There are lots of acronyms in the cybersecurity world, and several you should know by heart if you are interested in or going to be a part of the government contracting world. CUI, or “controlled unclassified information” is information that requires safeguarding or dissemination controls that adhere to applicable law, regulations, and government policies but is NOT classified under Executive Order 13526 “Classified National Security Information” or the Atomic Energy Act, as amended. CUI is not classified information. It is not corporate intellectual property (unless created or included in requirements related to a government contract).
Because, as a whole, there are fewer limits over CUI as compared to classified information, CUI is an easier entry point for attackers or those wanting to gather information and access. CUI theft is one of the most significant risks to national security, directly affecting information controls, safety and wellbeing, and overall the safeguard of our country. Understandably, it is critical we keep CUI secure and protected.
There are two subsets of CUI:
CUI Basic Laws, Regulations, or Government-wide policies that DO NOT require specific protections. Agencies handle CUI Basic according to the uniform set of controls set forth in this part and the CUI Registry.
CUI Specified Laws, Regulations, or Government-wide policies that require specific protections. The CUI Registry indicates which laws, regulations, and Government-wide policies include such specific requirements.
Controlled Technical Information
Controlled Technical Information (CTI) is a special type of CUI. It consists of technical information with military or space application that is subject to controls on access, use, reproduction, modification, performance display, release, disclosure, and dissemination.
Examples of CTI include research and engineering data, engineering drawings, and associated lists, specification, standards, process sheets, manuals, technical reports, technical orders, catalog-item identification, data sets, studies, and analysis, and related information, and computer software executable code and source code.
CTI is a CUI category that has been specifically singled out by the DoD in the CMMC framework. It is information that may need additional protection above and beyond the CMMC level 3. If you’re ever considering taking on government contracting, or wondering if you may need to know more about what it would look like to ensure you’re following the most recent regulations about controlled unclassified information or controlled technical information, you may want to look into CMMC (Cyber Maturity Model Specification). You can find out more information about CMMC here or email our team at [email protected] with questions.
Simple Plan IT is nationally recognized and accredited as a registered provider organization by the Cybersecurity Maturity Model Certification Accreditation Cody (CMMC-AB).