Understanding CUI - a DIB perspective
First posted 16 April 2020
Edited 15 Sept 2020 to clarify CDI
Disclaimer: I have written this on my own and it has not been approved by my company as an official opinion. I have included lots of links here to show why I think this is the right opinion. I reserve the right to change my opinions in the future based on your comments and future guidance.
I work in IT Security within the Defense Industrial Base (DIB) and want to share what I have learned with the larger community. I am NOT trying to sell you anything - I just want to help share information in the community.
This post is focused on Controlled Unclassified Information (CUI), focusing on what I have learned and some of the misconceptions I have heard. I welcome feedback via comments, DM, email (if you have mine) or physical mail (I leave that up to you to find).
While I am not wholly responsible for CUI at my company, I am helping the company recognize, mark, and control the flow of CUI. I have been working to understand CUI ever since the DFARS 7012 rules were changed to include SP 800-171. Since then, there has been lots of conflicting information and CUI has not been well understood. I think we are finally at a point where we are getting the information that industry needs to understand CUI, but the message is not getting out to everyone.
Let's start with some basic information to make sure we all have the same understanding. CUI (pronounced C-U-I, not Cooey) is controlled by the Information Security Oversight Office (ISOO) as part of their mission from the president to control classification and declassification of documents, as well as marking and policy around unclassified data. ISOO is in charge of setting all policies around CUI, answering questions, and helping the different agencies move towards CUI marking. The term Covered Defense Information (CDI), which is referenced in DFARS 7012, points to the CUI Registry.
What exactly is CUI? First, let's start with the definition from ISOO:
Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.
That is a mouthful. Let's look at the definition again, broken into the parts I want to highlight. It names two sources of information: (a) information the Government creates or possesses, and (b) information that an entity creates or possesses for or on behalf of the Government. It then adds a condition: that a law, regulation, or Government-wide policy requires or permits an agency to handle the information using safeguarding or dissemination controls.
The condition applies to either of the two sources: if information has controls on it (based on the categories defined in the CUI Registry), then it is CUI. However, the data also has to come from one of the two sources. If the government is creating the data, then it makes sense that it is CUI. If you as a contractor are creating information for the government, AND it falls into one of the categories in the CUI Registry, then it is CUI.
But.... what about information that matches a CUI category but is not created by or for the government? What about the ITAR-controlled parts I build that are not under contract? What about PII of my employees? What about proprietary company data that you send to the government?
If you go to the ISOO blog entry for the Q2 2020 Stakeholders Update and look at the linked presentation, you will see something stated very clearly that has been a question for a while.
Question: Is my Proprietary Information CUI?
Answer: The government will protect it as CUI (and may even send it back to you as CUI) but the proprietary information you create internally and maintain ownership of is not CUI (though it may require protections pursuant to other laws or regs).
Now read it one more time. This is important (emphasis added).
Question: Is my Proprietary Information CUI?
Answer: The government will protect it as CUI (and may even send it back to you as CUI) but the proprietary information you create internally and maintain ownership of is not CUI (though it may require protections pursuant to other laws or regs).
Let's parse that statement into two parts, separated by the word "but". First, when you send YOUR proprietary information to the government, they will mark it as CUI. Why? Because it becomes Controlled Unclassified Information while it is on their network. Your data does not belong to the government and has restrictions on how it can be shared by the government. Using their definition, it is CUI because it does NOT belong to the government - it still belongs to you. Even if they send it back to you with CUI markings on it, it is still your data to do with what you want (the "maintain ownership" part of the second half).
Now look at the second half. When you create information, even if it is export controlled, PII, HIPAA, etc., it is still your information. If you are not creating it specifically for the government, then it is not CUI.
So how can we turn this into a summary (aka tl;dr)?
Information is CUI if it is both 1) created by or for the government and 2) listed in the CUI Registry. If it does not meet both of those cases, then it is not CUI.
I hope that my references and subtext here have helped you understand more about what exactly counts as CUI and what does not.
Cyber CEO | ZeroTrust & NIST Expert | DoD & F500 CISO
4 years ago: Leslie Weinstein put together a great resource on this as well - https://dodcui.com/
Technical know how with a strategic mindset. | CISSP
4 years ago: Thanks Jake, I almost thought I understood the difference between CUI and CDI ("is a subset of CUI") and then I saw this: https://isoo.blogs.archives.gov/2020/05/20/cui-marking-class-qa/ See answer to question: "Is CDI (what we use) the same as CUI?" The answer seems to state the opposite, and that CDI is the umbrella term and that CUI can be a subset of CDI.
National Industrial Security Program (NISP) and ICD contractor specializing in FSO, AFSO, CPSO, CSSO services, and secure area (Closed Area, SCIF, SAPF) construction consulting (design, review, oversee, CSM, etc.).
4 years ago: Nice explanatory article. Thanks, Jake. Thanks, Joel, for sharing it.
CISSP | 26yrs Cybersecurity | CMMC | Governance | Risk | Compliance | DoD | Federal | Private-Sector
4 years ago: Excellent article covering the critical "from / for Government" distinction so often ignored in CUI primers! Deserves attention of the Cybersecurity Maturity Model Certification Accreditation Body (CMMC AB).
"she's actually a time traveler from a future where human consciousness has fully merged with the digital world" | Digital Wellness advocate for Montanans | And, a ROCKIN TEAMMATE for anyone looking to hire!
4 years ago: Amazing! Very well laid out. I DO finally understand Cooey....er...umm..I mean C-U-I. (*snicker snicker*) :) THANK YOU, GOOD SIR WILLIAMS!