Data Classification Matrix
The information on this page is especially important for US-based businesses. The US Government has a "classification spectrum" that has very specific meanings and handling requirements. This is why word choice for internal data categorization / classification terminology matters: it avoids misunderstandings. For example, while the term "trade secrets" is commonly used to refer to Intellectual Property (IP), it is more advisable to label that data RESTRICTED or SENSITIVE rather than SECRET or CONFIDENTIAL, due to the legal implications associated with classified data and the possible misunderstandings with partners/vendors from conflating the terminology.
Classified vs Unclassified Data Types
Per the US Government, there are UNCLASSIFIED and CLASSIFIED data types. Specifically, Executive Order (EO) 12356 establishes the foundation for what "classified" data is, while EO 13556 establishes the foundation for Controlled Unclassified Information (CUI).
Defining "Unclassified" Data
There are two (2) types of Unclassified data from the US Government's perspective:
- Controlled Unclassified Information (CUI)
  - CUI Basic
  - CUI Specified
- Uncontrolled Unclassified Information (UUI)
  - General UUI (not publicly released or FCI)
  - Federal Contract Information (FCI)
  - Information that has been cleared for public release
Defining "Classified" Data
There are three (3) types of Classified data from the US Government's perspective:
- Confidential;
- Secret; and
- Top Secret.
Defining Controlled Unclassified Information (CUI)
The authoritative source that defines CUI is the US National Archives, through the CUI Registry. Many businesses that have to address NIST SP 800-171 and/or Cybersecurity Maturity Model Certification (CMMC) focus on a subset of CUI called Controlled Technical Information (CTI). "Technical Information" means technical data or computer software. Examples of technical information include:
- Research and engineering data
- Engineering drawings
- Associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and
- Computer software executable code and source code.
The concept behind CUI is that it is meant to foster consistency and accountability across the federal ecosystem.