
ISOO CUI Registry vs. DOD CUI Registry: What’s the Difference?

By Payam Pourkhomami, President & CEO of OSIbeyond

Controlled unclassified information, or CUI, is of paramount importance to government contractors because their ability to achieve compliance with regulations often hinges on how it is handled, stored and protected.

However, many contractors struggle to navigate the complexities surrounding CUI, especially when it comes to the difference between the Information Security Oversight Office, or ISOO, CUI Registry and the Department of Defense CUI Registry.

What Is Controlled Unclassified Information?

CUI refers to sensitive information that does not meet the criteria for classification but still requires safeguarding or dissemination controls under law, regulation or government-wide policy. In other words, it occupies the middle ground between information cleared for public release and classified national security information (Confidential, Secret or Top Secret).

This category of information was established to standardize the way the executive branch handles sensitive information that doesn’t meet the criteria for classification under Executive Order 13526 or the Atomic Energy Act, but still requires protection from unauthorized disclosure.

The importance of properly handling CUI cannot be overstated, as any failure to do so can lead to serious consequences, including compromised national security, violations of individual privacy and loss of competitive advantage. That’s why the federal government created two registries to define, categorize and guide the protection of CUI.

The Information Security Oversight Office CUI Registry

Before the establishment of the CUI Program under EO 13556 in 2010, agencies used various markings like “for official use only,” a.k.a. FOUO, or “sensitive but unclassified,” or SBU, without any uniform standards. This patchwork of labels led to inconsistent protection and sharing practices, which created security risks and communication barriers.

ISOO, an entity within the National Archives and Records Administration, was tasked with implementing and overseeing the CUI Program established by Executive Order 13556. As part of this responsibility, ISOO created and maintains the CUI Registry.

The ISOO CUI Registry is the centerpiece of that responsibility. Its main purpose is to standardize the way executive branch agencies identify, mark and handle unclassified information that requires protection.

The registry is essentially a comprehensive reference guide that lists and defines all the approved categories of CUI across the federal government, along with the law, regulation or policy that authorizes each one and whether the category is CUI Basic or CUI Specified (Specified categories carry additional handling requirements set by their underlying authority). These categories range from personally identifiable information, or PII, and health records to financial data, proprietary business information, law enforcement data and defense-related information.

The registry also provides detailed guidance on how to properly mark CUI documents, including banner markings, portion markings and designation indicators, in the ISOO CUI Marking Handbook (Version 1.1).

However, contractors must also be aware that while the ISOO Registry sets the general framework for CUI management, specific agencies, such as the DOD, will impose additional requirements. This is where the distinction between the ISOO Registry and the DOD CUI Registry becomes significant.

The DOD CUI Registry

The DOD CUI Registry is the Pentagon’s tailored implementation of the ISOO CUI program. It is largely built upon and mirrors the ISOO CUI Registry — covering essentially the same CUI categories — but with additional information that aligns each category to DOD-specific authorities and needs.

In practice, the DOD CUI Registry contains all the relevant CUI categories (with one notable omission being the immigration category, which does not apply to DOD) and incorporates DOD policy references and examples for each one. This means the fundamental definition of each CUI category is the same as in the ISOO registry, but the DOD registry adds notes on how that category is handled within DOD (such as citing DOD directives or giving defense-related examples).

For anyone working under DOD contracts, the DOD CUI Registry is the authoritative source for CUI requirements. DOD personnel and contractors must follow DOD’s registry and marking rules when dealing with CUI on a DOD program. By contrast, those who are not contracting with DOD should follow the ISOO registry and the guidance of the specific agency they work with.

The DOD CUI Registry also supports the Department’s cybersecurity initiatives, particularly the Cybersecurity Maturity Model Certification program, a comprehensive framework designed to protect sensitive unclassified information that resides on the Department of Defense’s industry partners’ networks.

The CMMC program requires defense contractors to implement and maintain specific cybersecurity practices and processes based on the type of information they handle. The level of certification required depends on the sensitivity of the information involved, with CUI being a key factor in determining the necessary CMMC level.

How to Determine If You Are Handling CUI

Determining whether information you possess is CUI is an important step for compliance. However, not all unclassified information is CUI—it must fall into a defined category and be designated as such by the government. Below are steps and best practices to help you figure out if you are handling CUI:

  1. Check for CUI markings on the information: The most straightforward indicator is the presence of CUI markings on documents or files. If the government (or a prime contractor) provides you with a document that contains CUI, it is required to be marked clearly as “CUI.” For example, a cover page or header might say “CUI” and may include a category label and dissemination controls. In DOD documents, you will often see a “CUI” banner at the top and bottom of each page. DOD guidance places the responsibility for marking on the originating DOD component, so information received from a DOD source without any CUI markings is generally not to be treated as CUI. That said, if you have reason to believe unmarked information should have been marked, raise it with the contracting officer or the originator rather than relying on the absence of a label.
  2. Review your contract and related documentation: Your contract is a key source of information about CUI handling requirements because agencies are obligated to notify contractors in the contract when CUI is involved. In DOD contracts, look for DFARS 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting), which requires NIST SP 800-171 controls and incident reporting, and the related clauses 252.204-7019 and -7020 (NIST SP 800-171 DOD Assessment Requirements) and 252.204-7021 (Cybersecurity Maturity Model Certification Requirements). If your contract includes one or more of these clauses, it is a strong sign that you will handle CUI.
  3. Consult with your prime contractor (if applicable): If you are a subcontractor, or part of a supply chain under a prime contractor, then your prime contractor is responsible for flowing down CUI requirements and should know exactly what information is considered CUI in the project. Don’t hesitate to ask your prime whether the data you’re working with is CUI. In many cases, a prime or a higher-tier contractor will proactively inform subcontractors about CUI content or provide marking guidance to them.
  4. Ask the contracting officer or agency representative: When in doubt, go straight to the source. It is absolutely acceptable—and often encouraged—to ask your government contracting officer, or CO, for clarification about CUI in your contract. Getting a definitive answer will protect you from making wrong assumptions as it’s far better to get official clarification than to risk mishandling sensitive data due to uncertainty.

Remember to always verify CUI status early on so that you can implement the necessary security controls (such as those in NIST SP 800-171) and comply with all CUI handling rules.

We at OSIbeyond have extensive experience in this area and are happy to provide assistance. Our team of experts can help you conduct thorough assessments of your information systems and processes to identify CUI, develop and implement robust CUI handling procedures that align with the latest requirements, and even prepare your organization for CMMC certification.

Conclusion

Proper identification and handling of CUI is essential for national security and the protection of sensitive information. While the ISOO CUI Registry provides a comprehensive framework for handling CUI across all executive branch agencies, the DOD CUI Registry offers specific guidance tailored to the defense sector’s unique requirements. With the help of these resources, contractors can better meet their compliance requirements and ultimately contribute to a more secure and efficient GovCon ecosystem.

For more information on CMMC compliance and how OSIbeyond can support your organization, contact us today or download the DOD Contractor’s Guide to CMMC Compliance to get started.
