Who is Responsible for Protecting CUI?

If your contract involves CUI, you're responsible—learn who must protect it, what the rules require, and how to stay compliant.

Organizations that handle sensitive government data need to know who’s responsible for protecting Controlled Unclassified Information (CUI). Understanding these responsibilities helps ensure proper safeguarding of this critical information within the CUI program framework, maintaining both security and compliance.

Key Takeaways

  • If your contract has a DFARS 252.204-7012 clause, you’re responsible for protecting CUI, even when working with outside vendors.
  • CUI comes in two types: Basic CUI with standard protections and CUI Specified that needs extra sharing controls.
  • The federal government replaced the confusing mix of over 100 different markings with one clear CUI program.
  • Proper marking of CUI helps prevent accidentally exposing personally identifiable information.
  • Only give CUI access to people who truly need it for their job and back this up with strong security controls.
  • Relevant Compliance can find the gaps in your CUI protection strategy and help you fix them without disrupting your operations.

Get Compliant. Stay Compliant.

Whether you’re just starting your compliance journey or preparing for your official assessment, our platform is your compliance center.

What is Controlled Unclassified Information?

Controlled Unclassified Information (CUI) is information created or possessed by the U.S. government, or created or possessed on behalf of the government, that requires protection or controlled sharing according to laws, regulations, or government-wide policies. CUI includes many types of information such as personally identifiable information (PII), proprietary business information, unclassified controlled technical information, protected health information, law enforcement sensitive data, and For Official Use Only (FOUO) information.

For defense contractors, finding a DFARS 252.204-7012 clause in your contract means you’ll be handling CUI. When working with multiple partners, subcontractors, and service providers, understanding how to protect CUI becomes especially important for national security and compliance reasons.

Understanding the CUI Program

Before 2010, federal agencies used over 100 different markings for sensitive information, which made information sharing difficult. Executive Order 13556 created the CUI program to standardize how the government handles sensitive but unclassified information. This program provides a single system for protecting CUI, clear guidelines for sharing data between agencies, consistent marking requirements, and proper protection without unnecessary restrictions.

The National Archives and Records Administration (NARA) manages the CUI program through its Information Security Oversight Office, providing guidance for all executive branch agencies. This standardization helps agencies properly handle CUI while allowing appropriate information sharing for legitimate government purposes.

CUI Basic vs. CUI Specified

The CUI program divides information into two main categories with different protection needs. CUI Basic needs standard protection without special handling instructions. This is the default level for all controlled unclassified information. Basic CUI follows the baseline controls set by NARA and must be protected according to NIST SP 800-171 requirements.

CUI Specified needs extra protection beyond the basics. The laws or regulations for this information require specific safeguards or sharing controls. For example, ITAR-controlled technical data has strict rules about foreign access and requires more protections beyond NIST SP 800-171. All CUI needs protection, but the CUI Specified label means you need to add more controls based on what the governing authority requires.

CUI Categories and the CUI Registry

The CUI Registry maintained by the National Archives lists all types of controlled unclassified information. This database has 125 CUI categories organized into 20 groups, covering areas like Defense, Privacy, Financial, Law Enforcement, Intelligence, and Critical Infrastructure.

For example, technical information for a defense contract might be labeled as “Controlled Technical Information” (CTI) under the Defense category. The CUI registry shows whether it’s Basic CUI or CUI Specified and lists the laws that govern its protection. If you’re not sure whether information counts as CUI, check the registry or ask your Contracting Officer. Information must be covered by a specific law, regulation, or government-wide policy to qualify as CUI.

CUI Categorization Process

To determine if your organization has controlled unclassified information, use this structured approach. Ask: Was the data created by the government and given to you for your contract? Will you use the data to fulfill your contract responsibilities? Can you find the data type in the NARA CUI registry categories?

When reviewing information, first check if it’s classified national security information or truly unclassified. Then, see if it falls under a law, regulation, or government-wide policy. If not, it’s not CUI. A common mistake is thinking all proprietary information is CUI. If you’re not working on a government contract and the information isn’t specifically tied to the government, it’s probably not CUI. For example, a company’s budget is only CUI Specified when it’s a federal agency budget.

CUI Marking Requirements

Good CUI marking ensures everyone handling the information understands its sensitivity. Clear markings prevent improper sharing and show how to handle the information correctly. At minimum, CUI documents need a banner at the top of each page showing “CUI” (replacing older markings like FOUO). For emails with CUI, adding an indicator in the subject line is recommended. Documents should also show which agency is responsible for the information, and CUI Specified information may need additional marking instructions.

The CUI marking handbook offers detailed guidance on how to mark different materials containing controlled unclassified information. These markings act as visual alerts that tell users they’re dealing with sensitive information that needs protection. Without proper marking, CUI might be treated like regular information, potentially causing security problems that could affect national security.

Applying CUI Markings

The person who holds the information when it’s created is responsible for applying CUI markings and figuring out the right CUI category, markings, and sharing controls. The Federal agency you have a contract with is responsible for marking or identifying any CUI shared with non-Federal organizations.

The CUI must be marked according to the National CUI Registry, and the agency labeling the CUI must let recipients know they’re receiving sensitive information. If you receive information from the government that isn’t labeled as CUI but you think it might be, check with your Prime contractor or Contracting Officer. Using consistent CUI markings is important for maintaining proper protection throughout the information’s lifecycle.
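The minimum markings described in the two sections above (a "CUI" banner on every page in place of legacy markings such as FOUO, a line naming the responsible agency, and a subject-line indicator for email) can be checked mechanically before a document leaves the organization. The following is an added example, not code from the original article or from Relevant Compliance; the banner form `CUI//<marking>` for CUI Specified and the `Controlled by:` line are simplified assumptions standing in for the full marking handbook rules, and the sample pages are constructed.

```python
import re

# Constructed rules for this example (assumptions, not the CUI marking handbook):
#   - every page begins with a banner line reading "CUI", optionally followed by
#     "//<additional markings>" for CUI Specified (e.g. "CUI//SP-CTI")
#   - legacy "FOUO" markings must have been replaced by the CUI banner
#   - somewhere in the document a "Controlled by:" line names the responsible agency
#   - an email subject carries a "CUI" indicator
BANNER_RE = re.compile(r"^CUI(//\S+)?$")
LEGACY_RE = re.compile(r"\b(FOUO|FOR OFFICIAL USE ONLY)\b", re.IGNORECASE)
CONTROLLED_BY_RE = re.compile(r"^Controlled by:\s*\S", re.MULTILINE)
SUBJECT_INDICATOR_RE = re.compile(r"\bCUI\b")


def first_nonblank_line(text):
    """Return the first non-empty line of a page, stripped of whitespace."""
    for line in text.splitlines():
        if line.strip():
            return line.strip()
    return ""


def check_pages(pages):
    """Return a list of marking findings for a document given as a list of page texts.

    An empty list means the minimum markings are present on every page and the
    responsible agency is named somewhere in the document.
    """
    findings = []
    for number, page in enumerate(pages, start=1):
        banner = first_nonblank_line(page)
        if not BANNER_RE.match(banner):
            findings.append(f"page {number}: missing CUI banner, first line is {banner!r}")
        for legacy in LEGACY_RE.findall(page):
            findings.append(f"page {number}: legacy marking {legacy!r} should be replaced by CUI")
    if not CONTROLLED_BY_RE.search("\n".join(pages)):
        findings.append("document: no 'Controlled by:' line naming the responsible agency")
    return findings


def check_email_subject(subject):
    """True when the subject line carries the recommended CUI indicator."""
    return bool(SUBJECT_INDICATOR_RE.search(subject))


# Constructed sample documents (placeholders, not real CUI).
GOOD_DOC = [
    "CUI//SP-CTI\nControlled by: Example Agency (placeholder)\nDrawing notes for part 17.",
    "CUI\nPage two of the drawing notes.",
]
BAD_DOC = [
    "FOUO\nOld-style header that was never updated.",
    "Page two without any banner at all.",
]

if __name__ == "__main__":
    for name, doc in (("good", GOOD_DOC), ("bad", BAD_DOC)):
        print(name, check_pages(doc) or "no findings")
    print("subject ok:", check_email_subject("CUI: drawing package for part 17"))
```

Run this before a document or email is released; a non-empty findings list is the signal to stop and fix markings rather than send. Extending `LEGACY_RE` with any other pre-2010 markings still found in an organization's templates is the first customization most teams need.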

Controlled Technical Information

Controlled Technical Information (CTI) is an important type of CUI in the aerospace and defense industry. CTI includes technical data or computer software that has rules about who can access, use, copy, modify, display, release, or share it. Technical information means technical data or computer software as defined in the DFARS clause 252.227-7013.

This definition doesn’t include regular commercial products you can buy in stores. CTI contains critical technological data that could give military or economic advantages to competitors if they got it, making its protection especially important for national security. Organizations handling controlled technical information need to use proper safeguards to prevent unauthorized disclosure.

Who is Responsible for Protecting CUI?

If your contract has a DFARS 252.204-7012 clause, it means you’re handling CUI and you’re responsible for protecting it. This responsibility stays with your organization even when you use outside companies for IT support or cloud storage. You need to make sure any service provider you use has the right safeguards that meet DFARS 7012 requirements.

Several groups share responsibility within the CUI program. Federal agencies need to identify, mark, and ensure proper protection of controlled unclassified information. Contractors and subcontractors working with the Department of Defense must follow the security controls outlined in NIST SP 800-171. Everyone who handles CUI must follow the rules and only share information with authorized people who have a legitimate need for it.

While protecting CUI involves many stakeholders, the main responsibility for protecting CUI belongs to organizations with federal government contracts. Contract holders must implement security measures throughout their operations and make sure their subcontractors who handle controlled unclassified information do the same. This creates a chain of responsibility that keeps information secure throughout the supply network.

Basic CUI Protection Requirements

All controlled unclassified information needs protection according to defined standards. Both Basic CUI and CUI Specified information must be protected using the 110 security controls in NIST SP 800-171. When using encryption to protect CUI, organizations must use FIPS 140-2 validated encryption tools, keep good records of security measures, and train their staff properly.

Protecting CUI helps maintain defense systems’ security and reliability. Unauthorized disclosure can harm national security, lead to stolen intellectual property, or enable espionage. Organizations need to create policies and procedures covering the complete CUI lifecycle, from when you first receive or create it through its secure destruction.

Covered Defense Information and DFARS Requirements

Covered Defense Information (CDI) includes CUI referenced in defense contracts. The DFARS 7012 clause—Safeguarding Covered Defense Information and Cyber Incident Reporting—sets security requirements for contractors. This clause doesn’t apply to suppliers of regular commercial items available to the public.

Defense contractors must provide adequate security to protect unclassified covered defense information, implement 110 security controls from NIST SP 800-171, use FIPS 140-2 validated encryption tools when needed, quickly report cyber incidents to the Department of Defense Cyber Crime Center, and meet Federal Risk and Authorization Management Program (FedRAMP) standards. These requirements must be passed down to all subcontractors handling CDI to maintain security throughout the supply chain.


CUI Compliance Requirements

To comply with CUI regulations, government contractors and organizations working with federal agencies need to develop comprehensive security plans. These plans must address 14 control areas:

  1. Access control
  2. Awareness and training
  3. Audit and accountability
  4. Configuration management
  5. Identification and authentication
  6. Incident response
  7. Maintenance
  8. Media protection
  9. Physical protection
  10. Personnel security
  11. Risk assessment
  12. Security assessment
  13. System and communications protection
  14. System integrity

Everyone who handles CUI needs proper training on how to manage and protect this information. This training should cover insider threats, role-specific responsibilities, protection methods, and compliance awareness. Make sure to document all training activities and keep these records for compliance verification.

Remember, CUI compliance isn’t optional if you’re a government contractor. If you don’t implement proper security measures, you’re more vulnerable to cyber threats and could be in breach of your contract. This might lead to corrective actions from the DoD or even contract termination. Good CUI compliance not only helps national security but also ensures you can continue to share information appropriately.

Access Control for CUI

Controlling who can access CUI is a key part of protecting controlled unclassified information. Organizations must establish clear rules governing who can access CUI. Good implementation requires both physical and digital control methods to prevent unauthorized disclosure.

Physical access controls include:

  1. Surveillance systems
  2. Access management technology such as key cards or biometric verification
  3. Intrusion detection systems
  4. Secure storage in locked cabinets or facilities

Digital access controls include:

  1. User authentication systems
  2. Role-based access management
  3. Least privilege implementation
  4. Thorough access monitoring and logging

Access to CUI must be limited to individuals with a lawful government purpose who need the information for official responsibilities. Organizations should implement Non-Disclosure Agreements for personnel with CUI access and conduct regular access reviews to verify that only authorized individuals maintain system access. These access control measures help maintain information integrity and protect sensitive information from compromise.
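The digital controls listed above (authentication, role-based access, least privilege, and logging) together with the NDA requirement and periodic access reviews can be expressed as one authorization decision plus one review query. The following is an added example, not code from the original article or from Relevant Compliance; the roles, accounts, project assignments and the 60-day review threshold are constructed assumptions, and "lawful government purpose" is modelled simply as assignment to the resource's project.

```python
from datetime import date

# Constructed sample policy and accounts (assumptions for this example, not any
# organization's real configuration). Roles map to data permissions; an account
# may hold several roles.
ROLE_PERMISSIONS = {
    "cti-engineer": {"read", "write"},   # works with Controlled Technical Information
    "program-manager": {"read"},
    "it-support": set(),                 # administers systems, holds no CUI data right
}

ACCOUNTS = {
    "alice": {"roles": {"cti-engineer"}, "nda_signed": True,
              "projects": {"proj-a"}, "last_cui_access": date(2024, 6, 1)},
    "bob":   {"roles": {"program-manager"}, "nda_signed": True,
              "projects": {"proj-b"}, "last_cui_access": date(2024, 1, 15)},
    "carol": {"roles": {"cti-engineer"}, "nda_signed": False,
              "projects": {"proj-a"}, "last_cui_access": None},
    "dave":  {"roles": {"it-support"}, "nda_signed": True,
              "projects": {"proj-a"}, "last_cui_access": None},
}

AUDIT_LOG = []   # every decision, allowed or denied, is appended here


def authorize(user, action, resource, today=None):
    """Return (allowed, reason) for `user` performing `action` on `resource`.

    The checks run in the order of the controls above: a known (authenticated)
    account, an NDA on file for CUI, a role that grants the action, and a
    need-to-know (membership in the resource's project). Every decision is
    logged so access monitoring has a complete record.
    """
    today = today or date.today()
    account = ACCOUNTS.get(user)
    if account is None:
        decision = (False, "unknown account")
    elif resource.get("cui") and not account["nda_signed"]:
        decision = (False, "no NDA on file for CUI access")
    elif not any(action in ROLE_PERMISSIONS.get(r, set()) for r in account["roles"]):
        decision = (False, f"role does not permit {action!r}")
    elif resource.get("cui") and resource["project"] not in account["projects"]:
        decision = (False, "no need-to-know for this project")
    else:
        decision = (True, "allowed")
    AUDIT_LOG.append({"date": today.isoformat(), "user": user, "action": action,
                      "resource": resource["id"], "allowed": decision[0],
                      "reason": decision[1]})
    return decision


def access_review(today, max_idle_days=60):
    """List accounts whose roles grant CUI data rights but that have not used
    them within `max_idle_days` (60 is an assumed review threshold), so each
    grant can be re-justified or removed under least privilege."""
    stale = []
    for user, account in ACCOUNTS.items():
        grants_cui = any(ROLE_PERMISSIONS.get(r) for r in account["roles"])
        if not grants_cui:
            continue
        last = account["last_cui_access"]
        if last is None or (today - last).days > max_idle_days:
            stale.append(user)
    return sorted(stale)


# Constructed sample resources.
DRAWING = {"id": "drawing-17", "cui": True, "project": "proj-a"}
PUBLIC_NOTE = {"id": "readme", "cui": False, "project": "proj-b"}

if __name__ == "__main__":
    review_date = date(2024, 6, 30)
    for user in ("alice", "bob", "carol", "dave"):
        print(user, authorize(user, "read", DRAWING, review_date))
    print("stale CUI grants:", access_review(review_date))
    for entry in AUDIT_LOG:
        print(entry)
```

Two points are worth noticing in the decision logic. Denials are logged with the same detail as approvals, which is what makes later access monitoring useful. And the need-to-know check is separate from the role check: holding a role that can read CTI does not by itself justify reading every project's CTI, which is the least-privilege principle the section describes.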

Aerospace and Defense Industry Considerations

The aerospace and defense industry faces unique challenges in protecting CUI due to complex global supply chains and international operations. Defense manufacturing typically involves multiple tiers of contractors worldwide, creating significant cybersecurity vulnerabilities that must be systematically addressed.

Organizations in the aerospace and defense industry must navigate both domestic regulations (DFARS, NIST) and international requirements when operating globally. International Traffic in Arms Regulations (ITAR) and Export Administration Regulations (EAR) create additional compliance obligations for organizations handling defense-related controlled unclassified information. The sophisticated systems and networks typical in aerospace environments require advanced protection mechanisms beyond basic compliance requirements.

The protection of CUI remains fundamental to maintaining security within the aerospace and defense industry. Sensitive data exchanged throughout supply chains creates potential exposure to cyber attacks and intellectual property theft that could compromise national security and damage organizational reputation and financial stability.

Best Practices for CUI Compliance: A Step-by-Step Guide

Step 1: Identify CUI in Your Environment

  1. Review all contracts for DFARS 252.204-7012 clauses
  2. Examine all data received from government agencies
  3. Map data flows to understand where CUI exists in your systems
  4. Document all identified CUI by category using the NARA Registry
  5. Create an inventory of systems processing, storing, or transmitting CUI

Step 2: Implement Security Controls

  1. Conduct a gap assessment against NIST SP 800-171 requirements
  2. Develop a System Security Plan (SSP) documenting your approach
  3. Create a Plan of Action & Milestones (POA&M) for addressing gaps
  4. Implement access controls limiting CUI access to authorized personnel
  5. Deploy FIPS 140-2 validated encryption for CUI at rest and in transit
  6. Segment networks to isolate CUI from less secure environments
  7. Establish multi-factor authentication for systems containing CUI

Step 3: Train Your Personnel

  1. Develop role-based training programs for all staff handling CUI
  2. Conduct specialized training for IT personnel on security controls
  3. Train managers on oversight responsibilities and compliance verification
  4. Establish regular refresher training scheduled at least annually
  5. Document all training activities for compliance evidence

Step 4: Establish Marking Procedures

  1. Create standardized templates with proper CUI markings
  2. Implement processes to verify marking accuracy before sharing
  3. Train personnel on specific marking requirements for different CUI types
  4. Develop procedures for handling unmarked information that may be CUI
  5. Implement periodic audits of document markings

Step 5: Develop Incident Response Capabilities

  1. Create a cyber incident response plan specific to CUI breaches
  2. Establish communication protocols with the DoD Cyber Crime Center
  3. Conduct regular tabletop exercises to test response procedures
  4. Implement capabilities to preserve forensic evidence for 90 days
  5. Document incident response testing and actual incidents thoroughly

Relevant Compliance offers specialized services to help organizations navigate these complex requirements efficiently. Their comprehensive assessment services identify gaps in current practices and provide actionable recommendations tailored to your specific environment.

Conclusion

Protecting CUI takes teamwork across federal agencies, contractors, subcontractors, and individual staff. If you’re a defense contractor, remember that the ultimate responsibility for protecting CUI stays with your organization, even when you work with outside service providers. This means you need to implement good safeguards, train your employees, and make sure everyone understands what they need to do.

The penalties for failing to protect CUI properly can be serious – you could face civil and criminal penalties, lose contracts, damage your reputation, face increased oversight, and potentially compromise national security. By understanding your responsibilities and putting proper safeguards in place, you protect both sensitive government information and your ability to keep valuable government contracts.

Relevant Compliance helps organizations navigate the complex world of CUI protection. Their assessment services find gaps in your current practices and provide practical recommendations to achieve compliance while minimizing disruption to your operations. With their expert guidance, you can build effective CUI protection measures that satisfy regulatory requirements while supporting your business objectives.

FAQs

Who is responsible for protecting CUI?

Contract holders with DFARS 252.204-7012 clauses are responsible for protecting CUI throughout their supply chains, including ensuring subcontractors implement proper security measures.

What is CUI Basic compared to other types of controlled information?

CUI Basic is the default protection level for controlled unclassified information requiring standard safeguarding measures following NIST SP 800-171 requirements, without special handling instructions.

How is controlled unclassified information (CUI) different from classified information?

Controlled unclassified information requires protection but doesn’t need the strict security clearances and handling procedures of classified information, though improper disclosure can still harm national security.

What does DOD mandatory CUI training cover?

DOD mandatory CUI training covers identifying, marking, handling, safeguarding, decontrolling, and destroying CUI, fulfilling training requirements for both military personnel and industry partners working with CUI.

What are dissemination controls for unclassified controlled technical information?

Dissemination controls for unclassified controlled technical information are specific restrictions that limit who can access the information, often requiring verification of lawful government purpose before sharing.

How should organizations handle cyber incidents involving CUI?

Organizations must report cyber incidents involving CUI to the Department of Defense Cyber Crime Center within 72 hours, preserve forensic evidence for 90 days, and participate in damage assessments when requested.

Relevant Compliance
