How Protecting CUI Leads to a More Resilient Defense Industrial Base

Thomas Graham, the VP and CISO at Redspin, explains how protecting CUI will lead to a more resilient defense industrial base. This article originally appeared in Insight Jam, an enterprise IT community that enables human conversation on AI.

To fully appreciate the importance of Controlled Unclassified Information (CUI), it’s essential to understand its origins and significance. Unlike classified information, CUI is a designation of unclassified information used across all federal agencies, not just the Department of Defense (DoD). The objective was to create a standardized system to protect sensitive but unclassified information, ensuring it is handled with the appropriate level of security.

With a foundational understanding of CUI’s purpose, it’s essential to explore the types of information classified under this designation. CUI is a broad category that includes a wide variety of information types. As identified by the Environmental Protection Agency (EPA), these can include:

  • Personally Identifiable Information (PII): Examples include full names, Social Security numbers, and credit card numbers
  • Sensitive Personally Identifiable Information (SPII): This includes more sensitive details such as bank information, health records, and citizenship or immigration status
  • Proprietary Business Information (PBI), currently known within the EPA as Confidential Business Information (CBI): Examples of this include financial data, trade secrets, product research and development, and product designs
  • Unclassified Controlled Technical Information (UCTI): This category covers information such as operational plans, developing technologies, mission-essential equipment, and surveillance methods
  • Sensitive but Unclassified (SBU):
  • For Official Use Only (FOUO): This is a document designation, not a classification, used to indicate information or material that, while unclassified, may not be suitable for public release
  • Law Enforcement Sensitive (LES): This includes information about investigative techniques, operational procedures, and details of ongoing investigations

Given the broad scope of CUI, protecting this information becomes a priority, especially as mishandling it can have far-reaching consequences. Managing CUI within contracts can be particularly challenging due to its diverse nature. A complete list of CUI types is available in the National Archives and Records Administration (NARA) CUI registry. When an organization has a DoD contract or a flow-down requirement from a Prime Contractor, the specifics of handling CUI are identified in DoDI 5200.48. Typically, if a contract includes a DFARS 7012 clause or references NIST SP 800-171, CUI handling requirements apply.

Ensuring CUI is protected isn’t merely about adding layers of complexity—it’s a vital measure to protect sensitive information integral to national security. Although CUI is unclassified, it encompasses data that, if mishandled, could expose critical assets or operations to adversaries. In today’s landscape, where sophisticated nation-state actors and cyber threats constantly evolve, these protections act as essential safeguards. CUI cybersecurity prevents unauthorized entities from exploiting vulnerabilities, helping to secure our defense infrastructure and the broader federal ecosystem against potential threats.

To underscore the risks of mishandling CUI, real-world breaches reveal the impact that lapses in security can have on national security and financial stability. If CUI is mishandled, then this is a breach of information that could seriously affect operations, assets, or individuals from the federal government or those organizations that support the government.

Specifically, mishandling this type of information can directly impact national security. For example, in 2015, due to a breach, China was able to develop a version of the U.S. F-35 fighter before the U.S. The financial and tactical losses from the breach were significant. Another example is the 2015 OPM breach, which exposed the personnel files of over four million government employees and the security investigation background information of over 20 million. The notification cost alone exceeded $350 million.

Knowing that these breaches are possible and that their effects can be devastating, how can organizations working with the DoD/government ensure they take the proper steps to protect CUI? The short answer is to implement NIST SP 800-171r2 requirements. Start with an honest self-assessment of your scoped environment and objective implementation.

After addressing internal issues, engage a Registered Provider Organization (RPO) or Certified Third-Party Assessor Organization (C3PAO) for a true Gap Assessment to see if your implementation meets CMMC assessment scrutiny. A third-party assessment ensures that the organization’s policies and procedures, training, enforcement mechanisms, and monitoring are adequately in place.

Understanding the type(s) of CUI in your environment is crucial. Basic CUI has different requirements than CUI Specified, such as “NOFORN” CUI, which restricts dissemination to non-U.S. persons or locations. Consult the NARA CUI Registry and implement NIST SP 800-171r2 to ensure you follow the proper CUI guidelines.

To identify and understand the information that needs to be protected, consult the CMMC Level 2 scoping guide. The CMMC Level 2 assessment guide is the most important document for an organization to use when validating its CUI protections. This document outlines objectives for each practice, providing granularity on meeting adequacy and sufficiency requirements.

While many contractors have already implemented these standards, CMMC is a program that validates compliance and ensures ongoing adherence to critical security measures. CMMC isn’t introducing new requirements; instead, it’s a validation that contractors adhere to standards they’ve been accountable to for years under DFARS and NIST 800-171.

Since 2017, contractors have followed these guidelines designed to secure CUI across the defense supply chain. While the full costs of CMMC compliance are still emerging and vary from organization to organization, the shift from self-attestation to third-party validation is already beneficial for many contractors. By addressing CMMC requirements early, organizations avoid potential disruptions and gain a competitive advantage as trusted partners prioritize cybersecurity within the defense industrial base. This proactive approach aligns them with national security standards, positions them favorably for future contracts, and primes them for long-term resilience in a market where compliance is rapidly becoming non-negotiable.

Organizations should use this CMMC L2 Assessment Guide Methodology for self-assessment as it is the “playbook” assessors will utilize. The guide’s Methods and Objects section suggests the specific evidence types assessors might request, using Examine, Interview, and Test modalities.

Ultimately, whoever is responsible for implementation should undergo Certified CMMC Professional (CCP) training to understand the CMMC Ecosystem, code of professional conduct, CMMC Assessment Process (CAP), scoping guide, and each of the 110 practices from an assessor and consultant perspective. They should also prioritize familiarizing themselves with the top 4 actionable steps that help to protect CUI, which include:

  1. Utilize available information: Know the different guides (The CMMC Assessment Process (CAP), Level 1, 2, and 3 scoping and assessment guides, etc.) and their contents.
  2. Be honest: Realistically assess your practices and report to leadership. It’s easier to address issues before failing an assessment.
  3. Recognize that CMMC is not the implementation requirement: DFARS 7012 is, and you’ve been accountable for it for years. Not realizing this can lead to False Claims Act allegations, regardless of your organization’s size and type.
  4. Identify CUI: Determine where CUI exists in your environment. Correctly identifying CUI helps define dissemination requirements and scope the boundary.
  5. Confine and protect CUI: Ensure that Controlled Unclassified Information (CUI) is confined within designated areas of your organization and that it is safeguarded according to established security protocols.

By thoroughly understanding and implementing the guidelines and requirements for protecting CUI, organizations can significantly enhance their security posture and ensure compliance with federal mandates. The importance of CUI protection cannot be overstated, as mishandling this information can lead to severe consequences, including national security threats and substantial financial losses. Ultimately, by embracing best practices and fostering a culture of security, organizations can meet compliance requirements and build trust with their federal partners and stakeholders, contributing to a more secure and resilient defense industrial base.
