Controlled Unclassified Information (CUI) is data that is created or possessed by or on behalf of the federal government which is not classified, but is either required or allowed to be protected by law, regulation or policy.
The US government’s Archives and Records Administration (NARA) has released details of its regulation for the protection of controlled unclassified information (CUI) and is designed to safeguard government data that has not been assigned as confidential or secret, but which should not necessarily be made public, as it is shared between different government and commercial entities.
At the heart of the framework is a requirement for all CUI to be labelled with appropriate visual markings that indicate to downstream parties how it should be treated.
Organizations can position themselves for compliance by taking steps to master the principles of data classification, and implement the tools and training that will enable them to accurately and consistently enforce a labelling policy. By doing this they will be ready to show to federal government they have the capabilities in place to recognize and handle any type of marking, and also produce them where necessary.
It will normally be down to the originating agency or department to mark CUI, but partners and contractors need to understand how data classification works to treat it appropriately and operate in line with the policy set by the relevant federal organization.
Organizations that do not take steps to comply with the rule risk losing existing contracts or missing out on being disqualified from a future opportunitiesy. Failing to adequately protect CUI also has its implications – a data leak that exposes a client or breached regulation could lead to a damaged reputation and brand, and the possible loss of business.
By choosing to adopt the framework, organizations will demonstrate the ability to protect federal government information, enhancing their ability to respond to new opportunities to work with the US government.