CMMC - What is controlled unclassified information (CUI)?

Official definition: “Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.”

CUI encompases a broad range of information. This includes controlled technical information, budgetary information, health related information, and information on patents. An exhaustive list of CUI categories is available at archives.org.

CUI standards for controlled UNCLASSIFIED information. Key word, unclassified. Some security professionals I have interacted with like to treat it as if it is classified. This is completely incorrect and will cause companies to spend more resources than required. CUI does not require the same security controls and procedures required by classified information. This is precisely why the DoD created the NIST SP 800-171 framework and has the current CMMC framework. You do not need a federal security clearance to access CUI. All you need to do is protect CUI in accordance with your contract requirements.

Companies that are in possession of controlled unclassified information (CUI) are responsible for protecting it. This includes limiting access to CUI to authorized persons, properly marking CUI, and properly destroying CUI.

Companies handling CUI will likely have a CMMC requirement of level 3 or higher. They will need to implement security controls to protect their CUI. The implementation of those controls will be assessed by a third party auditor. If the company correctly implemented the controls to protect CUI they will receive their CMMC certification for the level they were targeting.