In our previous post, we provided an overview of CMMC and how it relates to DoD contractors. In this post we dive deeper into controlled unclassified information (CUI), one of the primary data types CMMC is designed to protect.
What is controlled unclassified information (CUI)?
Controlled unclassified information (CUI) is defined by the CMMC guide as “information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information that is classified under Executive Order 13526, Classified National Security Information, December 29, 2009, or any predecessor or successor order, or Atomic Energy Act of 1954, as amended.”
It’s important to note that, while CUI is not classified nor federally regulated, it is still considered sensitive to U.S. government and military interests. As such, the CMMC requires controls to be placed on CUI for proper safeguarding and dissemination.
What are some examples of CUI?
CUI is broken up into categories. CUI can vary greatly regarding sensitivity levels, but all requires the same level of safeguarding.
Examples of CUI are:
- Defense data and analysis
- Critical infrastructure plans
- Import/export controls
- Law enforcement and intelligence activities
- Federally funded research and project information
Are there other types of information that is intended to be protected by CMMC?
Yes, federal contract information (FCI) is also in intended to be protected by CMMC. The CMMC guide defines FCI as “information provided by or generated for the Government under contract not intended for public release.”
CMMC level 1 addresses the requirements to protect FCI. However, there may be overlap between what is CUI and FCI with information potentially classified as both information types, requiring contractors to meet the requirements of CMMC levels 2 and 3.
How does an Insider Risk program help safeguard CUI?
The safety of sensitive information shared with or managed by contractors is a core focus of any Insider Risk program. With CMMC requirements, this focus is on protecting CUI and FCI. The CMMC framework does not specifically address Insider Risk in a single domain. Instead, Insider Risk program requirements and controls are spread across multiple CMMC domains.
In the next installment of our CMMC blog series we’ll explore which CMMC domains address Insider Risk and how you can prepare to meet these requirements of these domains.