January 23, 2023

Last Updated on January 12, 2024

Controlled Unclassified Information (CUI) is a major source of confusion for orgs in the US defense industrial base (DIB). Many are not even aware of the critical difference between CUI Basic and CUI Specified, and how this relates to data protection requirements and noncompliance penalties.

To answer top questions on CUI from around the DIB, Stephanie Siegmann, Partner and Chair, International Trade and Global Security Group and Cybersecurity, Data Protection, and Privacy Group at Hinckley Allen, joined a recent episode of The Virtual CISO Podcast. John Verry, Pivot Point Security CISO and Managing Partner, hosts the show.

All CUI is not created equal
Stephanie observes that DoD contract officers often tell SMBs to “just treat everything as CUI.”

“Well, that’s not really easy, and that’s a disservice to everyone,” Stephanie states. “Everything needs to be marked and stored appropriately.”

CUI Basic is CUI whose governing law, regulation, or government-wide policy does not spell out specific handling or dissemination controls, so the baseline controls in 32 CFR Part 2002 (and, for DoD contractors, NIST SP 800-171) apply. CUI Specified is CUI whose governing authority does prescribe specific controls, so it is subject to a higher level of control. A breach or other incident involving CUI Specified can also result in much tougher sanctions than for “vanilla” CUI Basic, because the underlying law carries its own penalties on top of any contractual ones.

“If you can get a contracting officer to drill down with you as to what specific information is controlled, certainly if you’re working on a military contract and it relates to technical specifications, and it’s going into a submarine, for instance, then it’s likely going to fall under the International Traffic in Arms Regulations (ITAR),” explains Stephanie. “That would be CUI Specified, because a law actually requires that information to be controlled.”

CUI that is also subject to ITAR falls under the CUI Registry’s Export Controlled category and should carry the banner marking “CUI//SP-EXPT,” where “SP” denotes CUI Specified and “EXPT” is the category marking for export-controlled information.


“And why that’s important is that if information is subject to export controls, the penalties for mishandling it are far worse than if you just violate contractual provisions [around CUI],” Stephanie cautions. “For instance, with ITAR data, that’s controlled on the US Munitions List. If you were to disclose that information somehow to a foreign person, or they were able to access that information on your network, if you didn’t have an export license that would constitute an export violation—which is a 20-year felony.”


Other CUI Specified categories
Besides ITAR, other export-control markings that DIB orgs will encounter on CUI include:

  • Not Releasable to Foreign Nationals (NOFORN). A limited dissemination control marking (not a CUI category in its own right) indicating that the information may not be released in any form to foreign governments, foreign nationals, foreign organizations, or non-US citizens. It is commonly applied to export-controlled CUI, since ITAR imposes essentially the same restriction on release to foreign persons.
  • Export Administration Regulations (EAR). Another type of export-controlled information, which generally would also be CUI. But instead of relating to the US Munitions List, items subject to the EAR are classified on the Commerce Control List (or designated EAR99 if not specifically listed there), administered by the Bureau of Industry and Security within the US Department of Commerce.

Why are these markings a big deal? Items on the Commerce Control List are generally less tightly controlled than those on the US Munitions List, so the practical exposure from mishandling EAR data is typically lower than for ITAR data or data marked NOFORN, though willful EAR violations are still criminal offenses. Which regime applies is therefore the first thing to pin down.

Stephanie clarifies: “This is why I think you really need to drill down when you’re talking to your prime contractor, if you’re a sub working on a contract for a prime, or if you are contracting [directly] with the DoD to understand, this is export controlled, but where is it controlled?”


What constitutes export?

Stephanie points out that “export” of data can occur without anything leaving the US:

“An export is not just a physical transmission from someone inside the United States to outside the United States, but also exports can occur within the United States. And that can happen as easily as a foreign person walking through your plant or your warehouse or your office, and they see a document that has defense technical data that’s controlled on the US Munitions List. Once they see the defense technical data an unlawful export has occurred. And it could mean your company is faced with criminal prosecution.”


What’s next?

To listen to this podcast episode with Stephanie Siegmann, click here.

If you think you might be handling ITAR data it’s vital you know for sure what and where that is. As this blog post explains: DIB Orgs—ITAR Can Impact Your Whole Compliance Picture
