CUI Guide for DoD Contractors: Manage & Protect Sensitive Information

Discover the essentials of Controlled Unclassified Information (CUI) with our in-depth guide tailored for DoD contractors and subcontractors. Learn how to manage, safeguard, and comply with CUI requirements effectively, ensuring your operations align with national security standards.

Updated May 2025

Introduction to Controlled Unclassified Information (CUI)

Federal agencies and their external service providers routinely generate, use, store, and share information that, while not meeting the standards for classified national security information, nevertheless requires safeguarding and dissemination controls.

This guide discusses Controlled Unclassified Information (CUI) and how best to protect it. We will cover:

  • The U.S. Government’s document-handling restrictions and control mechanisms for safeguarding protected unclassified information.
  • Guidance on identifying, using, storing, and sharing CUI.

What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) is a marking and control mechanism for all unclassified information or other data that meets standards for usage, safeguarding, and dissemination controls according to and consistent with applicable laws, regulations, and government-wide policies.

Types of data that fall under CUI include, but are not limited to:

  • Anything labeled “For Official Use Only” (FOUO)
  • Anything labeled “Sensitive But Unclassified” (SBU)
  • All information contained in the Department of Defense technical documents and related materials
  • Anything referred to as "Limited Official Use"
  • Anything defined as "Sensitive Information" by the Computer Security Act of 1987
  • Any proprietary business information (PROPIN)

Important Information:
CUI refers to unclassified information that must be protected from public disclosure. CUI is not a classification and should not be referred to as “classified as CUI.” A better way to phrase it is “designated as CUI.”

Why is the CUI Program Necessary?

Before the CUI Program, there were over 100 different ways of characterizing unclassified information. Different rules for each Federal Agency created conflict on when and how to share information, making it difficult to collaborate and ensure the information was protected.

Established in Executive Order 13556, the CUI Program standardizes how the Executive branch handles unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies.

Important Information:
The CUI Program makes no changes to the Freedom of Information Act (FOIA) process. Standardized CUI markings help ensure that CUI is adequately protected by all agencies and facilitate timely information sharing to authorized recipients. Even the release of unclassified information can be damaging. Unclassified information can be pieced together to provide an adversary with a better understanding of classified information. The CUI Program helps mitigate and reduce threats of compromise or loss of information.

How to identify Controlled Unclassified Information (CUI)

Only information requiring protection based on law, Federal regulation, or government-wide policy can qualify as CUI.

Like classified information, CUI is marked with bold banners, i.e., Controlled or CUI, and may also include limited dissemination controls making it clear how the information should be shared or distributed as directed by the responsible agency.

In this guide, we will cover the two types of CUI: CUI Basic and CUI Specified, and the specific protections required for each.

                                                                                                                                                                 
EXAMPLES: LIMITED DISSEMINATION CONTROLS

  • No foreign dissemination: NOFORN
  • Federal Employees Only: FED ONLY
  • Federal Employees and Contractors Only: FEDCON
  • No dissemination to Contractors: NOCON
  • Dissemination List Controlled: DL ONLY
  • Authorized for release to certain nationals only: REL TO [USA, LIST]
  • Display Only: DISPLAY ONLY

Lifecycle of Controlled Unclassified Information (CUI)

CUI follows a lifecycle similar to all protected information. While the designation of certain types of information requiring safeguarding and dissemination may be new, the process should be very familiar to DIB partners.

Create: CUI is created when recorded on paper or entered into an information system.

Identify & Designate: Realize that the information is generated for or on behalf of an agency within the Executive Branch under a contract and determine if the information falls into one of the more than one hundred categories of CUI in the National and DOD CUI Registries. It is also important to realize what is not CUI.

Mark/Label: At a minimum, CUI markings for unclassified DOD documents will include the acronym “CUI” or “CONTROLLED” in the banner of the document. It is a best practice to include markings in both the banner and footer of the document, and it is imperative to reference the CUI Marking Guide to ensure correct markings.

Store: CUI can be stored in NIST 800-171 compliant information systems or controlled physical environments.

Disseminate: Only authorized holders may disseminate in accordance with distribution statements, dissemination controls, and applicable laws.

Destroy: Hard and soft copies of CUI should be appropriately destroyed, meaning they are rendered unreadable, indecipherable, and irrecoverable. Review clearing, purging, and destruction in NIST SP 800-88: Guidelines for Media Sanitization.

Decontrol: All holders must promptly decontrol CUI once the CUI owner has properly determined the information no longer requires safeguarding or dissemination controls, unless doing so conflicts with the related law, regulation, or government-wide policy in accordance with DoDI 5230.09.

Who can view Controlled Unclassified Information (CUI)

Access to CUI can be granted to individuals performing “any activity, mission, function, operation, or endeavor that the U.S. Government authorizes or recognizes [as] within the scope of its legal authorities or the legal authorities of non-executive branch entities (such as state and local law enforcement) on the need to know basis”.

                                                                                                                                       
  • U.S. Citizen
    - Definition: Has citizenship in the United States through birth or naturalization.
    - Verification: U.S. Birth Certificate; Naturalization Certificate
    - Access rights: Can hold a national security clearance; can view any type of CUI; can view CUI marked NOFORN with a valid need to know; can view International Traffic in Arms Regulations (ITAR) data
  • U.S. Person
    - Definition: A legal resident of the United States. Includes U.S. Permanent Resident and U.S. Asylee/Refugee.
    - Verification: Permanent Resident “green card”
    - Access rights: Cannot view classified information; cannot view CUI marked NOFORN; can view CUI not marked NOFORN; can view ITAR data
  • Foreign National
    - Definition: Is not a legal citizen/permanent resident of the United States, also referred to as a non-U.S. Person or Foreign Person.
    - Verification: Any type of employment visa
    - Access rights: Cannot view classified information; cannot view any type of CUI; cannot view ITAR data; can view non-Defense and non-Federal data

Types of Controlled Unclassified Information (CUI)

There are two types of CUI: CUI Basic and CUI Specified.

CUI Basic

CUI Basic is the type of CUI that a law, regulation, or government-wide policy says must be protected, but doesn’t provide any further instruction for its protection. CUI Basic contains basic handling and dissemination controls.

  1. CUI Basic has the same handling and sharing guidance across the entire Executive Branch and can be marked as either CUI or Controlled.
  2. The Federal Information Systems Modernization Act (FISMA) requires that CUI Basic be protected at the FISMA Moderate level.
  3. Examples of CUI Basic Categories:
    - Agriculture
    - Comptroller General
    - Terrorist Screening
    - Ammonium Nitrate
    - Geodetic Product Information
    - Informant
    - Water Assessments
    - Asylee
    - Privilege
    - Emergency Management
    - Visas
    - Victim
    - Bank Secrecy and Budget
    - Information Systems Vulnerabilities
    - Death Records

CUI Specified

CUI Specified is the type of CUI where the authorizing law, regulation, or policy puts more restrictive controls on the specific handling, marking, or sharing requirements to ensure adequate protection.

  1. Individual directors of Federal Agencies define guidance.
  2. Each Federal Agency has its own additional handling and storing requirement(s) and may apply limited dissemination controls to the CUI content.
  3. Each Federal Agency has its own rules for CUI Specified.
  4. Export-controlled information (ITAR- and EAR-controlled) is a type of CUI Specified.

Important Points:
Since CUI Specified can call for different controls and protection than CUI Basic, it is mandatory to indicate the specific protection of the content in the banner, using the “SP-” prefix.

Examples of CUI Specified Categories

  • Sensitive Security Information
  • Safeguards Information
  • DNA
  • Student Records
  • NATO Restricted
  • Criminal History Records
  • Financial Records
  • Personnel
  • NATO Unclassified
  • Export Control
  • Source Selection
  • Federal Grand Jury
  • Protected Critical Infrastructure Information
  • Nuclear
  • Witness Protection
  • Controlled Technical Information

Controlled Unclassified Information (CUI) Marking Guidance

CUI markings alert holders that the information must be protected. A cover sheet may also be used to identify CUI, alerting observers that CUI is present from a distance and serving as a shield to protect CUI from inadvertent disclosure. In the CUI program, there is a standard way to apply markings, as well as alternative methods to satisfy marking or identification requirements. Listed below are three components of marking CUI and an example of a CUI coversheet.

Designation Indicator

  1. A mandatory component for all CUI markings that identifies who originated the CUI.

Banner Markings

  1. For CUI Basic, it is mandatory to include the CUI Control banner marking “CUI” or “CONTROLLED”
  2. For CUI Specified, the category marking must appear in the banner and must be preceded by “SP-”.
  3. Use the same banner marking on every page; the top banner must apply to the entire document.
  4. If possible, apply markings to the bottom of the document.
  5. If feasible, make the text black, bold, capital, and centered.
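
The banner rules above can be checked mechanically before a document leaves a controlled environment. The following is an added example, not part of the original guide or any official tool: it assumes the `//` and `/` separators of the NARA CUI Marking Handbook banner layout, a constructed sample registry of category abbreviations, and hypothetical function names.

```python
import re

CONTROL = {"CUI", "CONTROLLED"}  # control markings named in this guide
# Limited dissemination controls from the guide's examples table.
LDC = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY", "DISPLAY ONLY"}
REL_TO = re.compile(r"REL TO USA(, [A-Z]{3})*")  # assumed country-code list form

# Constructed sample registry: abbreviation -> True if the category is CUI Specified.
SAMPLE_REGISTRY = {"CTI": True, "EXPT": True, "PRVCY": False}


def check_banner(banner, registry=SAMPLE_REGISTRY):
    """Return the problems found in one banner line; an empty list means OK."""
    problems = []
    if banner != banner.upper():
        problems.append("banner is not in capital letters")
    segments = [s.strip() for s in banner.upper().split("//")]
    if segments[0] not in CONTROL:
        return problems + ["must start with CUI or CONTROLLED"]
    seen_ldc = False
    for segment in segments[1:]:
        for item in (i.strip() for i in segment.split("/")):
            if item in LDC or REL_TO.fullmatch(item):
                seen_ldc = True
                continue
            name = item[3:] if item.startswith("SP-") else item
            if name not in registry:
                problems.append(f"unrecognized marking: {item!r}")
            elif seen_ldc:
                problems.append(f"category {item!r} follows a dissemination control")
            elif registry[name] and not item.startswith("SP-"):
                problems.append(f"Specified category {name} needs the SP- prefix")
            elif not registry[name] and item.startswith("SP-"):
                problems.append(f"Basic category {name} must not carry SP-")
    return problems


def check_pages(page_banners, registry=SAMPLE_REGISTRY):
    """Check every page and enforce the 'same banner on every page' rule."""
    report = {n: check_banner(b, registry) for n, b in enumerate(page_banners, 1)}
    for n, b in enumerate(page_banners, 1):
        if b != page_banners[0]:
            report[n].append("banner differs from page 1")
    return {n: p for n, p in report.items() if p}
```

In practice the registry would be populated from the National and DoD CUI Registries rather than the three sample entries used here.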

Portion Markings

  1. Check Agency requirements to determine whether portion markings are required.
  2. Place abbreviations, in parentheses, at the beginning of the portion to which they apply, and throughout the document.
  3. It may include up to three elements:
    - CUI Control Marking (“CUI”)
    - CUI Category or Subcategory Markings (mandatory for CUI Specified)
    - Limited Dissemination Control Markings
  4. When a portion doesn’t contain “CUI”, put “(U)” to indicate that it contains unclassified information.

CUI Protection Barriers

CUI must always be secured using controlled environments, both physically and electronically, that ensure access to CUI is only by authorized users with a lawful government purpose.

PHYSICAL BARRIERS

The CUI Program requires that inside a controlled environment there is at least one physical barrier to prevent unauthorized access to CUI such as the following:

  1. Sealed envelopes
  2. Locked doors, overhead bins, drawers, file cabinets
  3. Area equipped with electronic locks

CUI safeguards must also prevent unauthorized individuals from observing or overhearing discussions containing CUI. Public areas such as break rooms, lobbies, or public transportation, are not acceptable for the storage, discussion, or review of CUI.

ELECTRONIC BARRIERS

The CUI program requires that some barrier or compartmentalization exists to prevent unauthorized users from accessing electronic CUI, such as the following:

  1. Dedicated network drives or SharePoint sites
  2. Protected file folders
  3. Intranet sites

Information stored on electronic systems and networks must be compartmentalized and protected according to the lawful government purpose for accessing that information. All projects should establish procedures to ensure that only authorized individuals have access to CUI, and that access is removed when it is no longer required.
