Controlled Unclassified Information (CUI)

Secure your business with CyberHoot Today!!!

Sign Up Now

Controlled Unclassified Information (CUI) is federal non-classified information (information the federal government creates or possesses, or that an entity creates or possesses for or on behalf of the government) that requires safeguarding or dissemination controls compliant with the law, regulations, and government-wide policies. The federal CUI Program is a government-wide approach to creating a uniform set of requirements and information security controls directed at securing sensitive government information.

CUI is a term that contains many different markings to identify information that is not classified but which should be protected. Some examples you may be familiar with include:  

• Personally Identifiable Information (PII) 
• Sensitive Personally Identifiable Information (SPII) 
• Proprietary Business Information (PBI) or currently known within EPA as Confidential Business Information (CBI) 
• Unclassified Controlled Technical Information (UCTI) 
• Sensitive but Unclassified (SBU) 
• For Official Use Only (FOUO) 
• Law Enforcement Sensitive (LES), and others.

What CUI is not, is Classified or Top Secret information.  Those are both even more critical than CUI.

An example of CUI might be the business schedule of politicians in the senate.  What is Classified would be the president’s and vice president’s schedule (outside of public engagements published to the media).  Top Secret might be some of the troop movements of the United States military or the sale of weapons to our allies.

What does this mean for an SMB or MSP?

Most SMBs and MSPs don’t need to worry about Controlled Unclassified Information (CUI) unless they’re working with government entities or are themselves defense contractors. If your company is interested in working with the government, your organization may need CMMC compliance. CMMC compliance requirements vary depending on the contract, with many contracts requiring only Level 1 or Level 2 compliance, but some contracts require Level 3 (most stringent mandatory controls). 

If you’re yet not working with the government, but plan to work in the Defense industry in the future, you should still begin your CMMC journey. Many estimate that it can take an organization 12 to 18 months to reach CMMC Level 2 readiness and longer for level 3.

You also should engage with a CMMC consultant to help you prepare. There are many paths that can be taken that will lead to a dead end. Still, other decisions within CMMC compliance are yet to be determined – most notably who can self-attest to Level 2 compliance and who will be required to be certified by a licensed certification organization.

The basic principles of CMMC compliance relate to proactive and consistent security best practices based upon NIST 800-171 control objectives. These are controls that most organizations should be focused on implementing for strong defense-in-depth cybersecurity programs and just plain old peace of mind. 

The additional recommendations below will help get your organization on the right path towards CMMC compliance. 

Additional Cybersecurity Recommendations

Additionally, these recommendations below will help you and your business stay secure with the various threats you may face on a day-to-day basis. All of the suggestions listed below can be gained by hiring CyberHoot’s vCISO Program development services.

1. Govern employees with policies and procedures. You need a password policy, an acceptable use policy, an information handling policy, and a written information security program (WISP) at a minimum.
2. Train employees on how to spot and avoid phishing attacks. Adopt a Learning Management system like CyberHoot to teach employees the skills they need to be more confident, productive, and secure.
3. Test employees with Phishing attacks to practice. CyberHoot’s Phish testing allows businesses to test employees with believable phishing attacks and put those that fail into remedial phish training.
4. Deploy critical cybersecurity technology including two-factor authentication on all critical accounts. Enable email SPAM filtering, validate backups, deploy DNS protection, antivirus, and anti-malware on all your endpoints.
5. In the modern Work-from-Home era, make sure you’re managing personal devices connecting to your network by validating their security (patching, antivirus, DNS protections, etc) or prohibiting their use entirely.
6. If you haven’t had a risk assessment by a 3rd party in the last 2 years, you should have one now. Establishing a risk management framework in your organization is critical to addressing your most egregious risks with your finite time and money.
7. Buy Cyber-Insurance to protect you in a catastrophic failure situation. Cyber-Insurance is no different than Car, Fire, Flood, or Life insurance. It’s there when you need it most.

All of these recommendations are built into CyberHoot the product or CyberHoot’s vCISO Services. With CyberHoot you can govern, train, assess, and test your employees. Visit CyberHoot.com and sign up for our services today. At the very least continue to learn by enrolling in our monthly Cybersecurity newsletters to stay on top of current cybersecurity updates.

To learn more about Controlled Unclassified Information (CUI), watch this short 2-minute video:

Sources: 

UMICH.Edu

NIST

DCSA

EPA

Additional Reading:

Becoming Compliant with CMMC

Related Terms:

Cybersecurity Maturity Model Certification (CMMC)

CyberHoot does have some other resources available for your use. Below are links to all of our resources, feel free to check them out whenever you like: 

• Blog
• Cybrary (Cyber Library)
• Infographics
• Newsletters
• Press Releases
• Instructional Videos (HowTo) – very helpful for our SuperUsers!

Note: If you’d like to subscribe to our newsletter, visit any link above (besides infographics) and enter your email address on the right-hand side of the page, and click ‘Send Me Newsletters’.