and dissemination controls pursuant to law, regulation, or Government-wide policy, as listed in the CUI Registry.

What is the difference between CUI and classified information?

CUI is not classified information. It is not corporate intellectual property unless created for or included in requirements related to a government contract. Why is it important? Because there are fewer controls over CUI as compared to classified information, CUI is the path of least resistance for adversaries.

What is the difference between CUI and CDI?

Covered Defense Information (CDI): A term defined in DFARS clause 252.204-7012, Safeguarding Covered Defense Information, as unclassified controlled technical information or other information, as described in the Controlled Unclassified Information (CUI) Registry, that requires safeguarding or dissemination controls ...

What are the 2 types of CUI?

There are seven CUI information types, including Personally Identifiable Information (PII), Sensitive Personally Identifiable Information (SPII), Proprietary Business Information (PBI), Unclassified Controlled Technical Information (UCTI), Sensitive but Unclassified (SBU), For Official Use Only (FOUO) and Law ...