What is the purpose of the ISOO CUI registry?

Controlled Unclassified Information (CUI) Specified is a subset of CUI where the underlying laws, regulations, or government-wide policies that make the information CUI stipulate or provide specific handling controls above and beyond those required for CUI Basic.

While CUI Basic includes all CUI that is not specified by an information type in the CUI Registry, CUI Specified pertains to data that is governed by specific regulations and requirements. These might include more stringent restrictions on who can access the information, requirements for special handling or storage, or other specific rules.

Examples of CUI Specified could include certain types of export-controlled information, nuclear information, patent information, or critical infrastructure information. The exact specifications will be provided in the specific law, regulation, or policy that designated the information as CUI.

It’s important to note that all CUI, whether Basic or Specified, must be properly safeguarded to avoid unauthorized disclosure.

The National Institute of Standards and Technology (NIST) provides guidelines for handling Controlled Unclassified Information (CUI) in NIST Special Publication 800-171. These guidelines are to be applied to all components of non-federal information systems and organizations that process, store, or transmit CUI, or that provide security protection for such components.

Here are some of the high-level requirements from the NIST SP 800-171 regarding system and network configuration:

1. Access Control: Limit system access to authorized users, processes acting on behalf of authorized users, or devices (including other systems).
2. Awareness and Training: Ensure that managers and users of organizational systems are made aware of the security risks associated with their activities and of the applicable policies, standards, and procedures related to the security of those systems.
3. Audit and Accountability: Create, protect, and retain system audit logs and records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful or unauthorized system activity.
4. Configuration Management: Establish and maintain baseline configurations and inventories of organizational systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles.
5. Identification and Authentication: Identify system users, processes acting on behalf of users, or devices.
6. Incident Response: Establish an operational incident-handling capability for organizational systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
7. Maintenance: Perform periodic and timely maintenance on organizational systems.
8. Media Protection: Protect system media, both paper and digital.
9. Physical Protection: Limit physical access to systems, equipment, and the respective operating environments to authorized individuals.
10. Risk Assessment: Periodically assess the risk to organizational operations, organizational assets, and individuals.
11. Security Assessment: Periodically assess the security controls in organizational systems to determine if the controls are effective in their application.
12. System and Communications Protection: Monitor, control, and protect communications (i.e., information transmitted or received by organizational systems) at the external boundaries and key internal boundaries of the information systems.
13. System and Information Integrity: Identify, report, and correct system and information flaws in a timely manner, provide protection from malicious code, and monitor system security alerts and advisories and take appropriate actions in response.
14. Personnel Security: Screen individuals prior to authorizing access to CUI and ensure that CUI access is terminated when individuals leave the organization or no longer require access.

The exact configurations and measures would be dependent on the specific systems and networks in question, as well as the nature of the CUI being processed, stored, or transmitted.

Controlled Unclassified Information (CUI) Basic is a designation that refers to information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information classified under Executive Order 13526 or the Atomic Energy Act, as amended.

This type of CUI does not fall under the more specific handling requirements that some categories of CUI require (those would be called CUI Specified). For CUI Basic, standard safeguarding measures are put into place to protect this information from unauthorized access or disclosure.

These measures generally include controls like access controls (limiting who can view the information), training (making sure people know how to handle CUI), and physical protections (securing the locations where CUI is stored). In terms of handling, the guiding principle for CUI Basic is that it should be disseminated on a “lawful government purpose” basis, which means it can be shared as necessary to conduct official business, in compliance with laws and regulations.

The specific laws, regulations, and government-wide policies that outline what constitutes CUI Basic can be found in the CUI Registry maintained by the National Archives and Records Administration (NARA). The registry also provides guidance on how to handle and decontrol CUI.

The authority to decontrol, or remove the designation of Controlled Unclassified Information (CUI), typically rests with the controlling agency, which is the federal agency that originally classified the information as CUI. These agencies have the requisite knowledge and jurisdiction to determine whether the information no longer requires the safeguards and dissemination controls associated with CUI.

According to guidelines provided by the National Archives and Records Administration (NARA), which administers the CUI program, when deciding to decontrol information, agencies should take into consideration any applicable laws, Federal regulations, or Government-wide policies.

When it comes to the process of decontrol, agencies are obliged to inform recipients of the information’s decontrol, unless the information has already been publicly disseminated or is three or more years old at the time of its decontrol.

Even after the decontrol of CUI, an agency is still required to safeguard it until it has informed all known authorized holders, or until the CUI Registry marks the information as decontrolled. If unauthorized holders are informed of the decontrol, they are required to either destroy the information or return it to an authorized holder.

Controlled Unclassified Information (CUI) is a category of information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and government-wide policies, excluding information classified under Executive Order 13526 or the Atomic Energy Act, as amended.

CUI is not classified information, but it is sensitive in nature and requires protection. This can include a wide range of types of information such as personally identifiable information (PII), proprietary business information, law enforcement data, certain types of scientific research, and more.

The CUI program standardizes the way the executive branch handles this kind of sensitive but unclassified information. Before the establishment of the CUI program, agencies used various ad hoc markings and handled sensitive information in different ways, leading to confusion and inefficiencies. The CUI program was established to provide clarity and consistency.

The CUI program is managed by the National Archives and Records Administration (NARA), which maintains a CUI Registry of all the different categories and subcategories of information that can be designated as CUI. The CUI Registry provides guidance about the types of information that qualify as CUI and the appropriate handling procedures for each category.