CUI: The Complete Guide to Controlled Unclassified Information (2024)

Identifying and Categorizing CUI

When trying to determine if your organization has CUI, try asking yourself these questions:

  • C - Is the data originally Created by the government and provided to you in association with the contract?
  • U - Is the data going to be Used to deliver your contractual responsibilities to the government?
  • I - Can the data type be Identified within the sub-categories listed on the NARA CUI registry?

These three criteria should help you determine whether the data you're handling is CUI.

Here's something else that might help you identify whether or not you're handling CUI. This is a copy of what the DoD typically workshops in their public documentation. We changed the verbiage a little bit for simplicity's sake.

The first question is, are you dealing with classified or truly unclassified information?

Next up, does the information fall within a law, regulation or government-wide policy? If not, it's not CUI.

If you're not delivering on a contract, and the contract doesn’t call the data out as something unique to the government, then the proprietary data you have is probably not CUI.

If it does have a law, regulation or government-wide policy, you'll need to look up those categories in the National Archives or the DoD CUI Registry. We'll do that in the next step.

Before we do, though, let's take a quick look at a Microsoft tool you can use to help find CUI.

Identifying CUI with Microsoft 365

Microsoft Purview helps defense contractors identify Controlled Unclassified Information (CUI) in their IT systems to comply with CMMC 2.0 requirements.

The following blog discusses how Organizations Seeking Certification (OSC) can effectively identify CUI in their current IT environment using the Microsoft 365 platform:

Identifying CUI with Microsoft 365 For CMMC

How to Identify CUI Outside of Microsoft 365

As you work through the process of identifying CUI, one question that might come up is how to find CUI data outside of Microsoft 365.

Locating data containing CUI outside of your Microsoft 365 environment is a bit of a process. You'll need to map all your internal processes and data flows to identify potential areas where CUI might be residing outside of Microsoft 365.

We have a CMMC Level 2 solution with a specialized CUI scoping project dedicated to addressing precisely this challenge. Our team can provide the necessary expertise to guide you through the process of identifying and relocating the non-M365 data containing CUI securely.

If you're interested in learning more about our CMMC Level 2 solution and CUI scoping project, reach out to us here.

Walkthrough of CUI Categorization

For this example, we're going to use the National Archives CUI website. Visit the website, then click on Category list.

You’ll see a column called Organizational Index Groupings with the CUI categories underneath.

One of the examples we like to talk about when it comes to CUI is Controlled Technical Information, which is found next to the Defense section.

If you click Controlled Technical Information, you’ll see a category description. This one has a long category description, but it’s basically telling you what CTI is, where the reference documentation is located, that DFARS 7013 has the definition and other helpful information.

As you read through it, you might start to think that everything is CUI. But if you look all the way down at the very bottom of the Controlled Technical Information page, you’ll see a table with a heading titled Safeguarding and/or Dissemination Authority.

This is going to tell you which reference document to look at to determine if this applies to you. It’s also going to tell you if it's Basic or Specified CUI, as well as the banner marking that you're going to need if/when you mark it.

If you click the link under the Safeguarding and/or Dissemination Authority heading, a document will open that tells you things like which types of systems you need, how you need to configure them, and which type of cloud environment you need to use. It’s all wrapped up in this document.

For the sake of this example, do a search in the document for “Controlled Technical Information” and you’ll see the definition of what CTI is.

It even goes into things like distribution statements that you might see coming from the DoD.

But this poses another great question. You might think, “Okay, I get the word ‘controlled.’ Is there a better definition of what ‘technical information’ is?”

If you scroll over within that same clause, it actually tells you that “technical information” means technical data or computer software as those terms are defined in the referenced DFARS clause.

And if you look at what that clause is called, Rights in Technical Data for Non-Commercial Items, you can tell something just from that: this definition does not apply to consumer off-the-shelf items. If you can go to Walmart and pick it up, then this clause doesn’t apply.

But to dig a little deeper, you’ll next want to do a Google search for the clause that’s referenced in the document. In this case, it’s “DFARS 252.227–7013”. If you do a Google search for it, you’ll find a page on Acquisition.gov with the document on it.

As you're going through that page, you'll see that it covers definitions of computer database, computer program, and computer software.

This is what helps you refine and understand if the data you're handling is actually going to be CUI, or in this case Controlled Technical Information.

Read more: Identifying CUI with Microsoft 365 For CMMC

Common Mistakes with Identifying CUI

It's important to remember that not everything is CUI.

For example, some companies think their budget should be considered CUI. They might be concerned about different ERP systems and other kinds of technologies they have that hold budget information. And, to be safe, they think it wise to consider it CUI.

But if we look at the CUI categories on the DoD CUI Program site, go to Financial, then go to Budget and look at the actual summarization of the category, what we’ll find is that a budget is only CUI Specified when it's a budget for federal agencies. As long as you're not a federal agency, it's not CUI.

Another thing to consider is whether this CUI has a government-wide policy, law, or regulation in place that applies to contractors. Going back to our budget example, if you're not a federal agency reporting your budget to the Office of Management and Budget, then there's no reason to consider it CUI.

Marking CUI

This video from the US National Archives explains how organizations can properly mark CUI data. Summit 7 does not own the rights to this video.

Author: Edmund Hettinger DC