By: Karen Cohen on March 12, 2024

What Is Controlled Unclassified Information (CUI) In NIST 800-171?

 If you work as a contractor or subcontractor to the U.S. government, you likely know that not all sensitive information is marked “secret,” “top secret,” or “classified.”

But how do you know which information is important and needs protection? How can you ensure that your technology infrastructure is up to the challenge of keeping sensitive data secure?

In this article, I’ll explain what controlled unclassified information (CUI) is, why it is important for NIST 800-171 certification, and how IT plays a role in protecting this information.

After reading this article, you’ll have a complete understanding and will be best positioned to use technology to keep your data and infrastructure safe.

At Kelser, we are committed to addressing confusing technical topics in simple terms, so business leaders have information that helps make important technical decisions they face every day.  

What Is CUI?

The National Science Foundation (NSF) defines CUI as:

“the information the government owns or creates, or that a firm or organization possesses or creates for the government, that needs to be safeguarded and protected using the information security controls required under current government laws, regulations and policies.”

The NSF goes on to say:

“although CUI isn’t classified information, the federal government has determined that it needs to be protected because its malicious release poses a threat to national security.”

Examples of CUI

There are many different types of information that fall into the CUI category. These include, but are not limited to:

1. Personally Identifiable Information (PII)

In general terms, PII is information that can be used to identify a particular individual.

2. Proprietary Business Information (PBI)

According to lawinsider.com, PBI includes any and all confidential and/or proprietary knowledge, data and information of a company that is either marked as PBI or should reasonably be understood to be PBI.

This includes customer and employee lists, intellectual property, pricing lists, marketing and pricing tools and information, business plans and budgets, and policies.

3. Unclassified Controlled Technical Information (UCTI)

The Department of Energy defines UCTI as:

“technical data or computer software (as defined in Defense Federal Acquisition Regulation Supplement 252.227-7013) with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.”

4. Sensitive But Unclassified (SBU) Information

The U.S. Department of State identifies SBU as information that is not classified for national security reasons, but that warrants/requires administrative control and protection from public or other unauthorized disclosure for other reasons.

Again, this is not an exhaustive list, but does provide a sense of the types of information included in CUI.

What Is The Relationship Between CUI and NIST 800-171?

The National Institute of Standards and Technology developed a special publication known as NIST 800-171 (or NIST SP 800-171) about 10 years ago to provide a framework for protecting CUI.

The reasoning behind this is that although this information doesn’t fall into the traditional protected documentation safeguards, it could still be detrimental if it falls into the wrong hands.

How Does IT Play A Role In Protecting CUI?

NIST 800-171 outlines a framework for protecting CUI based on 14 control families, which relate directly to IT safeguards:

1. Access Control

Who is authorized to access data, and what permissions (read-only, read and write, etc.) do they have?

2. Awareness and Training

Are users properly trained, in their roles, on how to secure this data and the systems it resides on?

3. Audit and Accountability 

Are accurate records of system and data access and activity kept and monitored? Can violators be positively identified?

4. Configuration Management

How are your systems standardized? How are changes monitored, approved, and documented?

5. Identification and Authentication

How are users positively identified prior to obtaining access to this information?

Related article: What Is Multi-Factor Authentication? Do I Need It?

6. Incident Response

What processes are followed when security events, threats, or breaches are suspected or identified?

Related article: What Are The Key Components Of An IT Disaster Recovery Plan?

7. Maintenance

How is information secured and protected against unauthorized access during maintenance activities?

8. Media Protection

How are electronic and hard copy records and backups stored and secured?

Related article: Data Backups Are Key To Disaster Recovery

9. Physical Protection

How does your organization prevent unauthorized physical access to systems, equipment, and storage?

Related article: Why Should I Lock My Work Computer And How Does It Protect My Company?

10. Personnel Security

How are individuals screened prior to granting them access to CUI? 

11. Risk Assessment

How are business risks and system vulnerabilities associated with handling CUI identified, tracked, and mitigated?

Related article: What’s The Difference Between A Vulnerability Scan & Penetration Test?

12. Security Assessment

How effective are current security standards and processes? What improvements are needed?

Related article: Testing Your IT Disaster Recovery Plan: Best Practices

13. System and Communications Protection

How is information protected and controlled at key internal and external transmission points?

Related article: What Is a Business, Commercial, or Enterprise Firewall? Do I Need One?

14. System and Information Integrity

How is CUI protected against such threats as software flaws, malware, and unauthorized access? 

Each of these 14 control families is further defined by specific processes or practices against which your company will be evaluated. 

What’s The Bottom Line?

In this article, we’ve defined CUI and provided examples to give you a comprehensive overview.

You also learned about the relationship between CUI and NIST 800-171. At this point, if you haven't already begun NIST certification, use the checklist below to get started.

Download Your NIST 800-171 Checklist

If you are NIST 800-171 certified, take the next step in your compliance journey by preparing now for the requirements outlined in CMMC 2.0.

Or if you still have questions about NIST, CMMC or another technical topic, use the button below to connect with one of our IT solutions experts who will reach out to schedule a 15-minute chat. Not a sales call, just a conversation.

Talk with a Human


About Karen Cohen

Karen brings unending curiosity to her role as Kelser's Content Manager. If you have a question, she wants to know the answer.
