UUI vs CUI vs Confidential vs Secret vs Top Secret
Executive Orders (EO) 12356 and 13526 established the foundation for what "classified" data is. EO 13556 established the foundation for Controlled Unclassified Information (CUI).
Unclassified Data
There are two (2) types of Unclassified data from the US Government's perspective:
- Controlled Unclassified Information (CUI)
  - CUI Basic
  - CUI Specified
- Uncontrolled Unclassified Information (UUI)
  - General UUI (not publicly released or FCI)
  - Federal Contract Information (FCI)
  - Information that has been cleared for public release
Classified Data
There are three (3) types of Classified data from the US Government's perspective:
- Confidential
- Secret
- Top Secret
A common question is “What is Controlled Unclassified Information (CUI)?”
ANSWER: There is no simple definition of Controlled Unclassified Information (CUI). The authoritative source that defines CUI is the US National Archives, through the CUI Registry. However, for most businesses that have to address NIST 800-171 and/or Cybersecurity Maturity Model Certification (CMMC), the focus is on a subset of CUI: Controlled Technical Information (CTI). "Technical Information" means technical data or computer software. Examples of technical information include:
- Research and engineering data
- Engineering drawings
- Associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and
- Computer software executable code and source code.
Understanding Requirements For CUI
The best place to start is with understanding Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, since that establishes the definitions and need to protect CUI.
- DFARS 252.204-7012 defines a requirement to provide "adequate security," meaning protective measures that are commensurate with the consequences and probability of loss, misuse, or unauthorized access to, or modification of, information.
  - For services or systems operated on behalf of the US Government, "adequate security" is defined by the security requirements in the contract.
  - For all other "Covered Contractor Information Systems," it is further defined by NIST 800-171.
- Covered Contractor Information System (CCIS) means an unclassified information system that is owned, or operated by or for, a contractor and that processes, stores, or transmits "Covered Defense Information."
- Covered Defense Information (CDI) means unclassified "Controlled Technical Information" or other information, as described in the Controlled Unclassified Information (CUI) Registry.
- When you read through the CUI Registry and find Controlled Technical Information (CTI), it means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.
  - CTI is to be marked in accordance with Department of Defense Instruction 5230.24, "Distribution Statements on Technical Documents."
  - The term does not include information that is lawfully publicly available without restrictions.
For Official Use Only (FOUO) & Sensitive But Unclassified (SBU)
There are two (2) legacy data types that are replaced by CUI:
- For Official Use Only (FOUO)
- Sensitive But Unclassified (SBU)
Per US Government guidance, "legacy documents" do not need to be remarked until and unless the information is re-used, restated, or paraphrased. When new documents are derived from legacy documents, they must follow the new CUI marking standards.