Draft

04 March 2023

Editors:

  • Chris Lenk

Additional artifacts:

  • Marking Controlled Unclassified Information Version 1.1

This prose specification is one component of a Work Product that also includes:
  • STIX™ Version 2.1 – OASIS specification

Related work:

This specification replaces or supersedes:
  • N/A

Abstract:

The Controlled Unclassified Information (CUI) Program standardizes the way the Executive branch of the U.S. Government handles information that doesn’t meet the criteria for classification but must be protected based on law, regulation, or Government-wide policy. This document defines the approach to express CUI using Structured Threat Information Expression (STIX™) language via the use of a marking definition object.

1. Data Markings in STIX

Data markings represent restrictions, permissions, and other guidance for how data can be used and shared. In STIX, data markings are specified using the marking-definition object. For general information on data markings in STIX, see section 7.2 of STIX™ Version 2.1 - OASIS specification.

2. The Controlled Unclassified Information (CUI) Marking Object Type

The Controlled Unclassified Information (CUI) marking definition type defines the STIX object types required to share CUI marked data. CUI was established to standardize the way the Executive branch of the U.S. Government handles information that doesn’t meet the criteria for classification but must be protected based on law, regulation, or Government-wide policy.

Because CUI data markings are not part of the STIX 2.1 specification, they must be specified using the Extension Definition object as described in section 7.3 of the specification.

The table below describes the properties of a STIX 2.1 CUI marking definition extension. The extension can be used on the marking-definition object type described in section 7.2 of the STIX 2.1 specification. As this is not a top-level object, fields such as identifier are not present.

| Property Name | Type | Description |
|---|---|---|
| extension_type (required) | string | The extension_type property indicates the type of extension that is being used. The value of this property MUST be property-extension. |
| control (required) | string | The CUI Control Marking. The value of this property MUST be one of the following: CONTROLLED, CUI |
| designator_ref (required) | identifier of identity | A reference to the identity object representing the designator’s agency. The identity object SHOULD also include contact information[1]. |
| categories (optional) | list of string | The CUI Category or Subcategory Markings. If a CUI Specified Category or Subcategory is used, it MUST include the “SP-” prefix. Each of the values of this property MUST be one of the Category or Specified Category Markings listed in the National Archives CUI Markings Registry[2]. Subcategory Markings MUST immediately follow the Category Marking they belong to. Categories MUST be ordered alphabetically within CUI type (Specified or Basic). Alphabetized Specified CUI categories and subcategories MUST precede alphabetized Basic CUI categories and subcategories. |
| disseminations (optional) | list of string | The CUI Limited Dissemination Control Markings. Each of the values of this property MUST be one of the values in the National Archives CUI Limited Dissemination Controls Registry[3]. |
| required_statements (optional) | list of string | Required indicators (including informational, warning, or dissemination statements) as mandated by law, Federal regulation, or Government-wide policy. |
| supplemental_administrative (optional) | list of string | Supplemental administrative markings (e.g., Draft, Deliberative, Pre-decisional, Provisional) used to inform recipients of the non-final status of documents. The values of this property MUST NOT duplicate any marking in the CUI Registry. |
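The property rules above can be checked mechanically before a marking is accepted or published. The following is an added example, not part of this specification or of any OASIS tooling; the function name validate_cui_marking is hypothetical. It assumes no registry lookup is available, so it does not verify registry membership and treats every categories value as a Category (not a Subcategory) marking.

```python
import re

# Extension-definition id taken from section 3 of this page.
CUI_EXT_ID = "extension-definition--dff17fb3-edcb-4f99-ad1b-4b751c95738a"
IDENTITY_REF = re.compile(
    r"^identity--[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$")
LIST_PROPS = ("categories", "disseminations", "required_statements",
              "supplemental_administrative")

def validate_cui_marking(marking):
    """Return a list of rule violations; an empty list means none were found."""
    if marking.get("type") != "marking-definition":
        return ["object is not a marking-definition"]
    ext = marking.get("extensions", {}).get(CUI_EXT_ID)
    if not isinstance(ext, dict):
        return ["CUI extension is missing"]
    errors = []
    if ext.get("extension_type") != "property-extension":
        errors.append("extension_type MUST be property-extension")
    if ext.get("control") not in ("CONTROLLED", "CUI"):
        errors.append("control MUST be CONTROLLED or CUI")
    if not IDENTITY_REF.match(str(ext.get("designator_ref", ""))):
        errors.append("designator_ref MUST reference an identity object")
    for prop in LIST_PROPS:
        value = ext.get(prop, [])
        if not (isinstance(value, list) and all(isinstance(v, str) for v in value)):
            errors.append(prop + " MUST be a list of string")
    cats = ext.get("categories", [])
    if isinstance(cats, list) and all(isinstance(c, str) for c in cats):
        specified = [c for c in cats if c.startswith("SP-")]
        basic = [c for c in cats if not c.startswith("SP-")]
        if cats != specified + basic:
            errors.append("Specified categories MUST precede Basic categories")
        # Assumption: no subcategory markings, so each group sorts alphabetically.
        if specified != sorted(specified) or basic != sorted(basic):
            errors.append("categories MUST be alphabetical within each CUI type")
    return errors

# Constructed sample: the multi-category example from section 4 with the
# category order reversed and an invalid control value.
SAMPLE_BAD = {
    "type": "marking-definition",
    "extensions": {CUI_EXT_ID: {
        "extension_type": "property-extension",
        "control": "UNCLASSIFIED",
        "categories": ["SBIZ", "SP-SSEL"],
        "designator_ref": "identity--c069bb9f-158a-405d-92b4-858a2536df9a"}},
}
```

Checking categories and disseminations values against the National Archives registries[2][3] requires a local copy of those lists and is left out here.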

3. Extension Definition Object for CUI

{
    "id": "extension-definition--dff17fb3-edcb-4f99-ad1b-4b751c95738a",
    "type": "extension-definition",
    "spec_version": "2.1",
    "name": "CUI",
    "description": "This defines CUI as a STIX extension",
    "created": "2023-03-04T00:00:00.000Z",
    "modified": "2023-03-04T00:00:00.000Z",
    "created_by_ref": "identity--b3bca3c2-1f3d-4b54-b44f-dac42c3a8f01",
    "schema": "https://github.com/oasis-open/cti-stix-common-objects/tree/master/extension-definition-specifications/cui",
    "version": "1.0.0",
    "extension_types": [
        "property-extension"
    ]
}

4. Examples

Most basic CUI portion marking.

{
    "id": "marking-definition--331bc382-fcf1-43aa-8c04-732ff0b42c85",
    "type": "marking-definition",
    "spec_version": "2.1",
    "created": "2023-03-04T00:00:00.000Z",
    "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
    "extensions": {
        "extension-definition--dff17fb3-edcb-4f99-ad1b-4b751c95738a": {
            "extension_type": "property-extension",
            "control": "CUI",
            "designator_ref": "identity--c069bb9f-158a-405d-92b4-858a2536df9a"
        }
    }
}

CUI banner marking with a basic category.

{
    "id": "marking-definition--bd0e84ce-2df7-421b-8de9-d026a6390b43",
    "type": "marking-definition",
    "spec_version": "2.1",
    "created": "2023-03-04T00:00:00.000Z",
    "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
    "extensions": {
        "extension-definition--dff17fb3-edcb-4f99-ad1b-4b751c95738a": {
            "extension_type": "property-extension",
            "control": "CUI",
            "categories": ["ASYL"],
            "designator_ref": "identity--c069bb9f-158a-405d-92b4-858a2536df9a"
        }
    }
}

CUI marking with multiple categories, including Specified, as well as Dissemination Controls.

{
    "id": "marking-definition--934ad48b-e590-464e-a814-24df9d1ee002",
    "type": "marking-definition",
    "spec_version": "2.1",
    "created": "2023-03-04T00:00:00.000Z",
    "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
    "extensions": {
        "extension-definition--dff17fb3-edcb-4f99-ad1b-4b751c95738a": {
            "extension_type": "property-extension",
            "control": "CUI",
            "categories": ["SP-SSEL", "SBIZ"],
            "disseminations": ["NOFORN", "NOCON"],
            "designator_ref": "identity--c069bb9f-158a-405d-92b4-858a2536df9a"
        }
    }
}

CUI marking with required indicators and supplemental administrative markings.

{
    "id": "marking-definition--934ad48b-e590-464e-a814-24df9d1ee002",
    "type": "marking-definition",
    "spec_version": "2.1",
    "created": "2023-03-04T00:00:00.000Z",
    "created_by_ref": "identity--8ce3f695-d5a4-4dc8-9e93-a65af453a31a",
    "extensions": {
        "extension-definition--dff17fb3-edcb-4f99-ad1b-4b751c95738a": {
            "extension_type": "property-extension",
            "control": "CUI",
            "categories": ["SP-SSEL", "SBIZ"],
            "designator_ref": "identity--c069bb9f-158a-405d-92b4-858a2536df9a",
            "required_statements": ["MARKING REQUIRED BY AUTHORITY"],
            "supplemental_administrative": ["Draft"]
        }
    }
}

1. https://oasis-open.github.io/cti-stix-common-objects/Identity_Contact_Information.html
2. https://www.archives.gov/cui/registry/category-marking-list
3. https://www.archives.gov/cui/registry/limited-dissemination