What Is Controlled Unclassified Information (CUI) In NIST 800-171?
But how do you know which information is important and needs protection? How can you ensure that your technology infrastructure is up to the challenge of keeping sensitive data secure?
In this article, I’ll explain what controlled unclassified information (CUI) is, why it is important for NIST 800-171 certification, and how your IT plays a role in protecting this information.
After reading this article, you’ll have a better understanding of what type of information requires safeguarding and will be best positioned to use technology to keep your data and infrastructure safe.
At Kelser, we are committed to addressing confusing technical topics in simple terms, so business leaders have information that helps make important technical decisions they face every day.
What Is CUI?
The National Science Foundation (NSF) defines CUI as:
"the information the government owns or creates, or that a firm or organization possesses or creates for the government, that needs to be safeguarded and protected using the information security controls required under current government laws, regulations and policies.”
The NSF goes on to say:
“although CUI isn’t classified information, the federal government has determined that it needs to be protected because its malicious release poses a threat to national security.”
Let's get rid of the technical jargon. Imagine you are a contractor or subcontractor for a government project that is involved in critical infrastructure design. The blueprints and specifications for the design wouldn't necessarily be classified, but you could still consider this information to be highly sensitive. That's CUI in a nutshell.
It's government-created or government-possessed information that requires safeguarding but doesn't fall under the traditional bucket of classified information.
What Are Some Examples of CUI?
There are many different types of information that fall into the CUI category. These include, but are not limited to:
1. Personally Identifiable Information (PII)
In general terms, PII is information that can be used to identify a particular individual.
2. Proprietary Business Information (PBI)
According to lawinsider.com, PBI includes any and all confidential information, proprietary information, and data of a company that is either marked as PBI or should reasonably be understood to be PBI.
This includes customer and employee lists, intellectual property, pricing lists, marketing and pricing tools and information, business plans and budgets, and policies.
3. Unclassified Controlled Technical Information (UCTI)
The Department of Energy defines UCTI as:
"Technical data or computer software (as defined in Defense Federal Acquisition Regulation Supplement 252.227-7013) with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination."
4. Sensitive But Unclassified (SBU) Information
The U.S. Department of State identifies SBU as information that is not classified for national security reasons, but that warrants or requires administrative control and protection from public or other unauthorized disclosure for other reasons.
5. Critical Infrastructure Security Information (CISI)
This is information that has details about the design, function, and maintenance of critical infrastructure, like power grids and transportation systems.
6. Federal Contract Information (FCI)
This includes non-public information that is exchanged between contractors, subcontractors, and the government.
Again, this is not a complete list, but it gives an idea of the types of information included in CUI.
What Is The Connection Between CUI and NIST 800-171?
The National Institute of Standards and Technology developed a special publication known as NIST 800-171 (or NIST SP 800-171) about 10 years ago to provide a framework for protecting CUI.
You can think of this NIST cybersecurity framework as a set of requirements or a roadmap for organizations to follow if they handle CUI and are working with the government.
The reasoning behind this is that although this information isn't covered by the safeguards that apply to classified documents, it could still be detrimental and a security risk if it falls into the wrong hands.
How Does IT Help Protect CUI?
NIST 800-171 outlines a framework for protecting CUI based on 14 control families, which relate directly to IT safeguards:
1. Access Control
Who is authorized to access data, and what permissions (read-only, read and write, etc.) do they have?
2. Awareness and Training
Are users properly trained in their roles involving how to properly secure this data and the systems it resides on?
3. Audit and Accountability
Are accurate records of system and data access and activity kept and monitored? Can violators be positively identified?
4. Configuration Management
How are your systems standardized? How are changes monitored, approved, and documented?
5. Identification and Authentication
How are users positively identified prior to obtaining access to this information?
Related article: What Is Multi-Factor Authentication? Do I Need It?
6. Incident Response
What processes are followed when security events, threats, or breaches are suspected or identified?
Related article: What Are The Key Components Of An IT Disaster Recovery Plan?
7. Maintenance
How is information secured and protected against unauthorized access during maintenance activities?
8. Media Protection
How are electronic and hard copy records and backups stored and secured?
Related article: Data Backups Are Key To Disaster Recovery
9. Physical Protection
How does your organization prevent unauthorized physical access to systems, equipment, and storage?
Related article: Why Should I Lock My Work Computer And How Does It Protect My Company?
10. Personnel Security
How are individuals screened prior to granting them access to CUI?
11. Risk Assessment
How are business risks and system vulnerabilities associated with handling CUI identified, tracked, and mitigated?
Related article: What’s The Difference Between A Vulnerability Scan & Penetration Test?
12. Security Assessment
How effective are current security standards and processes? What improvements are needed?
Related article: Testing Your IT Disaster Recovery Plan: Best Practices
13. System and Communications Protection
How is information protected and controlled at key internal and external transmission points?
Related article: What Is a Business, Commercial, or Enterprise Firewall? Do I Need One?
14. System and Information Integrity
How is CUI protected against such threats as software flaws, malware, and unauthorized access?
Each of these 14 control families is further broken down into specific processes or practices against which your company will be evaluated for compliance.
IT professionals use these controls as a roadmap to ensure your business has all the necessary technology and security requirements in place to safeguard CUI.
Implementing these controls often involves installing properly configured firewalls, implementing data encryption methods, establishing user access controls, patching systems regularly, and educating employees through security awareness training.
What’s The Bottom Line?
In this article, we’ve defined what controlled unclassified information (CUI) is, as well as provided a few examples to give you an overview.
We also established how CUI and NIST 800-171 are linked and the role IT plays in safeguarding sensitive government information and ensuring compliance.
At this point, if you haven't already begun NIST certification, use the checklist below to get started.
If you are NIST 800-171 certified, take the next step in your compliance journey by preparing now for the requirements outlined in CMMC 2.0. Learn what you need to know.
Or if you still have questions about NIST, CMMC or another technical topic, use the button below to connect with one of our IT solutions experts who will reach out to schedule a 15-minute chat. Not a sales call, just a conversation.