Skarp
US Government Data Classifications for IT Service Providers
Technology · Intermediate · 2h 20m · 10 modules

This course explains how the US government classifies information (from unclassified to Top Secret and CUI) and what that means in practice for IT service providers and contractors. You will learn the main classification schemes, key regulations, and how to align your services and controls with federal requirements.

1 learner · by Skarp_officialen

Course Content

10 modules · 2h 20m total

Module 1: The US Federal Information Landscape

Introduce the main ways the US government categorizes and protects information, and where IT service providers fit into that ecosystem.

15 min

Module 2: National Security Classification Levels

Explain the traditional US classification system (Confidential, Secret, Top Secret) and why most IT service providers still need to understand it, even when handling only unclassified data.

10 min

Module 3: Controlled Unclassified Information (CUI) Basics

Introduce Controlled Unclassified Information (CUI), why it was created, and how it differs from both classified and general unclassified data.

15 min

Module 4: Impact Levels and Information Types (FIPS 199 & NIST SP 800‑60)

Connect data classification to impact levels and information types that drive technical and procedural safeguards for federal systems.

15 min

Module 5: NIST SP 800‑171 Rev. 3 – Core Requirements for CUI

Walk through the structure and intent of NIST SP 800‑171 Revision 3, the primary standard for protecting CUI in nonfederal systems used by IT service providers.

15 min

Module 6: Enhanced Protection – NIST SP 800‑172 and High‑Value CUI

Introduce the enhanced security requirements in NIST SP 800‑172 for critical programs and high‑value CUI assets, and when IT service providers may be expected to implement them.

10 min

Module 7: Contract Clauses – FAR, DFARS, and CUI Obligations

Translate data classification concepts into concrete contractual obligations for IT service providers under FAR, DFARS, and related rules.

15 min

Module 8: FedRAMP and Cloud Data Classifications

Explain how federal data classifications and impact levels map into FedRAMP requirements for cloud service providers and managed services built on cloud platforms.

15 min

Module 9: Practical Handling – Marking, Access, and Lifecycle of CUI

Provide a practical view of how CUI is marked, accessed, stored, transmitted, and disposed of in IT environments, and what controls IT service providers must support.

15 min

Module 10: Designing IT Services Around Federal Data Classifications

Bring all concepts together by showing how to design or adapt IT services, architectures, and processes to meet classification‑driven requirements, with a focus on CUI and moderate‑impact systems.

15 min

Read the Textbook

In this module, you’ll map out the US federal information landscape and see where IT service providers (like cloud vendors, SaaS platforms, and integrators) fit.

Key idea: The US government separates information into two broad worlds:

- National security information: tied to defense, intelligence, and foreign relations. It can be classified (Confidential, Secret, Top Secret) under Executive Order (EO) 13526 and related directives.
- Non‑national security (civilian) information: used by most civilian agencies (e.g., HHS, DHS, IRS, EPA). Usually unclassified, but often still sensitive and protected (e.g., health data, tax records, PII).

Today’s focus is on how the federal government protects non‑national security information, especially under FISMA and NIST/FIPS standards, and what that means for contractors and cloud providers.

Study Flashcards

Key concepts from this course as flashcard pairs.

Module 1: The US Federal Information Landscape

FISMA (Federal Information Security Modernization Act)

US law (updated in 2014) that requires federal agencies to develop, document, and implement information security programs for systems they operate **and** systems operated on their behalf by contractors.

National security information

Information related to national defense or foreign relations that is classified under authority such as Executive Order 13526 (e.g., Confidential, Secret, Top Secret).

Unclassified but protected information

Information that is not classified but still sensitive and requires protection (e.g., PII, PHI, tax data, law enforcement data); often managed as **CUI** in modern policy.

CUI (Controlled Unclassified Information)

A category of unclassified information that requires safeguarding or dissemination controls under laws, regulations, and government‑wide policies, standardized by EO 13556 and 32 CFR Part 2002.

Nonfederal system

An information system that is not owned or operated by a federal agency but processes, stores, or transmits federal information or provides a service to a federal agency (e.g., contractor‑owned cloud systems).

FIPS 199

Federal standard that defines security categorization of federal information and information systems using impact levels (Low, Moderate, High) for confidentiality, integrity, and availability.

Module 2: National Security Classification Levels

Executive Order 13526

The current (as of 2025) US Executive Order governing classified national security information. It defines the three classification levels (Confidential, Secret, Top Secret) and rules for classification, safeguarding, and declassification.

Confidential

The lowest national security classification level under EO 13526. Unauthorized disclosure could reasonably be expected to cause damage to national security.

Secret

A national security classification level under EO 13526. Unauthorized disclosure could reasonably be expected to cause serious damage to national security.

Top Secret

The highest national security classification level under EO 13526. Unauthorized disclosure could reasonably be expected to cause exceptionally grave damage to national security.

Sensitive Compartmented Information (SCI)

Information concerning or derived from intelligence sources, methods, or analytical processes, handled within special compartments. It is a set of control measures applied on top of a classification level (often Top Secret), not a separate level itself.

Special Access Program (SAP)

A program established for a specific class of classified information that imposes safeguarding and access requirements exceeding those normally required for the classification level. Can exist at Confidential, Secret, or Top Secret.

Module 3: Controlled Unclassified Information (CUI) Basics

Controlled Unclassified Information (CUI)

Unclassified information that the federal government (or entities working for it) must handle using safeguarding or dissemination controls because specific laws, regulations, or government-wide policies require or permit such protection (32 CFR Part 2002).

CUI Registry

The official online catalog maintained by NARA/ISOO that lists CUI categories, their markings, descriptions, and the laws, regulations, or policies that authorize their protection.

CUI Basic vs CUI Specified

CUI Basic is subject only to the general CUI requirements. CUI Specified has additional, more detailed or stringent requirements defined by the underlying law, regulation, or government-wide policy.

FIPS 199 Moderate (for CUI confidentiality)

The minimum confidentiality impact level assumed for CUI. A compromise of CUI is treated as having at least a moderate adverse effect, driving moderate-level security controls.

Non-CUI Unclassified Information

Unclassified information that is not subject to CUI safeguarding or dissemination controls because no specific law, regulation, or government-wide policy requires such protection.

Relationship between CUI and Classified Information

CUI is unclassified and does not meet the national security damage test for classification, but still requires protection. Classified information is protected under national security classification rules (e.g., Confidential, Secret, Top Secret).

Module 4: Impact Levels and Information Types (FIPS 199 & NIST SP 800‑60)

FIPS 199

A federal standard that defines how to categorize information and information systems by assigning Low, Moderate, or High impact levels to confidentiality, integrity, and availability.

NIST SP 800‑60

NIST guidance that lists federal information types and provides typical Low/Moderate/High impact level mappings for confidentiality, integrity, and availability.

Confidentiality (FIPS 199)

The security objective that protects information from unauthorized disclosure. Loss of confidentiality means someone sees data they should not.

Integrity (FIPS 199)

The security objective that protects information from unauthorized or improper modification or destruction. Loss of integrity means data is corrupted, altered, or unreliable.

Availability (FIPS 199)

The security objective that ensures timely and reliable access to information and systems. Loss of availability means systems or data are not accessible when needed.

Low Impact

A loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, assets, individuals, or the nation.

Module 5: NIST SP 800‑171 Rev. 3 – Core Requirements for CUI

NIST SP 800‑171 Rev. 3

The 2024 revision of NIST’s standard for protecting Controlled Unclassified Information (CUI) in **nonfederal systems and organizations**, widely used in contracts with IT and cloud providers.

Security Requirement Family

A group of related security requirements in SP 800‑171 (e.g., Access Control, Incident Response, Supply Chain Risk Management) that together support a particular security outcome.

Organization‑Defined Parameter (ODP)

A value that each organization must define for itself (e.g., time limits, frequencies, roles) within an SP 800‑171 requirement, based on its own risk and environment.

Tailoring

The process of adapting SP 800‑171 requirements to a specific system or environment, including setting ODPs, choosing implementation approaches, and justifying any not‑applicable requirements.

Supply Chain Risk Management (SR)

An SP 800‑171 Rev. 3 requirement family focused on identifying, assessing, and managing security risks introduced by suppliers, cloud providers, and other third parties that may affect CUI.

Module 6: Enhanced Protection – NIST SP 800‑172 and High‑Value CUI

NIST SP 800‑172

A NIST publication that provides **enhanced security requirements** for protecting CUI in nonfederal systems when facing **advanced persistent threats**, especially for **critical programs and high‑value assets**. It **supplements** SP 800‑171, not replaces it.

Advanced Persistent Threat (APT)

A **sophisticated, well‑resourced, and targeted** adversary that maintains long‑term access to systems, often using custom tools and multi‑stage attacks to compromise high‑value targets.

High‑Value Asset (HVA)

An information system or data set that is **critical to an agency’s mission or national interests**, where compromise would have **serious or catastrophic impact**. High‑value CUI in HVAs often triggers SP 800‑172 requirements.

Relationship: SP 800‑171 vs SP 800‑172

SP 800‑171 Rev. 3 defines the **baseline** for protecting CUI. SP 800‑172 adds **enhanced, APT‑focused controls** on top of that baseline for **selected high‑risk environments**.

Service Design for 800‑172

Designing IT services with capabilities like **segmented CUI enclaves**, **strong identity and access control**, **advanced monitoring and analytics**, and **mature incident response**, so they can meet enhanced CUI protection requirements when invoked.

Module 7: Contract Clauses – FAR, DFARS, and CUI Obligations

Federal Contract Information (FCI)

Information provided by or generated for the government under a contract that is not intended for public release. Typically triggers FAR 52.204‑21 basic safeguarding requirements.

Controlled Unclassified Information (CUI)

Unclassified information that requires safeguarding or dissemination controls under federal law, regulation, or government‑wide policy. Often protected under NIST SP 800‑171 via DFARS or FAR CUI clauses.

Covered Defense Information (CDI)

DoD term for certain CUI provided by DoD to the contractor or developed in performance of the contract that requires safeguarding. Central to DFARS 252.204‑7012.

FAR 52.204‑21

The Basic Safeguarding of Covered Contractor Information Systems clause. Imposes 15 baseline security requirements for systems that process, store, or transmit FCI.

DFARS 252.204‑7012

Safeguarding Covered Defense Information and Cyber Incident Reporting. Requires implementation of NIST SP 800‑171 for CDI and sets 72‑hour incident reporting and 90‑day log preservation requirements.

FAR CUI Clause (emerging)

A government‑wide FAR clause (under rulemaking as of late 2025) intended to require NIST SP 800‑171 Rev. 3 and standardized incident reporting for CUI across civilian agencies.

Module 8: FedRAMP and Cloud Data Classifications

FedRAMP

The Federal Risk and Authorization Management Program – a government-wide program that standardizes security assessment, authorization, and continuous monitoring for cloud services used by U.S. federal agencies.

FIPS 199 Impact Levels

A standard for categorizing information systems as Low, Moderate, or High impact based on potential harm to confidentiality, integrity, and availability.

FedRAMP Low / Moderate / High Baselines

Standard sets of NIST SP 800‑53 controls tailored for cloud systems with Low, Moderate, or High FIPS 199 impact levels.

CUI (Controlled Unclassified Information)

Information that requires safeguarding or dissemination controls under laws, regulations, or government-wide policies, but is not classified under Executive Order 13526 or the Atomic Energy Act.

Shared Responsibility Model

The division of security responsibilities between the cloud service provider (infrastructure, core services) and the customer/integrator (configurations, data handling, application security).

3PAO (Third Party Assessment Organization)

An independent organization accredited to perform security assessments of cloud services for FedRAMP.

Module 9: Practical Handling – Marking, Access, and Lifecycle of CUI

CUI Basic vs. CUI Specified

CUI Basic: Controlled by the general CUI rule and agency policies without additional specific requirements. CUI Specified: Has additional handling or dissemination requirements defined by a law, regulation, or government‑wide policy; often reflected in labels like CUI//SP-CTI or CUI//SP-EXPT.

Why markings matter for IT configuration

CUI markings (e.g., CUI, CUI//SP-CTI) drive technical controls such as access permissions, DLP rules, encryption requirements, and logging sensitivity. They tell systems *how* to protect the data.

Least privilege

A principle where users and processes are given only the minimum access necessary to perform their duties. For CUI, this means tightly scoped roles/groups and prompt removal of unused access.

Encryption at rest and in transit

At rest: Protects stored CUI on disks, databases, and backups (often using FIPS-validated crypto). In transit: Protects CUI moving across networks using protocols like TLS 1.2+ or VPNs.

CUI in backups and logs

CUI does not stop being CUI when copied to backups or logs. These must be encrypted, access‑controlled, and included in retention and disposal plans.

Media sanitization (NIST SP 800-88)

The process of rendering data on media irretrievable using methods like Clear (overwrite), Purge (e.g., cryptographic erase), or Destroy (physical destruction). Required when disposing of or repurposing media holding CUI.

Module 10: Designing IT Services Around Federal Data Classifications

System Boundary

The set of system components (hardware, software, networks, people, locations) that are in scope for security controls and assessment for a particular system.

CUI (Controlled Unclassified Information)

Information that requires safeguarding or dissemination controls under U.S. law, regulation, or government‑wide policy, but is not classified under Executive Order 13526 or the Atomic Energy Act.

System Security Plan (SSP)

A comprehensive document that describes the system, its environment, and how each required security control is implemented, monitored, and maintained.

POA&M (Plan of Action and Milestones)

A formal document listing identified security weaknesses, planned remediation actions, milestones, due dates, and status tracking.

FedRAMP Moderate Baseline

A standardized set of security controls, based on NIST SP 800‑53 Rev. 5, required for cloud services used by federal agencies to process moderate‑impact data.

NIST SP 800-171 Rev. 3

NIST guidance specifying security requirements for protecting CUI in nonfederal systems and organizations, often applied to contractors.
