ISOO Issues First CUI Notices of 2018

On January 24, 2018, ISOO issued two CUI Notices, one with recommendations for CUI Basic Training, and another regarding the agreements required for sharing CUI between Executive Branch entities and their non-Executive Branch partners.

The Notice on CUI Basic Training (CUI Notice 2018-02) recommends common learning objectives and curriculum design content, training delivery methods, and testing objectives, for Executive Branch entities to incorporate in their required basic-training courses on CUI.  The Notice presents these recommendations in the form of a table based on the first three levels of Bloom’s Taxonomy, a classification benchmark for learning objectives that is widely accepted by training professionals.

The Notice on Agreements (CUI Notice 2018-01) provides guidance and recommendations on how information-sharing agreements between Executive Branch entities and their non-Executive Branch partners must convey CUI Program requirements.  The Notice excludes reference to guidance for information-sharing with foreign entities.

The Notice explains that as Executive Branch entities implement their own CUI policies, they must negotiate modifications to existing agreements in compliance with the CUI Program.  When feasible, Executive Branch entities should enter into written agreements that include explicit CUI requirements.

Such agreements must require non-Executive Branch partners to handle CUI in accord with the CUI Program, subject to applicable penalties, while also stipulating that non-Executive Branch partners must follow methods approved by the Executive Branch entity in reporting any non-compliance with CUI requirements.

As a best practice, the Notice recommends that agreements between Executive Branch entities and their non-Executive Branch partners: 1) identify categories of CUI and specific handling, safeguarding, or dissemination requirements for CUI shared under the agreement; 2) state where the terms of the agreement will be performed; and, 3) indicate specific technical requirements for protecting the CUI, as well as whether a federal or non-federal information system will be used to process, store or transmit it.

Posted in General updates | Leave a comment

Controlled Unclassified Information (CUI) Symposium by the U.S. Department of Veterans Affairs

Please join the Department of Veterans Affairs (VA) for its Controlled Unclassified Information (CUI) Symposium to learn about the CUI Program, associated implementation efforts, and expected federal impact. The symposium will feature VA CUI subject matter experts, alongside panelists from the National Archives and Records Administration (NARA), the U.S. Department of State (DoS) and the Internal Revenue Service (IRS).

EventBrite Registration

Address: G.V. “Sonny” Montgomery Veterans Auditorium (RM 230), 810 Vermont Ave NW, Washington D.C. 20420

Controlled Unclassified Information (CUI) is information that the Government creates or possesses. CUI requires protection under laws, regulations, or Government-wide policies, and it can correspond to any of the following sources: privacy, health, military, information technology (IT), contract, and personnel data.

Within VA, the Office of Information and Technology’s (OIT) Department of Quality, Privacy, and Risk (QPR) hosts the Controlled Unclassified Information (CUI) Program, a consolidation of best practices that standardize how sensitive information is marked, handled, disseminated, decontrolled, and destroyed across federal agencies.


Are there ID or minimum age requirements to enter the event?

You must be a US government employee or contractor with a valid government ID to attend the VA CUI Symposium.

How can I contact the organizer with any questions?

Please send any questions about the VA CUI Symposium to

Do I have to bring my printed ticket to the event?

Yes, please print your ticket and bring it to the event.

Is my registration fee or ticket transferrable?

No, tickets are not transferrable.

Is it ok if the name on my ticket or registration doesn’t match the person who attends?

No, the name on your ticket must match the name on your valid government ID to enter the event.

Posted in Events & reviews | Leave a comment

Comment period extended for Draft NIST Special Publication 800-171A

The public comment period for Draft NIST Special Publication 800-171A, Assessing Security Requirements for Controlled Unclassified Information, has been extended to January 15, 2018.
Posted in Events & reviews | Leave a comment

CUI Program update to stakeholders

The next scheduled webinar will be February 15, 2018 (1-3 EDT).  All subscribers to the CUI Blog will receive links and call-in information to access the webinar prior to the event.

Posted in Events & reviews, General updates | Leave a comment

Agency review: Proposed category-subcategory list changes for easier use

In response to agency requests, we are proposing revisions to the CUI Registry’s list of categories and subcategories to make it easier to navigate and understand.  We’ve started with some small organizational changes that we hope will address confusion about the difference between categories and subcategories, clarify a few of the category names, and make it easier to find types of CUI on the Registry listing. These revisions are: Continue reading

Posted in CUI Registry, Events & reviews | Tagged , , , , , , , , , | Leave a comment

NIST issues update for NIST SP 800-171, Revision 1

NIST announces the release of an errata update for Special Publication 800-171, Revision 1Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. The errata update includes minor changes to the publication that are either editorial or corrective in nature.


nist sp 800-171.1 2.png

Posted in General updates | Tagged , , , , , | Leave a comment

NIST Special Publication 800-171A open for review

Today, NIST announced the release of draft Special Publication 800-171AAssessing Security Requirements for Controlled Unclassified Information. This publication is a companion tool for NIST Special Publication 800-171Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, and is intended to help organizations develop assessment plans and conduct efficient, effective, and cost- Continue reading

Posted in Events & reviews | Tagged , , , , , , , , | Leave a comment

Questions and answers: Marking

by Mark Riddle

Markings during phased implementation

  1. When can I start using the CUI markings and following the requirements of the CUI Program?

Continue reading

Posted in Marking & examples | Tagged , , , , , , , , , , , , , , , , , , | 2 Comments

CUI and re-marking legacy Information

Agencies can waive the requirement to re-mark legacy information with the new CUI markings while the CUI is in their control.  The CUI Program does not require the agencies to re-mark unless reusing and sharing the information with others outside of their agency.  In addition, because the CUI regulation also contains flexibility in handling such things as existing on-line databases with numerous PDF documents, a flash screen may suffice to alert users that a law, Federal regulation, or Government-wide policy requires safeguarding and dissemination controls.

Posted in Common questions, Marking & examples | Tagged , , | Leave a comment

The CUI Program and budget considerations

Under the FOUO (For Official Use Only) system (and multiple other protection schemes), agencies are already spending money on protecting the same (or even a greater) range of unclassified information as identified in the CUI Registry.  This includes marking, safeguarding measures, and training.  The CUI Program’s requirements were based on the baseline for current protection measures purposely.  In fact, Executive Order Continue reading

Posted in Common questions | Tagged , , , , | Leave a comment