Insights | Sanctum Federal

What Is Controlled Unclassified Information (CUI)?

Written by Ashley Neu | Apr 21, 2022 1:24:11 PM

The United States Department of Defense (DoD) defines Controlled Unclassified Information (CUI) as "Government created or owned UNCLASSIFIED information that must be safeguarded from unauthorized disclosure." The idea of CUI was established by Executive Order 13556 on November 4, 2010. It was a product of the realization that across all levels of mission areas, DoD personnel and Federal Contractors will receive, create, handle or disburse information that, while labelled UNCLASSIFIED, provides value to the United States and may be targeted by strategic competitors and/or adversaries.

Prior to establishing CUI, individual agencies used their own unique labels to identify UNCLASSIFIED information in need of safeguarding. Such labels included:

  • Confidential Business Information (CBI),
  • Personally Identifiable Information (PII),
  • Procurement Sensitive,
  • Sensitive But-Unclassified (SBU),
  • For Official Use Only (FOUO)

Under EO 13556, these labels were standardized under the single Controlled Unclassified Information (CUI) label.

 

What Is CUI Basic And CUI Specified?

Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.

CUI Registry

Simply put, information designated as CUI Basic does not have to be labeled in any specific way, while CUI Specified information includes a clear process for signifying it as CUI. CUI Specified data may be required to use unique markings, increased physical safeguards and even limits on who can access the data.

Each CUI Category is designated a Safeguarding and/or Dissemination Authority; this authority determines whether or not information related to their category should be labeled as Basic or Specified.

Controlled Unclassified Information Categories & Marking Procedure

As stated previously, CUI Specified markings are determined based on the category's Safeguarding and/or Dissemination Authority. There are 125 CUI categories organized under 20 organizational index groupings:

  1. Critical Infrastructure 
  2. Defense 
  3. Export control 
  4. Financial 
  5. Immigration 
  6. Intelligence 
  7. International Agreements 
  8. Law Enforcement 
  9. Legal 
  10. Natural and cultural resources 
  11. North American Treaty Organization 
  12. Nuclear 
  13. Patent 
  14. Privacy 
  15. Procurement and acquisition 
  16. Proprietary Business Information 
  17. Provisional 
  18. Statistical 
  19. Tax 
  20. Transportation 

The CUI Registry outlines for each category:

  • The correct banner marking
  • Category description
  • Category marking
  • Banner format and marking notes
  • Links to the category's Safeguarding and/or Dissemination Authority or Authorities if multiple are assigned
  • Whether each Authority labels the data under their responsibility as Basic or Specified and the related banner marking

All documents need to be labeled with their appropriate banner markings to alert those who access them of their CUI nature. CUI markings MUST appear at the top of the page and use the following format:

"CUI" or "CONTROLLED" // [CUI Category Marking, If Required] // [Limited Dissemination Controls, If Applicable]

Limited Dissemination Controls and Markings Include:

  • NOFORN: No foreign dissemination
  • FED ONLY: Federal employees only
  • FEDCON: Federal employees and contractors only
  • NOCON: No dissemination to contractors
  • DL ONLY: Dissemination list controlled
  • RELIDO: Releasable by information disclosure official
  • REL TO [USA, LIST]: Authorized for release to certain nationals only
  • DISPLAY ONLY [USE, LIST]: Display only
  • Attorney-Client: Attorney-client
  • Attorney-WP: Attorney work product

Need Hands-On Help In Understanding The Federal Market?

Register for our OnDemand Federal Sales Certification Training Course and gain the tactical skills you need to effectively sell to the Federal Government!