Safeguarding Our Information: Protecting Classified and Controlled Unclassified Information (CUI)
In today’s digital environment, information is one of our most valuable assets. It is also the most targeted. Protecting classified information and controlled unclassified information (CUI) is not just an IT responsibility; it is a shared obligation that applies to every employee, contractor, and partner within your organization.
Understanding What We Protect
Classified Information includes data formally designated as Confidential, Secret, or Top Secret and requires the highest levels of protection due to national security implications.
Controlled Unclassified Information (CUI) is sensitive information that is not classified but must be safeguarded under applicable laws, regulations, and government-wide policies. This includes personally identifiable information (PII), export-controlled data, proprietary information, certain technical or research data, and more.
Correctly identifying and marking information is the first step in ensuring it is protected appropriately.
Why Protection Matters
Threat actors are constantly seeking to exploit weak points—whether through phishing emails, unsecured devices, or improper data handling. A single lapse can result in:
- Legal and regulatory consequences
- Loss of trust with partners and stakeholders
- Operational disruptions
- Damage to national security or organizational mission
Regulatory Frameworks That Guide Our Security Practices
- 32 CFR Part 117 (NISPOM): Establishes requirements for safeguarding classified information within cleared contractor facilities, including personnel security, physical security, and information systems security.
- NIST: NIST Special Publication 800-171 defines the security requirements for protecting CUI in non-federal systems and organizations.
- CMMC: Cybersecurity Maturity Model Certification builds upon NIST 800-171 and is required for many Department of Defense contracts.
- EAR (Export Administration Regulations): Controls the access, transfer, and dissemination of certain commercial and dual-use technologies, software, and technical data.
- ITAR (International Traffic in Arms Regulations): Governs the handling of defense-related technical data and restricts access to authorized U.S. persons.
Everyday Actions That Make a Difference
- Think before you click: Phishing remains one of the most common attack methods. Be cautious of unexpected emails, links, or attachments.
- Use approved systems: Store, transmit, and process classified information and CUI only on authorized networks and devices.
- Limit and control access: Share information strictly on a need-to-know basis.
- Secure physical and digital workspaces: Lock screens when away, safeguard physical documents, and properly dispose of sensitive materials.
- Report incidents promptly: If you suspect a data spill, phishing attempt, or security incident, report it to your Facility Security Officer (FSO) immediately.
Why Reporting is Critical & How to Report Concerns
Immediately report to your FSO any actual or suspected incident involving Classified Information or Controlled Unclassified Information (CUI), including:
- Suspected or confirmed data spills or unauthorized disclosures
- Phishing emails, suspicious links, or social engineering attempts
- Lost, stolen, or compromised devices (laptops, mobile devices, removable media)
- Unauthorized access to systems, files, or facilities
- Improper storage, transmission, or marking of sensitive information
- Any situation where ITAR-controlled data may have been accessed by an unauthorized person
When in doubt, report the incident. Reporting a concern that turns out to be benign is always preferable to failing to report a real issue.
Resources and Additional Learning
- Information Protection Security Shorts
- Suspicious Emails
- Information Security Toolkit
- 32 CFR Part 117 (NISPOM Rule)
As always, if you have any questions about whether or not a situation requires reporting, ask your FSO!