Controlled Unclassified Information (CUI)
Purpose of the CUI Program
Federal agencies routinely generate, use, store, and share information that, while not classified, still requires some level of protection from unauthorized access and release. Protection may be required for privacy, law enforcement, contractual protections, or other reasons.
Historically, each agency developed its own practices for sensitive information, resulting in a patchwork of processes across federal agencies. Similar information might be labeled differently, or different types of information might have the same markings with different meanings depending on each organization’s usage. The CUI Program is a unified effort between Executive Branch agencies to standardize these protections and practices across departments and agencies.
Federally Mandated for Better Protections and Easier Sharing
Established by Executive Order 13556 [pdf], and implemented by 32 CFR part 2002, the CUI Program is now being implemented across Executive Branch agencies and departments. Sharing CUI is authorized for any Lawful Government Purpose, which is any activity, mission, function, or operation that the U.S. Government recognizes as within the scope of its legal authorities. The CUI Program will enable timely and consistent information sharing while better protecting sensitive information throughout the Federal government and with non-Federal stakeholders.
- Implementation of the CUI Program at GSA will begin soon. Once begun we’ll start using CUI markings and processes across GSA.
- Awareness training for all employees has been deployed. Specialized training/briefings will be provided for those who create and manage CUI on a regular basis.
- A forthcoming Federal Acquisition Regulation (FAR) rule for CUI will require new contracts to include CUI terminology and practices.
- Full transition to CUI by all Executive Branch agencies is anticipated over the next couple of years.
In the meantime…
GSA will continue following current policies and procedures used for handling PII, SBU, financial, legal, and other sensitive information. Some guides, webpages, and documents have already been updated to reflect CUI in preparation for implementation. There will be a crossover time of using old and new processes as we begin converting to CUI markings and procedures.
- GSA CUI Policy
- 32 CFR part 2002
- Training Tools on NARA's website
- NIST Special Publication (SP) 800-171 Revision 1: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations
For questions or additional information please contact the CUI Program Manager at firstname.lastname@example.org.