CUI Paradigm: Planning For Superseded Data Categorizations
When would NIST SP 800-53 "low" baseline ever be used going forward?

The path to hell is paved with good intentions. When you get into the details of what CUI is and what it is not, it begs the question of what non-CUI work products US Government employees and contractors will deal with in the not-too-distant future. This article addresses Uncontrolled Unclassified Information (UUI), a little-known type of unclassified data that sits alongside Controlled Unclassified Information (CUI), which NIST SP 800-171 and the Cybersecurity Maturity Model Certification (CMMC) made well known.

This article addresses:

  • What is CUI going forward, specifically around legacy categories?
  • What is reasonably going to be considered UUI?

Step 1: Understanding The High Water Mark For CUI From FIPS 199 & 200

Per NIST, the requirement to protect CUI with the NIST SP 800-53 "moderate" baseline comes from FIPS 199 and FIPS 200. That is why NIST SP 800-171 is simply a tailoring of NIST SP 800-53.

Section 2.1 of NIST SP 800-171 R2 stipulates "three fundamental assumptions" to account for in the protection of CUI:

  1. Statutory and regulatory requirements for the protection of CUI are consistent, whether such information resides in federal systems or nonfederal systems including the environments in which those systems operate;
  2. Safeguards implemented to protect CUI are consistent in both federal and nonfederal systems and organizations; and
  3. The confidentiality impact value for CUI is no less than FIPS 199 moderate.

Where people tend to get confused is the "no less than FIPS 199 moderate" statement:

  • When you follow the footnote to the bottom of page 5 of NIST SP 800-171 R2, it states “the moderate impact value defined in [FIPS 199] may become part of a moderate impact system in [FIPS 200], which requires the use of the moderate baseline in [SP 800-53] as the starting point for tailoring actions.”
  • From page 4 of FIPS 199, it states “…the potential impact values assigned to the respective security objectives (confidentiality, integrity, availability) shall be the highest values (i.e., high water mark) from among those security categories that have been determined for each type of information resident...”

https://content.complianceforge.com/graphics/unclassified-vs-classified-baseline-determinations.jpeg

What makes this interesting is that with CUI carrying NIST SP 800-53 moderate baseline requirements, it raises the question of which US Government systems, applications and/or services would ever be able to use the NIST SP 800-53 low baseline. While Federal Contract Information (FCI) is technically UUI, it has unique protection requirements stipulated in FAR 52.204-21, and those fifteen (15) requirements fall below the low baseline in NIST SP 800-53. Even with UUI, once you factor in integrity and availability considerations for publicly-visible websites, it is likely that even the most benign government websites would still have to adopt moderate or high baseline requirements.
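To make the high water mark reasoning concrete, here is an added example (not from the article or ComplianceForge) that applies the FIPS 199 per-objective impact values, the FIPS 200 high water mark, and the NIST SP 800-171 assumption that CUI confidentiality is never below moderate; the information types and their impact values are constructed for illustration only.

```python
# Added example: FIPS 199 / FIPS 200 high water mark categorization with the
# NIST SP 800-171 floor that CUI confidentiality is no less than moderate.
# The information types used below are constructed, not taken from any agency.
from typing import Dict, List, Tuple

LEVELS = {"low": 1, "moderate": 2, "high": 3}
NAMES = {v: k for k, v in LEVELS.items()}

# (name, is_cui, confidentiality, integrity, availability)
InfoType = Tuple[str, bool, str, str, str]


def categorize(info_types: List[InfoType]) -> Dict[str, str]:
    """Return the per-objective impact values and the resulting SP 800-53 baseline."""
    # FIPS 199 has no value below "low", so an empty system still categorizes as low.
    hwm = {"confidentiality": LEVELS["low"],
           "integrity": LEVELS["low"],
           "availability": LEVELS["low"]}
    for _name, is_cui, c, i, a in info_types:
        c_level = LEVELS[c]
        if is_cui:
            # SP 800-171 section 2.1, assumption 3: CUI confidentiality is
            # no less than FIPS 199 moderate, whatever the owner assigned.
            c_level = max(c_level, LEVELS["moderate"])
        hwm["confidentiality"] = max(hwm["confidentiality"], c_level)
        hwm["integrity"] = max(hwm["integrity"], LEVELS[i])
        hwm["availability"] = max(hwm["availability"], LEVELS[a])
    # FIPS 200: the system impact level (and so the SP 800-53 baseline used as the
    # tailoring starting point) is the highest value across the three objectives.
    result = {k: NAMES[v] for k, v in hwm.items()}
    result["baseline"] = NAMES[max(hwm.values())]
    return result


if __name__ == "__main__":
    # Constructed scenarios mirroring the article's argument.
    scenarios = {
        "decision paper (CUI)": [("Decision paper", True, "low", "low", "low")],
        "public agency website (UUI)": [("Web content", False, "low", "moderate", "moderate")],
        "lunch plans email (UUI)": [("Lunch plans", False, "low", "low", "low")],
    }
    for label, types in scenarios.items():
        print(f"{label}: {categorize(types)}")
```

Only the lunch-plans system lands on the low baseline; the CUI floor lifts the decision paper to moderate even though its owner rated confidentiality low, and the public website reaches moderate on integrity and availability alone.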

This path to the moderate baseline can be visualized in the following graphic:

https://content.complianceforge.com/graphics/NFO-Controls-ITAR-vs-EAR-vs-CUI.jpeg

Step 2: Understanding Legacy Sensitivity Labels

There are quite a few "legacy" sensitivity labels that are getting rolled up into various CUI categories on the CUI Registry. This includes, but is not limited to:

  • For Official Use Only (FOUO)
  • Sensitive But Unclassified (SBU)
  • Law Enforcement Sensitive (LES)
  • Sensitive Security Information (SSI)
  • Proprietary Business Information (PBI)
  • Confidential Business Information (CBI)
  • Unclassified Controlled Technical Information (UCTI)
  • Personally Identifiable Information (PII)
  • Sensitive Personally Identifiable Information (SPII)

First off, to address the "FOUO is not automatically CUI" crowd:

Per the US National Archives (NARA):

  • U//FOUO is a legacy marking used to indicate sensitivity based on agency policy or practice. CUI is a marking that is used to indicate the presence of CUI basic information. CUI markings are applied only to those information types/categories found on the CUI Registry and can be linked to laws, regulations, or Government-wide policies calling for protection or control of the information. As the CUI program is implemented, U//FOUO will cease to be an authorized marking, but may still be seen on legacy documents once the transition to CUI is complete.
  • In cases of excessive burden, agency heads may issue a “Legacy Marking Waiver,” as described in 32 CFR 2002.38(b) of the CUI Rule. When such a waiver is granted by the agency head, legacy material that qualifies need not be remarked as CUI until and unless it is to be “re-used” in a new document.

Per the US Department of Defense (DoD):

  • CUI is not a classification. Therefore, information cannot be “classified as CUI;” rather, this type of information is designated as CUI. In some cases, CUI designations replace FOUO and SBU designations and markings.
  • Sensitive types of unclassified information (such as information marked as FOUO or SBU) that was marked prior to the implementation of the CUI program which meets the standards for CUI is considered legacy information. Legacy documents do not need to be remarked until and unless the information is re-used, restated, or paraphrased. When new documents are derived from legacy documents, they must follow the new CUI marking standards.

Step 3: Categorizing Government Work Products

Getting to the point of this article, when you take a look at the following CUI categories, you will see that US Government employees and contractors will be swimming in CUI as a result of day-to-day work products falling under one of those CUI categories.

This begs the question of what, if anything, will be considered UUI. As a colleague pointed out, an example of UUI might be "one government employee emailing another government employee about lunch plans." That would clearly be information that should be both uncontrolled and unclassified. PowerPoint presentations, decision papers, and similar work products get into the area where a significant amount of Business As Usual (BAU) output will be CUI.

CUI Groupings

There are twenty (20) groupings of CUI:

  1. Critical Infrastructure
  2. Defense
  3. Export Control
  4. Financial
  5. Immigration
  6. Intelligence
  7. International Agreements
  8. Law Enforcement
  9. Legal
  10. Natural and Cultural Resources
  11. North Atlantic Treaty Organization (NATO)
  12. Nuclear
  13. Patent
  14. Privacy
  15. Procurement and Acquisition
  16. Proprietary Business Information
  17. Provisional
  18. Statistical
  19. Tax
  20. Transportation

CUI Categories

Within those groupings are one hundred twenty five (125) categories of CUI:

  1. Accident Investigation
  2. Administrative Proceedings
  3. Agriculture
  4. Ammonium Nitrate
  5. Archaeological Resources
  6. Asylee
  7. Bank Secrecy
  8. Battered Spouse or Child
  9. Budget
  10. Campaign Funds
  11. Chemical-terrorism Vulnerability Information
  12. Child Pornography
  13. Child Victim/Witness
  14. Collective Bargaining
  15. Committed Person
  16. Communications
  17. Comptroller General
  18. Consumer Complaint Information
  19. Contract Use
  20. Controlled Substances
  21. Controlled Technical Information
  22. Criminal History Records Information
  23. Critical Energy Infrastructure Information
  24. Death Records
  25. DNA
  26. DoD Critical Infrastructure Security Information
  27. Electronic Funds Transfer
  28. Emergency Management
  29. Entity Registration Information
  30. Export Controlled
  31. Export Controlled Research
  32. Federal Grand Jury
  33. Federal Housing Finance Non-Public Information
  34. Federal Taxpayer Information
  35. Financial Supervision Information
  36. Foreign Intelligence Surveillance Act
  37. Foreign Intelligence Surveillance Act Business Records
  38. General Critical Infrastructure Information
  39. General Financial Information
  40. General Intelligence
  41. General Law Enforcement
  42. General Nuclear
  43. General Privacy
  44. General Procurement and Acquisition
  45. General Proprietary Business Information
  46. Genetic Information
  47. Geodetic Product Information
  48. Health Information
  49. Historic Properties
  50. Homeland Security Agreement Information
  51. Homeland Security Enforcement Information
  52. Informant
  53. Information Systems Vulnerability Information
  54. Information Systems Vulnerability Information - Homeland
  55. Inspector General Protected
  56. Intelligence Financial Records
  57. Internal Data
  58. International Agreement Information
  59. International Agreement Information - Homeland
  60. International Financial Institutions
  61. Inventions
  62. Investigation
  63. Investment Survey
  64. Juvenile
  65. Law Enforcement Financial Records
  66. Legal Privilege
  67. Legislative Materials
  68. Mergers
  69. Military Personnel Records
  70. National Park System Resources
  71. National Security Letter
  72. NATO Restricted
  73. NATO Unclassified
  74. Naval Nuclear Propulsion Information
  75. Net Worth
  76. Nuclear Recommendation Material
  77. Nuclear Security-Related Information
  78. Ocean Common Carrier and Marine Terminal Operator Agreements
  79. Ocean Common Carrier Service Contracts
  80. Operations Security
  81. Operations Security Information
  82. Patent Applications
  83. Pen Register/Trap & Trace
  84. Permanent Resident Status
  85. Personnel Records
  86. Personnel Security Information
  87. Pesticide Producer Survey
  88. Physical Security
  89. Physical Security - Homeland
  90. Presentence Report
  91. Prior Arrest
  92. Privacy Information
  93. Proprietary Postal
  94. Proprietary Manufacturer
  95. Protected Critical Infrastructure Information
  96. Protective Order
  97. Railroad Safety Analysis Records
  98. Retirement
  99. Reward
  100. Safeguards Information
  101. SAFETY Act Information
  102. Secrecy Orders
  103. Sensitive Personally Identifiable Information
  104. Sensitive Security Information
  105. Sex Crime Victim
  106. Small Business Research and Technology
  107. Source Selection
  108. Statistical Information
  109. Status Adjustment
  110. Student Records
  111. Tax Convention
  112. Taxpayer Advocate Information
  113. Temporary Protected Status
  114. Terrorist Screening
  115. Toxic Substances
  116. Unclassified Controlled Nuclear Information - Defense
  117. Unclassified Controlled Nuclear Information - Energy
  118. US Census
  119. Victim
  120. Victims of Human Trafficking
  121. Visas
  122. Water Assessments
  123. Whistleblower Identity
  124. Witness Protection
  125. Written Determinations


About The Author

If you have any questions about this, please feel free to reach out. Tom Cornelius is the Senior Partner at ComplianceForge, an industry leader in cybersecurity and privacy documentation. He is also the founder of the Secure Controls Framework (SCF), a not-for-profit initiative to help companies identify and manage their cybersecurity and privacy requirements.

Greg McVerry

1 year

You can look at FedRAMP Low tools in the marketplace and kind of extrapolate at the data meant for public release. I haven't looked in a while but last time I checked WordPress was the most common FedRAMP Low tool.
