AD HOC STAKEHOLDER UPDATE: CUI Metadata markings and NIEM 5.0 beta 1 Release (Presentation with Q&A)

Join us on Monday for a quick presentation and some Q&A!

The conference begins at 2:30 PM Eastern Time on July 13, 2020; you may join the conference 10 minutes prior.

Step 1: Dial into the conference.
Dial-in: 888-251-2949 or 215-861-0694
Access Code: 2367572#

Step 2: Join the conference on your computer.
Entry Link:

Need technical assistance?
Audio Connection: 1-888-796-6118 or 1-847-562-7015
Web Connection: 1-888-793-6118

The Ad Hoc Stakeholder Update will have two parts followed by a short Q&A:

  • (10-15 min) An introduction to the CUI Program and how metadata markings can help support CUI Marking and Sharing Requirements. By Devin Casey, Program Analyst.

DEVIN CASEY is the lead for agency implementation and oversight activities for the Controlled Unclassified Information (CUI) Program. Since joining the CUI Program, Devin has authored numerous policies and guidance documents that have aided stakeholders, agencies and industry, in the implementation and management of the CUI Program.

  • (30 min) An overview of the CUI additions to the upcoming NIEM 5.0 as well as instructions on how to submit comments to NIEM 5.0 Beta 1. By Charles Chipman, Senior Research Scientist.

CHARLES “CHUCK” CHIPMAN is a senior research scientist working for Georgia Tech Research Institute (GTRI) supporting the Joint Staff J6 Data and Services Division, which serves as the NIEM Management Office and MilOps Domain steward. He is retired Air Force (C4ISR) and before GTRI spent 10 years as a contractor supporting the AF’s Joint Interoperability of Tactical Command and Control Systems (JINTACCS) program, primarily providing configuration management of the U.S. Message Text Format Program (MilStd6040), an XML-based exchange standard, which is where he was introduced to NIEM/GTRI.

  • (15-20 min) Q&A

CUI Marking Class Q&A (From May 19)

Q&A from May 19 class

Question: Will unclassified contracts have DD 254s issued to provide CUI Guidance or will unclassified contracts have simple attachments similar to the current FOUO for guidance?

Answer: DD 254s are only to be used with contracts that include CNSI requirements. The CUI EA has been working to develop a FAR case (with GSA, DoD, NASA, DHS) that will be used to standardize the way Executive branch agencies convey safeguarding guidance for CUI. This FAR case includes a draft standard form, similar to the DD 254, that is intended to consolidate where contract related CUI requirements are conveyed.

Question: Will CUI Training be available through CDSE?

Answer: Likely. It is our understanding that DoD is working to develop CUI Training and that some CUI Training may be included on CDSE; who will be required to take the training and what training requirements it will meet are still to be decided by DoD. Specific questions regarding DoD’s implementation can be directed to: Current information about CUI on the CDSE platform can be found at

Question: Who is the responsible party for issuing Legacy CUI marking waivers?

Answer: Per 32 CFR 2002.38, agency Senior Agency Officials (SAO) may issue marking waivers for CUI while it remains under agency control.

Question: Can you point out the agency CUI POC list?


Question: Who is responsible for marking CUI? We have run into agencies failing to do so. If we don’t generate the material, what is contractor responsibility?

Answer: Upon implementation, agencies are responsible for marking or identifying any CUI shared with non-federal entities. Questions regarding the status of information (marked or unmarked) should be directed back to the contracting activity. Keep in mind, many agencies are not yet marking CUI and are still implementing the elements of the CUI program. Contractors should not follow CUI program requirements or markings until directed to do so in a contract or agreement.

Question: Define AGENCY when discussing Legacy Information

Answer: Agency (also Federal agency, executive agency, executive branch agency) is any “executive agency,” as defined in 5 U.S.C. 105; the United States Postal Service; and any other independent entity within the executive branch that designates or handles CUI.

Question: What do you consider reuse of CUI?

Answer: Re-use means incorporating, restating, or paraphrasing information from its originally designated form into a newly created document.

Question: What’s the difference between CUI and Controlled?

Answer: There is no difference; both are authorized CUI Control Markings and can be used interchangeably unless limited by agency policy.

Question: You authorize “NOFORN” and “REL TO” as dissemination control markings. Why don’t we have a marking equivalent to “RELIDO” (which is an intelligence marking that allows authorized people downstream to further disseminate as needed without going back to the originator)?

Answer: The only authorized Limited Dissemination Control (LDC) markings that can be used with CUI are those found on the CUI Registry. CUI Notice 2018-07 describes the proper use of LDC and also the process for submitting new/additional LDCs for use with CUI. The dissemination of all CUI is governed by the principle of “Lawful Government Purpose”; this means that any recipient of CUI must be deemed to have a mission-related purpose to receive the information and that there must be no prohibition to that dissemination in law, regulation, or governmentwide policy. If an agency wishes to communicate a restriction beyond this, any of the above-mentioned dissemination controls can be applied as appropriate.

Question: Can you give a few examples of CUI Basic?

Answer: The CUI Registry lists all authorized CUI Categories (basic and specified). The categories on this page that do not have a marking with “SP-” are CUI basic categories, like the Agriculture category and the Asylee category.

Question: For Industry Contractors, do we ever mark CUI?

Answer: Yes, but only when instructed to do so in the contract or supporting documentation.

Question: Are we basically only concerned with protecting CUI that we actually receive from our government customer?

Answer: CUI must be safeguarded in accordance with the contract, whether it is created or collected for the government or shared from the government to the contractor.

Question: Especially when talking about Legacy information, do we just wait until the government agency sends us new documents that are marked CUI?

Answer: Any information received or created as part of a current or previous contract should be protected in accordance with the terms of the contract under which it was received or created. As agencies implement, CUI requirements will be added to existing and new contracts.

Question: What do you do if you have your customer marking every document as CONTROLLED with no true banner marking? Is that considered Basic? The word Controlled is an authorized banner marking for Basic CUI.

Answer: Under the CUI program, information marked “CONTROLLED” without additional markings would be CUI basic. Confirm with your customer and your contract that they are using CUI markings and ensure you follow any and all requirements in your contract or agreement.

Question: How do you navigate a situation where you feel you have CUI but it hasn’t been marked appropriately?

Answer: Questions regarding the status of CUI should be directed to the originator of the information or the contracting activity.

Question: What is the difference between U//FOUO and CUI?

Answer: U//FOUO is a legacy marking used to indicate sensitivity based on agency policy or practice. CUI is a marking that is used to indicate the presence of CUI basic information. CUI Markings are applied only to those information types (categories) found on the CUI Registry and can be linked to laws, regulations, or Government-wide policies calling for protection or control of the information. As the CUI Program is implemented, U//FOUO will cease to be an authorized marking, but you may still see it on legacy documents as we transition to CUI.

Question: Banner Marking and document marking works for unstructured data? What about marking structured data such as databases?

Answer: For databases or applications, splash screens or banner marking can be used to satisfy the marking and identification requirements of the CUI Program. System outputs can also be modified to apply markings upon printing or downloading from the application. The CUI office is working with NIEM to create a CUI Metadata standard that can be used to indicate CUI markings. Check the CUI blog for updates on this project.

Question: Do you mark/tag fields in the Database or categorize the system itself?

Answer: Individual fields can be marked or a general alert can be placed on entry into the database/system.  System outputs should be modified to include applicable CUI markings as needed.

Question: How would I mark/tag a system?

Answer: See the CUI Marking handbook, page 27.

Question: What you’re saying is purple is recommended, but not required?

Answer:  The SF 901 is Purple.  If color printing is not available, the form can be printed using a black and white printer.

Question: To clarify, contractors only have to mark CUI if their contract requires it?

Answer: Yes. Contractors need to follow whatever guidelines are in their contract. As the CUI program is an executive branch program, CUI requirements do not bind the public, except as authorized by law or regulation or as incorporated into a contract or agreement.

Question: Are there reporting requirements and corrective actions for CUI spillage, similar to those present for Classified information?

Answer:  Agencies/organizations should develop reporting requirements/mechanisms for CUI incidents.  Certain categories of CUI (like Privacy) have special reporting requirements for loss or incidents.

Question: So CUI designation is replacing anything that we would have labeled FOUO//?

Answer:  Once agencies implement the CUI Program, legacy markings such as FOUO or SBU will no longer be used.  In many cases what was previously marked as FOUO would align and be able to be marked as CUI.  There are some information types currently marked as FOUO that may not qualify as CUI.

Question: How should industry label their computers or USB containing CUI? What should the label contain?

Answer:  SF 902 and 903 can be used by industry to label hard drives or USBs (media) that contain CUI. They can be ordered from GSA here

Question: What about ITAR controls?

Answer:  Please see the Export Control Category of CUI.

Question: Do Industry personnel (FSO, etc) have authority to generate original CUI?

Answer:  Maybe. Depending on the terms of the contract, industry may have the authority to generate CUI on behalf of the USG.

Question: What’s the difference between CUI, FOUO, and the Privacy Act Coversheets and markings?

Answer:  The CUI Coversheet (SF 901) is authorized for use with CUI.  Upon the implementation of the CUI Program, coversheets (and markings) that are not required per underlying authorities, such as FOUO and Privacy Act, may no longer be used.

Question: As a subcontractor, doesn’t our customer have to flow down what is CUI?

Answer: The Draft CUI FAR case will have strict flowdown requirements much like the DFARS 252.204-7012. Flowdown requirements should be reflected in the primary contract.

Question: Are you familiar with any solutions that can automate the process of email marking?

Answer:  We are aware of a number of efforts within industry and within agencies to develop automated/assisted marking solutions for CUI. There are no plans, by the CUI Executive Agent/ISOO, to publish an evaluated or approved list of vendors who have developed automated/assisted marking tools for CUI.

Question: Our activity uses the NOFORN marking for Naval Nuclear Propulsion Information category CUI, but we do not use the CUI//SP-NNPI for the marking, we use NOFORN.  Should we switch over to using SP-NNPI?

We also use a GREEN NOFORN Cover Sheet instead of the purple CUI one.

Answer: Industry should continue to follow the terms of existing contracts. As agencies implement the CUI Program, contracts will be modified to reflect CUI requirements.

Question: Can we use the coversheet instead of marking each page of the document or do we need to use both the cover sheet and also mark each page?

Answer: A coversheet (SF 901) may be used in lieu of marking every page of a document. Be sure to list (on the SF 901) any Specified categories, limited dissemination controls, or requirements called for by underlying, related laws, regulations, or government-wide policies.

Question: Is it required that CUI be stored in a GSA-approved safe?

Answer: No. CUI must be stored behind a locking barrier inside of a controlled environment that prevents unauthorized access. Organizations have some flexibility in determining what qualifies as a controlled environment. CUI specified categories may have additional physical security requirements.

Question: Where can we access the CUI Marking Handbook?


Question: What is the mechanism for removing markings or lifting restrictions on documents if/when the restriction has expired or no longer applies?

Answer: CUI Markings can be removed (or struck through) when the information has been decontrolled. Decontrolling occurs when an authorized holder, consistent with 32 CFR 2002 and the CUI Registry, removes safeguarding or dissemination controls from CUI that no longer requires such controls. Decontrol may occur automatically or through agency action. See § 2002.18.

Question: If you use a Coversheet for a multipage document, do you still need to mark every page?

Answer: No. If you use a CUI coversheet (SF 901), marking every page is not required.

Question: Are there specific/special Record Retention issues/timeframes specific to CUI?

Answer: No. Records retention issues/timeframes are not impacted by a record’s status as CUI.

Question: (If you asked a DoD-specific question, your answer is here) What about DoD?

Answer: For answers about compliance with your DoD contracts, the first place to check is the contract itself or the POC for the contract.

For questions about compliance with DFARS 7012 check out the DoD Procurement Toolbox at:

“” can be contacted for clarification on DFARS 252.204-7012 or NIST SP 800-171 in support of DFARS 252.204-7012. Emails sent to that address are reviewed frequently and distributed as appropriate to a cross-functional team of subject matter experts for action.

For questions about the planned CMMC program please see the CMMC website at:

Training specific information will likely be included on the CDSE CUI page at:



CUI Marking Class (Webex)

We will be offering a CUI Marking fundamentals webex on
July 23, 2020 from 11 am – 1 pm (EDT).
Participants will receive a completion certificate for attending the webex.
In addition to providing an overview of the principles of marking in the unclassified environment, this class will provide an update on the CUI Program and its implementation among Executive Branch agencies.
During this class we will discuss the new CUI Notices 2020-01 (CUI Program Implementation Deadlines) and CUI Notice 2020-02 (Alternative Marking Methods).

The conference begins at 11:00 AM Eastern Time on July 23, 2020; you may join the conference 10 minutes prior.

Step 1: Dial into the conference.
Dial-in: 888-251-2949 or 215-861-0694
Access Code: 1399154#
Need an international dial-in number?

Step 2: Join the conference on your computer.
Entry Link:

When you access the entry link above, you will be provided a choice – to install the WebEx plug-in for your preferred browser or to join the web conference using a temporary path. Either option is acceptable.

Need technical assistance?
Audio Connection: 1-888-796-6118 or 1-847-562-7015
Web Connection: 1-888-793-6118


***NOTE: You do NOT have to RSVP for this class, you may just dial in, and the slides will be posted prior to the Webex***




Draft SP 800-172 (formerly Draft NIST SP 800-171B) is out for Public Comment

NIST SP 800-172 Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171 (Final Public Draft)

Comments are due by August 21, 2020.
Please see for more information, the draft publication, and directions for submitting comments.


“In certain situations, CUI may be associated with a critical program⁶ or a high value asset⁷. These critical programs and high value assets are potential targets for the advanced persistent threat (APT). An APT is an adversary or adversarial group that possesses sophisticated levels of expertise and significant resources that allow it to create opportunities to achieve its objectives by using multiple attack vectors, including cyber, physical, and deception. The APT objectives include establishing footholds within the infrastructure of the targeted organizations for purposes of exfiltrating information; undermining or impeding critical aspects of a mission, functions, program, or organization; or positioning itself to carry out these objectives in the future. The APT pursues its objectives repeatedly over an extended period, adapts to defenders’ efforts to resist it, and is determined to maintain the level of interaction needed to execute its objectives. While the category of CUI itself does not require greater protection, CUI associated with critical programs or high value assets is at greater risk because the APT is more likely to target such information and therefore requires additional protection.

⁶ The definition of a critical program may vary from organization to organization. For example, the Department of Defense defines a critical program as a program which significantly increases capabilities and mission effectiveness or extends the expected effective life of an essential system/capability [DOD ACQ].

⁷ See [OMB M-19-03] and [OCIO HVA].”

-NIST SP 800-172 (Draft) Lines 223-235

CUI Metadata standard available for review

The CUI Executive Agent has been working with the CUI Advisory Council and the National Information Exchange Model (NIEM) to develop a metadata standard for CUI categories and limited dissemination controls.  NIEM is a common vocabulary that enables efficient information exchange across diverse public and private organizations.

The draft standard can be found here and is available for comment until July 17, 2020.

FCI and CUI, what is the difference?

Buckle up, this is a long one…

First, a disclaimer:

This blog post does not constitute CUI guidance.  This post is solely an effort to provide helpful information and context.

Then on to some definitions!

Federal contract information (from 48 CFR 52.204-21) means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but not including information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.

Controlled Unclassified Information (from 32 CFR 2002.4) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify. [emphasis added]

When we look at both of these definitions, we find some similarities as well as a very important distinction. Both CUI and FCI include information created or collected by or for the Government, as well as information received from the Government. But, while FCI is any information that is “not intended for public release,” CUI is information that requires safeguarding.

In short:  All CUI in possession of a Government contractor is FCI, but not all FCI is CUI.

So, what does this mean for safeguarding in a non-federal system?

Non-federal systems that store, process, or transmit FCI that does not also qualify as CUI must follow, at a minimum, the basic safeguarding requirements outlined in FAR clause 52.204-21.

Non-federal systems that store, process, or transmit CUI are required to meet any additional safeguarding requirements identified in the contract. As agencies implement the CUI program and incorporate the standards of this program into their contracts and agreements, the NIST SP 800-171 will be the minimum standard for protecting CUI in non-federal information systems and organizations (per 32 CFR 2002.14 and 2002.16).

Reminder: CUI Marking Webex (Tomorrow)

We will be offering a CUI Marking fundamentals webex on
June 18, 2020 from 11 am – 1 pm (EDT).
Participants will receive a completion certificate for attending the webex.
In addition to providing an overview of the principles of marking in the unclassified environment, this class will provide an update on the CUI Program and its implementation among Executive Branch agencies.
During this class we will discuss the new CUI Notices 2020-01 (CUI Program Implementation Deadlines) and CUI Notice 2020-02 (Alternative Marking Methods).

The conference begins at 11:00 AM Eastern Time on June 18, 2020; you may join the conference 10 minutes prior.

Step 1: Dial into the conference.
Dial-in: 1-877-369-5243 or 1-617-668-3633
Access Code: 0449805##
Need an international dial-in number?
Step 2: Join the conference on your computer.
Entry Link:

When you access the entry link above, you will be provided a choice – to install the WebEx plug-in for your preferred browser or to join the web conference using a temporary path. Either option is acceptable.

Need assistance with your audio? Please dial 888-796-6118. Need assistance with your Webex? Please dial 888-793-6118.


June Marking class presentation




Optional Non-Disclosure Agreement Template issued

On June 3, 2020, ISOO issued CUI Notice 2020-03. This notice provides an optional Controlled Unclassified Information (CUI) non-disclosure agreement (NDA) template for executive branch agency use. Executive branch agencies may use the template when they determine that a CUI NDA is appropriate. The template is optional, and agencies can modify it if needed. A list of all CUI Notices can be found here

Using CUI while teleworking: Microphones and Cameras in Our Homes

When working with CUI, you are required to establish a controlled environment that will safeguard it.

This means not just using information systems that have the necessary safeguards in place; it also means being aware of the other potential risks to CUI, such as the presence of microphones and cameras in our homes. The microphones and cameras on our computers and mobile devices (phones and tablets) could place CUI at risk. If it is an electronic device, it can be hacked; if it connects to the internet, it can be hacked remotely. What level of safeguarding do you have on your devices with microphones and cameras?

Take a moment to think about how many internet connected microphones and cameras you have in your house.

Of course, we have our phones and computers, but what else is around?

Is the remote control to your TV voice controlled? What about your thermostat?

Do you have a voice activated personal assistant service?

How about devices other than your phone and computer that are voice activated and that can stream music over WiFi?

Some people even have appliances that are voice activated and connected to home WiFi, like refrigerators.

There are often more of these in our homes these days than we might realize at first glance.

Cyber criminals and foreign intelligence services know that with everyone at home they have rich and often less secured targets.

And it isn’t just these threats. If you read many application user agreements, they allow the application to collect data from device cameras and microphones even when the application isn’t in use.

The collected data varies in how anonymized it is. Even if the user agreements say the data is anonymized, there is a long history of business intelligence gathering to gain business advantage and of contracts that were violated to obtain advantage.

To achieve a controlled environment it is important to be aware of your surroundings. If there are microphones in internet-connected devices around you, take action to protect CUI. Keep conversations containing CUI to emails or other written communication on information systems that your agency has approved as meeting the requirements to handle CUI.

Though internet connected cameras are rare on anything other than phones, computers, baby monitors, and doorbells, if you have CUI on your computer screen or desk then make sure it isn’t visible to cameras on unsecured devices.

Some quick things you can do to make your home and devices more secure are:

  1. Make sure to change the default username and passwords for all internet connected devices.
  2. Make sure you update the firmware on your router, modem, and all connected devices regularly. Many of these updates are pushed out to address known security vulnerabilities. If you don’t know how, check the device website or call customer service.
  3. Turn off and unplug unused devices; consider disabling or covering cameras when not in use.
  4. Keep any security software or firewalls updated to the latest version.

There is a lot more you can do and some great information about how to do it found in the additional resources below:

Consult with your agency or organization’s security office if you have specific questions or concerns.