Updated: Aug 14
Reading Time: 3 minutes
CUI is government-created or owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies. It’s also not corporate intellectual property unless created for or included in requirements related to a government contract.
Why Is CUI Important? Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, provides federal agencies with a set of recommended security requirements for protecting the confidentiality of CUI when such information is resident in nonfederal systems and organizations.
Federal contractors routinely process, store and transmit sensitive federal information in their systems to support the delivery of essential products and services to federal agencies. If you fall anywhere within the supply chain of a Department of Defense (DoD) contractor, you are responsible for protecting CUI with DFARS 7012 (The Defense Federal Acquisition Regulation Supplement), and NIST 800-171 (a NIST Special Publication that provides recommended requirements for protecting the confidentiality of Controlled Unclassified Information). Defense contractors must implement the recommended requirements contained in NIST SP 800-171 to demonstrate their provision of adequate security to protect the covered defense information included in their defense contracts.
Prior to establishing CUI, individual agencies used their own unique labels to identify UNCLASSIFIED information in need of safeguarding:
Confidential Business Information (CBI),
Personally Identifiable Information (PII),
Sensitive But-Unclassified (SBU),
For Official Use Only (FOUO)
Under Executive Order 13556, the above labels were then standardized under the single Controlled Unclassified Information (CUI) label on November 4, 2010.
What Is CUI Basic And CUI Specified?
Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways:
Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.
Information designated as CUI Basic does not have to be labeled in any specific way, while CUI Specified information includes a clear process for signifying it as CUI. CUI Specified data may be required to use unique markings, increased physical safeguards, and even limits on who can access the data.
The Golden Standard for Business Cybersecurity Implementing DFARS & NIST 800-171 will help protect your company's data as well as your customer’s data. If a business is part of a DoD, General Services Administration (GSA), NASA, or other federal or state agencies’ supply chain, the implementation of the security requirements included in NIST SP 800-171 is a must.
YOUR BUSINESS IS AT RISK OF LOSING CURRENT CONTRACTS AND FUTURE BUSINESS IF YOU HAVE NOT STARTED THE COMPLIANCE PROCESS.
Before you can be NIST 800-171 compliant, you need to know more about the process and what steps you should take to comply with these regulations. Learn more about Bluestreak Consulting™ services and then give us a call to schedule your complimentary consultation.