By: Karen Cohen on August 18, 2023

Exploring CUI and FCI: How IT Tools Help Keep Sensitive Data Safe

Cybersecurity | Compliance

If you work as a contractor or subcontractor to the U.S. government, you likely know that not all sensitive information is marked “secret” or “classified.”

But how do you know what other information is important and which information you need to protect? How can you ensure that your technology infrastructure is up to the challenge of keeping sensitive data secure?

In this article, I’ll explain the difference between two types of sensitive information: controlled unclassified information (CUI) and federal contract information (FCI).

We’ll explore what the classifications mean, why it matters, and how IT plays a role in protecting this information, so that you have a complete understanding and will be best positioned to use technology to keep your data and infrastructure safe.

At Kelser, we are committed to addressing confusing technical topics in simple terms, so business leaders have information that helps make important technical decisions they face every day.  

What Is CUI?

According to the National Archives, CUI “requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”

So, what does that mean? The National Science Foundation (NSF) explains that “CUI is defined as the information the government owns or creates, or that a firm or organization possesses or creates for the government, that needs to be safeguarded and protected using the information security controls required under current government laws, regulations and policies.”

The NSF goes on to say that “although CUI isn’t classified information, the federal government has determined that it needs to be protected because its malicious release poses a threat to national security.”


There are many different types of information that fall into the CUI category. These include, but are not limited to:

1. Personally Identifiable Information (PII)

In general terms, PII is information that can be used to identify a particular individual.

2. Proprietary Business Information (PBI)

According to lawinsider.com, PBI includes any and all confidential and/or proprietary knowledge, data and information of a company that is either marked as PBI or should reasonably be understood to be PBI.

This includes customer and employee lists, intellectual property, pricing lists, marketing and pricing tools and information, business plans and budgets, and policies.

3. Unclassified Controlled Technical Information (UCTI)

The Department of Energy defines UCTI as technical data or computer software (as defined in Defense Federal Acquisition Regulation Supplement 252.227-7013) with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.

4. Sensitive But Unclassified (SBU) Information

The U.S. Department of State identifies SBU as information that is not classified for national security reasons, but that warrants/requires administrative control and protection from public or other unauthorized disclosure for other reasons.

Again, this is not an exhaustive list, but does provide a sense of the types of information included in CUI.

What Is FCI?

FCI is defined as “information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.”


Some examples of FCI include reports, charts, emails, notes, contracts, and subcontracts.

The above infographic from the National Archives CUI Program Blog helps define FCI, CUI, and public information.

How Can Your IT Infrastructure Help Protect CUI & FCI From Unauthorized Access?

Businesses and organizations that handle CUI and FCI are bound to certain compliance requirements.

Many IT tools help keep CUI and FCI safe from unapproved users and keep organizations in compliance with requirements. Whether it’s NIST 800-171, CMMC 2.0 compliance or other contractual requirements, IT tools play a key role.

IT Tools That Help Protect FCI

Certain IT tools may be required to protect FCI. These include:

1. Encryption

Encryption tools convert data from a readable format into an encoded format, which means the data can only be read or processed after it’s been decrypted.

2. Role-Based Access Control

Limiting access to your infrastructure to certain groups of authorized people helps limit your risk of a data breach. Role-based access is granted by department or group (dependent on job function), rather than individually.

IT Tools That Safeguard CUI

The IT tools that can be used to provide an extra layer of protection for CUI include:

1. Data Loss Prevention (DLP) Software

DLP software monitors and protects sensitive data while in use, in motion, and at rest. This allows organizations to detect and protect against potential data breaches and data exfiltration transmissions.

2. Multi-Factor Authentication (MFA)

MFA is a security tool that requires users to provide multiple pieces of identification before accessing an application, website, or other IT service.

MFA requires a combination of username, password, and at least one other form of identification (biometric or a push notification to a mobile phone, for example).

What’s Next?

After reading this article, you have a complete understanding of CUI and FCI. You know what they mean and what kinds of information fall into each category. You also know some of the IT tools you can put into place to help keep all of your data safe.

Because the truth is that whether you handle CUI and FCI or not, it’s always best practice to put IT tools like firewalls, MFA, and more in place to keep your data safe.

And, as technology continues to evolve, there may be additional threats as well as solutions. It’s possible, for example, that artificial intelligence (AI) may be a significant tool in detecting and mitigating threats.

In the meantime, you may be wondering how to determine whether you handle FCI or CUI. The best way to find out is to review your contracts. If you are still unsure, ask your government partner. The key here is that you are responsible for protecting this data whether you know you possess it or not.

At this point, you may be considering implementing some of the tools we discussed in this article. You may have internal resources you can rely on for this, or you may need help from an external IT provider.

If you are considering partnering with an external partner, we encourage you to explore several options.

I know that may sound funny coming from an IT provider, but the truth is that while we offer a comprehensive suite of managed IT solutions, we know that our approach may not be the right fit for every organization.

Rather than talk incessantly about the value we can provide, we are more concerned that you find the IT partner that is the right fit for your organization. That’s why if we have a conversation together, you’ll notice that we always ask about your business, your goals, your current technology solution, and your technology pain points.

We know this is a unique approach, but the way we see it, we can’t begin to offer you a solution until we understand your priorities.

If you are considering working with an external IT support provider for the first time, read this article to learn your options.

Already made a decision to explore external IT support? Learn the 10 best questions to ask any IT provider and the 13 qualities that lead to a successful IT partnership.



About Karen Cohen

Karen brings unending curiosity to her role as Kelser's Content Manager. If you have a question, she wants to know the answer.
