Unclassified vs Classified Data Types

Executive Orders (EO) 12356 and 13526 established the foundation for what "classified" data is. EO 13556 established the foundation for Controlled Unclassified Information (CUI).

unclassified vs classified - UUI vs CUI vs confidential vs secret vs top secret

Unclassified Data

There are two (2) types of Unclassified data from the US Government's perspective:

  1. Controlled Unclassified Information (CUI)
    • CUI Basic
    • CUI Specified
  2. Uncontrolled Unclassified Information (UUI)
    • General UUI (not publicly released or FCI)
    • Federal Contract Information (FCI)
    • Information that has been cleared for public release

Classified Data

There are three (3) types of Classified data from the US Government's perspective:

  1. Confidential;
  2. Secret; and
  3. Top Secret.

A common question is “What is Controlled Unclassified Information (CUI)?”

ANSWER: Controlled Unclassified Information (CUI) is difficult to provide a simple answer to. The authoritative source that defines CUI is the US National Archives with the CUI Registry. However, for most businesses that have to address NIST 800-171 and/or Cybersecurity Maturity Model Certification (CMMC), the focus is on a subset of CUI, Controlled Technical Information (CTI). "Technical Information" means technical data or computer software. Examples of technical information include:

Understanding Requirements For CUI

The best place to start is with understanding Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, since that establishes the definitions and need to protect CUI.

For Official Use Only (FOUO) & Sensitive But Unclassified (SBU)

There are two (2) legacy data types that are replaced by CUI:

  1. For Official Use Only (FOUO); and
  2. Sensitive But Unclassified (SBU).

Per US Government guidance, "legacy documents" do not need to be remarked until and unless the information is re-used, restated, or paraphrased. When new documents are derived from legacy documents, they must follow the new CUI marking standards.

Browse Our Products

  • Digital Security Program (DSP)

    Policy, Standards, Controls & Metrics Template - DSP / SCF

    Secure Controls Framework (SCF)

    Secure Controls Framework (SCF) "Premium Content" - Expertise-Class Policies, Control Objectives, Standards, Guidelines, Controls & Metrics. Product Walkthrough Video This short product walkthrough video is designed to give a brief overview about...

    $10,400.00 - $15,200.00
    Choose Options
  • NIST 800-171 Compliance Program (NCP). This is a bundle of products that are specific to NIST 800-171 and CMMC 2.0 compliance - policies, standards, procedures, SSP & POA&M templates. Editable CMMC 2.0 Level 2 (old Level 3) policies, standards, procedures, SSP & POA&M templates. CMMC policies & standards. NIST 800-171 policies & standards.

    NIST 800-171 Compliance Program (NCP): CMMC Level 2

    ComplianceForge - NIST 800-171 & CMMC

    NIST 800-171 R2 & R3 / CMMC 2.0 Editable & Affordable Cybersecurity Documentation This short product walkthrough video is designed to give a brief overview about what the NCP is to help answer common questions we receive. Includes...

    $5,300.00 - $10,100.00
    Choose Options

Learn More About Cybersecurity & Data Privacy

!