CUI: What you need to know

An Information security reform

Controlled Unclassified Information (CUI), is sensitive information that laws, Federal regulations, or Government-wide policies require or permit executive branch agencies to protect – protection that agencies have undertaken for decades, but on an ad hoc and inconsistent basis.  The legacy of inconsistent agency policies, procedures, and markings that arose to safeguard sensitive unclassified information, has spurred the ongoing drive for reform by the past three Presidential administrations.

The CUI Program is an information security reform that took the best of what agencies have been doing to protect sensitive information, turning those practices into standards that form a baseline for protection.

An agent for change

The Information Security Oversight Office (ISOO) acts as the Executive Agent (EA), responsible for oversight of the CUI Program, monitoring its implementation by executive branch agencies. 

Standards and best practices

The CUI Program establishes standards and best practices built on existing agency policies and programs to replace the legacy of inconsistencies in safeguarding and handling sensitive information – for the entire lifecycle of the information, from marking through decontrol (see 32 CFR 2002.18 and destruction.  The CUI Program establishes consistent protections, while facilitating timely authorized information sharing across the executive branch.

Training

The CUI Executive Agent has a wide variety of training resources available on its training website, including an 11 minute overview of the CUI program and a CUI Markings Training. These and other videos are also available on the training website, can be downloaded, and used to supplement agency/organization CUI training.  To record completions  the modules must be delivered through an Electronic Learning Management-type system.

Markings Handbook and other resources

The CUI Markings Handbook is available on the CUI Executive Agent website along with additional resources, such as CUI Coversheet (SF 901), link to how to purchase Media Labels (SF 902 and SF 903) from GSA, and Destruction Equipment Labels. Here is a direct link to the Marking Handbook.

Budgeting for implementation

Initially agencies utilized existing resources for the initial phases of CUI implementation.  In 2016, 2017, 2018, 2019, 2020 OMB Circular A-11, recognizing that continued implementation and reform will require additional resources, requested agencies to include CUI program and implementation costs in their estimates.

Section 31.15 Controlled Unclassified Information states that:

“Agency estimates should reflect consideration of Executive Order 13556, Controlled Unclassified Information (CUI), and the policies issued by the National Archives and Records Administration (NARA), 32 CFR 2002, “Controlled Unclassified Information,” and CUI Notice 2020-01, “CUI Program Implementation Deadlines” (and any successor CUI notices on implementation). The Information Security Oversight Office within NARA was designated as the Executive Agent to implement the CUI program that will eventually replace all existing Sensitive-But-Unclassified (SBU) information handling regimes (e.g., “For Official Use Only,” etc.) across the Executive Branch. Agency estimates should reflect:

  • The hiring of full-time employees and/or contractor support to implement and manage the CUI Program at headquarters, regional locations, and within component agencies;
  • The development and deployment of automated marking tools that will ensure the uniform application of CUI Markings as well as ensure the timely dissemination of CUI to authorized recipients;
  • Development of internal policies to phase-in and transition to the CUI program;
  • The modification of agency incident reporting mechanisms and systems to include CUI categories and requirements;
  • The modification and issuance of contracts and agreements to reflect the standards of the CUI Program;
  • Development and implementation of training and awareness programs to inform affected employees of their responsibilities when handling CUI basic and specified categories;
  • Assessment and any transition of information systems which handle or are used to process CUI to the moderate confidentiality impact value;
  • Assessment and transition of physical environments as required for CUI;
  • Development of an internal agency CUI self-inspection program; and
  • Costs to align and integrate the agency’s Insider Threat Program with the agency’s CUI Program.

Implementation timeline

CUI Notice 2020-01 sets out deadlines for the different stages of executive branch-wide implementation of the CUI Program. These deadlines are based on agency projections provided in their annual report to ISOO. Some agencies may implement earlier and some agencies might experience delays on some of these stages.

The timeline is:

  • By June 30, 2020: Awareness Campaign
    • Agencies must initiate an awareness campaign that informs their entire workforce of the coming transition to the standards of the CUI Program.
  • By December 31, 2020: Policy
    • Agencies must issue policies that implement the CUI Program.
    • If an agency has sub-agencies, all those subordinate components must develop and publish implementing policies and/or modify or rescind all affected policies by June 30, 2021.
  • By December 31, 2020: Classification Marking Tools (CMTs)
    • Agencies that manage, own, or control Classification Marking Tools (CMT) used to mark Classified National Security Information must have initiated any modification of such CMTs as necessary to begin accounting for CUI markings.
    • Agencies that that depend on modification of any CMTs to achieve full CUI implementation must start reporting progress on modifying CMTs.
    • Agencies, whose documents might contain commingled CUI and Classified National Security Information (CNSI), should follow CUI Notice 2018-05 on marking CUI as CMTs are being updated.
  • By December 31, 2021: Training
    • Agencies must deploy training to all affected employees.
  • By December 31, 2021: Physical Safeguarding
    • Agencies must implement or verify that all physical safeguarding requirements are in place.
  • By December 31, 2021: Information Systems
    • Agencies (including any sub-agencies or components) must modify all Federal information systems to the standards in 32 CFR 2002.14.

Contractors timeline

Contractors should continue to follow the terms of existing contracts and send any questions regarding implementation to the contracting officer for their contract. Agencies will update contracts as part of implementation, but the timeline may vary depending on the agency.

Federal Acquisition Regulation (FAR) clause

A FAR clause for CUI is currently being developed and will help standardize how contracts between executive agencies and non-Federal partners address safeguarding and handling of CUI in compliance with the CUI Program.

Estimated public comment period is 10/2020 to 12/2020.

Metadata standards

An optional CUI metadata standard is in development using the National Information Exchange Model (NIEM). The draft standard s are available here and are expected to be issued by December 2020.

The CUI Registry

Originally published by ISOO in 2011, the CUI Registry presents the first compendium of all laws, Federal regulations, and Government-wide policies requiring or permitting agencies to protect sensitive information across the executive branch. The CUI Registry includes approved markings for categories divided into two types of CUI – CUI Basic and CUI Specified. 

The CUI Registry entry for each category links to the laws, Federal regulations, and Government-wide policies that authorize that category and lists the markings that can be applied.

CUI Basic vs CUI Specified

CUI Basic and CUI Specified are not different levels of protection. The difference between the two is on whether the laws, Federal regulations, and Government-wide policies that authorize that category requires safeguards different from the safeguards established for CUI Basic in 32 CFR 2002.14(c), if so, then the information is CUI Specified. More information on this is in 32 CFR 2002 and the CUI Registry. CUI Basic and CUI Specified markings requirements that can be found in the CUI Markings Handbook.

Information Systems

CUI should be safeguarded at no less than the Moderate Confidentiality Impact level. The CUI Program draws on National Institute of Standards and Technology Special Publication 800-53 (NIST SP 800-53) to establish the standards to safeguard CUI on Federal information systems.

NIST SP 800-171 establishes the standards to safeguard CUI on non-Federal information systems, such as those owned by contractors, universities, research labs, state and tribal governments, and other partners that receive or use CUI under contracts or agreements with the executive branch. Additional policy guidance can be found in 32 CFR 2002.14 (g).

Optional Non-Disclosure Agreement

CUI Notice 2020-03 provides an optional  template for non-disclosure agreements covering CUI. Here is the template.