{"id":1268,"date":"2023-08-04T13:45:54","date_gmt":"2023-08-04T13:45:54","guid":{"rendered":"https:\/\/www.jsums.edu\/jsu-cyber-awareness\/?page_id=1268"},"modified":"2025-09-23T16:34:54","modified_gmt":"2025-09-23T16:34:54","slug":"about-cui","status":"publish","type":"page","link":"https:\/\/www.jsums.edu\/jsu-cyber-security\/about-cui\/","title":{"rendered":"About CUI"},"content":{"rendered":"<p><strong>What is Unclassified Information?<\/strong><\/p>\n<p>Unclassified is a designation to mark information that does not have potential to damage national security (i.e., not been determined to be Confidential, Secret, or Top Secret). DoD Unclassified data:<\/p>\n<ul>\n<li>Must be cleared before being released to the public<\/li>\n<li>May require application of Controlled Unclassified Information (CUI) access and distribution controls<\/li>\n<li>Must be clearly marked as Unclassified or CUI if included in a classified document or classified storage area<\/li>\n<li>If aggregated, the classification of the information may be elevated to a higher level of sensitivity or even become classified<\/li>\n<li>If compromised, could affect the safety of government personnel, missions, and systems<\/li>\n<\/ul>\n<p><strong>What is CUI?<\/strong><\/p>\n<p>Controlled Unclassified Information (CUI) is Government information that must be handled using safeguarding or dissemination controls. It includes, but is not limited to, Controlled Technical Information (CTI), Personally Identifiable Information (PII), Protected Health Information (PHI), financial information, personal or payroll information, and operational information. It may contain information:<\/p>\n<ul>\n<li>Provided by a confidential source (person, commercial business, or foreign government) on condition it would not be released<\/li>\n<li>Related to contractor proprietary or source selection data<\/li>\n<li>That could compromise Government missions or interests<\/li>\n<\/ul>\n<p>CUI is NOT classified information and may only be marked as CUI if it belongs to a category established in the DoD CUI Registry.<\/p>\n<p><strong>PII\/PHI<\/strong><\/p>\n<p>Personally Identifiable Information (PII) is information that can be used to distinguish or trace an individual\u2019s identity, either alone or when combined with other information that is linked or linkable to a specific individual. PII includes, but is not limited to:<\/p>\n<ul>\n<li>Social Security Number<\/li>\n<li>Date and place of birth<\/li>\n<li>Mother\u2019s maiden name<\/li>\n<li>Biometric records<\/li>\n<li>Protected Health Information<\/li>\n<\/ul>\n<p><strong>Classified Data<\/strong><\/p>\n<p>Classified data are designated by the original classification authority as information that could reasonably be expected to cause a given level of damage to national security if disclosed:<\/p>\n<ul>\n<li>Confidential \u2013 damage to national security<\/li>\n<li>Secret \u2013 serious damage to national security<\/li>\n<li>Top Secret \u2013 exceptionally grave damage to national security<\/li>\n<\/ul>\n<p>Classified data:<\/p>\n<ul>\n<li>Must be handled and stored properly based on classification markings and handling caveats<\/li>\n<li>Can only be accessed by individuals with all of the following:<\/li>\n<\/ul>\n<p>o Appropriate clearance o Signed and approved non-disclosure agreement o Need-to-know<\/p>\n<p><strong>Protecting CUI<\/strong><\/p>\n<p>To protect CUI:<\/p>\n<ul>\n<li>Properly mark all CUI<\/li>\n<li>Store CUI data only on authorized information systems<\/li>\n<li>Don\u2019t transmit, store, or process CUI on non-approved systems<\/li>\n<li>Mark, handle, and store CUI properly o Reduce risk of access during working hours o Store after working hours:\n<ul>\n<li>Locked or unlocked containers, desks, cabinets, if security is present<\/li>\n<li>Locked containers, desks, cabinets if no security is present or is deemed inadequate<\/li>\n<\/ul>\n<\/li>\n<li>Follow policy in DoD Instruction 5200.48, \u201cControlled Unclassified Information (CUI)\u201d for retention or disposal<\/li>\n<li>Comply with the DoD Cyber Regulations outlined in the Defense Federal Acquisition Regulation<\/li>\n<\/ul>\n<p>Supplement (DFARS) for CUI and CTI handling requirements<\/p>\n<p><strong>Transmitting CUI<\/strong><\/p>\n<p>When transmitting CUI:<\/p>\n<ul>\n<li>Ensure all information receivers have required clearance and official need-to-know before transmitting CUI or using\/replying to e-mail distribution lists<\/li>\n<li>If faxing CUI:<\/li>\n<\/ul>\n<p>o Ensure recipient is at the receiving end o Use correct cover sheet o Contact the recipient to confirm receipt<\/p>\n<ul>\n<li>Use encryption when e-mailing Personally Identifiable Information (PII) or other types of CUI, as required by the DoD<\/li>\n<\/ul>\n<p><strong>Protecting PII\/PHI<\/strong><\/p>\n<p>To protect PII\/PHI:<\/p>\n<ul>\n<li>Avoid storing Controlled Unclassified Information (CUI) in shared folders or shared applications (e.g., SharePoint, Google Docs) unless access controls are established that allow only those personnel with an official need-to-know to access the information.<\/li>\n<li>Follow your organization\u2019s policies on the use of mobile computing devices and encryption<\/li>\n<li>Use only mobile devices approved by your organization<\/li>\n<li>Encrypt all CUI, including PII, on mobile devices and when e-mailed. The most commonly reported cause of PII breaches is failure to encrypt e-mail messages containing PII. The DoD requires use of two-factor authentication for access.<\/li>\n<li>Only use Government-furnished or Government-approved equipment to process CUI, including PII.<\/li>\n<li>Never allow sensitive data on non-Government-issued mobile devices.<\/li>\n<li>Never use personal e-mail accounts for transmitting PII. PII may only be e-mailed between Government e-mail accounts and must be encrypted and digitally signed when possible.<\/li>\n<\/ul>\n<p><strong>Protecting Classified Data<\/strong><\/p>\n<p>To protect classified data:<\/p>\n<ul>\n<li>Only use classified data in areas with security appropriate to classification level<\/li>\n<li>Store classified data appropriately in a GSA-approved vault\/container when not in use<\/li>\n<li>Don\u2019t assume open storage in a secure facility is authorized<\/li>\n<li>Weigh need-to-share against need-to-know<\/li>\n<li>Ensure proper labeling:<\/li>\n<li>Appropriately mark all classified material and, when required, sensitive material o Report inappropriately marked material<\/li>\n<li>Never transmit classified information using an unapproved method, such as via an unsecure fax machine or personal mobile device<\/li>\n<\/ul>\n<p><strong>Spillage<\/strong><\/p>\n<p>Spillage occurs when information is \u201cspilled\u201d from a higher classification or protection level to a lower classification or protection level. Spillage can be either inadvertent or intentional.<\/p>\n<p><strong>Preventing Inadvertent Spillage<\/strong><\/p>\n<p>To prevent inadvertent spillage:<\/p>\n<ul>\n<li>Always check to make sure you are using the correct network for the level of data<\/li>\n<li>Do NOT use a classified network for unclassified work. Processing unclassified information on a classified network:<\/li>\n<\/ul>\n<p>(FOIA) o Creates a danger of spillage when attempting to remove the information to an unclassified media or hard copy<\/p>\n<ul>\n<li>Be aware of classification markings and all handling caveats<\/li>\n<li>Follow procedures for transferring data to and from outside agency and non-Government networks, including referring vendors making solicitations to appropriate personnel<\/li>\n<li>Label all files, removable media, and subject headers with appropriate classification markings<\/li>\n<\/ul>\n<p>Never use or modify JSU CUI\/government equipment for an unauthorized purpose:<\/p>\n<ul>\n<li>Such use or modification could be illegal<\/li>\n<li>Misuse of equipment could have a significant mission impact<\/li>\n<li>Unauthorized connection to the Internet or other network could introduce malware or facilitate hacking of sensitive or even classified information<\/li>\n<li>Any unauthorized connection creates a high potential for spillage<\/li>\n<\/ul>\n<p><strong>Responding to Spillage<\/strong><\/p>\n<p>If spillage occurs:<\/p>\n<ul>\n<li>Immediately notify your security POC<\/li>\n<li>Do not delete the suspected files<\/li>\n<li>Do not forward, read further, or manipulate the file<\/li>\n<li>Secure the area<\/li>\n<\/ul>\n<p>If you find classified CUI data\/information not cleared for public release on the internet:<\/p>\n<ul>\n<li>Remember that leaked classified or controlled information is still classified\/controlled even if it has already been compromised<\/li>\n<li>Do not download leaked classified or controlled information because you are not allowed to have classified information on your computer and downloading it may create a new case of spillage<\/li>\n<li>Note any identifying information and the website\u2019s URL<\/li>\n<li>Report the situation to your security POC<\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>What is Unclassified Information? Unclassified is a designation to mark information that does not have potential to damage national security (i.e., not been determined to be Confidential, Secret, or Top Secret). DoD Unclassified data: Must be cleared before being released to the public May require application of Controlled Unclassified Information (CUI) access and distribution controls [&hellip;]<\/p>\n","protected":false},"author":131,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0},"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.jsums.edu\/jsu-cyber-security\/wp-json\/wp\/v2\/pages\/1268"}],"collection":[{"href":"https:\/\/www.jsums.edu\/jsu-cyber-security\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.jsums.edu\/jsu-cyber-security\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.jsums.edu\/jsu-cyber-security\/wp-json\/wp\/v2\/users\/131"}],"replies":[{"embeddable":true,"href":"https:\/\/www.jsums.edu\/jsu-cyber-security\/wp-json\/wp\/v2\/comments?post=1268"}],"version-history":[{"count":4,"href":"https:\/\/www.jsums.edu\/jsu-cyber-security\/wp-json\/wp\/v2\/pages\/1268\/revisions"}],"predecessor-version":[{"id":1465,"href":"https:\/\/www.jsums.edu\/jsu-cyber-security\/wp-json\/wp\/v2\/pages\/1268\/revisions\/1465"}],"wp:attachment":[{"href":"https:\/\/www.jsums.edu\/jsu-cyber-security\/wp-json\/wp\/v2\/media?parent=1268"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}