Controlled unclassified information (CUI) under CMMC is information the government determines necessitates safeguarding or dissemination controls. It does not have the legal protection of classified information, but instead is subject to regulations and requirements for safeguarding, control, and use. It includes information not specified as intelligence, law enforcement, or national security related and is typically labeled in the form of tags, markings, or legends. CUI is one of two primary information types that the CMMC exists to protect. The other is federal contract information (FCI).


What Is CMMC?

CMMC stands for the Cybersecurity Maturity Model Certification. Initially a five-level certification program initiated by the Department of Defense (DoD) to ensure the security of DoD’s supply chain and data, the framework was remodeled in 2021 to consolidate the levels into three and designated CMMC 2.0. The certification measures and validates implementation of security practices ranging from basic cybersecurity hygiene to advanced threat management. It also includes measures such as assessing organizational performance and capabilities.

CUI must be protected by statute or national policy. It includes government and business data that is sensitive but not classified. CUI includes information that is subject to restricted disclosure or dissemination, either because it is sensitive or because it is regulated in some other way. CUI includes any information that must be safeguarded to prevent unauthorized disclosure. A primary objective of CMMC is to protect the DoD against cyberattacks on its vast supply chain.

Types of Controlled Unclassified Information (CUI)

There are various types of CUI, and it can be classified into two categories:

  • Basic CUI: Basic CUI is a type of CUI that requires basic safeguarding measures to protect the information from unauthorized disclosure. Examples of basic CUI can include information about government contracts, sensitive but unclassified information, or information that requires protection under federal laws, regulations, or executive orders.
  • Specified CUI: Specified CUI is a type of CUI that requires additional safeguarding measures to protect the information from unauthorized disclosure. Specified CUI can include information related to national security, law enforcement, or any other information that requires protection under specific laws or regulations.

Some specific examples of CUI include:

  • Personally Identifiable Information (PII): Information such as names, addresses, Social Security numbers, and financial data that could be used to identify an individual.
  • Protected Health Information (PHI): Health information that is regulated by the Health Insurance Portability and Accountability Act (HIPAA).
  • Export-controlled or International Trade Data: Data related to exports, imports, and international trade.
  • Intellectual Property: Patents, copyrights, and trademarks.
  • Contractor-sensitive Information: Information related to contracts, subcontracts, and bids.
  • Proprietary Business Information (PBI), which also is referred to as Confidential Business Information (CBI).
  • Unclassified Controlled Technical Information (UCTI): Information that contains sensitive military information that is not classified but requires protection. Examples include operational plans, developing technologies, mission-essential equipment, surveillance methods, and other sensitive information.
  • Sensitive But Unclassified (SBU): Non-classified information that is still considered sensitive and requires special handling. Can include protected personal information, business information, and government information that require security and protection from unauthorized viewing and access.

Handling Requirements for Controlled Unclassified Information (CUI)

The handling of CUI requires specific measures to ensure its protection, including:

  • Access Control: Access to CUI should be restricted to individuals with the proper clearance and a need-to-know basis.
  • Storage: CUI should be stored in a secure location and protected with physical or electronic security measures.
  • Dissemination: CUI should be disseminated only to individuals with the proper clearance and a need-to-know basis.
  • Destruction: CUI should be destroyed when it is no longer needed or when it is required by law or regulation.

Why Is It Important to Protect Controlled Unclassified Information (CUI)

The protection of CUI is important for several reasons, including:

  • National Security: Unauthorized disclosure of CUI can cause significant harm to national security.
  • Privacy: Unauthorized disclosure of PII can cause harm to individuals’ privacy and can lead to identity theft.
  • Economic Interests: Unauthorized disclosure of proprietary business information can cause significant harm to a company’s economic interests.

Safeguarding CMMC CUI: CMMC 2.0 Levels 1, 2, and 3

The Cybersecurity Maturity Model Certification (CMMC) is a set of standards and best practices for protecting CUI. It is used by the United States Department of Defense (DoD) and other government agencies to ensure that contractors are taking CUI protection seriously. CMMC 2.0 consists of three levels of assessment on organizations seeking certification to protect CUI:

  • Level 1: Foundational. This level of protection requires the implementation of basic cybersecurity measures, such as identity management, access control, and data protection.
  • Level 2: Advanced. This level of protection includes more advanced security measures, such as system authentication and encryption.
  • Level 3: Expert. This level of protection includes the most advanced security measures, such as continuous monitoring and security incident response plans.

How Do I Know if I Have CUI in My Environment?

CUI can be found in many different places, including databases, networks, websites, and documents. To identify CUI in an environment, it’s important to understand where the data is stored and who has access to it. Common sources of CUI include customer lists, financial records, and business plans. Additionally, CUI can be found in emails, text messages, and other communications.

What Type of CUI Do I Have?

Once you’ve identified CUI in your environment, it’s important to determine what type of CUI it is. CUI is divided into several categories, including PII, PHI, export-controlled data, intellectual property, contractor-sensitive information, and sensitive national security information that is not classified. Each category of CUI requires its own set of protections.


How Do I Protect CUI and Meet Compliance Requirements?

CUI can contain confidential, sensitive, and/or proprietary information—data that must be protected at all costs. As noted above, it is critical to protect CUI and meet compliance requirements, as failure to do so may result in financial loss and, worse yet, loss of trust by customers, suppliers, and employees.

The first step to protecting CUI and meeting compliance requirements is to determine the laws and regulations applicable to data at your organization. It’s important to have a clear understanding of these standards, including the risks and vulnerabilities associated with your specific industry. Once you’ve identified applicable standards, organizations must implement appropriate measures to protect CUI. This process should include a range of technical, physical, and administrative security measures, such as encryption, malware protection, secure backup, and password protection. Additionally, access policies should be in place to control who can access and modify CUI, as well as to institute processes for tracking, recording, and reporting on CUI.

Organizations must also have a system in place for incident and vulnerability management to ensure that any security issues or exposure to CUI are addressed swiftly. Incident response plans should include processes for responding to incidents, gathering and analyzing evidence, and mitigating any damage. Regular security reviews and testing should also be conducted to validate the effectiveness of current security measures and identify any areas of improvement.

By taking the necessary steps to protect CUI and meet compliance requirements, organizations can ensure their data is secure and that their operations remain in compliance with applicable laws. Doing so is critical for an organization’s reputation and security of its information.

Additional steps to ensure that CUI is properly protected by organizations include:

  • Implementing robust cybersecurity measures, such as identity and access management, data encryption, and multi-factor authentication.
  • Establishing protocols for handling CUI, such as limiting access to authorized personnel and monitoring access logs.
  • Ensuring that all personnel with access to CUI are properly trained on CUI protection procedures.

Why Kiteworks Private Content Network Is Key to Protecting Sensitive Data Like CUI

Every day, organizations face increasingly higher challenges to keep sensitive data such as CUI safe from malicious third parties, cyberattacks, and data breaches. To ensure the safety of this sensitive data, Kiteworks offers a Private Content Network (PCN) that unifies, tracks, controls, and secures sensitive content communications with comprehensive security and compliance governance. Organizations can control who views content, who can edit it, who can send and share it, to whom and where it can be sent and shared, from what devices it can be viewed, edited, and sent and shared, and where it can be sent and shared.

Kiteworks uses a hardened virtual appliance to protect sensitive content communications from malicious cybercriminals and rogue nation-states. Its use of security layers that embrace double AES-256 encryption at the file and disk volume make it extremely difficult for a cyberattack to gain access to any content. Because of the level of security Kiteworks employs, the vulnerability and impact severity of vulnerabilities is dramatically reduced.

Kiteworks unifies file and email data communications into a single platform that delivers consolidated tracking and controls to manage content sends, shares, receives, collaboration, and stores. With email, secure file sharing, managed file transfer, web forms, and application programming interfaces (APIs) consolidated into one platform, organizations achieve dramatic improvements in operational compliance, efficiencies, and security.

Data encryption is a key element of the Kiteworks PCN. It protects sensitive data by encoding it so that only authorized individuals can access it. What’s more is that neither Kiteworks nor cloud providers have access to your key management and encryption. Kiteworks customers retain full ownership and access to their encryption keys. Government agencies, lawyers, and courts are unable to gain access to your sensitive content in Kiteworks through legal measures.

Learn How Kiteworks Delivers a Private Content Network by watching our explanatory video. Or simply request a custom-tailored demo to learn how you can protect CUI under CMMC Level 2 with Kiteworks—which supports nearly 90% of CMMC 2.0 Level 2 requirements out of the box.


Back to Risk & Compliance Glossary

Get started.

It’s easy to start ensuring regulatory compliance and effectively managing risk with Kiteworks. Join the thousands of organizations who feel confident in their content communications platform today. Select an option below.


Avec Kiteworks, se mettre en conformité règlementaire et bien gérer les risques devient un jeu d’enfant. Rejoignez dès maintenant les milliers de professionnels qui ont confiance en leur plateforme de communication de contenu. Cliquez sur une des options ci-dessous.

Jetzt loslegen.

Mit Kiteworks ist es einfach, die Einhaltung von Vorschriften zu gewährleisten und Risiken effektiv zu managen. Schließen Sie sich den Tausenden von Unternehmen an, die sich schon heute auf ihre Content-Kommunikationsplattform verlassen können. Wählen Sie unten eine Option.

Get A Demo