Save the Date: CUI Marking class (Webex)

CUI Marking Handbook Cover Image

The CUI Program Office will be hosting another

CUI Marking class

Date: May 19, 2020

Time: 11:00 am – 1:00 pm (EST)

You do not have to rsvp for this class, the information  will be posted as soon as it becomes available.

If you have any questions or concerns, please feel free to email us at


NOTE: If you attended the CUI Marking class on April 23, 2020; your completion certificate will be emailed to you by the end of this week. 



Agency Considerations when allowing employees to telework with Controlled Unclassified Information (CUI) during the COVID-19 pandemic

The CUI program has a lot of flexibility built in to allow agencies to accomplish their mission, including while employees are teleworking.

Agencies must ensure CUI is safeguarded in accordance with 32 CFR 2002 (the CUI Program’s implementing directive) and the applicable laws, regulations, and government-wide policies. In doing so agencies must establish controlled environments where CUI can be effectively safeguarded. 

Telework agreements can be used to spell out whether or not CUI is permitted, as well as, which categories of CUI employees can use while teleworking. The agreement should also outline what controls (physical or electronic) need to be in place to ensure adequate protection.

Here are some common issues agencies may encounter as they allow employees to telework with CUI:

1. Increased potential for CUI to be overheard or observed with more people likely to be in the home

2. Difficulty securing devices used for telework (computers, cell phones, tablets, routers, modems)

3. Ensuring compliance with current policies and limiting use of unauthorized equipment and media

4. Enabling employees to accomplish their tasks and adjusting expectations limit use of unauthorized workarounds

Agencies, in consultation with CUI Program Officials, should develop additional guidance that addresses each of the issues described above.  Front-line supervisors should initiate discussions with their employees to assist and determine the best ways to ensure the protection of CUI while teleworking.

Banner Markings now on the CUI Registry!

In response to stakeholder requests and to enhance the usability of the CUI Registry, ISOO recently updated the CUI Registry to reflect the banner markings that can be applied to the various categories of CUI. You can find this change on individual category pages, directly below the category name. This change should assist authorized personnel in the proper application of CUI Markings.  ISOO has also developed a number of resources that should assist with the proper marking of CUI.  The CUI Marking Handbook, training videos (Introduction to Marking & Marking Commingled Information), and the CUI Coversheet are great resources as you implement and begin marking CUI.

SLIDES: CUI Program Update to Stakeholders Nov 13 (1-3 EST)

Thank you to all those who attended the CUI Stakeholder meeting today. Please see the attached set of slides from the briefing. The next meeting will be February, 12th (1-3 EST).

CUI Stakeholders Briefing Nov 13

For those that did not attend topics included:

  • An update on New and Future CUI Notices
  • An update on agency implementation efforts
  • CUI and Metadata Plans/Discussion
  • The status and plans for a CUI Federal Acquisition Regulation Rule
  • The Upcoming CUI Industry Day:  February 11, 2020
  • Time for Questions and Answers

FY 2018 ISOO Annual Report Release

The Information Security Oversight Office (ISOO) released its Fiscal Year (FY) 2018 Annual Report to the President today and posted it here.  In his Letter to the President, ISOO Director Mark A. Bradley highlighted the challenges the Government faces in trying to safeguard and manage petabytes of electronic data using antiquated systems meant for paper. He also stressed the need for the Government to modernize its information security and information management policies, and to adopt a technology and investment strategy to accomplish it.

The report featured both an update on ISOO’s efforts to implement recommendations from its FY 2017 Annual Report to the President and a high-level assessment of the various programs in ISOO’s portfolio, including the Controlled Unclassified Information (CUI) Program.  The first page of the FY 2018 report is dedicated to an evaluation of agency CUI implementation efforts and ISOO’s work supporting implementation. The report noted that agencies have made significant progress since last year, but work remains to be done.

Specifically, many agencies still have not submitted CUI budget estimates to the Office of Management and Budget (OMB). To aid agencies, ISOO worked with OMB to modify section 31.15 of Circular A-11, Preparation, Submission, and Execution of the Budget. This guidance now includes details meant to inform what agencies need to include in submitting their CUI implementation budget estimates: hiring staff to implement and manage the program; developing and deploying automated marking tools; and creating training programs for agency staff. ISOO also worked with the Departments of Homeland Security and Defense, the National Aeronautical and Space Administration, and the General Services Administration to draft standard safeguarding requirements for inclusion in a Federal Acquisition Regulation (FAR). ISOO and its partners hope to finalize these requirements in FY 2019 so it is ready for use by agencies.

We hope you take time to read both the Director’s Letter to the President as well as the full report.

CUI Program Update to Stakeholders


The next CUI Program update to Stakeholders will be held on

               November 13 from 1-3.

The following information that will be discussed:

Topics include:

  • A brief overview of the CUI program;
  • An update on agency implementation efforts;
  • The status and plans for a CUI Federal Acquisition Regulation Rule;
  • CUI Training session that will be held on August 29 from 1-3;
  • Time for Questions and Answers.

Hosted by: Devin Casey and Charlene Wallace

The phone in information will be posted in the upcoming weeks.

Protecting Controlled Unclassified Information: Comment on Draft NIST SP 800-171 Rev. 2 and Draft NIST SP 800-171B (comment period ends July 19, 2019)

NIST is seeking comments on Draft NIST Special Publication (SP) 800-171 Revision 2Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and Draft NIST SP 800-171BProtecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets.

The public comment period for both publications ends on July 19, 2019. See the publication details for SP 800-171 Rev. 2 and SP 800-171B for document files and instructions on submitting comments.


Draft NIST SP 800-171 Revision 2 provides minor editorial changes in Chapters One and Two, and in the Glossary, Acronyms, and References appendices. There are no changes to the basic and derived security requirements in Chapter Three. For ease of use, the Discussion sections, previously located in Appendix F (SP 800-171 Revision 1), have been relocated to Chapter Three to coincide with the basic and derived security requirements.

Draft NIST SP 800-171BProtecting Controlled Unclassified Information in Nonfederal Systems and Organizations: Enhanced Security Requirements for Critical Programs and High Value Assets, was developed in the spring of 2019 as a supplement to NIST SP 800-171. This new document offers additional recommendations for protecting Controlled Unclassified Information (CUI) in nonfederal systems and organizations where that information runs a higher-than-usual risk of exposure. When CUI is part of a critical program or a high value asset (HVA), it can become a significant target for high-end, sophisticated adversaries (i.e., the advanced persistent threat (APT)). In recent years, these critical programs and HVAs have been subjected to an ongoing barrage of serious cyberattacks, prompting the Department of Defense to request additional guidance from NIST.

The enhanced security requirements are to be implemented in addition to the basic and derived requirements in NIST SP 800-171, since the basic and derived requirements are not designed to address the APT. The enhanced security requirements apply only to components of nonfederal systems that process, store, or transmit CUI or that provide protection for such components when the designated CUI is contained in a critical program or HVA. The enhanced security requirements are only applicable for a nonfederal system or organization when mandated by a federal agency in a contract, grant, or other agreement.