What CUI will need protection above ML3?


This is an open issue with the DoD. They are currently refining the CMMC Model and CMMC Assessment Guides for Maturity Levels 4 and 5. We expect to see additional guidance on the types of CUI that will need to be handled by systems certified above Maturity Level 3 when those are released. In the interim, we reviewed the DoD CUI Registry, and the number before each category in the list below is our guess as to the CMMC Maturity Level that will be required to handle that category of CUI. Do you agree? Disagree? Weigh in over in our Communities.

Critical Infrastructure:
4 Ammonium Nitrate
5 Chemical-terrorism Vulnerability Information
5 Critical Energy Infrastructure Information
4 Emergency Management
3 General Critical Infrastructure Information
3 Information Systems Vulnerability Information
4 Physical Security (PHYSEC)
5 Protected Critical Infrastructure Information
3 SAFETY Act Information
4 Toxic Substances
4 Water Assessments

4 Controlled Technical Information (CTI)
5 DoD Critical Infrastructure Security Information
5 Naval Nuclear Propulsion Information
5 Unclassified Controlled Nuclear Information – Defense (USNI)

Export Control:
3 Export Controlled
3 Export Controlled Research

3 Bank Secrecy
3 Budget
3 Comptroller General
3 Electronic Funds Transfer (EFT)
3 Financial Supervision Information
3 General Financial Information
4 International Financial Institutions
4 Mergers
4 Net Worth
3 Retirement

5 Foreign Intelligence Surveillance Act (FISA)
5 Foreign Intelligence Surveillance Act Business Records
4 General Intelligence
4 Geodetic Product Information
5 Intelligence Financial Records
4 Internal Data
5 Operations Security (OPSEC)

International Agreements:
4 International Agreement Information

Law Enforcement:
3 Accident Investigation
3 Campaign Funds
3 Committed Person
4 Communications
3 Controlled Substances
3 Criminal History Records Information
3 General Law Enforcement
5 Informant
5 Investigation
5 Juvenile
3 Law Enforcement Financial Records
5 National Security Letter
4 Pen Register/Trap & Trace
3 Reward
4 Sex Crime Victim
5 Terrorist Screening
4 Whistleblower Identity

3 Administrative Proceedings
4 Child Pornography
4 Child Victim/Witness
3 Collective Bargaining
3 Federal Grand Jury
4 Legal Privilege
3 Legislative Materials
3 Presentence Report
3 Prior Arrest
4 Protective Order
4 Victim
5 Witness Protection

Natural and Cultural Resources:
3 Archaeological Resources
3 Historic Properties

North Atlantic Treaty Organization:
5 NATO Restricted
4 NATO Unclassified

4 General Nuclear
5 Nuclear Recommendation Material
5 Nuclear Security-Related Information
5 Safeguards Information
5 Unclassified Controlled Nuclear Information – Energy (UCNI)

3 Patent Applications
3 Inventions
5 Secrecy Orders

3 Contract Use
3 Death Records
3 General Privacy
4 Genetic Information
4 Health Information
4 Inspector General Protected
4 Military Personnel Records
3 Personnel Records
3 Student Records

Procurement and Acquisition:
3 General Procurement and Acquisition
3 Small Business Research and Technology
3 Source Selection

Proprietary Business Information:
3 Entity Registration Information
3 General Proprietary Business Information
3 Ocean Common Carrier and Marine Terminal Operator Agreements
3 Ocean Common Carrier Service Contracts
3 Proprietary Manufacturer
3 Proprietary Postal

4 Operations Security Information (OPSEC)
4 Personnel Security Info (PERSEC)
4 Privacy Information <– Not sure why this is here when there is a privacy category
4 Sensitive Personally Identifiable Information (PII)

Statistical Tax:
3 Statistical Information
4 Federal Taxpayer Information
3 Tax Convention
3 Written Determinations

4 Railroad Safety Analysis Records
4 Sensitive Security Information
