The DOD CUI Registry includes 105 categories of CUI. Which ones do you think are likely to need to be handled in environments certified above Maturity Level 3? I recognize that DoD has the final say on what maturity level will be required, but I think it will be interesting to compare industry consensus against their list, and hopefully this will help some companies as they begin their CMMC assessment preparation efforts.

I put my guesstimate as to the maturity level next to each CUI category. What changes would you make?

Critical Infrastructure:
4 Ammonium Nitrate
5 Chemical-terrorism Vulnerability Information
5 Critical Energy Infrastructure Information
4 Emergency Management
3 General Critical Infrastructure Information
3 Information Systems Vulnerability Information
4 Physical Security (PHYSEC)
5 Protected Critical Infrastructure Information
3 SAFETY Act Information
4 Toxic Substances
4 Water Assessments

Defense:
4 Controlled Technical Information (CTI)
5 DoD Critical Infrastructure Security Information
5 Naval Nuclear Propulsion Information
5 Unclassified Controlled Nuclear Information – Defense (USNI)

Export Control:
3 Export Controlled
3 Export Controlled Research

Financial:
3 Bank Secrecy
3 Budget
3 Comptroller General
3 Electronic Funds Transfer (EFT)
3 Financial Supervision Information
3 General Financial Information
4 International Financial Institutions
4 Mergers
4 Net Worth
3 Retirement

Intelligence:
5 Foreign Intelligence Surveillance Act (FISA)
5 Foreign Intelligence Surveillance Act Business Records
4 General Intelligence
4 Geodetic Product Information
5 Intelligence Financial Records
4 Internal Data
5 Operations Security (OPSEC)

International Agreements:
4 International Agreement Information

Law Enforcement:
3 Accident Investigation
3 Campaign Funds
3 Committed Person
4 Communications
3 Controlled Substances
3 Criminal History Records Information
5 DNA
3 General Law Enforcement
5 Informant
5 Investigation
5 Juvenile
3 Law Enforcement Financial Records
5 National Security Letter
4 Pen Register/Trap & Trace
3 Reward
4 Sex Crime Victim
5 Terrorist Screening
4 Whistleblower Identity

Legal:
3 Administrative Proceedings
4 Child Pornography
4 Child Victim/Witness
3 Collective Bargaining
3 Federal Grand Jury
4 Legal Privilege
3 Legislative Materials
3 Presentence Report
3 Prior Arrest
4 Protective Order
4 Victim
5 Witness Protection

Natural and Cultural Resources:
3 Archaeological Resources
3 Historic Properties

North Atlantic Treaty Organization:
5 NATO Restricted
4 NATO Unclassified

Nuclear:
4 General Nuclear
5 Nuclear Recommendation Material
5 Nuclear Security-Related Information
5 Safeguards Information
5 Unclassified Controlled Nuclear Information – Energy (UCNI)

Patents:
3 Patent Applications
3 Inventions
5 Secrecy Orders

Privacy:
3 Contract Use
3 Death Records
3 General Privacy
4 Genetic Information
4 Health Information
4 Inspector General Protected
4 Military Personnel Records
3 Personnel Records
3 Student Records

Procurement and Acquisition:
3 General Procurement and Acquisition
3 Small Business Research and Technology
3 Source Selection

Proprietary Business Information:
3 Entity Registration Information
3 General Proprietary Business Information
3 Ocean Common Carrier and Marine Terminal Operator Agreements
3 Ocean Common Carrier Service Contracts
3 Proprietary Manufacturer
3 Proprietary Postal

Provisional:
4 Operations Security Information (OPSEC)
4 Personnel Security Info (PERSEC)
4 Privacy Information <– Not sure why this is here when there is a privacy category
4 Sensitive Personally Identifiable Information (PII)

Statistical Tax:
3 Statistical Information
4 Federal Taxpayer Information
3 Tax Convention
3 Written Determinations

Transportation:
4 Railroad Safety Analysis Records
4 Sensitive Security Information