You may have been brought here because you are seeking to achieve NIST 800-171 or CMMC compliance. Perhaps this is the first time you have heard the terms Controlled Unclassified Information or “CUI”.
You may be wondering: What is CUI? Do I have any? If I do, what am I supposed to do with it? How should I handle CUI? And more…
Regardless of what brought you here, you have come to the right place. This article walks through where CUI comes from, who governs it, how it is defined and categorized, and what authorized holders must do to safeguard, disseminate, mark, and destroy it.
Executive Order 13556
On November 4, 2010, President Barack Obama issued Executive Order 13556 in order to "establish an open and uniform program for managing [unclassified] information that requires safeguarding or dissemination controls."
Before the order, information requiring safeguarding or dissemination controls went by several names. Some agencies used terms like "Sensitive but Unclassified" (SBU) or "For Official Use Only" (FOUO).
These naming conventions, and the accompanying requirements for document handling, marking, dissemination, and safeguarding, were ad hoc and agency specific.
EO 13556 seeks to create efficiencies and reduce confusion by replacing that patchwork with two key things: 1) it establishes the Controlled Unclassified Information (CUI) Program, and 2) it designates the National Archives and Records Administration (NARA) as the CUI Executive Agent (EA).
Role of the National Archives and Records Administration (NARA)
NARA, as the CUI EA, is responsible for implementing EO 13556 and as a result has several roles and responsibilities related to CUI. These include, but are not limited to:
- Issuing policy, guidance, and other materials to establish and maintain the CUI Program
- Reviewing, evaluating, and overseeing agencies' actions to implement the CUI Program
- Establishing a management planning framework and associated deadlines for phased implementation
- Approving CUI categories and subcategories
- Maintaining and updating the CUI Registry
- Prescribing standards, procedures, and instructions for oversight and agency self-inspection
- Considering and resolving disputes, complaints, and suggestions
While NARA has ultimate authority over the CUI Program, the heads of executive branch agencies have responsibilities as well. Among them, each agency head must designate a CUI Senior Agency Official (SAO) who is responsible for overseeing the agency's implementation of, management of, and compliance with the CUI Program.
In other words, NARA oversees the program and develops the high-level guidance, while implementation and the specifics are left to the executive agencies, their heads, and their designated SAOs.
32 CFR Part 2002 defines CUI as "information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls."
An important part of the definition to pay attention to is "or that an entity creates or possesses for or on behalf of the Government." Information a non-executive branch entity (for example, a contractor) creates on its own, not under a contract or otherwise specifically for the Government, cannot be considered CUI under 32 CFR Part 2002.
EO 13526 has a similar requirement for classified information. To be classified in accordance with EO 13526, information must be "owned by, produced by or for, or [be] under the control of the United States Government."
In other words, the Government cannot unilaterally place safeguarding and handling requirements on information it does not own or control.
In addition, information that "a non-executive branch entity possesses and maintains in its own systems" is excluded as well, so long as that information did not come from, and was not created or possessed by or for, an executive branch agency or an entity acting for an agency.
Note also that a CUI marking does not by itself make information exempt from disclosure under the Freedom of Information Act (FOIA); whether CUI can be released is determined by FOIA's own exemptions, not by the CUI marking.
CUI Registry, Categories, and Subcategories
The CUI Registry is an online repository maintained by NARA that lists the approved categories and subcategories of CUI, the authorities (laws, regulations, and Government-wide policies) behind each, and each category's respective marking guidelines.
For those of you who have worked in classified environments, the CUI Registry is roughly equivalent to the Intelligence Community Authorized Classification and Control Markings Register and Manual, also referred to as the CAPCO Manual.
Categories of information considered CUI include, but are not limited to, information relating to:
- Natural and Cultural Resources
- North Atlantic Treaty Organization (NATO)
- Nuclear
- Procurement and Acquisition
- Proprietary Business Information
Each category of CUI also has associated subcategories. For example, the Defense category has subcategories for Controlled Technical Information, DoD Critical Infrastructure Security Information, Naval Nuclear Propulsion Information, and Unclassified Controlled Nuclear Information – Defense.
There is also what is referred to as "CUI Specified," which is information that is considered CUI but for which the underlying law, regulation, or Government-wide policy prescribes specific handling controls that differ from (and are usually stricter than) the baseline CUI requirements (e.g., export controlled information under the International Traffic in Arms Regulations (ITAR), Sensitive Security Information, etc.). Everything else is "CUI Basic."
CUI Specified information must be handled both as CUI and in accordance with the specific controls in the applicable authority.
In the case of ITAR data, for example, there may be restrictions on disseminating the information to foreign nationals or dual citizens.
The requirements for safeguarding, accessing, and disseminating CUI are especially important when it comes to Government compliance frameworks such as CMMC and NIST SP 800-171.
32 CFR Part 2002 requires agencies to protect CUI while it is under the control of an authorized holder. More specifically, authorized holders must:
- Establish controlled environments in which to protect CUI from unauthorized access or disclosure
- Ensure unauthorized individuals cannot access or observe CUI, or overhear conversations discussing CUI
- Keep CUI under the authorized holder's direct control or protect it with at least one physical barrier (e.g., a locked office or cabinet) when unattended
- Protect the confidentiality of CUI that agencies or authorized holders process, store, or transmit on Federal information systems
CUI must also be protected when being shipped or mailed. To appropriately safeguard CUI in transit, authorized holders:
- Must use the United States Postal Service or a commercial delivery service
- Should use in-transit automated tracking and accountability tools where available
- May use interoffice or interagency mail systems
- Must mark packages that contain CUI according to the guidelines published by NARA
Authorized holders may reproduce CUI, but the equipment used to do so (e.g., a copier or multifunction printer) must not retain the data, or its storage must be sanitized afterward. CUI must also be destroyed when it is no longer needed, using the destruction methods required by the applicable law, regulation, or Government-wide policy.
If no law, regulation, or policy prescribes a method, the information must be destroyed so that it is unreadable, indecipherable, and irrecoverable, using the media sanitization methods in NIST SP 800-88 or a method of destruction approved for Classified National Security Information.
The requirements described above essentially form the basis for the policies and procedures needed to address CUI-handling controls found in CMMC and NIST SP 800-171. For example, CMMC practice AM.3.036 requires organizations to "define procedures for the handling of CUI data."
At a minimum, your organization's procedures for handling CUI should address the requirements above.
Accessing and Disseminating
CUI may only be accessed or disseminated when some key criteria are met. Access and dissemination must:
- Abide by any applicable laws, regulations, or Government-wide policies
- Further a lawful Government purpose
- Not be restricted by an authorized dissemination control marking (e.g., NOFORN)
- Not be otherwise prohibited by law
When disseminating CUI, the information must be appropriately marked and labeled. In addition, authorized holders must reasonably expect that all intended recipients are authorized to receive the CUI and have a lawful Government purpose for it.
Appropriate markings must be used, in accordance with the guidelines provided in the CUI Registry. While an entire manual could be written on markings, here are some of the highlights:
- Markings may not deviate from the methods prescribed by the CUI EA
- CUI must be marked prior to dissemination
- Recipients of unmarked CUI should notify the disseminating entity or their own agency's CUI program office
- Markings must not be used to conceal illegality, negligence, ineptitude, or other embarrassing information
- Unmarked information can still be CUI; the absence of a marking does not relieve a holder of the obligation to safeguard it appropriately
Last, but certainly not least, there are some additional requirements in the CUI Program worth highlighting:
- Training. Personnel with access to CUI must receive training covering how to designate CUI, the CUI categories and subcategories, the CUI Registry, markings, and how to appropriately safeguard, disseminate, and decontrol CUI.
- Cover sheets. Cover sheets are not strictly required by NARA or by 32 CFR Part 2002. However, they may be used to protect CUI from inadvertent disclosure and to alert observers to its presence.
- Sanctions. Misuse of CUI can lead to sanctions, to the extent agency heads are authorized to take administrative action against personnel who misuse CUI.
Phew, complying with Government regulations can get complicated quickly! We get it, and we are here to help your organization understand what CUI is and the responsibilities that come with it.
If you could use additional guidance, training, or assistance implementing these regulatory requirements, please contact us!
Key dates:
- Executive Order 13556 established the CUI Program on November 4, 2010.
- 32 CFR Part 2002 prescribed Government-wide implementation standards on September 14, 2016.
- DoD Instruction 5200.48, "Controlled Unclassified Information," established DoD CUI policy on March 6, 2020.
About Tom Busillo
Tom brings over 13 years of experience in leadership roles within the military, special operations, the intelligence community, and the commercial sector. Tom has a broad range of expertise in information technology, cybersecurity, software development, regulatory compliance, risk management, cloud services, program management, and more.