Identifying Controlled Unclassified Information (CUI)

September 22, 2019

If your organization works on a government contract, you must comply with the Defense Federal Acquisition Regulation Supplement (DFARS). When following the security controls within NIST’s SP 800-171, you must report your level of compliance to the government. This became a requirement at the end of the 2017 calendar year.

It may seem overwhelming but if you can identify Controlled Unclassified Information (CUI), it will help with mapping out how your organization will satisfy the identified security controls. You must first determine if your organization is even in scope. If the organization holds a federal contract, then you must comply with SP 800-171. You can review this website to help identify the type of data elements that are covered.

After the determination has been made the organization is required to comply, you will need to identify where the data lives and if it has been tagged and controlled. This step is critical and will help drive the roadmap to being successful with protecting the data that has been identified.

Once the data is located and tagged, you will need to evaluate whether the data is monitored, audited, alerts are setup to track the location and path of your data elements. You will then identify whether the appropriate controls are in place from the technical evaluation. Your organization will evaluate each control listed within the fourteen (14) families that have been identified as a requirement. This gap analysis will provide a delta of what controls are deficient and which ones are satisfied.

Following these first three steps will help with the initial evaluation and provide the initial information required to help your organization. Taking the time at the start of this project and making sure that the data is properly identified will help when implementing additional security controls. If your organization skips the crucial first steps, you may incorrectly identify controls as being deficient when they are actually implemented properly; then finding yourself with competing security controls.


Please reach out with any questions and let us help with your DFARS assessments! Remember, Slate is a Qualified Maryland Cyber Seller – providing tax credits to small businesses.