Questions and answers: CUI Program

1. What is the Controlled Unclassified Information (CUI) Program?

The CUI Program is a Government-wide program that standardizes the way the executive branch manages unclassified information that requires safeguarding or dissemination controls required by law, Federal regulation, and Government-wide policy. This Program replaces existing agency programs like For Official Use Only (FOUO), Sensitive But Unclassified (SBU), Official Use Only (OUO), and others. The CUI Program addresses the current inefficient and confusing patchwork of over 100 agency-specific policies throughout the executive branch that lead to inconsistent marking and safeguarding as well as restrictive dissemination policies.

2. When can I start using the CUI markings and following the requirements of the CUI Program?

Until directed by your agency’s guidance, executive branch employees and contractors supporting Government agencies must not use CUI markings and other CUI requirements.

3. What do I do if I receive marked CUI and my agency has not yet implemented the program?

Follow your agency’s guidance in how to handle such marked information

4. How do I report CUI incidents/misuse?

Follow your agency guidance on incident reporting.

5. What is “CUI Specified?”

Categories of CUI where a law, Federal regulation, or Government-wide policy requires safeguarding or dissemination controls that differ from those used at the CUI Basic level are considered “CUI Specified.” These requirements will be incorporated into your agency’s implementation of the CUI Program so that all unclassified information handling policies will be brought under one program.

6. Are coversheets required for CUI? If not, can I use a coversheet if I would like to?

Coversheets are not a requirement for CUI, although some CUI Specified categories do require a coversheet, like Protected Critical Infrastructure Information (PCII). There are three authorized forms: OF 901, OF 902, and OF 903, which can be found on the CUI website ( and the GSA website ( To see if their use is permitted by your agency, please consult your agency’s CUI implementation policy.

7. If CUI is derived from different source documents (e.g., other agencies, organizations, or subcomponents of a host agency) is there a requirement to cite these sources?

While the CUI Program has no requirement to cite derivative source documents, in some instances, it may be beneficial to identify the sources that contain CUI. The inclusion of explanatory text, source documents, or reference sections in correspondence are all practices that may be used to alert holders of the origination. Follow your agency’s CUI guidance for any requirements that may have been deemed necessary.

8. Can CUI be subject to a Freedom of Information Act (FOIA) request?

The CUI program does not change agency policy and practice in responding to a FOIA request. Information must still be reviewed and applicable exemptions applied appropriately. Not all CUI is exempted from FOIA and not all information that falls under a FOIA exemption is CUI.

9. Does marking information as CUI preclude the information from being reviewed and potentially released if it is requested under the provisions of the Freedom of Information Act (FOIA) or otherwise considered for public release?

Marking and designating information as CUI does not preclude information from release under the FOIA or preclude it from otherwise being considered for public release.

10. Is CUI just a 4th level of classification?

No. CUI is a completely separate program from the Classified National Security Information program. While they share similar language and some similar requirements, CUI requirements for designating, protecting, accessing, sharing, and decontrolling information, as well as the repercussions for misuse, are all different from the classified program’s.

Leave a Reply