What You Need to Know About the ISOO CUI Registry

Managing Controlled Unclassified Information

We’ve written a lot about various security frameworks, from CMMC to ISO 27001, and throughout all of them, one of the core elements is the need to protect CUI. Information controlled at a very high level (SECRET, Classified, or similar) is tightly bound by specific rules and can only be handled by select individuals. At the other end, ordinary public information is freely available and completely uncontrolled. But there’s a lot of information somewhere in the middle: information that needs to be controlled because of how sensitive it is, but that isn’t sensitive enough to be classified.

The question is, what is CUI?

This isn’t an abstract question. We can give you broad definitions of CUI all day, sure. But, if you comb through your home office and put together a list of documentation, emails, files, and other information used as part of your operations, which of those documents are CUI, and which are in other categories?

Knowing the specifics isn’t optional. You need to know what is and isn’t CUI. If you don’t, you might waste a lot of time and effort securing and applying excessive access controls to completely irrelevant information – or worse, grow lax in the security surrounding actual CUI. Videos like this one help go into detail about what is and isn’t CUI, but it’s always helpful to go to the original source as well.

Fortunately, the government is way ahead of you on this one. Much like how NIST maintains documentation that breaks down every security control family into individual controls, the definition of CUI is spelled out all the way down to specific documents. This is all handled by the ISOO through the ISOO CUI Registry. So, let’s talk about it!

BLUF - Bottom Line Up Front

Controlled Unclassified Information (CUI) requires specific handling to protect sensitive but unclassified data. The ISOO CUI Registry, managed by the Information Security Oversight Office, outlines these requirements. It categorizes CUI into 20 groups like Defense, Intelligence, and Privacy. Contractors must ensure CUI is secured properly. The Department of Defense has a similar CUI registry, mainly for DoD personnel. Platforms like Ignyte assist in compliance with security frameworks such as CMMC and FedRAMP.

What is the ISOO?

The ISOO is the Information Security Oversight Office. The Office is part of the National Archives and is made up of three groups.

The first group is the Classification Management Staff. These people develop the security classification policies for how to classify, declassify, and safeguard information generated by both government and industry entities.


The second group is the Operations Staff. These people are responsible for evaluating the effectiveness of the security classification programs developed by the government and throughout industry with regard to protecting information and national security.

Finally, the third group is the CUI Staff. The CUI staff handle the CUI policies and procedures, determining how to appropriately maintain both protection and access to controlled unclassified information through data control and access measures.

The ISOO was first created in 1978 as a replacement for the Interagency Classification Review Committee, which itself had been created in 1972. It has since grown in scope and responsibility through numerous executive orders, and today, it handles all things CUI.

What is the ISOO CUI Registry?

One of the most significant aspects of the ISOO’s duties is to determine and maintain the list of what is and isn’t CUI. To do that, it created and maintains the CUI Registry. This registry was first developed and published in 2011 and represents a compendium of the laws, executive orders, directives, and other authorities that require specific kinds of information to be secured.

The registry is just that: a list of all of the organizational categories and information types that fall under the heading of CUI. The overall purpose is to create a central resource that provides uniform and consistent definitions of what CUI is and the responsibilities of anyone who comes into contact with that CUI. When in doubt, check the registry for guidance.


There are currently 20 top-level categories of CUI, each of which can have anywhere from one to 18 sub-groups. These are:

  • Critical Infrastructure, which includes information about Ammonium Nitrate, Chemical-terrorism Vulnerability Information, Critical Energy Infrastructure Information, Emergency Management, General Critical Infrastructure Information, Information Systems Vulnerability Information, Physical Security, Protected Critical Infrastructure Information, SAFETY Act Information, Toxic Substances, and Water Assessments.
  • Defense, which includes Controlled Technical Information, DoD Critical Infrastructure Security Information, Naval Nuclear Propulsion Information, Privileged Safety Information, and Unclassified Controlled Nuclear Information – Defense.
  • Export Control, which includes Export Controlled information and Export Controlled Research.
  • Financial, which includes Bank Secrecy, Budget, Comptroller General, Consumer Complaint Information, Electronic Funds Transfer, Federal Housing Finance Non-Public Information, Financial Supervision Information, General Financial Information, International Financial Institutions, Mergers, Net Worth, and Retirement.
  • Immigration, which includes Asylee, Battered Spouse or Child, Permanent Resident Status, Status Adjustment, Temporary Protected Status, Victims of Human Trafficking, and Visas.
  • Intelligence, which includes Agriculture, Foreign Intelligence Surveillance Act, Foreign Intelligence Surveillance Act Business Records, General Intelligence, Geodetic Product Information, Intelligence Financial Records, Internal Data, and Operations Security.
  • International Agreements, which includes only International Agreement Information.
  • Law Enforcement, which includes Accident Investigation, Campaign Funds, Committed Person, Communications, Controlled Substances, Criminal History Records Information, DNA, General Law Enforcement, Informant, Investigation, Juvenile, Law Enforcement Financial Records, National Security Letter, Pen Register/Trap & Trace, Reward, Sex Crime Victim, Terrorist Screening, and Whistleblower Identity.
  • Legal, which includes Administrative Proceedings, Child Pornography, Child Victim/Wellness, Collective Bargaining, Federal Grand Jury, Legal Privilege, Legislative Materials, Presentence Report, Prior Arrest, Protective Order, Victim, and Witness Protection.
  • Natural and Cultural Resources, which includes Archaeological Resources, Historic Properties, and National Park System Resources.
  • NATO, which includes NATO Restricted and NATO Unclassified information.
  • Nuclear, which includes General Nuclear, Nuclear Recommendation Material, Nuclear Security-Related Information, Safeguards Information, and Unclassified Controlled Nuclear Information – Energy.
  • Patent, which includes Patent Applications, Inventions, and Secrecy Orders.
  • Privacy, which includes Contract Use, Death Records, General Privacy, Genetic Information, Health Information, Inspector General Protected, Military Personnel Records, Personnel Records, and Student Records.
  • Procurement and Acquisition, which includes General Procurement and Acquisition, Small Business Research and Technology, and Source Selection.
  • Proprietary Business Information, which includes Entity Registration Information, General Proprietary Business Information, Ocean Common Carrier and Marine Terminal Operator Agreements, Ocean Common Carrier Service Contracts, Proprietary Manufacturer, and Proprietary Postal.
  • Provisional, which includes Homeland Security Agreement Information, Homeland Security Enforcement Information, Information Systems Vulnerability Information – Homeland, International Agreement Information – Homeland, Operations Security Information, Personnel Security Information, Physical Security – Homeland, Privacy Information, and Sensitive Personally Identifiable Information.
  • Statistical, which includes Investment Survey, Pesticide Producer Survey, Statistical Information, and US Census.
  • Tax, which includes Federal Taxpayer Information, Tax Convention, Taxpayer Advocate Information, and Written Determinations.
  • Transportation, which includes Railroad Safety Analysis Records and Sensitive Security Information.

As you can see, this is all a very comprehensive selection of categories and information types. Each one will lead you to a page such as this one, which gives you a description of what that information includes, how it is labeled, how it is controlled, and where the authority to control it is derived from.

What About the Department of Defense CUI Registry?

The Department of Defense also maintains its own CUI registry, which can be found here. It is nearly identical to the ISOO CUI Registry, though the design of the webpage is a bit more dated, and the individual pages can be quite different. For example, here’s the page on water assessments. It has a little less information than the ISOO version, but the descriptions are identical. This is broadly the case across the board. There are a few subtle differences, though. The DoD Registry does not contain Immigration information, and it includes some extra information and guidance relevant to DoD but not non-DoD personnel.

Which do you use? If you’re part of the DoD or a DoD subcontractor, you would refer to the DoD registry primarily. Everyone else should refer to the ISOO registry instead.


All of this is part of a comprehensive push by the government to establish broad, consistent, and most importantly, effective cybersecurity and information security procedures, in response to modern information threats.

How Do You Use the ISOO CUI Registry?

In most cases, you don’t necessarily need to know how to use the CUI registry. It’s designed for the senior personnel and entities who create the information, so they can determine which information already carries the label and which label needs to be applied to it, such as whether it’s CUI Basic or CUI Specified.

If you are a member of a federal agency and you have already implemented the groundwork of the CUI program, then the CUI registry serves as a reference material to validate policies you already implemented. You should know what information you generate should be marked as CUI and how. This is especially important for any time when you have to share this information with non-federal entities.

If you are a member of a federal agency and you are still working on implementing the CUI program, the CUI registry helps you determine the rules and policies that will govern what is and isn’t marked throughout your agency. By referencing what your agency creates and how it is shared, you can determine what needs to be labeled and how, as well as what controls need to be in place to handle it.


If you are a contractor that is working with CUI, all you really need to know is that CUI needs to be properly secured and handled appropriately.

Similarly, if you are a subcontractor generating information, you generally don’t need to label that information as CUI unless you’re working with a government partner who instructs you to do so. Without such instruction, there’s not generally a need to label information as CUI. That is not to say it shouldn’t be secured; it’s just that CUI may not be the required way to do so.

Essentially, any time you are generating information, and you’re concerned that it should be marked and handled as CUI, you can use the CUI Registry to cross-reference and determine if that information falls under that banner or not. Then, you can mark it and handle it appropriately.

What happens if information that should be marked CUI is not properly marked? Generally, you will want to escalate the question up the chain until it is satisfactorily addressed. Sometimes, information slips through a system, and that means more than just the need to correct the document; it means identifying why the information slipped through the cracks and fixing those cracks.

Alternatively, it may mean that the information isn’t actually CUI, even if it feels like it should be. Some information is sensitive but hasn’t been explicitly called out; other information seems more sensitive than it actually is. The ISOO spends a lot of time determining what is and isn’t part of this program.

Can Ignyte Help with CUI?

Here at Ignyte, we’re deeply familiar with CUI and can help with all manner of compliance with security frameworks. We’re experienced with CMMC, FedRAMP, HITRUST, SOC2, DFARS, and many more. Further, as a 3PAO, we’ve helped numerous clients make their way through the assessment and auditing necessary to achieve certification, and we can do the same for your organization.


There are several ways we can help. First and foremost, the Ignyte Platform was designed from the ground up as a centralized and effective tool for going through the entire auditing and assessment process to achieve certification with one of the many security frameworks available. We saw too many CSPs struggling with siloed software and other roadblocks and inefficiencies, so we developed our platform to help. You can book a demo today to see how it can work for you.

Another option is to read through our blog and other resources. Simply choose the category that best fits your needs, such as FedRAMP information, and browse the resources we’ve created to help you. We’re also available if you have questions to ask, and in some cases, those questions end up becoming new resources. Just send us a message with your questions, and we’ll get back to you as soon as possible with any answers!

And, as a 3PAO, if you’re seeking a partner to help your CSP achieve FedRAMP or another framework certification and need a third-party assessor to help, you can reach out to us as well.

Whatever your needs, we look forward to hearing from you! We may not be the people defining CUI, but we can help you know how to handle it.
