Getting Started with Controlled Unclassified Information (CUI) – Part 1 of a 3 Part Series

CUI appears to be the new buzzword for the end of 2017, especially for companies who are struggling with compliance to the Defense Federal Acquisition Regulations (DFARs) requirements and NIST SP800-171.  All is not lost, nor is it difficult to get started at this late date.  Over the next month, I will discuss CUI a little more in-depth and cover three major topics in a multi-part series starting with “Getting started with CUI”.

Getting started with Executive Order 13556 – Controlled Unclassified Information, is easier than you might think.  Although, not every company needs to concern themselves with the CUI today, for those that do business under the Defense Federal Acquisition Regulation Supplement (DFARs) there is a deadline looming of December 31, 2017 to be compliant.  If your organization started or has a program in place, great!  Most organizations have not, and some are just unsure of how to start.

To support the identification and protection of business information, as well as to adhere to contractual requirements of in-progress and future Federal Government contracts.  DFARs stipulates that Federal Contractors must be in compliance with the National Institute for Standards and Technology, or NIST, Special Publication 800-171 – Protecting Controlled Unclassified Information in Non-Federal Systems and Organizations – by the end of December this year.  Contractors will be required to provide notice of NIST SP 800-171 compliance to agency and department contracting officers sometime in 2018.  This compliance requirement impacts your vendors and supply chain as well in the form of contract flow downs.

Executive Order 13556 set in motion the effort to standardize unclassified, but sensitive information across all agencies and contractors.  The Executive Order assigns responsibility for implementing this standard to the National Records and Archiving Administration, NARA.  Government agencies have until the end of 2018 to implement these changes.

In the immortal paraphrased words of Franklin Covey, “you need to begin with the end in mind.”  For CUI or any data classification program, determining the various types of information you have in the organization and where it goes is the real starting point.  Many organizations have a hard time understanding all the nuances of information flow in and out of the company and which users are creating, touching or moving this information.  To make things little more complicated, users need to clearly understand the company’s definition of information, both internal and external, and how they, the user, should handle that information on behalf of the company.  Organizations typically have a data classification or information classification and handling policy.  This policy should be part of a larger governance program within the organization and should be one of the top five policies to start your governance program.

The data classification policy defines the types of information used by the organization.  These types are then broken into classification categories so information security controls can be applied.  For example, an organization may have information of no strategic value, such as a public facing website or publicly available information; information with some strategic importance, such as internal documents and emails which the organization would not want released publicly, such as internal memos or contractual information; or information with a defined strategic value, such as proprietary information, trade secrets, or other confidential information all of which would need greater security controls to ensure it is protected.

The policy should discuss the appropriate handling measures for each data type and classification category.  You will notice the controls become more restrictive as the strategic value for the data categories increase.  By title definition, controlled unclassified information, should be controlled and as such falls into the highest category for protected information.  Several organizations we work with are using restricted or highly restricted as the highest data classification in place of confidential due to the uniqueness of confidential within the federal government and Department of Defense.  This is to avoid confusion when transmitted or receiving CUI information.

To get started with CUI, a company must first realize they handle sensitive information as part of a federal contract or as a vendor or supplier of a federal contractor.  Next, the organization must put some structure around the information they create, obtain, or receive as a part of their normal business.  Last, the company must get the word out to the users, so they can understand the changes surrounding controlled unclassified information, what the company defines for handling this information, and finally, how to recognize this information within the organization.

In part II of this series, we will discuss how organizations manage CUI information through the use of metadata and visual markings, which enhance the capabilities of your security infrastructure.

For more information on CUI, please visit

More on Controlled Unclassified Information from Sienna Group

Wayne Selk, CISSP