What Is CUI?

As companies are learning more about the government’s new Cybersecurity Maturity Model Certification (CMMC) program, there’s a lot of uncertainty surrounding CUI or Controlled Unclassified Information. CMMC was designed to protect CUI, but what information is considered CUI?

CUI Is Defined As:

The problem with this explanation is that it’s complicated to understand. This definition states that for information to be considered CUI, it must be created or possessed on behalf of the government, meaning it has to have government access. The government must be asking you to retain this information, and it must be stated in a contract.  

How Do I Know If Information Is CUI?

Most businesses have to protect information such as employee and client personally identifiable information, but it’s only considered CUI if the government asks you to either create or possess it. The businesses with DoD contracts needing CMMC requirements will need to review the CUI registry – this is the closest you’re going to get to a guide. At this point, consulting a lawyer is a good idea when determining what is considered CUI.  Not all information is meant to be treated as CUI.  

 What This Means For You

 All businesses that handle, possess, use, share, or receive CUI require a CMMC Maturity Level 3. If your business falls into this category, you’ll want to get started as soon as possible on certification. Reaching a maturity Level 3 is going to take some work, even for those thoroughly prepared. As a government contractor, it’s your responsibility to make sure CUI is protected. The sooner your business implements these changes, the sooner you’ll be able to obtain the CMMC compliance certification.