Transitioning to CUI: When Organizations are Moving at Different Paces

Moving the entire Executive branch to change course is similar to getting an aircraft carrier battle group to turn. Each component element has unique specs and circumstances, but they must function as a unified whole.

Not surprisingly as agencies move forward with their implementation, we are getting questions about the interaction between organizations that are at different stages of implementation.

The simple answer is:

  • Follow any specific requirements as needed and apply your agency’s existing policies and practices that are in effect at the time you are taking your action.

The more complex answer is:

  • If you and the organization you receive the information from have an information sharing agreement in place, then follow the information sharing agreement.
  • If no information sharing agreement governs the situation, then follow the best practices below.
    • If your agency has not yet implemented, but you receive CUI from an organization that has, then use your existing pre-CUI policies to safeguard according to the law, regulation, or government-wide policy that authorizes that CUI category.
    • If your agency has implemented, but receive CUI marked with Legacy Markings from an organization that has not yet implemented, then use your existing CUI policies to safeguard according to the law, regulation, or government-wide policy that authorizes that CUI category.

Please note that since all CUI categories are based on requirements in law, regulation, or government-wide policy, those authorities and their requirements existed prior to CUI implementation and must be followed regardless of CUI implementation status.

Reminder: CUI Marking Webex (Tomorrow)

CUI Marking Handbook Cover Image

We will be offering a CUI Marking fundamentals webex on   July 23, 2020 from 11 am – 1 pm (EDT). Participants will receive a completion certificate for attending the webex. In addition to providing an overview of the principles of marking in the unclassified environment, this class will provide an update on the CUI Program and its implementation among Executive Branch agencies. During this class we will discuss the new CUI Notices 2020-01 (CUI Program Implementation Deadlines) and CUI Notice 2020-02 (Alternative Marking Methods)

The conference begins at 11:00 AM Eastern Time on July 23, 2020; you may join the conference 10 minutes prior.

Step 1: Dial into the conference. Dial-in: 888-251-2949 or 215-861-0694 Access Code: 1399154# Need an international dial-in number?

Step 2: Join the conference on your computer. Entry Link:

When you access the entry link above, you will be provided a choice – to install the WebEx plug-in for your preferred browser or to join the web conference using a temporary path. Either option is acceptable.

Need assistance with your audio? Please dial 888-796-6118. Need assistance with your Webex? Please dial 888-793-6118.

***NOTE: You do NOT have to RSVP for this class, you may just dial in.***

July Marking class presentation

Optional Non-Disclosure Agreement Template issued

On June 3, 2020, ISOO issued CUI Notice 2020-03. This notice provides an optional Controlled Unclassified Information (CUI) non-disclosure agreement (NDA) template for executive branch agency use. Executive branch agencies may use the template when they determine that a CUI NDA is appropriate. The template is optional, and agencies can modify it if needed. A list of all CUI Notices can be found here

Using CUI while teleworking : Microphones and Cameras in Our Homes

When working with CUI, it is required you establish a controlled environment that will safeguard CUI.

This means not just using information systems that have the necessary safeguards in place, it also means being aware of the other potential risks to CUI such as the presence of microphones and cameras in our homes. The microphones and cameras on our computers and mobile devices (phones and tablets) could place CUI at risk.  If it is an electronic device it can be hacked, if it connects to the internet it can be hacked remotely. What level of safeguarding do you have on your devices with microphones and cameras?

Take a moment to think about how many internet connected microphones and cameras you have in your house.

Of course, we have our phones and computers, but what else are around?

Is the remote control to your TV voice controlled? What about your thermostat?

Do you have a voice activated personal assistant service?

How about devices other than your phone and computer that are voice activated and you can use WiFi to stream music on?

Some people even have appliances that are voice activated and connected to home WiFi, like refrigerators.

There are often more of these in our homes these days than we might realize at first glance.

Cyber criminals and foreign intelligence services know that with everyone at home they have rich and often less secured targets.

And it isn’t just these threats. If you read many application user agreements, they allow the application to collect data from device cameras and microphones even when the application isn’t in use.

These vary in how anonymized they are. Even if the user agreements say they are anonymized, there is a long history of business intelligence gathering to gain business advantage and contracts that were violated to obtain advantage.

To achieve a controlled environment it is important to be aware of your surroundings. If you have microphones in internet connected devices around, then take action to protect CUI. Keep conversations containing CUI to emails or other written communication on information systems that your agency approved to meet the requirements to handle CUI.

Though internet connected cameras are rare on anything other than phones, computers, baby monitors, and doorbells, if you have CUI on your computer screen or desk then make sure it isn’t visible to cameras on unsecured devices.

Some quick things you can do to make your home and devices more secure are:

  1. Make sure to change the default username and passwords for all internet connected devices .
  2. Make sure you update the firmware on your router, modem, and all connected devices regularly. Many of these updates are pushed out to address known security vulnerabilities. If you don’t know how, check the device website or call customer service.
  3. Turn off and unplug unused devices, consider disabling or covering cameras when not in use.
  4. Keep any security software or firewalls updated to the latest version.

There is a lot more you can do and some great information about how to do it found in the additional resources below:

Consult with your agency or organization’s security office if you have specific questions or concerns.

Using CUI while teleworking during Coronavirus social distancing common issues: Cohabitants

There is an increased potential for CUI to be overheard or observed with more people likely to be in the home.

Many people used to have the house to themselves while teleworking and now in many households’ spouses, kids, and housemates are home.

Even in homes with a room that can be used as an office, it might be a room shared by both spouses. In this situation, even if both spouses work for the government, one spouse may not have a lawful government purpose to have access to information the other spouse has access to. Special attention should be paid to dissemination controls, particularly FED ONLY, NOCON, DL ONLY, Attorney-Client, Attorney-WP, and Deliberative.

Other employees do not live in a home with even the option of an extra room to serve as an office. This might include a couple living in a studio apartment or just a very full house.

Some employees also might live with housemates that are not of their choosing because of financial constraints. Nearly all of us can think back to the days — at some point in our life — that we were in this situation.

So how do agencies and employees establish a controlled environment to effectively safeguard CUI when it is used during telework?

There are lots of deeply personal reasons an employee might have to make the judgment call they need to take extra precautions in order to achieve a controlled environment. Just to name a few examples: a kid who tells everything to their friends or random strangers they walk by, an untrustworthy roommate, a family member with mental illness, or a divorce in progress.

In most cases an employee will prefer not to go into these details with a supervisor, the same way they might be willing to say they “live in a studio apartment with a parakeet”…though some employees might not even be comfortable saying that. 

Though the personal situation can be generalized to protect employee personal privacy, there are three steps that should occur:

  1. the employee should notify their supervisor they feel a need to take extra precautions and what those precautions are,
  2. the employee acknowledges it is their responsibility to achieve a controlled environment that effectively safeguards the information and the supervisor recognizes that part of their own obligation to safeguard the information is to empower the employee with the work time and resources to do this,
  3. the agency provides supplemental training on the safeguarding needed to achieve a controlled environment is given before CUI is used.  

An employee knows their home environment best, so be a good listener when an employee says “I cannot talk about that now,” “Can I email you,” “I need to call you back about that,” etc.

Keeping the computer screen from being observed is a different set of challenges and depend greatly on the physical configuration of the work environment.

Different solutions will be right for different employees. Here a couple items supervisors might want to consider:

  • Providing flexible schedules (for example, to work at a time when others aren’t around)
  • Providing flexible range of assignments (so non-CUI work can be done if the environment changes)
  • Providing screen protectors (to limit the angles a computer screen is readable from)
  • Providing headphones (that can be used instead of speaker phones or laptop speakers; note: it remains the employee’s responsibility keep in mind people around them and be mindful of what information they are talking about)
  • Providing refresher training (particularly tailored to our new telework environment)

Employees also need to remember their obligation to report security and safeguarding incidents, even ones that happen at home. It is an essential security and safeguarding practice for agencies to foster a culture of self-reporting.

In addition, is a great resource to check out for additional information.

What are other solutions that you have found to be a best practice as we all adjust to teleworking with a full house? What topics would you suggest be included in refresher training about creating a controlled environment while teleworking with a full house?

”UNCLASSIFIED”, “(U)”, and “Unclassified”

  • “UNCLASSIFIED” in the banner marking indicates the absence of CUI and classified information.
  • “(U)” as a portion marking indicates the absence of CUI and classified information.
  • “Unclassified” when not used in a marking, indicates that the information being referred to is not classified, but does not indicate whether or not the information is controlled (CUI) or not.


Prior to the CUI Program, the term “unclassified” was used to describe information that did not meet the standards to be classified under Executive Order 13526. In classified environments, the banner marking of “UNCLASSIFIED” was placed at the top and bottom of pages to indicate the absence of classified information in documents. In portions of documents, a “(U)” indicated that a portion did not contain classified information.

In the absence of Government-wide guidance regarding the handling and marking of sensitive but unclassified information, Executive branch departments and agencies started applying additional indicators to convey the status of sensitive but unclassified information in classified documents. Markings such as “U//FOUO” and “U//LES” became commonly used in commingled documents (documents that contain both sensitive but unclassified, as well as classified information).

As agencies implement the CUI Program and modify marking standards to comply with those in 32 CFR Part 2002, the use of legacy markings, such as FOUO and LES, to describe sensitive but unclassified information will be phased out.

As part of this transition to the CUI Program, agencies should convey – through policy and training – that the term Unclassified (or Uncontrolled Unclassified Information, as described in 32 CFR Part 2002) refers to information that: is neither CUI nor classified, but is still subject to agency public release policies.

Reference: CUI Marking Handbook

Agency Considerations when allowing employees to telework with Controlled Unclassified Information (CUI) during the COVID-19 pandemic

The CUI program has a lot of flexibility built in to allow agencies to accomplish their mission, including while employees are teleworking.

Agencies must ensure CUI is safeguarded in accordance with 32 CFR 2002 (the CUI Program’s implementing directive) and the applicable laws, regulations, and government-wide policies. In doing so agencies must establish controlled environments where CUI can be effectively safeguarded. 

Telework agreements can be used to spell out whether or not CUI is permitted, as well as, which categories of CUI employees can use while teleworking. The agreement should also outline what controls (physical or electronic) need to be in place to ensure adequate protection.

Here are some common issues agencies may encounter as they allow employees to telework with CUI:

1. Increased potential for CUI to be overheard or observed with more people likely to be in the home

2. Difficulty securing devices used for telework (computers, cell phones, tablets, routers, modems)

3. Ensuring compliance with current policies and limiting use of unauthorized equipment and media

4. Enabling employees to accomplish their tasks and adjusting expectations limit use of unauthorized workarounds

Agencies, in consultation with CUI Program Officials, should develop additional guidance that addresses each of the issues described above.  Front-line supervisors should initiate discussions with their employees to assist and determine the best ways to ensure the protection of CUI while teleworking.

General guidelines for Handling Controlled Unclassified Information (CUI) as you Telework

As we all work to do our jobs in the changing work environment during the COVID-19 crisis, those who work with CUI should continue to make sure they safeguard CUI.

In many cases, CUI can be worked on, in a telework environment, as long as the proper controls are in place to achieve a controlled environment (physical and electronic) and agency policies allow it.

Make sure to follow any agency policy or guidance, especially interim guidance issued in response to COVID-19 as standard practices may have been changed to allow for greater telework participation. If needed, employees should consult their supervisor if they have any questions regarding the proper handling of sensitive information.

Here are some general guidelines to consider as you telework with CUI: 

  1. CUI should not be stored on personal systems. 
  2. Printing and hard copy storage should be kept to a minimum.  
  3. Agency sponsored/approved virtual desktops (or similar) should be used. 
  4. Personal email accounts should not be used to store or transmit CUI.