What CUI will need protection above ML3?
This is an open issue with the DoD. They are currently refining the CMMC Model and CMMC Assessment Guides for Maturity Levels 4 and 5. We expect to see additional guidance on the types of CUI that will need to be handled by systems certified above Maturity Level 3 when those are released. In the interim, we reviewed the DoD CUI Registry, and the list below includes our guess (the number before each category) as to what the required CMMC certification will be to handle that particular category of CUI. Do you agree? Disagree? Weigh in over in our Communities.
Critical Infrastructure:
4 Ammonium Nitrate
5 Chemical-terrorism Vulnerability Information
5 Critical Energy Infrastructure Information
4 Emergency Management
3 General Critical Infrastructure Information
3 Information Systems Vulnerability Information
4 Physical Security (PHYSEC)
5 Protected Critical Infrastructure Information
3 SAFETY Act Information
4 Toxic Substances
4 Water Assessments
Defense:
4 Controlled Technical Information (CTI)
5 DoD Critical Infrastructure Security Information
5 Naval Nuclear Propulsion Information
5 Unclassified Controlled Nuclear Information – Defense (USNI)
Export Control:
3 Export Controlled
3 Export Controlled Research
Financial:
3 Bank Secrecy
3 Budget
3 Comptroller General
3 Electronic Funds Transfer (EFT)
3 Financial Supervision Information
3 General Financial Information
4 International Financial Institutions
4 Mergers
4 Net Worth
3 Retirement
Intelligence:
5 Foreign Intelligence Surveillance Act (FISA)
5 Foreign Intelligence Surveillance Act Business Records
4 General Intelligence
4 Geodetic Product Information
5 Intelligence Financial Records
4 Internal Data
5 Operations Security (OPSEC)
International Agreements:
4 International Agreement Information
Law Enforcement:
3 Accident Investigation
3 Campaign Funds
3 Committed Person
4 Communications
3 Controlled Substances
3 Criminal History Records Information
5 DNA
3 General Law Enforcement
5 Informant
5 Investigation
5 Juvenile
3 Law Enforcement Financial Records
5 National Security Letter
4 Pen Register/Trap & Trace
3 Reward
4 Sex Crime Victim
5 Terrorist Screening
4 Whistleblower Identity
Legal:
3 Administrative Proceedings
4 Child Pornography
4 Child Victim/Witness
3 Collective Bargaining
3 Federal Grand Jury
4 Legal Privilege
3 Legislative Materials
3 Presentence Report
3 Prior Arrest
4 Protective Order
4 Victim
5 Witness Protection
Natural and Cultural Resources:
3 Archaeological Resources
3 Historic Properties
North Atlantic Treaty Organization:
5 NATO Restricted
4 NATO Unclassified
Nuclear:
4 General Nuclear
5 Nuclear Recommendation Material
5 Nuclear Security-Related Information
5 Safeguards Information
5 Unclassified Controlled Nuclear Information – Energy (UCNI)
Patents:
3 Patent Applications
3 Inventions
5 Secrecy Orders
Privacy:
3 Contract Use
3 Death Records
3 General Privacy
4 Genetic Information
4 Health Information
4 Inspector General Protected
4 Military Personnel Records
3 Personnel Records
3 Student Records
Procurement and Acquisition:
3 General Procurement and Acquisition
3 Small Business Research and Technology
3 Source Selection
Proprietary Business Information:
3 Entity Registration Information
3 General Proprietary Business Information
3 Ocean Common Carrier and Marine Terminal Operator Agreements
3 Ocean Common Carrier Service Contracts
3 Proprietary Manufacturer
3 Proprietary Postal
Provisional:
4 Operations Security Information (OPSEC)
4 Personnel Security Info (PERSEC)
4 Privacy Information <– Not sure why this is here when there is a privacy category
4 Sensitive Personally Identifiable Information (PII)
Statistical Tax:
3 Statistical Information
4 Federal Taxpayer Information
3 Tax Convention
3 Written Determinations
Transportation:
4 Railroad Safety Analysis Records
4 Sensitive Security Information