Controlled Unclassified Information: Labeling Requirements for CMMC and NIST 800-171

As the Department of Defense’s (DoD) Cybersecurity Maturity Model Certification (CMMC) framework begins rolling out and working its way into DoD contracts, two of the most common questions we get are: “What is Controlled Unclassified Information (CUI)?” and “How do you label CUI appropriately?”

In the Federal Government’s own words: “CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” The other defining trait of CUI is that it is not meant for public release without proper authorization, but does not warrant a Confidential, Secret, or Top Secret classification from the Federal Government.

CUI is further broken into 24 categories and 83 subcategories. Each subcategory then provides a designation as either CUI Basic or CUI Specified. These categories and subcategories can be found here: Information that is designated as CUI Specified contains specific marking, handling, and dissemination requirements that must be followed. But what about CUI Basic?

CUI Basic has general handling, dissemination, and marking requirements that must be applied to every record containing information which is considered CUI Basic. To start, all records must have a header that reads: “CUI”. This header cannot contain anything else. Then, on the first page or cover page of every CUI-containing record, the following information must be annotated:

  • Line 1: the name of the DoD Component (not required if identified in the letterhead)
  • Line 2: identification of the office creating the document
  • Line 3: identification of the categories contained in the document
  • Line 4: applicable distribution statement or limited dissemination control (LDC)
  • Line 5: name and phone number or email of POC

This marking requirement applies to every CUI-containing record, whether that is a document, presentation, email, or any other type of record designated as containing CUI. Both NIST 800-171 and CMMC have a control that directly requires these markings.

In NIST 800-171, this is Control 3.8.4, and in CMMC, this is Practice MP.3.122, which reads:

“Mark media with necessary CUI markings and distribution limitations.”

There are two simple questions to determine if information is CUI:

  1. Does the information meet the standards for classification? If yes, it is not CUI; it is classified information.
  2. Does the information fall within a law, regulation, or government-wide policy? If no, then it cannot be considered CUI.

If the information is considered CUI, the next steps are to determine which category and subcategory of CUI the information falls into. If the subcategory is CUI Specified, follow the listed marking requirements. If it is CUI Basic, apply the required header and annotation listed above.
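
As an added example (not from the original article or any DoD tool), the following Python function checks a plain-text first page for the CUI Basic header and five-line annotation described above, for instance as a pre-release check on outgoing records. The field labels and the sample record are assumptions made for this example; the article specifies only what each line must contain.

```python
import re

# Field labels are assumptions for this example; the article specifies
# only what each of the five lines must contain, not their literal labels.
CONTROLLED_BY = "Controlled by:"
REQUIRED_SINGLE = ("CUI Category:", "Distribution/Dissemination Control:", "POC:")
CONTACT = re.compile(r"[\w.+-]+@[\w-]+(\.[\w-]+)+|\(?\d{3}\)?[ .-]?\d{3}[ .-]?\d{4}")


def check_cui_basic(first_page: str, letterhead_names_component: bool = False) -> list[str]:
    """Return a list of marking problems; an empty list means the page passes."""
    lines = [ln.strip() for ln in first_page.splitlines() if ln.strip()]
    problems = []

    # Header: must read "CUI" and contain nothing else.
    if not lines or lines[0] != "CUI":
        problems.append("header must read exactly 'CUI'")

    def values(label):
        return [ln[len(label):].strip() for ln in lines if ln.startswith(label)]

    # Lines 1-2: DoD Component and originating office. Line 1 may be
    # omitted only when the letterhead already identifies the Component.
    needed = 1 if letterhead_names_component else 2
    if len([v for v in values(CONTROLLED_BY) if v]) < needed:
        problems.append(f"need {needed} non-empty '{CONTROLLED_BY}' line(s)")

    # Lines 3-5: categories, distribution statement or LDC, point of contact.
    for label in REQUIRED_SINGLE:
        found = values(label)
        if not found or not found[0]:
            problems.append(f"missing or empty '{label}' line")
        elif label == "POC:":
            contact = CONTACT.search(found[0])
            name = CONTACT.sub("", found[0]).strip(" ,;-")
            if not contact or not name:
                problems.append("POC needs a name plus phone number or email")
    return problems


# Constructed sample records (not real documents); values are placeholders.
GOOD = """CUI
Controlled by: Example DoD Component
Controlled by: Example Program Office
CUI Category: EXAMPLE-CATEGORY
Distribution/Dissemination Control: EXAMPLE-LDC
POC: Jane Doe, jane.doe@example.mil
"""
BAD = GOOD.replace("CUI\n", "CUI // DRAFT\n", 1).replace("Jane Doe, ", "")
```

`check_cui_basic(GOOD)` returns an empty list, while `BAD` is flagged for both the extra text in the header and the POC line that lacks a name.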

CMMC and NIST 800-171 both require a policy and procedures document for meeting the labeling requirements for CUI, and individuals handling CUI must be trained on how to label CUI appropriately. This training is provided by the DoD, which also provides a CUI Marking Job Aid with this training that lists out the specific CUI marking requirements. This Job Aid can be found through the link below.

If you would like to learn more about CUI, the purpose of establishing the CUI designation, or CUI marking requirements, the DoD’s CUI training is the best place to start:

How Can Schneider Downs Help?

Schneider Downs currently offers CMMC readiness and consulting services as a Registered Provider Organization (RPO). Our team includes a Certified CMMC Provisional Assessor, and several other members currently in the process of applying for CMMC Certified Assessor status who plan on completing training in Q2 of 2021. OSCs should note that a single firm cannot perform both consulting and audit services for a single client per the CMMC-AB standards. In the meantime, until such requirements are made public, we can help your organization prepare for CMMC by performing an assessment against the NIST 800-171 framework. For more information visit or contact us to get started.


© 2022 Schneider Downs. All rights-reserved. All content on this site is property of Schneider Downs unless otherwise noted and should not be used without written permission.
