2103.2 CIO Controlled Unclassified Information (CUI) Policy

  • Posted Date: 04/10/2021
  • Status: Validated
  • Outdated on: 04/10/2028

                   Washington, DC 20405



CIO 2103.2
April 10, 2021



SUBJECT:  Controlled Unclassified Information (CUI) Policy

1.  Purpose. To establish a General Services Administration (GSA) policy and framework for Controlled Unclassified Information (CUI). CUI is unclassified information that requires safeguarding and dissemination controls pursuant to law, regulation, or Government-wide policy, as listed in the CUI Registry by the National Archives and Records Administration (NARA).

2.  Cancellation. This Order cancels and supersedes CIO 2103.1, Controlled Unclassified Information (CUI) Policy, dated May 16, 2017.

3.  Revisions. The following updates have been made:

     a.  Updated links and terminology;

     b.  Added policy-related sections that were previously in the CUI Guide;

     c.  Added responsibilities previously in the CUI Guide; and

     d.  Added additional policies in the References section.

4.  Background.

     a.  Executive Order (EO) 13556, Controlled Unclassified Information, establishes an open and uniform program for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, or Government-wide policies, excluding information that is classified under Executive Order 13526 of December 29, 2009, or the Atomic Energy Act, as amended (hereinafter described as Controlled Unclassified Information (CUI)).

     b.  In the past, agencies employed ad hoc, agency-specific policies, procedures, and markings to safeguard and control sensitive information and there was no Government-wide direction on what information should or should not be protected. EO 13556 established a uniform program for managing CUI. Under the CUI Program, only the categories of information listed in the CUI Registry will be marked and handled as CUI.

     c.  On September 14, 2016, NARA issued a final rule amending 32 C.F.R. §  2002 to establish a uniform policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the program.

     d.  The CUI Program covers any information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that is required to be protected under law, regulation, or Government-wide policy. This information does not include classified information or information a non-executive branch entity possesses or maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an executive branch agency. Specific details about the types of information considered to be CUI are listed in the CUI Registry which can be found at archives.gov/cui.

Last Reviewed: 2021-04-13