Sensitive information that could impact the safety of US citizens is often classified by the US government. But beyond formally classified documents, there are other kinds of data that are similarly sensitive and need to be protected. These are grouped under the term Controlled Unclassified Information (CUI), which can be Basic or Specified. So, what is CUI Basic?
What is CUI Basic? A Beginner’s Guide
CUI Basic is a subset of CUI that is not directly subject to any special requirements, beyond the baseline protections for all CUI. There are many categories of CUI Basic, relevant to several industries and any organizations that work closely with governmental entities.
The most critical things to understand about CUI Basic include:
- What CUI is as a general category
- Which subsets of CUI are Basic
- How to protect all kinds of CUI
Beyond these, other considerations include how CUI Basic relates to regulatory compliance for specific industries and niches, such as organizations that work with the US Military.
What is Controlled Unclassified Information?
Controlled Unclassified Information is data that the US government has deemed sensitive and in need of protection, despite not carrying formal “classified” status. All CUI is subject to safeguarding, dissemination, marking, and other requirements. These govern who has access to the CUI, what they are able or required to do with it, and under what circumstances.
Many authorities intersect to govern CUI. However, a select few are the most important.
Namely, per Executive Order 13566, the National Archives and Records Administration (NARA) oversees all agency matters related to compliance. NARA delegates certain responsibilities to the Information Security Oversight Office (ISOO).
The ISOO has established requirements for all agencies and private organizations to safeguard, disseminate, decontrol, and mark CUI. The legal document 32 CFR Part 2002 prescribes controls all impacted parties need to implement and other rules they need to follow.
Certain categories of CUI are also subject to other controls, beyond what the ISOO has deemed necessary for all CUI.
Which Categories of CUI are Basic?
From a definition perspective, there is some circularity between CUI Basic and CUI Specified. CUI Basic comprises all CUI that is not Specified. That raises the question: what is CUI Specified? It is defined as any CUI that is directly subject to additional requirements beyond those placed on CUI Basic.
In total, there are 125 categories of CUI. These fall into 21 Organizational Index Groupings. And there are 93 CUI Basic categories, which are distributed across 17 of these groupings:
- Critical Infrastructure – 11 Basic categories:
  - Ammonium Nitrate (CRITAN)
  - Chemical-terrorism Vulnerability Information (CVI)
  - Critical Energy Infrastructure Information (CEII)
  - Emergency Management (EMGT)
  - General Critical Infrastructure Information (CRIT)
  - Information Systems Vulnerability Information (ISVI)
  - Physical Security (PHYS)
  - Protected Critical Infrastructure Information (PCII)
  - SAFETY Act Information (SAFE)
  - Toxic Substances (TSCA)
  - Water Assessments (WATER)
- Defense – Three Basic categories:
  - Controlled Technical Information (CTI)
  - Naval Nuclear Propulsion Information (NNPI)
  - Unclassified Controlled Nuclear Information – Defense (DCNI)
- Export Control – Two Basic categories:
  - Export Controlled (EXPT)
  - Export Controlled Research (EXPTR)
- Financial – 10 Basic categories:
  - Bank Secrecy (FSEC)
  - Comptroller General (COMPT)
  - Electronic Funds Transfer (XFER)
  - Federal Housing Finance Non-Public Information (FHFA HPI)
  - Financial Supervision Information (FSI)
  - General Financial Information (FNC)
  - International Financial Institutions (FINT)
  - Mergers (MERG)
  - Net Worth (NETW)
  - Retirement (RTR)
- Immigration – Seven Basic categories:
  - Asylee (ASYL)
  - Battered Spouse or Child (BATT)
  - Permanent Resident Status (RESD)
  - Status Adjustment (ADJ)
  - Temporary Protected Status (PROT)
  - Victims of Human Trafficking (IVIC)
  - Visas (VISA)
- Intelligence – Four Basic categories:
  - Agriculture (AG)
  - General Intelligence (INTEL)
  - Internal Data (ID)
  - Operations Security (OPSEC)
- Law Enforcement – 12 Basic categories:
  - Committed Person (CMPRS)
  - Communications (LCOMM)
  - General Law Enforcement (LEI)
  - Informant (INF)
  - Investigation (INV)
  - Juvenile (JUV)
  - National Security Letter (LNSL)
  - Pen Register/Trap & Trace (TRACE)
  - Reward (RWRD)
  - Sex Crime Victim (SCV)
  - Terrorist Screening (LSCRN)
  - Whistleblower Identity (WHSTL)
- Legal – 11 Basic categories:
  - Administrative Proceedings (ADPO)
  - Child Victims or Witnesses (CVIC)
  - Collective Bargaining (BARG)
  - Federal Grand Jury (JURY)
  - Legal Privilege (PRIVILEGE)
  - Legislative Materials (LMI)
  - Presentence Report (PRE)
  - Prior Arrest (PRIOR)
  - Protective Order (LPROT)
  - Victim (LVIC)
  - Witness Protection (WIT)
- Nuclear – Four Basic categories:
  - General Nuclear (NUC)
  - Nuclear Recommendation Material (RECCOM)
  - Nuclear Security-Related Information (SRI)
  - Unclassified Controlled Nuclear Information – Energy (UCNI)
- Patent – Three Basic categories:
  - Inventions (INVENT)
  - Patent Applications (APP)
  - Secrecy Orders (PSEC)
- Privacy – Eight Basic categories:
  - Death Records (DREC)
  - General Privacy (PRVCY)
  - Genetic Information (GENETIC)
  - Health Information (HLTH)
  - Inspector General Protected (PRIIG)
  - Military Personnel Records (MIG)
  - Personnel Records (PERS)
  - Student Records (STUD)
- Procurement and Acquisition – Two Basic categories:
  - Small Business Research and Technology (SBIZ)
  - Source Selection (SSEL)
- Proprietary Business Information – Five Basic categories:
  - Entity Registration Information (CONREG)
  - General Proprietary Business Information (PROPIN)
  - Ocean Common Carrier and Marine Terminal Operator Agreements (OCCMTO)
  - Ocean Common Carrier Service Contracts (SERV)
  - Proprietary Postal (POST)
- Provisional – Eight Basic categories:
  - Homeland Security Agreement Information
  - Homeland Security Enforcement Information
  - Information Systems Vulnerability Information – Homeland
  - International Agreement Information – Homeland
  - Operations Security Information
  - Personnel Security Information
  - Physical Security – Homeland
  - Privacy Information
- Statistical – Three Basic categories:
  - Investment Survey (SURV)
  - Pesticide Producer Survey (PEST)
  - Statistical Information (STAT)
- Tax – Two Basic categories:
  - Tax Convention (CONV)
  - Taxpayer Advocate Information (TAI)
- Transportation – One Basic category:
  - Railroad Safety Analysis Records (RAIL)
- (No Grouping) – One Basic category:
  - DoD Critical Infrastructure Security Information (DCRIT)
Note that, of these 93 CUI Basic categories, 27 also carry the Specified designation. This means that, depending on the contents of the specific document in question, either the Basic or the Specified designation will be appropriate.
Whether you deal primarily in Basic or Specified CUI (or both) will determine what kinds of controls or what level of system is required for CUI at your organization.
How to Ensure the Security of CUI Basic
All CUI is subject to the rules and requirements set out in 32 CFR Part 2002, governing the safeguarding, access, and dissemination of CUI. These include requirements for storage, processing, and transmission, building on frameworks like NIST SP 800-53 and FIPS PUB 200.
Taken together, CUI Basic controls require thorough cybersecurity planning that secures CUI throughout its lifecycle. Even the disposal of CUI files needs to be planned carefully, with a clear understanding of what destroying CUI is meant to achieve guiding every step.
One way to safeguard CUI and control its access and dissemination is through marking. Every document, regardless of category, needs to clearly display “Controlled” or “CUI.”
CUI Basic differs from Specified in that Basic marking does not need to include a code for the category. However, CUI Basic documents may need to carry additional markings such as “AC” for attorney-client privilege, or “DISPLAY ONLY” followed by specific countries if the document is only authorized for disclosure in those places.
Finally, organizations also need to decontrol CUI as soon as it has been determined that the data no longer requires protection. The “Decontrolled” status must then be marked alongside the other designations described above.
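The marking rules above (a “CUI” or “Controlled” marking on every document, a category code that is mandatory for Specified but optional for Basic, extra markings such as “AC” or “DISPLAY ONLY” with a list of countries, and a visible decontrolled status) are the kind of thing a document-handling pipeline should check mechanically rather than by eye. The script below is an added example, not code from the original article or from RSI Security. Its assumptions are labelled in the comments: banner segments are separated by `//`, a Specified category is written with an `SP-` prefix, country codes are three uppercase letters, and a decontrolled document carries a leading `DECONTROLLED` segment. The category codes and the “AC” and “DISPLAY ONLY” markings are the ones the article names; the `CuiRecord` class and both functions are hypothetical helpers written for this example.

```python
"""Build and check CUI banner markings against a document's control record.

Added example (not from the original article or RSI Security). Assumed banner
layout: segments separated by "//", first segment "CUI" or "CONTROLLED",
Specified categories written "SP-<CODE>", dissemination markings after that,
and a leading "DECONTROLLED" segment once the document has been decontrolled.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed subset of the CUI Basic category codes listed in the article.
BASIC_CATEGORY_CODES = {"CTI", "NNPI", "DCNI", "EXPT", "PRVCY", "HLTH", "DCRIT"}
# Additional markings the article mentions ("AC" = attorney-client privilege).
ADDITIONAL_MARKINGS = {"AC"}
COUNTRY_RE = re.compile(r"^[A-Z]{3}$")  # assumption: three-letter country codes


@dataclass
class CuiRecord:
    """What the organisation knows about a document (hypothetical record)."""
    designation: str                                       # "Basic" or "Specified"
    category: Optional[str] = None                         # e.g. "CTI"; optional for Basic
    extra: List[str] = field(default_factory=list)         # e.g. ["AC"]
    display_only: List[str] = field(default_factory=list)  # e.g. ["USA", "GBR"]
    decontrolled: bool = False


def build_banner(rec: CuiRecord) -> str:
    """Compose the banner marking for a record under the assumed layout."""
    parts = ["DECONTROLLED"] if rec.decontrolled else []
    parts.append("CUI")
    if rec.designation == "Specified":
        parts.append(f"SP-{rec.category}")   # Specified must carry its category code
    elif rec.category:
        parts.append(rec.category)           # Basic may carry the code, need not
    parts.extend(rec.extra)
    if rec.display_only:
        parts.append("DISPLAY ONLY " + ", ".join(rec.display_only))
    return "//".join(parts)


def validate_banner(banner: str, rec: CuiRecord) -> List[str]:
    """Return the problems found; an empty list means the banner matches rec."""
    problems: List[str] = []
    segs = banner.split("//")
    # Decontrolled status must be visible, and only when actually decontrolled.
    if rec.decontrolled:
        if not segs or segs[0] != "DECONTROLLED":
            problems.append("decontrolled document lacks DECONTROLLED marking")
        else:
            segs = segs[1:]
    elif segs and segs[0] == "DECONTROLLED":
        problems.append("DECONTROLLED marking on a document still under control")
        segs = segs[1:]
    # Every document must display "CUI" or "Controlled".
    if not segs or segs[0] not in ("CUI", "CONTROLLED"):
        problems.append('banner must begin with "CUI" or "CONTROLLED"')
        return problems
    sp_codes = [s[3:] for s in segs[1:] if s.startswith("SP-")]
    if rec.designation == "Specified":
        if rec.category not in sp_codes:
            problems.append(f"Specified CUI must carry SP-{rec.category}")
    elif sp_codes:
        problems.append("CUI Basic must not use the SP- (Specified) prefix")
    for seg in segs[1:]:
        if seg.startswith("SP-") or seg in BASIC_CATEGORY_CODES or seg in ADDITIONAL_MARKINGS:
            continue
        if seg.startswith("DISPLAY ONLY"):
            countries = [c.strip() for c in seg[len("DISPLAY ONLY"):].split(",") if c.strip()]
            if not countries or not all(COUNTRY_RE.match(c) for c in countries):
                problems.append("DISPLAY ONLY must list at least one country code")
            continue
        problems.append(f"unrecognised marking segment: {seg!r}")
    return problems


if __name__ == "__main__":
    rec = CuiRecord("Basic", "CTI", extra=["AC"], display_only=["USA", "GBR"])
    banner = build_banner(rec)
    print(banner, validate_banner(banner, rec))
    print(validate_banner("CUI//DISPLAY ONLY", rec))
```

Running the script on the constructed record prints the banner `CUI//CTI//AC//DISPLAY ONLY USA, GBR` with no problems, and flags a `DISPLAY ONLY` marking that names no country. The useful design point is that `validate_banner` checks the banner against what the organisation already knows about the document, so a Specified document that was marked as if it were Basic is caught at the point of marking rather than after dissemination.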
Compliance Considerations for CUI Basic
One particular category of CUI Basic, DCRIT, is directly related to compliance concerns for Defense Industrial Base (DIB) contractors. DoD Instruction 5200.48 implements the DoD CUI program and DoD CUI Registry. Because of that, DCRIT is subject to several regulatory frameworks with controls well above the scope of 32 CFR Part 2002.
If your organization works in any capacity with the US Military or comes into contact with DCRIT information regularly, you may need to achieve Cybersecurity Maturity Model Certification (CMMC). There are multiple CMMC Levels that may be required, entailing implementation of NIST SP 800-171 and potentially SP 800-172 controls.
Working with a CMMC advisor will help you prepare for any remediation, employee training, and assessments needed to secure CUI.
Secure CUI Basic with RSI Security
If your organization works with governmental agencies, directly or indirectly, you may need to account for CUI in your cyberdefense program. That means identifying where that information lives and what threats could compromise it, then minimizing and mitigating any risks proactively.
RSI Security will help you rethink your approach to safeguarding, accessing and disseminating, decontrolling, and marking CUI. To dive deeper into questions like what is CUI basic, or how does CUI Basic differ from CUI Specified, contact RSI Security today!