
By: Mira Aslanova on August 12, 2025


What’s the difference between CUI Basic And CUI Specified?


Controlled unclassified information (CUI) falls into one of two categories: CUI Basic and CUI Specified. But how do the two differ, and do the differences matter for meeting the Cybersecurity Maturity Model Certification (CMMC) requirements?

In this article, we’ll examine the differences between the two categories of CUI. We’ll also outline ways it could affect your compliance preparation.

If you’re among the organizations that need to get CMMC 2.0 compliant, you know that you’ll need to identify the type of federal data you handle so that you can establish the right safeguards to protect it.

After reading this article, you’ll have a better understanding of what CUI is and what you need to do to ensure its proper handling, dissemination, and disposal.

This will help ensure you can pass your third-party assessment, get certified, and maintain your relationship with the Department of Defense (DoD) to keep your existing contracts or win new ones. 

What Is CUI Exactly?

Controlled unclassified information, or CUI, is information the government creates or possesses, or that a contractor creates or possesses on the government's behalf, that a law, regulation, or government-wide policy requires or permits an agency to safeguard or control the dissemination of, but that is not classified. The definition comes from 32 CFR 2002.4; it is the requirement for controlled handling, not a classification level, that makes information CUI.

Because of its sensitive nature, however, the government has established robust dissemination rules and safeguarding requirements to protect such data while it’s at rest or in transit.

These measures are designed to keep the information out of the hands of bad actors who might try to steal or compromise it in a cyberattack.


Related Article: Step 1 For CMMC Certification: Understanding Your CUI & CMMC Level


On the other hand, federal contract information (FCI) is defined more broadly, in FAR 52.204-21, as information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service, excluding information the government provides to the public and simple transactional information (such as payment processing). FCI also requires safeguarding, but the requirements are less strict than for CUI.

All CUI within government contracts is also FCI, but not all FCI is CUI.

Many organizations with Department of Defense (DoD) contracts store, process, or transmit FCI, including small businesses, large enterprises, higher education institutions, and not-for profit research organizations. 

Although the federal government is generally responsible for marking CUI in its contracts, businesses will need to determine not only what kind of federal data they have and where it lives in their environment, but also which specific type of CUI they are responsible for protecting.

What Is CUI Basic?

Under the broad umbrella of CUI, CUI Basic is the subset for which the authorizing law, regulation, or government-wide policy does not set out specific handling or dissemination controls (32 CFR 2002.4). It is handled under the uniform baseline: 32 CFR Part 2002 and the CUI Registry for federal agencies, and the security requirements of NIST SP 800-171 when it lives on a contractor's systems.


Related Article: NIST 800-171 vs CMMC:What’s The Difference? How Do They Work Together?


Examples of CUI Basic:
  • A DoD contractor's proprietary business information, such as confidential research and development data disclosed within its federal contract, falls under the CUI Registry's General Proprietary Business Information (PROPIN) category, which is CUI Basic.

  • Controlled technical information (CTI), such as the technical drawings of a submarine component that a defense industrial base (DIB) contractor creates and submits to the government for review, is often assumed to be CUI Basic. The CUI Registry, however, lists CTI as a Specified category (banner marking CUI//SP-CTI), so it must be handled as CUI Specified.
CUI of either type may be found in:
  • DoD contracts and solicitations
  • financial records
  • technical drawings, designs, and other hard copy documents
  • business plans
  • customer lists
  • email communications
  • cloud-hosting platforms
  • electronic documents and files
  • other media records
  • databases, networks, websites
  • on-premises servers
  • removable storage devices
  • mobile devices

Related Article: How To Find CUI Within Your Environment & Set A CUI Boundary For CMMC


What Is CUI Specified? 

CUI Specified is the subset of CUI for which the authorizing law, regulation, or government-wide policy itself spells out specific handling or dissemination controls that differ from the CUI Basic baseline (32 CFR 2002.4). The distinction turns on the underlying authority, not on how high-priority the program is: a Specified category's controls may be stricter than CUI Basic, or simply different.

In practice those controls add guardrails on top of the baseline. Export-controlled technical data, for example, may only be shared with foreign persons under an export license or exemption, and the CUI Registry indicates for each Specified category which law or regulation imposes the extra requirements.

Where the authorizing law or regulation is silent on a particular aspect of handling, the CUI Basic controls apply to that aspect of the CUI Specified information.

Examples of CUI Specified:
  • There are many categories of CUI Specified, each identified in the CUI Registry with its own category marking. In banner markings, Specified categories carry the "SP-" prefix (for example, CUI//SP-CTI), and unlike CUI Basic the category marking is mandatory.

  • Controlled technical information (CTI): technical information with military or space application, such as engineering drawings and specifications a DIB contractor produces under a DoD contract, marked CUI//SP-CTI.

  • Naval Nuclear Propulsion Information (NNPI): information on the design, maintenance, and operation of U.S. Navy nuclear propulsion plants and their support facilities.

  • Export-controlled technical data subject to the International Traffic in Arms Regulations (ITAR), which governs the manufacture, export, and temporary import of defense articles, technical data, and defense services.
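As an added worked example (not code from the original article or from Kelser), the following Python script parses CUI banner markings and sorts an inventory of documents into CUI Basic versus CUI Specified, which is the same distinction the two sections above draw. It assumes the banner grammar described in the CUI Marking Handbook: control marking, optional category segment, optional limited dissemination control (LDC) segment, separated by "//", with items inside a segment separated by "/" and Specified categories prefixed "SP-". The file names and markings in the sample inventory are constructed for illustration, and the set of recognized LDCs is a partial list, so check the CUI Registry for your agency's categories before relying on it.

```python
from dataclasses import dataclass, field

# Limited dissemination controls (LDCs) this example recognizes; a partial list
# of the controls approved in the CUI Registry. "REL TO" is followed by a
# country list, so it is matched by prefix.
KNOWN_LDCS = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY", "DISPLAY ONLY"}
LDC_PREFIXES = ("REL TO",)


def _is_ldc(item: str) -> bool:
    return item in KNOWN_LDCS or item.startswith(LDC_PREFIXES)


@dataclass
class CuiMarking:
    raw: str
    categories: list = field(default_factory=list)  # e.g. ["SP-CTI", "PROPIN"]
    ldcs: list = field(default_factory=list)        # e.g. ["NOFORN"]

    @property
    def specified_categories(self) -> list:
        # Specified categories carry the "SP-" prefix in the banner marking.
        return [c for c in self.categories if c.startswith("SP-")]

    @property
    def handling_class(self) -> str:
        # Any SP- category means the underlying authority spells out its own
        # handling controls, so the item is handled as CUI Specified; with no
        # SP- category, the uniform CUI Basic controls apply.
        return "CUI Specified" if self.specified_categories else "CUI Basic"


def parse_banner(banner: str) -> CuiMarking:
    """Parse a CUI banner marking such as 'CUI//SP-CTI/PROPIN//NOFORN'.

    Grammar (CUI Marking Handbook): control marking, then an optional category
    segment, then an optional LDC segment; segments are separated by '//' and
    items within a segment by '/'. A Basic item may be marked simply 'CUI'.
    """
    segments = [s.strip() for s in banner.strip().split("//")]
    if segments[0].upper() not in ("CUI", "CONTROLLED"):
        raise ValueError(f"not a CUI banner marking: {banner!r}")
    if len(segments) > 3:
        raise ValueError(f"too many '//' segments: {banner!r}")

    marking = CuiMarking(raw=banner.strip())
    for index, segment in enumerate(segments[1:], start=1):
        items = [i.strip().upper() for i in segment.split("/") if i.strip()]
        if not items:
            continue
        if all(_is_ldc(i) for i in items):
            # 'CUI//NOFORN' is valid: with no category segment the LDCs follow
            # the first '//', so a segment is classified by its contents.
            marking.ldcs.extend(items)
        elif index == 1 and not marking.ldcs:
            # Only the first segment after the control marking may hold categories.
            marking.categories.extend(items)
        else:
            raise ValueError(f"unrecognized dissemination control in {banner!r}")
    return marking


def triage(documents: dict) -> dict:
    """Map document name -> handling class for a {name: banner} inventory."""
    return {name: parse_banner(banner).handling_class for name, banner in documents.items()}


# Constructed sample inventory (file names and markings are illustrative only).
SAMPLE_DOCUMENTS = {
    "contract_pricing.pdf": "CUI//PROPIN",            # Basic: proprietary business info
    "hull_drawing_rev3.dwg": "CUI//SP-CTI//NOFORN",   # Specified: controlled technical info
    "reactor_maint_plan.docx": "CUI//SP-NNPI",        # Specified: naval nuclear propulsion info
    "meeting_notes.txt": "CUI",                       # Basic: category marking is optional
    "vendor_list.xlsx": "CUI//FED ONLY",              # Basic with an LDC only
}

if __name__ == "__main__":
    for name, cls in triage(SAMPLE_DOCUMENTS).items():
        print(f"{name:26} {SAMPLE_DOCUMENTS[name]:24} -> {cls}")
```

The parser rejects anything that is not a CUI banner (such as a classification marking) rather than silently treating it as Basic, and it refuses a category segment that follows an LDC segment, so a mis-ordered marking surfaces as an error instead of a misclassified document. A scanner that feeds document headers into `triage` gives you a first cut at the CUI inventory the CMMC boundary exercise needs.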

What Are Some Of The Security Requirements For Protecting CUI Data?

Executive Order 13556, its implementing regulation at 32 CFR Part 2002, and the CUI Registry establish the framework for how all CUI is accessed, processed, shared, and destroyed.

On contractor systems, both CUI Basic and CUI Specified are protected by the NIST SP 800-171 security requirements, which DFARS 252.204-7012 imposes on covered defense information. What CUI Specified adds is not a different set of 800-171 controls but the handling requirements of its own authorizing law or regulation, which the contractor must satisfy in addition to the baseline.

The consequences of mishandling therefore depend on that authority. Export-controlled technical data is the clearest case: ITAR violations carry civil and criminal penalties under the Arms Export Control Act, on top of the contractual consequences that apply to any failure to implement the safeguards a contract requires.

Some of the security requirements that apply to both CUI Basic and CUI Specified data include:

  • Training: Role-based training for staff who access CUI, covering the specific systems, policies, and procedures you have implemented to protect it and, for CUI Specified, the additional handling rules of the authorizing regulation.

  • Access and network controls: Multi-factor authentication (MFA), least-privilege access to CUI, network segmentation that isolates CUI systems from the rest of the environment, firewalls, remote-access VPN, and intrusion prevention systems (IPS), among others.

  • Encryption: FIPS-validated cryptography to protect the confidentiality of CUI at rest and in transit, as NIST SP 800-171 requires.

  • Incident response: A comprehensive incident response plan that establishes the steps to follow in a cyber incident, including the roles and responsibilities of key stakeholders, the escalation process, and reporting procedures (DFARS 252.204-7012 requires reporting cyber incidents affecting covered defense information to DoD within 72 hours of discovery).

  • Regular testing: Periodic penetration testing of the parts of your environment that handle CUI to verify that your security measures block or mitigate threats, along with regular vulnerability scanning to detect new risks in your infrastructure.

What CMMC Level Does CUI Data Fall Under?

Under the CMMC program rule (32 CFR Part 170), the DoD specifies one of three levels in each solicitation and contract, based on the type of information the contractor will handle.

Level 1 applies to contractors that handle only FCI and requires the 15 basic safeguarding requirements of FAR 52.204-21, verified by an annual self-assessment. Levels 2 and 3 apply to contractors that handle CUI, so they must meet more stringent security and assessment requirements.


Related Article: CMMC Step 2: How A Gap Analysis Can Help You Find Your Security Risks


Level 2 requires all 110 security requirements in the 14 families of NIST SP 800-171 Revision 2. Depending on the contract, a Level 2 contractor either self-assesses or, in most cases, is assessed every three years by a CMMC Third-Party Assessment Organization (C3PAO).

Level 3 requires a triennial assessment by the Defense Contract Management Agency's Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

Level 3 organizations must first hold a Level 2 C3PAO certification before being assessed on 24 additional security requirements drawn from NIST SP 800-172. These more rigorous requirements are intended to counter advanced persistent threats (APTs).

Contractors and subcontractors at all levels must annually attest to ongoing compliance.

Keep in mind that all CUI is not classified the same nor is it treated equally. This means that organizations that handle CUI Specified will not automatically require CMMC Level 3.

How Can I Determine My Required CMMC Level?

Prime contractors must flow down CMMC requirements to their subcontractors. The level a subcontractor needs follows from the information the prime passes to it: Level 1 if it will receive only FCI, and at least Level 2 if it will process, store, or transmit CUI.


Related Article: 5 Questions To Pinpoint Your Required CMMC Level


The DoD sets the required CMMC level per solicitation, based on the information involved and the nature of the contract, reserving Level 3 for programs whose CUI it judges to be at higher risk from advanced persistent threats.

It is critical that contractors and subcontractors have a clear understanding of the CUI they handle in order to correctly satisfy the compliance standards for their level. 

Subcontractors that are unsure of their CMMC level or the type of CUI they handle should contact their primes for clarification.

Primes should review their contract language for Defense Federal Acquisition Regulation Supplement (DFARS) clauses such as 252.204-7012 (safeguarding covered defense information and cyber incident reporting) and 252.204-7021 (CMMC requirements). If still unsure, primes should reach out to their contracting officers with specific CUI and compliance questions.

The Bottom Line: Protecting CUI Within Your Infrastructure

As a DoD contractor or subcontractor, you know that CMMC 2.0 compliance is no longer a far-off requirement.

The CMMC program rule took effect in December 2024, and its language has already started showing up in DoD contracts. This means businesses must start getting ready now.


Keep in mind that if you wait too long to start your compliance journey, you could run the risk of not being able to schedule an assessment when the time comes. That’s because there are a limited number of C3PAO assessors around the country, and dates are already filling up on assessors’ schedules.

More importantly, failing to put the right security measures in place and get certified means you could hurt your DoD standing, jeopardizing your existing contracts and potentially preventing you from winning others.

Do you know where you stand with becoming CMMC compliant? If you're unsure, Kelser offers a free, no-obligation CMMC readiness roadmap.


About Mira Aslanova

Mira Aslanova is the Cybersecurity and Compliance Manager at Kelser Corp. Her mission is to protect businesses from evolving threats while ensuring adherence to relevant compliance regulations and policies. With extensive experience managing cybersecurity for complex systems, she has helped organizations secure the certifications and approvals required for safe and secure operations. Her expertise makes her a trusted partner in navigating the challenges of cybersecurity and compliance.
