Thank you for joining me again. So far in this series, I have defined Federal Contract Information (FCI) and Controlled Unclassified Information (CUI) and explained why CUI needs to be protected. In today’s article, I will provide examples of CUI.

As a federal prime contractor or subcontractor, you may handle one or more types of CUI in one or more of your contracts. Seeing some examples should help you understand how common it is for contracts to include CUI.

CUI Examples

CUI comes in many different varieties. Here are some of the most common types of CUI and some examples to help further clarify. This list is not all-inclusive. 

  • Privacy data
    • Personally Identifiable Information (PII)
    • Protected Health Information (PHI)
    • Financial records
  • DoD CUI
    • Contract information
  • Research/engineering data
    • Proprietary technical information about tools or engineering solutions
  • Technical reports
  • Technical data sets
  • Computer software code and programs
  • Critical infrastructure data
    • Power grid
    • Communications networks
  • Cutting-edge technology
    • Stealth
    • Weapons systems
    • Components of technology

Compartmentalized Secret And Top Secret Information

Now let me explain a nuance of CUI in relation to Secret and Top Secret data. Knowing this nuance is another secret ingredient to understanding NextGen federal contracting. 

Secret and Top Secret data have stringent requirements for cybersecurity protection to prevent security breaches. However, when Secret and Top Secret data are compartmentalized, the classification often changes to CUI. 

Let me provide an example of this, where we look at components of Secret or Top Secret data. 

In this example, we will say that the Department of Defense (DoD) is going to build a new missile. Company X will develop launch software, Company Y will build the outer shell, and Company Z will develop rockets. The caveat is that since Companies X, Y, and Z are not combining information, they technically do not have Secret information. What each of them has is CUI. Companies X, Y, and Z are all working with CUI, rather than Secret data, because they are only developing a component of something Secret. 

For this example, Companies X, Y, and Z are all prime contractors. If they sub out any work, then the subcontractors will also need to comply with security standards for CUI.

The cybersecurity standards are less strict for Companies X, Y, and Z because they are not handling Secret information, which means they are easier targets. Threat actors could target Companies X, Y, and Z, or their subcontractors, trying to access the company systems. If the threat actors can gain access to all three companies, then the components could potentially be combined into the full plans of the new missile.

I hope that I have painted a picture of the seriousness of the threats to national security and our Defense Supply Chain and why we must be stringent in protecting CUI. 

If you are not sure if your company meets the requirements of protecting CUI, IBSS can assess this. Contact us today for a free estimate. 

Next Up

My next article is going to discuss methods of controlling CUI. I hope to show you why controlling CUI is the secret ingredient that will help you win contracts, as more and more contracts and contract vehicles are requiring cybersecurity measures.