Determining what types of data your organization possesses is one of the offset steps you need to take when starting efforts to enact cybersecurity controls. This nomenclature of data dictates how the data must be controlled and protected.

Hither are the different categories of information.

FCI – Federal Contract Information

As defined by 48 CFR 52.204-21, this is, "Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, just non including information by the Government to the public (such as public websites) or simple transactional data, such as necessary to procedure payments."

National Athenaeum and Records Administration (NARA) specifies, "Non-federal systems that shop, process, or transmit FCI that does not also qualify equally CUI must follow, at a minimum, the basic safeguarding requirements outlined in FAR clause 52.204-21."

Information technology is of import to note that FCI (CMMC Level 1) is the minimum if you accept a Federal contract.

CUI – Controlled Unclassified Information

According to 42 CFR 2002.4, CUI is, "Information the Authorities creates or possesses, or that an entity creates or possesses for or on behalf of the Authorities, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

"CUI does not include classified information or data a not-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an bureau."

Boosted Safeguards / Classifications:

  • CUI Basic: Requiring or permitting agencies to control or protect the data merely providing no specific controls.
  • CUI Specified: Requiring or permitting agencies to control or protect the information and providing specific controls for doing then.
  • CUI Specified, with basic controls where not specified by authority: Requiring or permitting agencies to control the information and specifying simply some needed controls.

NARA states that, "NIST SP 800-171 will be the minimum standard for protecting CUI in not-federal information systems and organizations (per 32 CFR 2002.14 and 2002.16)."

CUI categories for the defence industrial base of operations (DIB)

Refer to this chart to run across how to classify your CUI.

Banner Marking CUI Category Organization Grouping
CUI//SP-CTI Controlled Technical Information Defense
CUI//SP-CEII Critical Free energy Infrastructure Information Disquisitional Infrastructure
CUI//SP-EXPT Export Controlled Consign Control
CUI//SP-FISA(B) Foreign Intelligence Surveillance Human action (Business Records) Intelligence
CUI//SP-PRVCY Privacy Privacy
CUI//SP-PROCURE General Procurement & Acquisition Procurement & Acquisition
CUI//SP-PROPIN General Proprietary Business Information Proprietary Business Data
CUI//SP-NNPI Naval Nuclear Propulsion Information Defense
CUI//SP-SRI Nuclear Security Related Data Nuclear
CUI//SP-PERS Personnel Records Privacy
CUI//SP-MFC Proprietary Manufacturer Proprietary Business Information
CUI//SP-PCII Protected Critical Infrastructure Information Critical Infrastructure
CUI//SP-DCNI Unclassified Controlled Nuclear Data – Defense Defence force
CUI//SP-UCNI Unclassified Controlled Nuclear Information – Energy Nuclear

Larn More than

  • Explore the above classifications
  • Read more about categorizing non-public data

While this blog can get you started on determining how to classify your data, the experts at CyberSheath would exist happy to assist your company identify your FCI and CUI and create plans for safeguarding it. Contact us to take the next pace in learning how to protect your sensitive data.