What Is Controlled Unclassified Information?
The Pentagon defines it this way: “CUI-protected information is unclassified, but requires control to prevent release of unclassified information that, if publicly associated with defense missions or aggregated with other sources of information, often will reveal exploitable information to adversaries or violate statutory requirements.”
In other words, it’s the sea of information that the DOD and its contractors share back and forth in the course of doing regular business. The Pentagon has created 108 categories of CUI. They include patent applications, archeological resources, pesticide producer surveys, national park system resources, general procurement and acquisition information, international agreement information and water assessments.
There are also plenty of categories with clearer national security implications: critical energy infrastructure information, ammonium nitrate, chemical-terrorism vulnerability information, export-controlled research, intelligence financial records and DOD critical infrastructure security information.
To clarify the issue, the DOD has established an additional 199 subcategories of CUI. Because the list is so extensive, the Pentagon wants to be sure its contractors are tracking and protecting this everyday stream of information.
“There are so many opportunities for bad actors to get to CUI,” says Vestal.
Contractors also need to identify the CUI they create themselves as part of working with the defense department.
Now Is the Time for State and Local Agencies to Get Started
The Pentagon is still in the process of rulemaking on CMMC. Most expect it to be a contracting requirement by 2025.
“There is no reason, if you are handling government information, that you should wait,” says Andrew Stewart, a senior federal strategist for Cisco Systems. “CMMC requires a lot of controls, organizing, a strategic approach and a commitment of resources.”
The Defense Department has hinted that companies performing voluntary cybersecurity appraisals will get a leg up on the CMMC.
“DOD is implying that if you have a satisfactory Joint Surveillance Audit, it will transform into a CMMC [level 2],” says Tony Bai, executive vice president for public sector at security and compliance company A-LIGN. There, he oversees the team that conducts FedRAMP, FISMA/RMF, NIST 800-171 and CMMC assessments for clients.