Recommended security requirements for protecting the confidentiality of CUI:
(1) when the CUI is resident in a nonfederal system and organization;
(2) when the nonfederal organization is not collecting or maintaining information on behalf of a federal agency or using or operating a system on behalf of an agency; and
(3) where there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or governmentwide policy for the CUI category listed in the CUI Registry.
The requirements apply to components of nonfederal systems that process, store, or transmit CUI, or that provide security protection for such components.
Security and Privacy: risk management