How to Classify Information Types

By Donald DeWitt Jr. • January 11, 2022

Determining what types of information your organization possesses is one of the first steps you need to take when starting efforts to enact cybersecurity controls. This classification of information dictates how the data must be controlled and protected.

Here are the different categories of information.

 

FCI – Federal Contract Information

As defined by 48 CFR 52.204-21, this is, “Information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as public websites) or simple transactional information, such as necessary to process payments.”

The National Archives and Records Administration (NARA) specifies, “Non-federal systems that store, process, or transmit FCI that does not also qualify as CUI must follow, at a minimum, the basic safeguarding requirements outlined in FAR clause 52.204-21.”

It is important to note that safeguarding FCI (CMMC Level 1) is the minimum requirement if you have a Federal contract.

CUI – Controlled Unclassified Information

According to 32 CFR 2002.4, CUI is, “Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

“CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.”

 

Additional Safeguards / Classifications:

  • CUI Basic: Requiring or permitting agencies to control or protect the information but providing no specific controls.
  • CUI Specified: Requiring or permitting agencies to control or protect the information and providing specific controls for doing so.
  • CUI Specified, with basic controls where not specified by authority: Requiring or permitting agencies to control the information and specifying only some needed controls.

 

NARA states that, “NIST SP 800-171 will be the minimum standard for protecting CUI in non-federal information systems and organizations (per 32 CFR 2002.14 and 2002.16).”

 

CUI categories for the defense industrial base (DIB)

Refer to this chart to see how to classify your CUI.

| Banner Marking | CUI Category | Organization Grouping |
|---|---|---|
| CUI//SP-CTI | Controlled Technical Information | Defense |
| CUI//SP-CEII | Critical Energy Infrastructure Information | Critical Infrastructure |
| CUI//SP-EXPT | Export Controlled | Export Control |
| CUI//SP-FISA(B) | Foreign Intelligence Surveillance Act (Business Records) | Intelligence |
| CUI//SP-PRVCY | Privacy | Privacy |
| CUI//SP-PROCURE | General Procurement & Acquisition | Procurement & Acquisition |
| CUI//SP-PROPIN | General Proprietary Business Information | Proprietary Business Information |
| CUI//SP-NNPI | Naval Nuclear Propulsion Information | Defense |
| CUI//SP-SRI | Nuclear Security Related Information | Nuclear |
| CUI//SP-PERS | Personnel Records | Privacy |
| CUI//SP-MFC | Proprietary Manufacturer | Proprietary Business Information |
| CUI//SP-PCII | Protected Critical Infrastructure Information | Critical Infrastructure |
| CUI//SP-DCNI | Unclassified Controlled Nuclear Information – Defense | Defense |
| CUI//SP-UCNI | Unclassified Controlled Nuclear Information – Energy | Nuclear |

Learn More

 

While this blog can get you started on determining how to classify your information, the experts at CyberSheath would be happy to help your company identify your FCI and CUI and create plans for safeguarding it. Contact us to take the next step in learning how to protect your sensitive information.

 
