Controlled Unclassified Information
From MgmtWiki
Full Title
CUI (Controlled Unclassified Information) is a term for data that the US DoD and other security agencies do not want to be widely available but does need to be shared with suppliers.
Context
- Government created or owned UNCLASSIFIED information that must be safeguarded from unauthorized disclosure.
- An overarching term representing many difference categories, each authorized by one or more law, regulation, or Government-wide policy.
- Information requiring specific security measures indexed under one system across the Federal Government.
Why is CUI important?
- The establishment of CUI was a watershed moment in the Department’s information security program, formally acknowledging that certain types of UNCLASSIFIED information are extremely sensitive, valuable to the United States, sought after by strategic competitors and adversaries, and often have legal safeguarding requirements.
- Unlike with classified national security information, DoD personnel at all levels of responsibility and across all mission areas receive, handle, create, and disseminate CUI.
- UI policy provides a uniform marking system across the Federal Government that replaces a variety of agency-specific markings, such as FOUO, LES, SBU, etc.
Standards
- From its inception NIST 171
- CCMC capability maturity
- SPRS
Solutions
- New draft of 171 2023-11-09 https://csrc.nist.gov/pubs/sp/800/171/r3/fpd
- Pre-Draft Call for Comments: NIST CUI Series - Analysis of Public Comments - 2022-11-01
- With the issuance of DoD Instruction 5200.48, the DoD was proud to be an early adopter of CUI Program requirements. (2020-03-06)
- Part 2002 of 32 Code of Federal Regulations prescribed Government-wide implementation standards on September 14, 2016.
- Executive Order 13556 established CUI on November 4, 2010.
