Is controlled unclassified information considered classified information?

There are more than 350,000 contractors currently doing business with the Department of Defense (DoD). They range in size from very large firms, like Raytheon, the missile manufacturer, which employs tens of thousands of employees, to a small, family-owned company with a dozen employees making uniform insignia.

Regardless of size and revenue, there is something a large segment of these firms all have in common: the management of Controlled Unclassified Information (CUI) — a basic fact of business life when handling contracts and doing business with the Department of Defense.

This requirement is an important part of the Cybersecurity Maturity Model Certification (CMMC) program, which introduces new cybersecurity requirements for firms that are part of the vast Defense Industrial Base (DIB).

In order to continue doing business with the DoD, all contractors need to be certified by a CMMC Third-Party Assessment Organization (C3PAO) by the end of 2025. The introduction of the CUI CMMC program and the new CUI requirements signal a new era of strict information security practices for companies working with the DoD.

CUI is defined as information the government owns or creates, or that a firm or organization possesses or creates for the government, which needs to be safeguarded and shared using the information security controls required under current government laws, regulations and policies.

In November 2010, the administration issued Executive Order 13556, which specified categories of nonclassified information to be safeguarded given vulnerability and risk.¹ This was the legal basis that established the framework and procedures for control and protection of CUI within the government and throughout the DIB.

The categories include agriculture, copyright, critical infrastructure, emergency management, export control, financial, foreign government, geodetic product information, immigration, information systems, intelligence, law enforcement, legal, NATO, nuclear, patent, privacy, proprietary, the Safety Act, statistical, tax and transportation.

The term “Controlled Unclassified Information” was designed by the DoD as a safeguarding system for unclassified information. It is described not as a classification but as a category, with a preferred description of “controlled as CUI,” as opposed to “classified as CUI.”

Naturally, classified information tends to get a lot more attention than its lesser-known cousin, Controlled Unclassified Information. Given how often classified information is mentioned in movies and books on espionage and throughout popular culture, that’s probably not surprising.

Classified information covers three sensitive classifications — confidential, secret and top secret — across categories that include military plans, weapons systems, information on foreign governments, intelligence-gathering activities and valuable scientific, technical and economic information.

The government has mandated that CUI also be protected and shared only under strict guidelines in order to prevent potentially harmful releases. The DoD has made a serious effort in recent years to communicate the importance of safeguarding CUI by publishing standards to help contractors maintain information security best practices.

The Department of Defense has done this as part of an ongoing initiative to communicate to its network of suppliers what is required to meet information security standards, and also in response to the sharp increase in data breaches and cybersecurity attacks in the last 10 years.

1 Designation and Sharing of Controlled Unclassified Information (CUI). White House Memorandum. (2008, May 7). National Archives. www.archives.gov/files/cui/documents/2008-WH-memo-on-designation-and-sharing-of-cui.pdf

2 Singel, R. (2009, October 1). Probe Targets Archives’ Handling of Data on 70 Million Vets. Wired. www.wired.com/2009/10/probe-targets-archives-handling-of-data-on-70-million-vets/

3 Executive Order 13556 -- Controlled Unclassified Information. (2011, December 12). Whitehouse.Gov. obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information

4 Vogel, S. (2011, November 24). Tricare military beneficiaries being informed of stolen personal data. Washington Post. www.washingtonpost.com/politics/tricare-military-beneficiaries-being-informed-of-stolen-personal-data/2011/11/23/gIQAcRNHtN_story.html

5 Fruhlinger, J. (2020, February 12). The OPM hack explained: Bad security practices meet China’s Captain America. CSO Online. www.csoonline.com/article/3318238/the-opm-hack-explained-bad-security-practices-meet-chinas-captain-america.html

6 Executive Order -- Improving Critical Infrastructure Cybersecurity. (2013, February 12). Whitehouse.Gov. obamawhitehouse.archives.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurity

7 Fruhlinger, J. (2020, February 12). The OPM hack explained: Bad security practices meet China’s Captain America. CSO Online. www.csoonline.com/article/3318238/the-opm-hack-explained-bad-security-practices-meet-chinas-captain-america.html

8 Cybersecurity Incidents. (2015). U.S. Office of Personnel Management. www.opm.gov/cybersecurity/cybersecurity-incidents/

9 Committee on Oversight and Government Reform. (2016, September). The OPM Data Breach: How the Government Jeopardized Our National Security for More than a Generation. House Oversight and Government Reform. republicans-oversight.house.gov/report/opm-data-breach-government-jeopardized-national-security-generation

10 Chappell, B. (2015, July 10). OPM Director Archuleta Resigns In Wake Of Data Breaches. NPR. www.npr.org/sections/thetwo-way/2015/07/10/421783403/opm-director-archuleta-resigns-in-wake-of-data-breaches

11 NIST Releases Cybersecurity Framework Version 1.0. (2018, January 8). NIST. www.nist.gov/news-events/news/2014/02/nist-releases-cybersecurity-framework-version-10

12 Chappell, B. (2018, September 27). Uber Pays $148 Million Over Yearlong Cover-Up Of Data Breach. NPR. www.npr.org/2018/09/27/652119109/uber-pays-148-million-over-year-long-cover-up-of-data-breach

13 Nakashima, E., & Harris, S. (2018, July 13). How the Russians hacked the DNC and passed its emails to WikiLeaks. Washington Post. www.washingtonpost.com/world/national-security/how-the-russians-hacked-the-dnc-and-passed-its-emails-to-wikileaks/2018/07/13/af19a828-86c3-11e8-8553-a3ce89036c78_story.html

14 Newman, L. H. (2017, September 14). The Equifax Breach Was Entirely Preventable. Wired. www.wired.com/story/equifax-breach-no-excuse/

15 Barrett, B. (2020, March 31). Marriott Got Hacked. Yes, Again. Wired. www.wired.com/story/marriott-hacked-yes-again-2020/

16 Harwell, D., & Fowler, G. A. (2019, June 11). U.S. Customs and Border Protection says photos of travelers were taken in a data breach. Washington Post. www.washingtonpost.com/technology/2019/06/10/us-customs-border-protection-says-photos-travelers-into-out-country-were-recently-taken-data-breach/

17 Barrett, B. (2020b, December 19). Russia’s SolarWinds Hack Is a Historic Mess. Wired. www.wired.com/story/russia-solarwinds-hack-roundup/

18 Turton, W., & Mehrotra, K. (2021, June 4). Hackers Breached Colonial Pipeline Using Compromised Password. Bloomberg. www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password

19 Lewis, J. A. (2018, February 21). Economic Impact of Cybercrime. Center for Strategic and International Studies. www.csis.org/analysis/economic-impact-cybercrime

20 National Archives Issues Regulation on Controlled Unclassified. (2016, November 1). National Archives. www.archives.gov/press/press-releases/2016/nr16-90

What is the difference between controlled unclassified information and classified information?

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and Government-wide policies, but is not classified under Executive Order 13526 “Classified National Security Information” or the Atomic Energy Act, as amended.

Is unclassified still a classification?

Unclassified is a security classification assigned to official information that does not warrant the assignment of Confidential, Secret, or Top Secret markings but which is not publicly releasable without authorization.

Which category describes how controlled unclassified information should be classified?

CUI will be classified at a “moderate” confidentiality level and follow DoDI 8500.01 and 8510.01 in all DoD systems.

What if classified information or controlled unclassified information is in the public domain?

Even though classified information or CUI appears in the public domain, such as in a newspaper or on the Internet, it is still classified or designated as CUI until an official declassification decision is made, or in the case of CUI, it is no longer designated as such.