What level of system is required for CUI?

The level of system required for Controlled Unclassified Information (CUI) protection is generally a moderate level of system and network configuration. This is based on guidance from the Department of Defense (DoD) and NIST standards:

  • CUI must be safeguarded at no less than the Moderate Confidentiality Impact level, according to the CUI Program, which aligns with NIST Special Publication 800-53 standards for federal information systems.
  • The National Institute of Standards and Technology (NIST) Special Publication 800-171 outlines 110 security requirements that organizations handling CUI must implement, covering areas such as access control, incident response, system and communications protection, and more. Organizations with moderate exposure to CUI must implement all these requirements and undergo third-party assessments every three years.
  • Defense Industrial Base (DIB) contractors handling CUI must be CMMC Certified Level 3 by a Certified Third Party Assessment Organization (C3PAO), reflecting the moderate confidentiality classification of CUI and compliance with DoD instructions like DoDI 8500.01 and 8510.01.
  • The Federal Information Systems Modernization Act (FISMA) also requires that CUI Basic be protected at the FISMA Moderate level.

In summary, systems handling CUI require a moderate level of security controls and configuration, including comprehensive access controls, audit capabilities, incident response, and system integrity measures, consistent with NIST SP 800-171 and related DoD and federal mandates.