FSO PROS

Safeguarding Our Information: Protecting Classified and Controlled Unclassified Information (CUI)

12/16/2025

 
In today’s digital environment, information is one of our most valuable assets. It is also the most targeted. Protecting classified information and controlled unclassified information (CUI) is not just an IT responsibility; it is a shared obligation that applies to every employee, contractor, and partner within your organization.
 
Understanding What We Protect
Classified Information includes data formally designated as Confidential, Secret, or Top Secret and requires the highest levels of protection due to national security implications.
 
Controlled Unclassified Information (CUI) is sensitive information that is not classified but must be safeguarded under applicable laws, regulations, and government-wide policies. This includes personally identifiable information (PII), export-controlled data, proprietary information, certain technical or research data, and more.
 
Correctly identifying and marking information is the first step in ensuring it is protected appropriately.
 
Why Protection Matters
Threat actors are constantly seeking to exploit weak points, whether through phishing emails, unsecured devices, or improper data handling. A single lapse can result in:
  • Legal and regulatory consequences
  • Loss of trust with partners and stakeholders
  • Operational disruptions
  • Damage to national security or organizational mission
 
Strong information security practices help prevent these outcomes and ensure compliance with applicable requirements.
 
Regulatory Frameworks That Guide Our Security Practices
Our information security requirements are grounded in established federal standards and regulations, including:
 
  • 32 CFR Part 117 (NISPOM - National Industrial Security Program Operating Manual): The NISPOM establishes requirements for safeguarding classified information within cleared contractor facilities, including personnel security, physical security, and information systems security.
  • NIST (National Institute of Standards and Technology): NIST Special Publication 800-171 defines the security requirements for protecting CUI in non-federal systems and organizations. These controls address access control, incident response, system security, and risk management.
  • CMMC (Cybersecurity Maturity Model Certification): CMMC builds upon NIST 800-171 and is required for many Department of Defense contracts. It ensures that defense contractors implement and maintain cybersecurity practices appropriate to the sensitivity of the information they handle.
  • EAR (Export Administration Regulations): The EAR controls the access, transfer, and dissemination of certain commercial and dual-use technologies, software, and technical data. EAR-controlled information must only be shared with authorized individuals and through approved methods. Unauthorized access or transfer, including to foreign persons, may constitute an export violation and must be reported immediately. When in doubt, stop and verify before sharing.
  • ITAR (International Traffic in Arms Regulations): ITAR governs the handling of defense-related technical data and restricts access to authorized U.S. persons. Improper storage, transmission, or sharing of ITAR-controlled data can result in significant legal and financial penalties.
 
Understanding these frameworks helps ensure compliance and supports our broader mission.
 
Everyday Actions That Make a Difference
Protecting sensitive information doesn’t always require complex tools—often, it starts with simple, consistent habits:
 
  • Think before you click: Phishing remains one of the most common attack methods. Be cautious of unexpected emails, links, or attachments, even if they appear to come from a trusted source.
  • Use approved systems: Store, transmit, and process Classified and CUI data only on authorized networks and devices.
  • Limit and control access: Share information strictly on a need-to-know basis.
  • Secure physical and digital workspaces: Lock screens when away, safeguard physical documents, and properly dispose of sensitive materials.
  • Report incidents promptly: If you suspect a data spill, phishing attempt, or security incident, report it to your FSO immediately. Early reporting helps limit impact.
 
Security Is a Shared Responsibility
Information security is not about slowing down operations; it is about protecting our mission, our partners, and our nation. Compliance with NIST, CMMC, ITAR, and NISPOM requirements depends on informed, vigilant individuals who understand their role in safeguarding sensitive information.
 
Every person in an organization plays a critical role in protecting the information entrusted to us. By staying alert, following established policies, remaining vigilant, and reporting concerns quickly, we each contribute to a stronger security posture and a safer information environment.
 
Together, we can strengthen our security posture and ensure that classified and controlled unclassified information remains protected—today and into the future.
 
Why Reporting is Critical & How to Report Concerns
Timely reporting is a critical component of information protection and is required under multiple security and regulatory frameworks, including NIST, CMMC, ITAR, and the NISPOM. Prompt reporting enables swift containment, reduces potential damage, and helps ensure regulatory compliance.
 
Immediately report to your FSO any actual or suspected incident involving Classified Information or Controlled Unclassified Information (CUI), including:
  • Suspected or confirmed data spills or unauthorized disclosures
  • Phishing emails, suspicious links, or social engineering attempts
  • Lost, stolen, or compromised devices (laptops, mobile devices, removable media)
  • Unauthorized access to systems, files, or facilities
  • Improper storage, transmission, or marking of sensitive information
  • Any situation where ITAR-controlled data may have been accessed by an unauthorized person
 
When in doubt, report the incident. Reporting a concern that turns out to be benign is always preferable to failing to report a real issue. Delays in reporting can significantly increase risk, impact investigations, and lead to compliance findings or penalties.
 
If you suspect an incident:
  • Stop and contain – Do not attempt to fix the issue yourself unless directed.
  • Report immediately to your Information Security, IT Security, or Facility Security Officer (FSO), following organizational procedures.
  • Preserve evidence – Do not delete emails, files, or logs related to the incident.
  • Cooperate fully with incident response and follow-up actions.
 
Reporting security concerns is not about blame; it is about protection. A strong security culture encourages early, honest reporting to safeguard information, support compliance obligations, and protect our mission.
 
Your awareness and prompt action play a vital role in keeping classified and controlled unclassified information secure.
 
Resources and Additional Learning
Information Protection Security Shorts
Suspicious Emails
Information Security Toolkit
Deliver Uncompromised Toolkit
Case Study Library
32 CFR Part 117 (NISPOM Rule)
32 CFR Part 147 (Adjudicative Guidelines)
 
As always, if you have any questions about whether or not a situation requires reporting, ask your FSO! Your company’s FSO is the best person to help you navigate any questions you have about security compliance, briefing, and reporting requirements. As security professionals, we are here to help you navigate things to ensure you fulfill all requirements.

© 2015-2026. All Rights Reserved.  |  FSO PROS® is a Registered Trademark of FSO Pros LLC  |  A Subsidiary of Dexterity Services Corp.   