Controlled Unclassified Information (CUI)
Controlled Unclassified Information (CUI) is government-created or government-owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies. CUI is not classified information. It is not corporate intellectual property unless created for, or included in requirements related to, a government contract. Because there are fewer controls over CUI than over classified information, CUI is the path of least resistance for adversaries. Loss of aggregated CUI is one of the most significant risks to national security, directly affecting the lethality of our warfighters.
Federal agencies routinely generate, use, store, and share information that, while not meeting the threshold for classification as national security or atomic energy information, requires some level of protection from unauthorized access and release. Protection may be required for privacy, law enforcement, or other reasons pursuant to and consistent with law, regulation, and/or Government-wide policy. Historically, each agency developed its own practices for sensitive unclassified information, resulting in a patchwork of systems across the Executive branch in which similar information might be defined and labeled differently, or where dissimilar information might share a definition and/or label, depending on the agency which originally created the information.
The Controlled Unclassified Information (CUI) program represents an unprecedented initiative to standardize practices across more than 100 separate departments and agencies; State, local, Tribal, and private sector entities; academia; and industry, to enable timely and consistent information sharing, and to increase transparency throughout the Federal government and with non-Federal stakeholders. Sharing CUI is authorized for any lawful government purpose, defined as any activity, mission, function, operation, or endeavor that the U.S. Government authorizes or recognizes within the scope of its legal authorities or the legal authorities of non-executive branch entities (such as state and local law enforcement).
Purpose of the CUI Program
Federal agencies routinely generate, use, store, and share information that, while not classified, still requires some level of protection from unauthorized access and release. Protection may be required for privacy, law enforcement, contractual protections, or other reasons.
Historically, each agency developed its own practices for sensitive information, resulting in a patchwork of processes across federal agencies. Similar information might be labeled differently, or different types of information might have the same markings with different meanings depending on each organization’s usage. The CUI Program is a unified effort between Executive Branch agencies to standardize these protections and practices across departments and agencies.
FCI vs. CUI
Federal contract information (from 48 CFR 52.204-21) means information, not intended for public release, that is provided by or generated for the Government under a contract to develop or deliver a product or service to the Government, but does not include information provided by the Government to the public (such as on public websites) or simple transactional information, such as necessary to process payments.
Controlled Unclassified Information (from 32 CFR 2002.4) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways:
- Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic;
- Requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or
- Requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.
When we look at both of these definitions, we find some similarities as well as a very important distinction. Both CUI and FCI include information created or collected by or for the Government, as well as information received from the Government. But while FCI is any information that is “not intended for public release,” CUI is information that a law, regulation, or Government-wide policy requires to be safeguarded.
In short: All CUI in possession of a Government contractor is FCI, but not all FCI is CUI.
So what does this mean for safeguarding in a non-federal system? Non-federal systems that store, process, or transmit FCI that do not also qualify as CUI must follow, at a minimum, the basic safeguarding requirements outlined in FAR clause 52.204-21.
Non-federal systems that store, process, or transmit CUI are required to meet any additional safeguarding requirements identified in the contract. As agencies implement the CUI program and incorporate its standards into their contracts and agreements, NIST SP 800-171 will be the minimum standard for protecting CUI in non-federal information systems and organizations (per 32 CFR 2002.14 and 2002.16).
History of CUI
A Presidential memorandum of May 9, 2008, signed by President George W. Bush, assigned responsibility to the National Archives (NARA) for overseeing and managing the implementation of the CUI framework. This memorandum was rescinded by Executive Order 13556 of November 4, 2010, and the guidelines previously outlined within it were expanded upon to improve uniformity across all Federal agencies and to develop a standard policy regarding the controlled unclassification process itself.
In a similar earlier effort, the U.S. House of Representatives passed the Reducing Information Control Designations Act (H.R. 1323) on March 17, 2009. The bill was referred to the Committee on Homeland Security and Governmental Affairs of the 111th Congress in the US Senate, but it was never passed by the Senate.
The doctrine, policy, and processes for Controlled Unclassified Information came out of a study and policy change proposal that originated within the Information Sharing and Collaboration Office of the Information Analysis and Infrastructure Protection Under Secretariat of the Department of Homeland Security in 2004. The term Controlled Unclassified Information (CUI) was coined by the authors of the study, which reviewed over 140 forms of unclassified information in use throughout the federal government at the time. The authors recommended a new doctrine and policy framework and recommended that ISOO, within NARA, be charged with implementing and overseeing it. At the time the policy framework was delivered, NARA objected to undertaking the effort due to a lack of resources. The policy recommendation continued to be worked within DHS and the rest of the government as part of the Program Manager for the Information Sharing Environment, which moved from DHS to the ODNI. While the executive order, the rescission of the order, and the subsequent policy structure worked their way through the government, the timeline for the study/analysis, creation of a draft policy and framework, the political processes, and the resulting policy implementation lasted from 2005 through 2017. The study was led by Grace Mastalli and Richard Russell.
The US Department of Defense had been handling "Controlled Unclassified Information" before the 2008 Presidential memorandum was published and NARA became the Executive Agent in 2010. The DoD term covered a similar category of data. However, the DoD and NARA differed then, and still differ now (2019), on the specific categories of data defined as "CUI". DoDM 5200.01 Vol 4 defines DoD CUI policy until it is revised to align with NARA's definition. The Secretary of the Navy published SECNAV 5510.34 in November 1993, entitled Disclosure of Classified Military Information and Controlled Unclassified Information.
In December 2020, the Director of National Intelligence at the time, John Ratcliffe, issued a memorandum to the Assistant to the President for National Security Affairs asking the President of the United States (President Trump) to rescind EO 13556. In the memo, Director Ratcliffe referred to the policies as "exponentially more complex" and "vastly overcomplicated". He went on to express the Intelligence Community's concerns about significant costs and unclear guidance, and requested rescission and a process for presidential action. DNI Ratcliffe stated that, following rescission, support would be given to an executive branch review and replacement of the current FOUO and related markings used to protect unclassified information. No extension of the December 31, 2020 deadline, which has now passed, has been proposed, and it is currently unclear what action, if any, will be taken on this request.
- Information Assurance (IA) - The practice of managing information-related risks, often involving various forms of classified and unclassified information like CUI.
- Freedom of Information Act (FOIA) - U.S. legislation governing the full or partial disclosure of information controlled by the U.S. government. CUI is a form of information that may be subject to or exempted from FOIA requests.
- Information Security - The practice of preventing unauthorized access to information, including forms like CUI.
- Data Governance - The overall management of data availability, usability, integrity, and security, which includes types of information like CUI.