FORT LEONARD WOOD, Mo. — Controlled Unclassified Information, or CUI, is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government. It requires safeguarding or dissemination controls consistent with applicable laws, regulations and government-wide policies, but it is not classified under Executive Order 13526 “Classified National Security Information,” or the Atomic Energy Act, as amended. CUI replaces “FOR OFFICIAL USE ONLY” designations.
CUI was created to safeguard many types of unclassified information. Examples of CUI include:
- personally identifiable information, or PII;
- building drawings and blueprints with sensitive information;
- contract data, such as bids, source selection and customer data;
- information technology information, such as network diagrams and IP addresses; and
- legal administrative proceedings or witness protection information.
Mandatory CUI markings
The mandatory marking for all Department of Defense CUI is the CUI banner and footer with the CUI designation indicator. This is the main marking which appears at the top and bottom of all documents containing CUI.
The banner and footer markings must appear as bold, capitalized text and be centered at the top and bottom of every page. Even if there is CUI only on one page, the entire document must be marked as CUI. Pages not containing CUI may be marked as “UNCLASSIFIED” or “CUI” at the discretion of the authorized holder or originator.
All documents containing CUI must have a CUI designation indicator to notify the recipient about information related to who originated the document. This may be accomplished through the use of letterhead. The CUI DI block is placed in the lower right-hand corner or footer of the first page only. Best practice is to also include contact information, such as a group email address or central phone number.
If you need to share CUI with certain parties, the option exists. Limited Dissemination Control markings can prevent a document from being shared with certain parties or notify others only certain parties should view it. LDCs should only be used to further an authorized, lawful government purpose or when required by CUI authorities. For example, the LDC “NOFORN” prevents the information from being shared with non-U.S. citizens and governments, while “REL TO USA, (list)” allows sharing with specific foreign partners. “DL ONLY” is used when you have a specific organization or list of individuals authorized to receive the document and none of the other LDCs apply. The list must be on or attached in the document, or a link to the list should be annotated on the document. It is recommended to use the “DL” option and identify specifically who will be authorized access to the CUI.
More information on LDC markings for CUI can be found on the DOD’s CUI Program website.
Most of us will send CUI information by email in the form of PII. This may be transmitted electronically via approved secure communications systems or systems utilizing other protective measures such as Public Key Infrastructure or transport layer security. If the body of the email contains CUI, it must be encrypted. If the CUI is in an email attachment, it must be identified and encrypted. The applicable CUI marking must be included at the top and bottom of each email. The email must also have the CUI designation indicator after the sender’s signature block. The name of the attached file may contain a CUI indicator.
A CUI coversheet may be used instead of markings, when it is deemed impractical to individually mark each page or when a limited CUI marking waiver has been granted. Due to space limitations, it may not be possible to include CUI category or LDC markings on electronic media, such as USB sticks, hard drives and CDs, but they must be marked to alert holders to the presence of CUI stored on the device. At a minimum, mark media with as CUI. The CUI coversheet (Standard Form 901) is available here or through the General Services Administration’s forms library, and labels are available for purchase from GSA Advantage.
When a transmittal document accompanies CUI, the transmittal document must indicate CUI is attached or enclosed. The transmittal document must include, on the first page, the following or similar instructions, as appropriate:
“When enclosure is removed, the document is Uncontrolled Unclassified Information,” or, “When the enclosure is attached, this document is CUI (include CUI category markings as applicable); upon removal, this document is uncontrolled unclassified information.” A CUI coversheet may also be included immediately after the transmittal document.
Handling and storing CUI
To minimize the risk of access by unauthorized personnel, steps must be taken when handling and storing CUI. During working hours, do not read, discuss or leave CUI information unattended, where unauthorized personnel are present. After working hours, CUI Information must be stored in unlocked containers, desks or cabinets, if the government or government-contract building provides security for continuous monitoring of access. If building security is not provided, the information must be stored in locked desks, file cabinets, bookcases, locked rooms or similarly secured areas.
A controlled environment means there is sufficient internal security measures in place to prevent or detect unauthorized access to CUI, and for the DOD, an open-storage environment meets these requirements. When transporting CUI outside the normal workspace, there needs to be at least one layer of protection over the item.
The DOD CUI registry provides an official list of the indexes and categories used to identify the various types of CUI, and can be found here.