Controlled Unclassified Information (CUI)
Purpose of the CUI Program
Federal agencies routinely generate, use, store, and share information that, while not classified, still requires some level of protection from unauthorized access and release. Protection may be required for privacy, law enforcement, contractual protections, or other reasons.
Historically, each agency developed its own practices for sensitive information, resulting in a patchwork of processes across federal agencies. Similar information might be labeled differently, or different types of information might have the same markings with different meanings depending on each organization’s usage. The CUI Program is a unified effort between Executive Branch agencies to standardize these protections and practices across departments and agencies.
Federally Mandated for Better Protections and Easier Sharing
Established by Executive Order 13556 [pdf], and implemented by 32 CFR part 2002, the CUI Program is now being implemented across Executive Branch agencies and departments. Sharing CUI is authorized for any Lawful Government Purpose, which is any activity, mission, function, or operation that the U.S. Government recognizes as within the scope of its legal authorities. The CUI Program will enable timely and consistent information sharing while better protecting sensitive information throughout the Federal government and with non-Federal stakeholders.
- Implementation of the CUI Program at GSA will begin Summer 2021.
- Awareness training for all employees has been deployed. Specialized training/briefings will be provided for those who create and manage CUI on a regular basis.
- A forthcoming Federal Acquisition Regulation (FAR) rule for CUI will require new contracts to include CUI terminology and practices.
CUI and Other Agencies
Executive Branch agencies will be moving to CUI at a different pace. During this transition time all agencies should follow these practices:
- If your agency has not yet implemented the CUI Program, but you receive CUI from an organization that has, then use your existing pre-CUI policies to safeguard according to the law, regulation, or government-wide policy that authorizes that CUI category.
- If your agency has implemented the CUI Program, but received CUI marked with Legacy Markings from an organization that has not yet implemented, then use your existing CUI policies to safeguard according to the law, regulation, or government-wide policy that authorizes that CUI category.
- GSA CUI Policy
- 32 CFR part 2002
- Training Tools on NARA's website
- NIST Special Publication (SP) 800-171 Revision 2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
For questions or additional information please contact the CUI Program Manager at email@example.com.