Social Security Numbers are CUI when your organization receives or possesses for or on behalf of the government. Let’s look at a basic example. Most organizations collect the social security numbers of their employees. Those social security numbers are collected for business operational reasons, and are not received or possessed for or on behalf of the government. Therefore, they are not CUI. By contrast, if your organization receives from the government social security numbers as part of a data set, then the social security numbers are CUI. Similarly, if your organization is hired by the government to collect information from individuals where that information includes social security numbers, then those social security numbers would be CUI. This is true even if some of the information you collect is from your own employees. So, even though you are analyzing the same information (i.e., the employees’ social security numbers), the reason why you have the information (i.e., internal business purposes vs. the fulfillment of a government contract) will influence whether the information is considered CUI.

Our FCI/CUI decision tree can help you understand when information is likely to be FCI or CUI, and the recording of our CUI Informed Event “Demystifying Controlled Unclassified Information” can also be helpful.