CUI stands for Controlled Unclassified Information – this is part of a government program that standardizes how unclassified information is protected and shared.
Previously, CUI was known as FOUO – For Official Use Only – however, the use of FOUO became inconsistent due to confusing policies and applications.
The types of information that fall under the Controlled Unclassified Information category are varied.
However, just because it is not secret or top secret in designation doesn’t mean that the information doesn’t need to be protected. The information within a Controlled Unclassified Information file could harm the United States if it were to be accessed by the wrong people.
Most often, the information is created by the government and/or owns it, and as such is why it needs to be protected.
It is important to note that while the information is classified, it doesn’t mean that it is not Controlled Unclassified Information.
What is the Definition of CUI?
The formal definition of CUI is:
“Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.” – National Archives.
Why is it essential to identify CUI?
The Defense Security Cooperation Agency, DCSA, in May 2018 was tasked with creating a framework that could manage CUI. The main goal was to develop data prioritization and assignment procedures that span across the government and its related organizations.
The NARA was the designated agency to deal with the implementation and compliance, and they delegated the task to The Information Security Oversight Office.
They intend to create best practices for safeguarding this sort of information by adopting uniform assessment standards, a CUI data repository, and related training to boost national security.
The original system was messy, and each of the government offices would mark the pieces of information with its markings. Since nothing was standardized, this meant that fewer controls were in place for CUI.
Without the controls in place, the CUI was open to misuse and posed a threat to national security.
What are the types of data that are considered Controlled Unclassified Information?
There are many types of Controlled Unclassified Information, here are some of them:
- PHI – Protected Health Information
- PII – Personally Identidiable Information
- CTI – Controlled Technical Information
You will also find the following information within the Controlled Unclassified Information.
- Engineering drawings and lists
- Specifications and standards
- Technical reports and technical orders
- Data sets
- Studies and analysis with its related information
- Financial records
- Contract information
- Conformance reports
- Catalog-item identifications
- Process sheets
- Research and engineering data
The list covers almost all types of information that would be required by DoD prime and subcontractors.
How does Controlled Unclassified Information become Top Secret?
Controlled Unclassified Information can be secret or Top Secret information. For example, if two contractors are working on individual parts for a single machine for the DoD, these would be classed as Controlled Unclassified Information.
Once the technical drawings and associated data sets are compiled, they will still be Controlled Unclassified Information if they are still separate.
However, if the two pieces of information are combined into one file, this may be classed as Secret.
This is just one example of Controlled Unclassified Information becoming Secret or Top Secret.
How is Controlled Unclassified Information marked?
Controlled Unclassified Information can be created by those doing business with the government or the government itself. Often new contractors will create new Controlled Unclassified Information in the process of delivery.
The holder of the materials or document is the party responsible for deciding if the item should be under the Controlled Unclassified Information category. If the materials or document do fall under the category, the hold will be required to apply CUI markings and dissemination instructions.
Each of the organizations within the DoD will produce specific guidance for these.
What is Controlled Unclassified Information dissemination control markings?
The CUI can be given limited dissemination controls as well as the general Controlled Unclassified Information specifications and categories.
Here are some of the markings:
- FED ONLY – only federal employees
- NOFORN – no foreign dissemination
- FEDCON – Federal employees and contractors only
- NOCON – No dissemination to contractors
- ATTORNEY-Client dissemination only for the attorney and client
There are several other dissemination control markers too.
What is the difference between Controlled Unclassified Information and Classified?
Controlled Unclassified Information is a broader category and covers a wide range of sensitive information; however, the information is not considered classified. Classified information is handled differently from CUI.
The distinction is in the dissemination.