In July 2022, the Pentagon’s acquisition office issued a memo reminding acquisition officials of the DoD’s requirements for handling controlled unclassified information (CUI). The standard which applies to Defense contractors is not new. The original Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012 requirement went into effect in 2017. With the renewed focus on protecting CUI and several regulations governing its handling, including CMMC 2.0, understanding CUI protection is of utmost importance to all US Government agencies, Defense contractors and suppliers.
What is CUI?
Controlled Unclassified Information or CUI is defined as government-created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies, including the pending CMMC 2.0, DFARS clause 252.204-7012, NIST Special Publication 800-171 and ITAR.
The security requirements are built on the principle that certain types of unclassified information are extremely sensitive, valuable to national security, sought after by strategic competitors and adversaries, and may also have legal safeguarding requirements. The CUI policy aims to standardize the CUI marking system across the Federal Government, replacing agency-specific markings such as FOUO, LES, SBU, etc.
CUI Types
CUI falls under two types of categories and subcategories: CUI Basic and CUI Specified.
CUI Basic
CUI Basic is the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. Agencies handle CUI Basic according to the uniform set of controls set forth in this part and the CUI Registry. CUI Basic controls apply whenever CUI Specified ones do not cover the involved CUI.
CUI Specified
CUI Specified is a subset of CUI that has distinct handling controls specified in the authorizing law, regulation, or Government-wide policy. These controls may be more stringent than or simply different from those required for CUI Basic, which is the foundation of CUI. The CUI Registry identifies the laws, regulations, and Government-wide policies that include such specific requirements. While CUI Basic controls apply to all CUI information, CUI Specified has unique requirements outlined by the underlying authority. In instances where the applicable laws, regulations, or policies do not provide specific guidance, CUI Basic controls apply.
WHAT ARE THE CUI CLASSIFICATION CATEGORIES?
Controlled unclassified information (CUI) falls within one of 125 categories under the following groups:
- Critical Infrastructure
- Defense
- Export Control
- Financial
- Immigration
- Intelligence
- International Agreements
- Law Enforcement
- Legal
- Natural & Cultural Resources
- North Atlantic Treaty Organization (NATO)
- Nuclear
- Patent
- Privacy
- Procurement & Acquisition
- Proprietary Business Information
- Provisional (for DHS use only)
- Statistical
- Tax
- Transportation
A full list of CUI categories and the required banner markings and dissemination controls for each can be found here. Be sure to identify the category and the necessary markings and controls for the information that you are handling.
Limited Dissemination
Some CUI is subject to dissemination controls that place necessary restrictions on access to CUI, including those required by law, regulation, or Government-wide policy in accordance with 32 CFR 2002.16. CUI Limited dissemination control types and markings include:
- Attorney-client: Protected by attorney-client privilege unless dissemination is specifically permitted by the overseeing attorney who originated the work product or their successor.
- Attorney-WP: Protected by the Attorney Work Product privilege unless dissemination is specifically permitted by the overseeing attorney.
- DISPLAY ONLY [USA, List]: Disclosure allowed to a foreign recipient without providing a copy for retention.
- DL ONLY: Dissemination only to individuals, organizations or entities included on an accompanying dissemination list.
- FED ONLY: Federal Employees Only
- FEDCON: Federal Employees and Contractors Only
- NOCON: No dissemination to contractors
- NOFORN: No Foreign Dissemination
- REL TO [USA, List]: Authorized for release to certain nationals only (Ex: REL TO USA, Australia)
- RELIDO: Releasable by information disclosure official
What’s at Stake?
Improper safeguarding or loss of controlled unclassified information could have serious adverse effects on organizational operations, organizational assets and individuals. Any of these scenarios could result in a degradation in mission capability, damage to organizational assets, financial loss or harm to individuals. Not properly safeguarding CUI in accordance with DFARS, CMMC and NIST 800-171 can result in the loss of contracts, monetary fines and legal action.
CMMC 2.0 Compliance and CUI
As with many other regulations, the new CMMC Level 2 and Level 3 requirements will follow the 110 security controls in NIST SP 800-171, which were developed to protect CUI. Defense contractors handling CUI have been required to comply with NIST SP 800-171 since 2017 as part of their DFARS contract obligations. If you’re already in compliance with NIST SP 800-171, you’ve got a jumpstart on CMMC compliance.
DoD CUI MARKING GUIDELINES
If you have CUI, it needs to be categorized and marked accordingly. The purpose of CUI markings and the CUI designation indicator is to inform or alert recipients and users that CUI is present and of any limited dissemination controls. Here’s a summary of the DoD’s guidance on CUI Markings for Unclassified and Classified documents.
UNCLASSIFIED Documents Containing CUI
- Place “CUI” at the top and bottom of each page.
- Portion markings are optional on unclassified documents, but if used, all portions will be marked.
- The CUI designation indicator will be placed at the bottom of the first page or cover of all documents containing CUI:
- Line 1: The name of the DoD Component (not required if identified in the letterhead)
- Line 2: Identification of the office creating the document
- Line 3: Identification of the categories contained in the document
- Line 4: Applicable distribution statement or limited dissemination control (LDC)
- Line 5: Name and phone number or email of POC
CLASSIFIED Documents Containing CUI
- “CUI” does not go into the banner line.
- The CUI designation indicator and the classification authority block will be placed at the bottom of the first page.
- Portion markings are required on classified documents.
- Classified documents will be marked IAW DoDM 5200.01 Volume 2.
- CUI markings will appear in portions known to contain only CUI.
- A warning statement will be placed at the bottom of the first page of multi-page documents alerting readers to the presence of CUI in a classified DoD document.
Automating CUI Tagging and Marking in Microsoft 365 & GCC High
Relying on users to remember all of the classification and labeling requirements can be prone to error, which can lead to fines and/or loss of contracts, depending on the regulation. While most regulations reference NIST 800-171, each has its own caveats. You want to ensure you have tools to help identify CUI, label it appropriately and restrict access according to the applicable regulation(s).
NC Protect provides a full range of capabilities to identify, mark and protect CUI and other sensitive data. It can automatically classify and apply a CUI Designator Label to documents. Depending on the CUI level, user’s geographic location and security privileges, NC Protect can apply dynamic protection to prevent visibility of the document to unauthorized users, prevent emailing, and/or display the document within NC Protect’s secure ready-only viewer or allow the user to interact with the document fully.
It can also help manage CUI tagging, labeling and security across Microsoft 365, GCC and GCC High applications, and SharePoint on-premises. The dynamic labeling and marking capability and configurable access and protection policies can easily be extended to other government regulations and requirements for a seamless solution to manage information security and compliance.
Scan and Tag CUI
NC Protect helps organizations protect CUI from improper access and/or release. It scans your document repositories in M365, GCC or GCC High (SharePoint Online or Server, Teams, OneDrive, File Shares) and identifies CUI files. It then classifies the files according to their CUI level and restricts who in the organization can access the documents based on the documents’ classification and attributes, such as security clearance and country.
NC Protect’s access and protection policies can use multiple attributes in combination. It can leverage Microsoft Purview Information Protection (MPIP) sensitivity labels or classifications from other products (e.g., Janusseal, Titus, etc.) and use those values to apply dynamic protection policies and visual markings. Use NC Protect’s classifications or a combination of classifications to suit your organization’s taxonomy requirements and overcome labeling limitations in MPIP.
Automatically Apply CUI Markings
NC Protect dynamically embeds CUI Designation Indicator markings, including Owner Name, Controlled By, Category, Distribution/Limited Dissemination Control and POC, as well as headers/footers into documents as a persistent watermark. When any protected document is opened in Microsoft Office or the NC Protect Secure Reader, the CUI Designation Indicator label is embedded in the file as a persistent watermark.
Apply Dynamic Attribute-based Access Control (ABAC) and Data Protection Policies
NC Protect also provides robust access controls and data protection capabilities to safeguard CUI and enforce dissemination controls. Using ABAC, it evaluates data, environment and user attributes against defined policies to determine appropriate access, usage and sharing rights for each document.
- Use attribute-based access control polices to determine access rights.
- Fine grain policies control if an authorized user can edit, copy, download or share a file and with whom.
- Control access based on attributes such as nationality, location and security clearance.
- Enforce read-only access that prevents downloading or saving with a built-in Secure Reader.
- Dynamically encrypt sensitive data.
- Redact sensitive/classified information, such as keywords or phrases, in Word, Excel, PowerPoint and PDF, or when the file is presented in the Secure Reader.
Audit CUI Access and Activity
NC Protect audits all user activity and permissions. It logs and tracks sensitive access, user actions such as producing, editing or deleting data, and general access. Easily ingest user activity logs collected in NC Protect into Microsoft Sentinel or Splunk to analyze the data at scale and trigger holistic alerts and remediation actions.
