2103.1 CIO Controlled Unclassified Information (CUI) Policy
GENERAL SERVICES ADMINISTRATION
Washington, DC 20405
May 16, 2017
SUBJECT: Controlled Unclassified Information (CUI) Policy
1. Purpose. To establish General Services Administration (GSA) policy and framework for Controlled Unclassified Information (CUI). CUI is unclassified information that requires safeguarding and dissemination controls pursuant to law, regulation, or Government-wide policy, as listed in the CUI Registry (https://www.archives.gov/cui) by the National Archives and Records Administration (NARA).
a. Executive Order (EO) 13556, Controlled Unclassified Information, establishes an open and uniform program for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, excluding information that is classified under Executive Order 13526 of December 29, 2009, or the Atomic Energy Act, as amended (hereinafter described as Controlled Unclassified Information (CUI)).
b. In the past, agencies employed ad hoc, agency-specific policies, procedures, and markings to safeguard and control this information and there was no Government-wide direction on what information should or should not be protected. EO 13556 established a uniform program for managing CUI. Under the CUI program, only the categories and subcategories of information listed in the CUI Registry (https://www.archives.gov/cui) will be marked and handled as CUI.
c. On September 14, 2016, NARA issued a final rule amending 32 C.F.R. § 2002 to establish a uniform policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the program.
d. The CUI Program covers any information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that is required to be protected under law, regulation, or Government-wide policy. This information does not include classified information or information a non-executive branch entity possesses or maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Specific details about the types of information considered to be CUI can be found in NARA’s final rule, 32 C.F.R. § 2002, as amended.
a. CUI Executive Agent.
(1) EO 13556 designates the National Archives and Records Administration (NARA) as the CUI Executive Agent (EA) to implement the CUI Program, oversee agency actions, and ensure compliance with the EO.
(2) The Information Security Oversight Office (ISOO), a NARA component, performs the duties assigned to NARA as the EA for the CUI Program.
(3) The CUI Advisory Council consists of representatives from each executive branch agency who work with the EA on CUI-related matters.
b. The GSA CUI Program Office.
(1) GSA’s Senior Agency Official (SAO) for CUI has overarching responsibility for the CUI Program within GSA. SAO duties are assigned within GSA IT to the Associate CIO for the Office of Enterprise Planning and Governance (IDR).
(2) GSA’s CUI Program Manager is accountable to the SAO and is responsible for coordinating all aspects of the CUI Program, supported by the CUI Executive Steering Committee and CUI Working Group.
(3) All questions concerning CUI may be addressed to the SAO or CUI Program Manager via email@example.com.
4. Applicability. This policy applies to:
a. All GSA employees;
b. As required by the amended 32 C.F.R. § 2002.4(c), all persons or entities that handle GSA CUI under agreements and arrangements that include CUI provisions, to include contracts, grants, licenses, certificates, memoranda of agreement/arrangement or understanding, and information-sharing agreements or arrangements;
c. Anyone responsible for GSA-controlled space or for managing or procuring Government owned or leased space on behalf of GSA, as required in PBS 3490.2 Document Security for Sensitive But Unclassified Building Information; and
d. The Office of Inspector General (OIG) to the extent that the OIG determines it is consistent with the OIG’s independent authority under the IG Act, and it does not conflict with other OIG policies or the OIG mission.
a. This Order establishes GSA’s CUI Program and authorizes the GSA CUI Guide which, when published, will establish GSA policy for the handling, marking, protecting, sharing, destroying, and decontrolling of CUI in accordance with the amended 32 C.F.R. § 2002.
b. This Order is consistent with the GSA IT Security Policy and the GSA Privacy Act Program. Any perceived conflicts with these policies should be addressed to the CUI Program Manager who will coordinate with the GSA Chief Information Officer to resolve any conflict.
c. PBS P 3490.2 Document Security for Sensitive But Unclassified Building Information is a specific policy pertaining to the handling of PBS building information that is sensitive. This policy will remain separate due to its unique nature, but is considered part of the CUI Program at GSA.
6. Responsibilities. Below are the responsibilities of the CUI-specific roles established to implement the CUI program under EO 13556.
a. Senior Agency Official (SAO) for CUI. The SAO must be at the Senior Executive Service level or equivalent, and is responsible for:
(1) Establishing and overseeing the CUI Program in GSA;
(2) Ensuring the agency has CUI implementing policies and plans;
(3) Implementing a CUI education and training program and ensuring agency personnel, including, if applicable, contractors, receive appropriate CUI awareness training;
(4) Providing updates on CUI implementation efforts to the CUI Executive Agent;
(5) Notifying authorized recipients, the EA, and the public of any waivers granted by GSA, including a description of all waivers in the annual report to the CUI EA;
(6) Developing and implementing the agency's CUI self-inspection program;
(7) Establishing a process to accept and manage challenges to CUI status (including improper marking or absence of marking), in accordance with existing processes based in laws, regulations, and Government-wide policies;
(8) Establishing processes and criteria for reporting and investigating improper handling of CUI;
(9) Ensuring GSA’s compliance with laws, regulations and GSA policy in collaboration with the GSA CIO and Senior Agency Official for Privacy (SAOP);
(10) Establishing processes for handling CUI decontrol requests; and
(11) Appointing and overseeing the activities and responsibilities of the GSA CUI Program Manager (PM).
b. CUI Program Manager. The CUI PM is responsible for:
(1) Managing the day-to-day operations of GSA’s CUI program as directed by the SAO;
(2) Coordinating CUI policy development and updates;
(3) Carrying out the responsibilities of the SAO that are delegated to the CUI PM; and
(4) Interacting directly and officially with the Executive Agent on CUI matters including submission of required reports.
c. The CUI Executive Steering Committee (ESC). The ESC is comprised of assigned SSO representatives and is responsible for the overall direction of GSA’s CUI Program. The ESC will meet regularly and follow the direction outlined in the ESC Charter.
d. The CUI Working Group. This group of assigned SSO representatives will work together to research topics, coordinate plans, and provide recommendations to the ESC.
e. Other. For a full list of other roles and responsibilities, refer to the CUI Guide.
7. Training. Employees must receive initial training within 60 days of employment and at least once every 2 years after. The CUI Guide delineates the specifics of mandatory training.
8. Marking and safeguarding. All CUI documents must be protected according to applicable laws, regulations, and Government-wide policies. Specific procedures for marking are outlined in the CUI Guide. Authorized holders of CUI will be held accountable for knowing and following these procedures as described in the mandatory training and the CUI Guide.
9. Dissemination. In accordance with 32 C.F.R. § 2002.16, as amended, prior to disseminating CUI, authorized holders must properly label CUI. Prior to disseminating CUI to non-executive branch entities, GSA employees should enter into a formal agreement that includes the requirement to comply with EO 13556 and the CUI Registry. At a minimum, the agreement shall include the provisions at 32 C.F.R. § 2002.16(6), as amended.
10. Misuse. Misuse of CUI is subject to penalties established in applicable laws, regulations, or Government-wide policies. Refer to the CUI Guide for details.
a. GSA’s Senior Agency Official (SAO) for CUI is the Associate CIO, Enterprise Planning and Governance.
b. The CUI Program Manager is appointed by the SAO.
c. Contact with the SAO and Program Manager can be made via firstname.lastname@example.org.
Chief Information Officer
Office of GSA IT