Much like organizations and businesses, government agencies frequently create, share, and store information that requires protection. Some of these agencies handle information that is so sensitive that it’s deemed “classified,” or perhaps even “secret” or “top-secret.” Other agencies handle information that is considered “unclassified” but is still sensitive enough to remain outside of the public domain. Protecting such unclassified information may not be quite as critical as protecting classified information, but it does still require some protection. Because the U.S. government’s separate agencies developed separate methods to protect their data over time, ensuring the security of that data as it was shared across agencies became increasingly convoluted. The Controlled Unclassified Information (CUI) Program is a means of standardizing data classification and protection across these separate agencies.
What is Controlled Unclassified Information (CUI)?
CUI is best understood by first knowing what does not qualify as CUI. Put simply, any information classified under Executive Order No. 13526 or the Atomic Energy Act cannot be considered CUI. In other words, information labeled “classified,” “secret,” or “top-secret” cannot be designated as CUI. Furthermore, CUI cannot be any information possessed by a non-executive branch entity or any information that is lawfully or publicly available without restrictions.
Controlled unclassified information is unclassified information, possessed by an entity of the executive branch, that requires safeguarding and dissemination controls consistent with applicable law, regulation, or government-wide policy.
Who is responsible for applying CUI markings?
The first step in designating information as CUI is to correctly identify and mark it as such. The original authorized holder (the creator) of the information is always the one tasked with determining whether a piece of information falls into a CUI category, and then applying the proper CUI markings and dissemination instructions if it does qualify. An “authorized holder” of CUI is an individual, agency, organization, or group of users legally permitted to designate or handle CUI.
Who is responsible for protecting CUI?
After a piece of information is designated as CUI and given the proper markings and dissemination instructions, the information can then be shared across agencies and authorized holders. Stored CUI always requires a controlled environment. Whether that means offices and buildings with security measures that restrict access to CUI, or locked cabinets in which the CUI is kept, it is imperative that only those with a lawful government purpose can freely access the information.
With this in mind, anybody intending to transmit or store CUI is responsible for its handling and protection. The sender must ensure that only authorized holders will be able to access the information once it is transmitted and that it will be kept in a controlled environment once it is in the hands of the recipient. CUI should only be sent through secure channels, whether by mail, approved secure communication systems, or other systems using Transport Layer Security (TLS).
On a higher level, the Information Security Oversight Office (ISOO) oversees and enforces the CUI Program to ensure its proper implementation and compliance by executive branch agencies.
What are some examples of CUI?
Because CUI is an umbrella term for information with a range of markings across several agencies, it encompasses several varieties of sensitive information, including the following:
- For Official Use Only (FOUO) Information
- Law Enforcement Sensitive (LES) Information
- Personally Identifiable Information (PII)
- Proprietary Business Information (PBI)
- Sensitive but Unclassified (SBU) Information
- Sensitive Personally Identifiable Information (SPII)
- Unclassified Controlled Technical Information (UCTI)
For a more detailed look at what types of information can be designated as CUI, see the categories outlined in the CUI Registry.