The average person has some idea what classified information is. This is information that the government keeps secret from the general public and which only people with the necessary clearance can access. But even material that isn’t classified isn’t necessarily for public consumption. Some information has a connection to classified information, but isn’t sensitive enough to require the same safeguards. This material is called controlled unclassified information (CUI).

History of the Program
Until 2008, material that was sensitive but not classified was categorized under various names: For Official Use Only, Sensitive But Unclassified, Law Enforcement Sensitive, and more. Different agencies used different terms, and different levels of sensitivity were called by a variety of names. A study found over 140 different types of unclassified information being used by the Federal Government.
The term CUI was coined to cover all these situations, while allowing for greater specificity within the category as needed. CUI comes in tiers based on its level of sensitivity. Each progressively higher tier requires a greater level of information security to protect it.
Who Is Allowed to Access CUI?
CUI, since it’s less sensitive than classified information, isn’t kept strictly within the Federal Government. It is often shared with federal contractors who have some reason to need this information. Given how closely government agencies work with private companies, it’s very common for CUI to be in the hands of civilians. But it is sensitive enough that standards exist for keeping that material safe.
Contractors can handle CUI if they need it to complete their contracts and can meet the security standards necessary for handling it properly. But that latter requirement can be surprisingly stringent, especially given the difficulty of keeping information secure in the digital age. The Cybersecurity Maturity Model Certification (CMMC) program sets standards for cybersecurity which are tiered depending on the sensitivity of the CUI a contractor handles.
A contractor’s subcontractors might also need to handle the same CUI. In that case, the original contractor is responsible for ensuring the compliance of all its subcontractors handling CUI. This way the information can be kept secure up and down the chain, wherever it is stored or used.
To help understand this better, we can use the parallel of food handling. It isn’t enough that the person who serves you a meal has clean hands. For the food to be safe, every single person who handles the food, from the supplier to the chef to the server, must also follow the same food safety rules. A mistake anywhere along the chain can have disastrous results.
How Is CUI Handled?
Sometimes, CUI takes the form of physical paper documents. In this case, those entrusted with it need to keep those pieces of paper safe. This may include locked cabinets, sealed envelopes, and offices with electronic locks. It should be properly labeled and shared only with those who have a lawful government purpose to use it. Even when a contractor is finished with it, they can’t simply recycle it. It has to be completely destroyed, generally with a crosscut shredder.
Pieces of paper, however, are the easy part. Keeping digital information safe requires much more complex procedures. Hackers constantly develop new ways to access private information. That means contractors who work with CUI always have to stay two steps ahead. Most businesses have some level of security on their computer systems, but companies that work with CUI need more than the usual industry standard.
That said, the same safety measures that work to protect CUI can also protect a company’s other private material. Once a contractor’s security meets government standards, they have essentially upgraded their entire data handling system to something which will protect their own non-CUI documents too.

Keeping CUI Safe
Government contractors, since they’re not under the direct supervision of the Federal Government, sometimes get careless. They ignore some of the standards for handling CUI, with the assumption that no one is watching them too closely. However, an audit can turn up embarrassing flaws in your system. Or worse, a security breach can make it clear that your systems weren’t up to par. In cases like this, you may lose your government contracts and be ineligible to bid on future projects.
Government standards on CUI are complex enough that a company’s normal IT firm likely can’t bring it into compliance. Neither is this something you can do on your own while also running a business. Instead, call upon an expert firm that specializes in this one area of cybersecurity. Mission Compliant is one such provider. Our specific mission is to bring government contractors into compliance with all of the complex rules governing CUI. Drawing on 85 years of combined cybersecurity experience, our team of instructors and consultants guides your business along the path to best practices, efficiency, and compliance.