The federal government holds a vast amount of information on its systems, and much of it is shared with companies that contract with the government to design and build a wide range of projects. The best-known protected category is classified information, but there is a second category that is also protected by federal regulation: Controlled Unclassified Information (CUI). Although it is not classified, companies that receive CUI must still handle it according to rules set by the federal agencies that share it. So what constitutes CUI, and what distinguishes it from other information? Here is some background.
How Information Is Classified as CUI
The National Archives and Records Administration (NARA) was made the Executive Agent for CUI by Executive Order 13556, signed by President Obama in November 2010. NARA maintains the CUI Registry, which lists the categories of information that qualify as CUI and the law, regulation or government-wide policy behind each one, and it sets the rules for marking, disseminating, controlling and disposing of such information (codified in 32 CFR Part 2002). NARA provides oversight for all aspects of handling CUI. For contractors, the handling and security requirements are imposed through contract clauses; for Department of Defense contracts the key clause is DFARS 252.204-7012, which requires the security controls in NIST SP 800-171.
Companies that handle CUI in their business must demonstrate compliance. Unlike many other federal security regimes, compliance with NIST SP 800-171 under DFARS 252.204-7012 has not required a third-party audit: a company attests to its own compliance. To do so it must produce a written system security plan (SSP) describing how each security requirement is met and, for every requirement not yet satisfied, a plan of action and milestones (POA&M) that records the gap, the corrective action and the date by which it will be closed. The SSP should also describe how the company responds to security incidents and how it reviews its controls against newly identified threats. The requirements themselves are revised over time as threats evolve; NIST SP 800-171 has been through several revisions, so a plan written against one revision needs to be re-checked against the current one.
Scoring and the Supplier Performance Risk System (SPRS)
The Department of Defense publishes the NIST SP 800-171 DoD Assessment Methodology, which turns the contents of a contractor's system security plan into a numeric score. A system starts at 110 points (one per requirement in NIST SP 800-171 Rev 2) and loses 1, 3 or 5 points for each requirement that is not implemented, weighted by how much the missing control reduces the protection of CUI; a system with nothing implemented scores -203. With two narrow exceptions (multifactor authentication and FIPS-validated cryptography, which can earn partial credit), a partially implemented requirement is scored as not implemented. Under DFARS 252.204-7019 and 252.204-7020, a contractor must have a current Basic (self-) assessment score on file before it can be awarded a contract that includes the CUI clause, and DoD may additionally perform Medium or High assessments itself.
Assessment results are stored in a federal database, the Supplier Performance Risk System (SPRS), together with the assessment date, the scope of the assessment (the CAGE codes and the SSP it covers) and the date by which the contractor expects to reach a score of 110. Contracting officers use SPRS to verify that your company has a score on file that is no more than three years old before awarding a contract.
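To make the scoring concrete, here is an added example (my own illustration, not code from the original article or from DoD) that applies the DoD Assessment Methodology's rules to a constructed SSP/POA&M status list and performs the three-year currency check described above. The per-requirement weights in WEIGHTS are a hand-transcribed subset of the methodology's scoring table and should be verified against the published table before use; the Status record, its state names and the sample data are my own assumptions, not a DoD format.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

MAX_SCORE = 110   # one point per NIST SP 800-171 Rev 2 requirement
MIN_SCORE = -203  # every requirement unimplemented

# Points deducted when a requirement is not implemented, for a subset of the
# 110 requirements. ASSUMPTION: transcribed by hand from the DoD Assessment
# Methodology scoring table; verify against the published table before use.
WEIGHTS = {
    "3.1.1": 5,    # limit system access to authorized users
    "3.1.2": 5,    # limit access to permitted transactions and functions
    "3.1.5": 3,    # least privilege
    "3.1.20": 1,   # control connections to external systems
    "3.3.1": 5,    # create and retain system audit logs
    "3.5.3": 5,    # multifactor authentication
    "3.13.11": 5,  # FIPS-validated cryptography for CUI
}
# The only two requirements the methodology scores with partial credit:
# MFA for general but not privileged users, or encryption that is not
# FIPS-validated, each lose 3 points instead of 5.
PARTIAL_CREDIT = {"3.5.3": 3, "3.13.11": 3}

VALID_STATES = {"implemented", "partial", "not_implemented"}


@dataclass
class Status:
    """One SSP/POA&M line (hypothetical layout): requirement, state, POA&M due date."""
    req: str
    state: str
    poam_due: Optional[date] = None


def sprs_score(statuses: List[Status]) -> Tuple[int, List[str]]:
    """Return (score, findings) for a status list.

    Findings flag open gaps that lack a POA&M due date and requirements
    that were never assessed (these are scored as not implemented).
    """
    by_req = {s.req: s for s in statuses}
    score = MAX_SCORE
    findings: List[str] = []
    for req, weight in WEIGHTS.items():
        s = by_req.get(req)
        if s is None:
            score -= weight
            findings.append(f"{req}: not assessed, scored as not implemented (-{weight})")
            continue
        if s.state not in VALID_STATES:
            raise ValueError(f"{req}: unknown state {s.state!r}")
        if s.state == "implemented":
            continue
        # "partial" only earns reduced deduction for the two partial-credit
        # requirements; everywhere else it is scored as not implemented.
        deduction = PARTIAL_CREDIT.get(req, weight) if s.state == "partial" else weight
        score -= deduction
        if s.poam_due is None:
            findings.append(f"{req}: open gap (-{deduction}) has no POA&M due date")
    assert MIN_SCORE <= score <= MAX_SCORE
    return score, findings


def assessment_is_current(assessment_date: date, award_date: date) -> bool:
    """DFARS 252.204-7019: the SPRS score must be no more than three years old at award."""
    try:
        cutoff = award_date.replace(year=award_date.year - 3)
    except ValueError:  # award dated 29 February
        cutoff = award_date.replace(year=award_date.year - 3, day=28)
    return cutoff <= assessment_date <= award_date


# Constructed sample SSP/POA&M status (illustrative data, not a real system).
SAMPLE = [
    Status("3.1.1", "implemented"),
    Status("3.1.2", "implemented"),
    Status("3.1.5", "not_implemented", poam_due=date(2025, 9, 30)),
    Status("3.1.20", "not_implemented"),                       # gap with no POA&M
    Status("3.3.1", "partial", poam_due=date(2025, 12, 31)),   # no partial credit here
    Status("3.5.3", "partial", poam_due=date(2025, 8, 1)),     # partial credit: -3
    Status("3.13.11", "implemented"),
]
ASSESSMENT_DATE = date(2022, 6, 1)   # constructed
AWARD_DATE = date(2025, 5, 31)       # constructed

if __name__ == "__main__":
    total, issues = sprs_score(SAMPLE)
    print(f"SPRS score: {total}")
    for line in issues:
        print("  finding:", line)
    print("score current at award:", assessment_is_current(ASSESSMENT_DATE, AWARD_DATE))
```

On the sample data the system scores 98: the unimplemented least-privilege and external-connection requirements cost 3 and 1 points, the partially implemented audit-logging requirement costs the full 5 because it is not one of the two partial-credit items, and partial MFA costs 3. The one finding is the gap with no POA&M date, which is exactly the kind of omission an SSP reviewer would send back.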
Examples of CUI
Many kinds of information constitute CUI, and the authoritative list is NARA's CUI Registry, which groups them into categories such as Controlled Technical Information, Export Controlled, Privacy, and Procurement and Acquisition. Because the registry changes, it can be difficult to enumerate every type of information that might fall into the category, and in practice a document is CUI because the originating agency has designated and marked it, not merely because it concerns a government project. For defense contractors the most common category is Controlled Technical Information, whose definition in DFARS 252.204-7012 covers items such as:
- Engineering and research data used in the development of projects for the federal government.
- Computer software, including both source code and executable code, used in government applications.
- Blueprints and engineering drawings for any government use.
- Technical manuals and reports pertaining to government projects.
- Government project specifications or standards.
- Research, studies, analysis and any data sets connected to government projects.
- Lists and catalog designations associated with government projects.
CUI Is Changing
The definitions and handling rules for CUI change over time in response to new attacks and threats. For example, in May of 2018 the Department of Defense gave oversight of contractors' protection of CUI to the Defense Security Service, which became the Defense Counterintelligence and Security Agency (DCSA) in 2019. The purpose of this move was to standardize how contractor CUI protection is assessed, to prioritize those assessments, and to record the results in a database accessible across departments. One of the more recent changes is the Cybersecurity Maturity Model Certification (CMMC), codified at 32 CFR Part 170. CMMC defines three levels: Level 1 (basic safeguarding of federal contract information) is self-assessed; Level 2 (the NIST SP 800-171 requirements for CUI) generally requires an assessment by an accredited third-party assessment organization (C3PAO); and Level 3 is assessed by the government. A certification, rather than a self-attested score alone, shows that a company meets the current requirements.
Government data, whether classified or not, must be protected. Cyberattacks occur all too frequently, and a breach of CUI can have disastrous results for the contractor and for the program it supports. Because the score on file is checked at award, any government contractor should be in compliance with the current CUI requirements before bidding on a contract, not after.
Author | Emily Forbes
An Entrepreneur, Mother & A passionate tech writer in the technology industry!