Skarp
US Government Data Classifications for IT Service Providers
This course explains how the US government classifies information (from unclassified to Top Secret and CUI) and what that means in practice for IT service providers and contractors. You will learn the main classification schemes, key regulations, and how to align your services and controls with federal requirements.
Course Content
10 modules · 2h 20m total
Module 1: The US Federal Information Landscape
Introduce the main ways the US government categorizes and protects information, and where IT service providers fit into that ecosystem.
Module 2: National Security Classification Levels
Explain the traditional US classification system (Confidential, Secret, Top Secret) and why most IT service providers still need to understand it, even when handling only unclassified data.
Module 3: Controlled Unclassified Information (CUI) Basics
Introduce Controlled Unclassified Information (CUI), why it was created, and how it differs from both classified and general unclassified data.
Module 4: Impact Levels and Information Types (FIPS 199 & NIST SP 800‑60)
Connect data classification to impact levels and information types that drive technical and procedural safeguards for federal systems.
Module 5: NIST SP 800‑171 Rev. 3 – Core Requirements for CUI
Walk through the structure and intent of NIST SP 800‑171 Revision 3, the primary standard for protecting CUI in nonfederal systems used by IT service providers.
Module 6: Enhanced Protection – NIST SP 800‑172 and High‑Value CUI
Introduce the enhanced security requirements in NIST SP 800‑172 for critical programs and high‑value CUI assets, and when IT service providers may be expected to implement them.
Module 7: Contract Clauses – FAR, DFARS, and CUI Obligations
Translate data classification concepts into concrete contractual obligations for IT service providers under FAR, DFARS, and related rules.
Module 8: FedRAMP and Cloud Data Classifications
Explain how federal data classifications and impact levels map into FedRAMP requirements for cloud service providers and managed services built on cloud platforms.
Module 9: Practical Handling – Marking, Access, and Lifecycle of CUI
Provide a practical view of how CUI is marked, accessed, stored, transmitted, and disposed of in IT environments, and what controls IT service providers must support.
Module 10: Designing IT Services Around Federal Data Classifications
Bring all concepts together by showing how to design or adapt IT services, architectures, and processes to meet classification‑driven requirements, with a focus on CUI and moderate‑impact systems.
Read the Textbook
Read every chapter for free, right here in your browser.
In this module, you’ll map out the **US federal information landscape** and see where **IT service providers** (like cloud vendors, SaaS platforms, and integrators) fit.
**Key idea:** The US government separates information into two broad worlds:
1. **National security information** - Tied to defense, intelligence, and foreign relations. - Can be **classified** (Confidential, Secret, Top Secret) under **Executive Order (EO) 13526** and related directives.