What Exactly is Considered CUI?

What Exactly is Considered CUI?

Signing off contracts with the US Department of Defense, either in the capacity of a contractor or subcontractor, can be highly lucrative. After all, the DoD is an enormous market consisting of around 200,000 organizations that make up the Defense Industrial Base (DIB).

Unsurprisingly, however, the DoD is extremely cautious about who it does business with. After all, threats from state-sponsored attackers and cybercriminals continue to grow, and the DoD is one of the favorite targets.

The DoD must do everything they can to mitigate these risks in the name of national security. As such, they set high standards for information security, integrity, and confidentiality. Every organization that wants to work with the DoD must meet certain requirements before they can win requests for proposals (RFPs).

What does CUI Mean?

Confused about what constitutes Controlled Unclassified Information (CUI)? Understanding the meaning of CUI is crucial for organizations navigating compliance requirements. CUI encompasses sensitive information vital for national security and other government interests. Examples include Personally Identifiable Information (PII), Controlled Technical Information (CTI), and more. By grasping the breadth of CUI, organizations can implement effective security measures and ensure compliance with relevant regulations.

Related article: A Guide to Understanding DFARS Requirements

The DFARS 252.204-7012 clause requires that every organization that handles what it calls ‘controlled unclassified information’, or CUI, adheres to the NIST 800-171 standards. This is a globally recognized regulatory framework consisting of 110 controls across 14 domains like authentication and access control and physical safeguards. By meeting these controls, your organization will be free to bid on, and hopefully win, RFPs with the DoD.

DFARS compliance applies to any business that collects, stores, or transmits CUI on behalf of the DoD. However, it might not be immediately clear what sort of information is considered CUI.

Related article: What are the best ways to protect media and CUI?

Classified or Unclassified: Understanding Controlled Unclassified Information (CUI)

Classified information tends to get the lion’s share of attention in the mainstream media. CUI, on the other hand, is not the same thing. Whereas classified information pertains to things like state secrets, CUI may also be described as being for official use only or being sensitive but unclassified. In other words, the information is not what you would describe as top secret, but it must still be protected from unauthorized access or use.

Federal agencies like the DoD routinely generate, use, and share information that is sensitive but does not meet the threshold of information directly pertaining to things like national security or atomic energy. This might include any personally identifiable information (PII) pertaining to government employees, technical information regarding research and engineering, and data systems vulnerability information. Just like private businesses and other federal agencies, the DoD often outsources the care and management of this data to contractors who, in turn, may share it with subcontractors provided their agreements allow it.

For example, if your business is an accounting firm that works with federal agencies, then you will end up handling CUI such as financial and personal data pertaining to federal employees. This data must be protected according to other industry regulations as well. The aim of DFARS is to standardize controls across the board and align them with other federal and state-level regulations. As such, if you have already achieved a high level of cybersecurity maturity, then you should pass a DFARS compliance audit without too much trouble.

The Importance of Conducting an Organization-Wide Security Analysis

If you have any contracts with federal agencies, then you are likely already obligated to adhere to the NIST 800-171 controls. You can confirm this by going over your contracts and looking for the DFARS 252.204-7012 clause. However, even if you do not have any legal mandate to achieve compliance, doing so is strongly advisable. By becoming compliant, you will be able to achieve and demonstrate a higher standard of information security, whether or not you want to bid on RFPs with the DoD.

Related article: Tips for making sure your IT maintenance is up to standard

If your business is a subcontractor of an organization that works with the DoD, it might not be immediately obvious whether or not your systems handle CUI. Conversely, even if you have contracts with the DoD, that does not technically mean your systems handle CUI. However, every government contractor or subcontractor will have contracts citing the DFARS 7012 clause, so it makes no difference from a compliance standpoint.

These are yet more reasons to carry out a full audit of your existing information environment. A comprehensive analysis of your current environment will reveal which types of data you handle, which systems are used, and which security controls are in place to protect them. Conducting these audits regularly will help continuously improve your security and compliance posture, which will reduce risk and open up lucrative new lines of business.  

Charles IT can help you on your journey to achieve and maintain DFARS compliance starting with a comprehensive analysis of your current environment. Get in touch today Hereto schedule an assessment!

Most tech consulting starts with “Press 1”

We just like to start with “Hello.”