Organizations that work closely with the US government need to take special precautions to safeguard data that government agencies deem sensitive. One of the most common kinds of data that needs protecting is Controlled Unclassified Information (CUI). And CUI Specified is some of the most tightly regulated CUI. So, what is CUI Specified, and how can you secure it?
Everything You Need to Know About CUI Specified
CUI Specified is one of two kinds of CUI—the other being CUI Basic. Altogether, CUI comprises information that the US government has not classified (or has declassified) but still monitors and sets limitations in terms of who can access it and how. To understand CUI Specified, you’ll need to comprehend:
- What CUI is and what authorities exist to regulate it
- What special requirements make CUI Specified distinct
Another consideration is the particular way that CUI interacts with cybersecurity and compliance programs, especially for organizations that work with the US Military or its contractors.
Overview of Controlled Unclassified Information
CUI is an umbrella term; it includes 125 distinct categories of information that government agencies have deemed worthy of protecting. CUI Specified refers to 59 categories that have additional requirements beyond the baseline set of rules applicable to Basic categories.
Of the 59 categories that carry the Specified designation, 32 of them are Specified only. The other 27 have an alternative Basic designation, which means that extra requirements apply to only certain documents within the category, depending on which authority governs them.
Executive Order 13556 established the CUI program within the Executive branch. CUI is governed primarily by the National Archives and Records Administration (NARA). However, NARA has delegated certain responsibilities for rulemaking and compliance to the Information Security Oversight Office (ISOO), which has also delegated responsibilities to other agencies to whom specific categories of CUI are most relevant.
In practice, this means that the ISOO is responsible for most requirements directly applicable to all CUI, but not other agencies’ rules for individual Specified categories only.
Breakdown of Requirements for CUI Specified
What level of system is required for CUI Specified? The answer will depend on what specific categories of CUI you normally process. The ISOO’s 32 CFR Part 2002 establishes four baseline areas of control that dictate applicable requirements for all CUI.
CUI Specified requirements begin with controls for:
- Accessing and Disseminating
Safeguarding requires organizations and individuals to protect CUI in storage and transit, along with when it is (re)produced or destroyed. Information systems that process CUI are subject to technical and other protections laid out in FIPS PUB 200, NIST SP 800-53, and elsewhere.
Accessing and Dissemination controls dictate who can access CUI and to whom an organization may disseminate it (and under what circumstances). Agreements, monitoring, and other precautions work hand-in-hand with thorough Marking (see below) to limit CUI exposure.
Decontrolling requires organizations to cease rigorous control as soon as a document is no longer deemed to need protection. This lessens the burden on overall security systems, but it does not mean documents are fully public. They also need to be labeled as Decontrolled.
Special Markings for CUI Specified Categories
All CUI needs to be marked as such. Labeling always includes “Controlled” or “CUI,” and CUI Specified marking in particular also requires a code to designate the Specified category.
Here are all the CUI Specified markings, listed alphabetically by code:
- CUI//SP-ADPO – Administrative Proceedings
- CUI//SP-AIV – Accident Investigation
- CUI//SP-ARCHR – Archaeological Resources
- CUI//SP-BUDG – Budget
- CUI//SP-CCI – Consumer Complaint Information
- CUI//SP-CEII – Critical Energy Infrastructure Information
- CUI//SP-CENS – US Census
- CUI//SP-CHLD – Child Pornography
- CUI//SP-CHRI – Criminal History Records Information
- CUI//SP-CONTRACT – Contract Use
- CUI//SP-CRITAN – Ammonium Nitrate
- CUI//SP-CTI – Controlled Technical Information
- CUI//SP-CVI – Chemical-terrorism Vulnerability Information
- CUI//SP-DCNI – Unclassified Controlled Nuclear Information (Defense)
- CUI//SP-EXPT – Export Controlled
- CUI//SP-FISA – Foreign Intelligence Surveillance Act
- CUI//SP-FISAB – Foreign Intelligence Surveillance Act Business Records
- CUI//SP-FNC – General Financial Information
- CUI//SP-FSEC – Bank Secrecy
- CUI//SP-FUND – Campaign Funds
- CUI//SP-GENETIC – Genetic Information
- CUI//SP-GEO – Geodetic Product Information
- CUI//SP-HISTP – Historic Properties
- CUI//SP-HLTH – Health Information
- CUI//SP-ID – Internal Data
- CUI//SP-IFNC – Intelligence Financial Records
- CUI//SP-INF – Informant
- CUI//SP-INTEL – General Intelligence
- CUI//SP-INTL – International Agreement Information
- CUI//SP-INV – Investigation
- CUI//SP-JURY – Federal Grand Jury
- CUI//SP-LDNA – DNA
- CUI//SP-LFNC – Law Enforcement Financial Records
- CUI//SP-LPROT – Protective Order
- CUI//SP-MFC – Proprietary Manufacturer
- CUI//SP-NNPI – Naval Nuclear Propulsion Information
- CUI//SP-NPSR – National Park System Resources
- CUI//SP-NUC – General Nuclear
- CUI//SP-PCII – Protected Critical Infrastructure Information
- CUI//SP-PERS – Personnel Records
- CUI//SP-PRIIG – Inspector General Protected
- CUI//SP-PROCURE – General Procurement and Acquisition
- CUI//SP-PROPIN – General Proprietary Business Information
- CUI//SP-PRVCY – General Privacy
- CUI//SP-SGI – Safeguards Information
- CUI//SP-SRI – Nuclear Security-Related Information
- CUI//SP-SSEL – Source Selection
- CUI//SP-SSI – Sensitive Security Information
- CUI//SP-STAT – Statistical Information
- CUI//SP-STUD – Student Records
- CUI//SP-SUB – Controlled Substances
- CUI//SP-TAX – Federal Taxpayer Information
- CUI//SP-TSCA – Toxic Substances
- CUI//SP-UCNI – Unclassified Controlled Nuclear Information (Energy)
- CUI//SP-WDT – Written Determinations
- CUI//SP-WHSTL – Whistleblower Identity
- CUI//SP-WIT – Witness Protection
There are also two NATO-specific categories that are considered Specified but do not carry default markings (NATO Restricted and NATO Unclassified). For files in these categories, the specific marking required will depend on the contents of the document in question.
Beyond these markings, CUI Specified often requires additional designations for controls such as Limited Dissemination. For example, documents may require the marking “NF” if they are not authorized for foreign distribution. Or documents (or sections thereof) may require a “FEDCON” label if only federal employees and contractors are authorized to access them.
Other Security Requirements for CUI Specified
Aside from the mandatory markings for CUI Specified documents, many categories are subject to agency-specific regulations on their sharing, storage, processing, and more. Some have just one governing authority or framework, while others may be subject to multiple simultaneously.
However, the category FSEC is subject to multiple authoritative texts for its subcategories:
In practice, organizations should keep track of the various security frameworks and regulations that apply to any particular kind of CUI they process. This includes both Specified and Basic, as certain Basic categories also have compliance implications.
Ultimately, securing CUI is not about identifying what level of system and network configuration is required for CUI in general. Instead, it’s about implementing specific frameworks and controls designed by the authorities concerned with your categories of CUI.
How CUI Relates to NIST and CMMC Compliance
There are several categories of CUI Specified by the Department of Defense (DoD), including CTI, SP-DCNI, and SP-NNPI. If you process any of these, there’s a good chance you also come into contact with the Basic category of DoD Critical Infrastructure Security Information (DCRIT).
If that’s the case, you’ll need to prepare for Cybersecurity Maturity Model Certification (CMMC).
CMMC is an assessment program that certifies an organization’s commitment to cyberdefense and ability to protect sensitive information such as CUI. It requires implementing controls from other frameworks, such as NIST SP 800-171 and SP 800-172, and assessing these on an annual or triennial basis, depending on the specific Level of compliance required.
Working with a NIST or CMMC advisor is the best way to comply—and secure CUI.
Optimize Your CUI Specified Security
To return to our opening question: what is CUI Specified? It’s a subset of CUI, or information you’ll need to secure if you work with government agencies. RSI Security will help your organization implement controls to meet 32 CF Part 2002, CMMC, NIST, and other applicable requirements on any CUI you process. To learn how, get in touch today!