1
GSA Controlled Unclassified
Information (CUI)
Program Guide
(Although GSA implemented our CUI program, other agencies are moving to CUI at different paces. If we receive
CUI marked with Legacy Markings (SBU, FOUO, OUO, Confidential, etc.) from an organization then use necessary
protections and policies to safeguard according to the law, regulation, or government-wide policy that covers that as
protected information.)
2
Table of Contents
Purpose
Background
Implementation
Responsibilities
The CUI Registry
Identifying CUI
Types of CUI
Safeguarding CUI
Marking CUI
Sharing CUI (Accessing and Disseminating)
CUI as Records
Destroying CUI
Training
Self-Inspection
Misuse
Incident Management
Waivers of CUI Requirements
Appendix A - References
Appendix B - Definitions
3
Purpose
GSA’s CUI policy and this CUI Guide implement Executive Order 13556, Controlled Unclassified
Information (CUI), the requirements of 32 CFR 2002, and establish policy and framework for the
CUI Program at GSA. CUI is defined as unclassified information that requires safeguarding and
dissemination controls pursuant to law, regulation, or Government-wide policy, as listed in the
CUI Registry. The CUI Program and the CUI Registry are managed by the CUI Executive Agent
(EA), the Information Security Oversight Office (ISOO) within the National Archives and Records
Administration (NARA).
The CUI Program is designed to address several deficiencies in managing and protecting
unclassified information, including inconsistent markings, inadequate safeguarding, and
needless restrictions, by standardizing procedures and providing common definitions through a
CUI Registry.
This Guide sets forth the framework for incorporating CUI requirements into GSA’s processes
for handling unclassified information that requires safeguarding and dissemination controls as
required by law, regulation, and Government-wide policy. It furthers GSA Order CIO 2103
Controlled Unclassified Information (CUI) Policy by providing specific details concerning the
implementation, operation, and maintenance of the CUI Program at GSA. This Guide does not
apply to uncontrolled unclassified information or to classified information.
Background
Executive Order 13556 Controlled Unclassified Information establishes an open and uniform
program to standardize the way executive branch agencies handle information that requires
protection but is not classified. In the past, this information was not handled nor marked
consistently by all executive branch agencies, and there was no Government-wide direction on
what information should be protected. The CUI Program reduces confusion by establishing
uniformity across the executive branch in how sensitive information that is not classified will be
identified, marked, accessed, disseminated, safeguarded, decontrolled, and destroyed.
Under the CUI Program, the only types of information that may be marked and handled as CUI
are those identified in the CUI Registry and covered by applicable laws, regulations or
Government-wide policies. The CUI Program regulates the type of information that can and
should be protected as shown in the CUI Registry. The CUI Program also incorporates a
process that all executive branch agencies will utilize to protect and share sensitive information.
Part 2002 of Title 32 of the Code of Federal Regulations (CFR) defines how the CUI Program
will be implemented in the executive branch. The CUI Executive Agent (EA) has established a
CUI Registry at archives.gov/cui that serves as the authoritative reference for all CUI categories,
authorities, markings, and other information.
4
Implementation
GSA began implementation on July 1, 2021. Throughout the implementation period, legacy
markings and associated safeguarding practices will exist at the same time in all agencies. As
this transition progresses, legacy markings and associated safeguarding practices will be
phased out.
Responsibilities
CUI responsibilities for specific positions and organizations are defined in CIO 2103 GSA CUI
Policy. Anyone working for or with GSA must be aware of required CUI protections and
complete all mandatory training in GSA Online University (OLU).
The CUI Registry
The CUI Registry serves as the Government-wide central repository for all information,
guidance, policy, and requirements on handling CUI, including authorized CUI categories,
associated markings, handling, and decontrolling procedures.
Existing policies for managing unclassified information that is sensitive (e.g., Sensitive But
Unclassified (SBU), For Official Use Only (FOUO), Personally Identifiable Information (PII), etc.)
remain in effect. See “Sending and Receiving CUI During the Implementation Process” later in
this Guide for dealing with other agencies who are at different stages of CUI Program
implementation.
National Archives and Records Administration (NARA), the CUI EA, maintains the CUI
Registry and the associated website, archives.gov/cui.
The CUI categories explain the types of information for which laws, regulations, or
Government-wide policies require or permit agencies to exercise safeguarding or
dissemination controls, and which the CUI EA has approved and listed in the CUI
Registry and shall serve as exclusive designations for identifying CUI.
All unclassified information that qualifies as CUI must be handled within the parameters
of the CUI Program and marked appropriately per the CUI Registry.
Only items that fall under the purview of the CUI Registry may be marked as CUI. Items
can only be marked according to CUI Markings identified in the CUI Registry.
The CUI Registry includes citations to laws, regulations, or Government-wide policies that
form the basis for each category and notes any sanctions or penalties for misuse of each
category. No uncontrolled unclassified information may be labeled as CUI. If there is a
need to add a CUI category to the CUI Registry, there must be a corresponding authority
that says the item will and should be protected. Contact the GSA CUI Team at
cui@gsa.gov for assistance.
5
Identifying CUI
CUI is information the Government creates or possesses that a law, regulation, or
Government-wide policy requires or specifically permits an agency to handle by means of
safeguarding or dissemination controls. CUI also includes data created by contractors
operating Federal Information Systems on behalf of the Government. A Federal
Information System is defined in GSA Order CIO 2100 IT Security Policy as “an
information system used or operated by an executive agency, by a contractor of an
executive agency, or by another organization on behalf of an executive agency". A GSA
information system is an example of a federal information system.
Examples of sensitive or protected information that are now being replaced by CUI
markings and will no longer be allowed once CUI is fully implemented, include Sensitive
But Unclassified (SBU), Private, For Official Use Only (FOUO), and other less common
markings that may be in use. Personally Identifiable Information (PII), now a subset of
CUI, may still be referred to as PII in accordance with the Privacy Act.
For a complete listing of CUI Categories, refer to the CUI Registry at archives.gov/cui.
For a subset of CUI Categories that GSA is likely to use see the InSite page
insite.gsa.gov/cui.
The authorized holder makes the determination as to whether information is CUI. Those
owners who create and manage such data must be familiar with the CUI categories and
CUI policies, complete all training, and know how to determine what information is CUI
and how it should be handled. They will determine the type of CUI (Basic or Specified --
see Safeguarding Standards below, and Appendix B - Definitions), the applicable
category, and the necessary markings and decontrol actions required based on the
specifics within this Guide and the applicable authority. See the list of Categories likely
used by GSA with associated markings.
PBS 3490 Security for Sensitive Building Information Related to Federal Buildings,
Grounds, or Property governs handling of sensitive information specifically focused on
sensitive building information. The terminology within that policy should be consulted,
along with the GSA CUI Policy and this Guide, when dealing with sensitive building
information that must be protected. The CUI category for this information will be Physical
Security as found in the CUI Registry.
The GSA CUI Program does not apply to classified information, which is governed by
Executive Order 13526, Classified National Security Information. No classified
information may be controlled within the CUI Program.
Types of CUI
CUI Basic is the subset of CUI for which the authorizing law, regulation, or Government-wide
6
policy does not have any specific handling or dissemination requirements. CUI Basic is handled
according to the uniform set of controls set forth in the CFR and the CUI Registry.
CUI Specified is different in that the authorizing law, regulation, or Government-wide policy
contains specific handling controls that differ from those for CUI Basic. The CUI Registry
indicates which authorities include such specific requirements. CUI Specified controls may be
more stringent than, or may simply differ from, those required by CUI Basic. CUI Specified is
NOT a “higher level” of CUI, it is simply different. Since CUI Specified is based upon a law,
federal regulation, or Government-wide policy, this form of CUI cannot be legally ignored or
overlooked.
Summary:
CUI Basic CUI Specified
Sensitive information with no additional or
different requirements mentioned in the
underlying authorities. CUI Basic does not
provide any specific guidance. Most CUI will be
Basic.
Sensitive information whose underlying authority has
specified something different or extra is required for that
type of information (e.g., limited distribution, additional
protections, etc.). Not a higher level of CUI, just
different.
Authorized users need to understand which authority applies to their specific information. That
authority, shown in the CUI Registry Category List
, will say if the information is CUI Basic or CUI Specified.
Safeguarding CUI
General Safeguarding Policy.
CUI, regardless of its form, shall be protected in a manner that minimizes the risk of
unauthorized disclosure while allowing for access by authorized holders. Persons
working with CUI shall be careful not to expose CUI to unauthorized users or others who
do not have a lawful government purpose to see it. Cover sheets may be placed on top of
7
documents to conceal their contents from casual viewing. Personnel may use cover
sheets to protect CUI documents while in use, but must secure CUI documents in a
locked location, such as a desk drawer or file cabinet, when not in use or under
observation.
Authorized holders of CUI are responsible for complying with applicable safeguarding
requirements in accordance with 32 CFR 2002, this Guide, and all applicable guidance
published in the CUI Registry.
All sensitive information should be protected even if the markings are incorrect or
missing. Due to varied time spans of agencies transitioning from legacy markings to CUI,
some sensitive information may not be marked properly, or may not be marked at all.
This information should still be treated and safeguarded as CUI. Anyone finding an
incorrectly marked document should notify the disseminating individual or agency and
request a properly marked document or have them confirm that it is not CUI.
For categories specifically designated as CUI Specified, individuals must follow the
procedures in the underlying laws, regulations, or Government-wide policies that
established the specific category involved. Only categories designated in the CUI
Registry as CUI Specified may impose more stringent safeguarding measures. This
information is available in the CUI Registry.
Safeguarding Practices.
Only authorized holders shall have access to CUI. An authorized holder is a person or
entity that handles GSA’s CUI, has completed the required CUI training, and has
authorization from GSA management to designate or handle CUI.
CUI in printed copy must be kept under direct control of an authorized holder, and
protected by at least one physical barrier (e.g., a locked door or drawer) whenever it is
left unattended. Even where the facility/building is secure, CUI must not be left
unattended in open spaces.
All CUI must be protected from access, overhearing, or observation by unauthorized
persons. In GSA’s open office environments CUI holders should be aware of CUI being
viewed on a computer screen and should find a private area for CUI-related discussions.
A CUI cover sheet may be used to protect printed material while in use, but CUI
documents must be secured in a locked location when not in use or under observation.
When outside a GSA building or other controlled environment, personnel must always
keep CUI under their direct control and protect it with at least one physical barrier to
prevent the CUI from unauthorized access or observation. CUI shall not be viewed while
on public transportation or open areas where others may be exposed to it. In hotel rooms,
CUI should be kept in a locked briefcase or room safe. While not a good practice, CUI
8
could be stored in a locked automobile, if necessary, but only if it is in an envelope,
briefcase, or otherwise covered from view, and best locked in the trunk if available.
Reproduction of CUI (copying, faxing, scanning, printing, electronic duplication) is
allowed if it is in furtherance of a Lawful Government Purpose where the recipient has a
need to receive/view/handle it (as determined by the authorized holder), and if all GSA
and CUI policies and handling protections are followed.
Electronic CUI shall only be stored in properly encrypted systems (e.g., database, email,
network drive, website, segregated and protected electronic storage device) categorized
at the minimum FISMA Moderate level. See below under “Safeguarding CUI in Federal
and Nonfederal IT Systems” for more details.
The GSA Google Cloud Platform workspace is an authorized IT system/application. CUI
may be stored on Google Drive and discussed via Google Meet provided there is limited
access to the file/drive or meeting to only those with a Lawful Government Purpose.
Gmail may be used to transmit CUI within GSA’s network. CUI must be encrypted if going
outside a gsa.gov email address. See the Email section below for details.
Authorized holders must make the determination that all persons involved in CUI
discussions or meetings are authorized to know about CUI before using voicemail
systems, messaging or chat functions, telepresence systems, video teleconferencing, or
any other electronic means of sharing.
When transporting CUI to and from an alternate work location, the information must be
protected (See the Methods of Disseminating CUI section of this Guide).
Refer to IT Security Procedural Guide Media Protection [CIO IT Security 06-32] for details
on protection of and controlling access to digital and hardcopy information, and
sanitization of media prior to disposal or reuse. IT Procedural Guides can be found on
InSite.
Safeguarding CUI in Federal and Nonfederal IT Systems.
See the Definitions section for an explanation of Federal and Nonfederal Systems.
CUI is categorized at the moderate confidentiality impact value in accordance with
Federal Information Processing Standard 199, Standards for Security (FIPS Publication
199). Systems that include CUI must incorporate the requirement to safeguard CUI at the
moderate confidentiality impact value into their design and management actions. GSA
may increase the confidentiality impact value above moderate and apply additional
security requirements and controls only internally and may not require anyone outside the
agency to maintain the higher impact value or more stringent security
requirements/controls.
9
All applicable GSA policies apply when CUI is held within an IT system. Additional
guidance can be found in CIO-IT Security Procedural Guides. The guides provide more
detailed information on how to implement security processes and controls and provide
worksheets and forms to meet reporting requirements. The guides are updated as
needed to reflect the latest regulations and technologies.
All applicable Government-wide standards and guidelines issued by the National Institute
of Standards and Technology (NIST), and applicable policies established by the Office of
Management and Budget (OMB) apply (see FIPS Publication 199, FIPS Publication 200,
and NIST SP 800-53).
Electronic CUI shall only be stored in a password protected system (e.g., database,
email, network drive, segregated and protected electronic storage device). CUI indicators
must be present to alert users of the presence of CUI within the system. A warning must
be shown on the login screen or via a screen after logging in, and optionally in headers
that appear on each page displayed. Additionally, any printouts generated from an
application must have the CUI banner on every page of the printout. If these are not
printed by the application, the user must write the banner on every page that is printed or
request a Limited Marking Waiver if marking every page is excessively burdensome.
The following text must be used as a splash screen for any IT system containing CUI:
WARNING
This is an AGENCY Federal Government computer system that is "FOR OFFICIAL USE
ONLY." This system is subject to monitoring. Therefore, no expectation of privacy is to be
assumed. Use of this system indicates consent to monitoring and recording. Individuals found
performing unauthorized activities may be subject to disciplinary action including criminal
prosecution.
This system contains Controlled Unclassified Information (CUI). All individuals viewing,
reproducing or disposing of this information are required to protect it in accordance with 32
CFR Part 2002 and GSA Order CIO 2103.2 CUI Policy.
For additional information: [contact information or website where users can get help]
(The first section of the splash screen text above is required, as written, by CIO 2100.1 IT
Security Policy. The second section is GSA’s terminology to be used to meet the requirements
of 32 CFR 2002 and NIST SP 800-53. The third section is optional but helpful for users in case
they need assistance.)
CUI shall not be processed on personally owned electronic devices unless connected
through an approved GSA system with approved controls in place. CUI shall not be
stored on personally owned electronic devices.
10
CUI shall not be sent to or from personal email accounts.
CUI shall not be posted on or processed through any external or non-agency approved
websites or portals (internet kiosks, social media sites, blogs, etc.).
NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems
and Organizations”, addresses the elements necessary to protect CUI on nonfederal
information systems in accordance with the requirements of 32 CFR 2002.
Marking CUI
General.
All CUI documents must be marked and protected according to applicable laws,
regulations, and Government-wide policies. CUI markings listed in the CUI Registry are
the only markings authorized to designate unclassified information requiring safeguarding
or dissemination controls.
Authorized holders of CUI will be held accountable for knowing and following these
procedures as described in the mandatory training and in this Guide. Authorized holders
may determine what information qualifies for CUI status and apply the appropriate CUI
markings when the information is designated as CUI.
CUI markings must not be used to conceal illegality, negligence, ineptitude, or other
disreputable circumstances embarrassing to any individual, any agency, the Federal
Government, or any of their partners, or for any purpose other than to adhere to the law,
regulation or Government-wide policy authorizing the control.
Anyone finding an incorrectly marked document should notify the disseminating individual
or agency and request a properly marked document or have them confirm that it is not
CUI. The lack of CUI markings on information that qualifies as CUI does not exempt the
authorized holder from abiding by applicable handling requirements as described in
Executive Order 13556, 32 CFR 2002, and the CUI Registry. Also see the Incident
Management section of this Guide.
Banner Markings.
GSA-specific marking requirements and examples are addressed on InSite.gsa.gov/cui.
CUI must be marked with a CUI banner marking at the top of each printed page (banner
markings are also authorized as optional at the bottom of each page, but they are not
required for GSA). The content of the banner marking must be inclusive of all CUI within
the document and must be the same on every page. If the document contains only CUI
11
Basic, the banner may consist of just the letters CUI. If the document contains CUI
Specified, the full marking must be used to indicate the type of CUI and dissemination
controls if any.
Banner markings include one, two, or three elements:
1. CUI control marking (mandatory for all CUI). This marking, CUI, by itself, is
sufficient to indicate the presence of CUI Basic categories.
2. CUI category marking (mandatory for CUI Specified, optional for CUI Basic). If any
part of a document contains CUI Specified, then the applicable category marking
must appear in the banner, preceded by two slashes and “SP-“ to indicate the
specified nature of the category (e.g., CUI//SP-PRVCY). When including multiple
categories in the banner they must be alphabetized, with specified categories
appearing before any basic categories. Multiple categories in a banner line must
be separated by a single forward slash (/).
3. Limited Dissemination Control Markings (optional for CUI Basic or CUI Specified).
NARA has published a list of several Limited Dissemination Control Markings that
can be applied. Limited Dissemination Control Markings are preceded by a double
forward slash (//) and appear as the last element of the CUI banner marking.
Limited Dissemination Control Markings may only be applied to CUI to bring
attention to any dissemination control called for in the underlying authority or to
limit the dissemination of CUI. Limited Dissemination Control Markings should be
used only after carefully considering the potential impacts on the timely
dissemination of the information to authorized recipients.
All documents containing CUI must indicate the agency of designation. This may come in
several forms, including letterhead, or signature block on the first page of the document
or on a cover sheet. A best practice is also to include information for a point of contact or
group email address for the office within the organization.
Marking Guidelines.
Refer to NARA’s NARA’s Marking Handbook and GSA’s Marking Manual for detailed
information on markings and marking requirements.
Markings for Categories that GSA is likely to use and links to specific information
concerning them is consolidated in GSA’s CUI Catalog for reference.
Cover Sheets
The CUI cover sheet can be used to identify CUI, alert observers from a distance that CUI is
present, and serve as a shield to protect the CUI from inadvertent disclosure. CUI Cover
sheets are optional but encouraged when dealing with printed materials since they can help
12
ensure anyone who sees or receives the information is aware of the protection it requires.
When not in use though, CUI must be secured in a locked location such as a desk, drawer, or
cabinet.
The cover sheet (or transmittal letter if faxing) should:
Include a designation indicator;
List any CUI Specified Categories contained in the document or transmission;
List any applicable Limited Dissemination Controls (markings); and
List any special handling or dissemination requirements called for by the underlying
law, regulation, or Government-wide policy related to the CUI Specified information.
State that there is no CUI if the attachment is removed.
The CUI cover sheet (Standard Form 901) is available through GSA’s forms library or at
https://www.archives.gov/cui/additional-tools.
Email.
When emailing CUI outside the GSA network (gsa.gov) it must be in an attachment that
is encrypted using a FIPS-compliant method. For best practice include an indicator such
as [Contains CUI] at the end of the file name and/or at the end of the subject line of the
email
When marking emails, it is mandatory to include the appropriate banner marking at the
top of the email to indicate that the email contains CUI. If the email is forwarded, the
banner marking must be carried forward at the top of the forwarding email.
When sending an email where the attachment is removed and the email no longer
contains CUI, add the following statement below the banner marking “When attachment
is removed, this email is Uncontrolled Unclassified Information”.
Portion Marking.
GSA is not doing portion marking at this time. However, this section is included as
information only. If a GSA generated document contains CUI then the whole document is
marked as CUI on each page.
Portion marking is a means to provide information about the sensitivity of a particular
section of text, paragraph, bullet, picture, chart, etc. The markings consist of an
abbreviation enclosed in parentheses, usually at the beginning of a sentence or title.
13
Portion marking is not required, but it is permitted to facilitate information sharing and
proper handling, and to assist FOIA reviewers in identifying the CUI within a large
document that may be primarily Uncontrolled Unclassified Information.
If portion markings are used in any portion of a document, they must be used
throughout the entire document. All portions or sections must be portion marked, even
those that do not contain CUI. The paragraphs that contain CUI should begin with the
designation (CUI). Sections that do not contain CUI should be marked as Uncontrolled
Unclassified Information, designated with a (U).
When authorized holders include CUI in documents that also contain classified (CNSI)
information, the portions must be marked appropriately. The decontrolling provisions of
the CUI Program apply only to the portions marked CUI. See the CUI Marking
Handbook for specific guidance on commingling CUI with CNSI.
See NARA’s Marking Handbook for details on the use of portion markings.
Legacy material.
Documents that were created prior to implementation of the CUI Program and remain in
storage and unused do not need to be marked as CUI.
Documents that were created prior to implementation of the CUI Program and are
made active and used again must be reviewed to see if they qualify as CUI, and if so,
be marked with the appropriate CUI markings.
If requested, the CUI SAO may grant a limited waiver if re-marking is considered
prohibitively burdensome.
The information must still be safeguarded and disseminated according to CUI
procedures. If the information is disseminated outside GSA, the waiver will not
apply and the information must be marked with appropriate CUI markings.
See the Waivers of CUI Requirements section of this Guide for additional
information.
Challenges to Designation of Information as CUI.
Authorized holders of CUI who, in good faith, believe that its designation as CUI is
improper or incorrect, or who believe they have received unmarked CUI, should send an
email to cui@gsa.gov for internal handling or notify the designating agency.
GSA’s SAO will manage challenges to CUI status following this process:
The challenge will be emailed to the SAO as soon as it is received.
14
The SAO will acknowledge receipt of the challenge within 7 days by writing (via
email or letter, as appropriate) to the challenger or the challenger’s agency if the
exact person is not known. This response will include the anticipated timetable for
response and the contact information for the SAO or designee making GSA’s
decision.
The SAO will provide the challenger the opportunity to explain, verbally or in
writing, their rationale for believing the CUI is inappropriately designated.
The SAO will ensure that both internal and external challengers have the option of
bringing it anonymously, and that challengers are not subject to retribution.
Until the challenge is resolved, all authorized holders must continue to safeguard
and disseminate the challenged CUI at the control level indicated in the markings.
If a challenging party disagrees with the response to a challenge, that party may
use the Dispute Resolution procedures described in 32 CFR 2002.
Working Papers.
Working papers containing CUI must be marked and protected the same way as the finished
product and as required for any CUI contained within them. This applies whether or not the
working papers will be shortly destroyed, and when no longer needed they should be
destroyed as described in the section Destroying CUI of this Guide.
Supplemental Administrative Markings.
Supplemental Administrative Markings (e.g., Pre-decisional, Draft, Deliberative) may be used
with CUI but may not impose additional safeguarding requirements or disseminating
restrictions. Their purpose is to note the status of documents under development.
Supplemental markings may not appear in the CUI banners, nor may they be incorporated into
the CUI designating/decontrolling indicators or portion markings. Utilizing watermarks is the
best way to display supplemental markings.
Sharing CUI (Accessing and Disseminating)
GSA and all agencies in the executive branch are obligated to ensure that information can be
shared with others who have an appropriate need for it in furtherance of a Lawful Government
Purpose. These information sharing needs must occur within the parameters of the authorities in
the CUI Registry and be balanced by protection requirements. Authorized holders must ensure
when sharing CUI that entities who receive it continue protecting it to the required standards.
General Practices.
15
Individuals may disseminate and permit access to CUI in accordance with the specific
laws shown in the CUI Registry if it furthers a Lawful Government Purpose and is not
otherwise prohibited by law.
Not all sensitive or protected information is automatically considered CUI; only specific
applicable information that falls within the categories of the CUI Registry should be
controlled as CUI. Unclassified information may not be controlled except through the CUI
Program, and access to CUI may not be unlawfully or improperly restricted.
Prior to disseminating CUI, authorized holders must mark CUI according to the CUI
Marking Guide and 32 CFR 2002.
GSA should enter into a written agreement with any intended non-executive branch
entity when possible. For more information on agreements and arrangements with non-
executive branch entities see CUI Notice 2018-01.
When a written agreement is not feasible and CUI must be shared, the authorized holder
must communicate to the recipient that the Government strongly encourages the non-
executive branch entity to protect CUI in accordance with 32 CFR 2002 and the CUI
Registry.
If an authorized person releases CUI in accordance with an applicable information
access statute, such as the Freedom of Information Act (FOIA), the CUI shall remain
controlled within GSA and will continue to be handled as CUI.
Controls on Accessing and Disseminating CUI.
Authorized holders of CUI Basic may disseminate and allow access to any authorized
recipient if the requirements of this CUI Guide and 32 CFR 2002 are met.
Authorized holders of CUI Specified may disseminate and allow access as permitted by
the authorizing laws, regulations, or Government-wide policies that established that
category of CUI Specified.
In the absence of specific dissemination restrictions from the applicable authority, CUI
Specified may be disseminated the same as CUI Basic.
Only the approved dissemination controls in the CUI Registry that limit who CUI may be
disseminated to may be used, and only if they serve a lawful Government purpose, or are
required by law, regulation, or Government-wide policy. Refer to the CUI Marking
Handbook for further information. If there is significant doubt about whether it is
appropriate to use a limited dissemination control, contact the GSA CUI Program Team
at cui@gsa.gov for guidance.
16
Methods of Disseminating CUI.
Standard commercially available telephone lines are acceptable for the discussion of
CUI. Be aware of the surroundings so unauthorized persons are not within hearing
distance.
CUI on Google sites or GSA webpages shall only be on a restricted site and password
protected. CUI in Google docs or sheets must maintain limited access to only other
authorized holders of that CUI.
When sending CUI via email outside of the GSA network the CUI must be in an
encrypted attachment (sending within the GSA network is appropriately protected). The
body of the email must not contain any CUI, but should include the applicable CUI
markings. Attachments shall be encrypted using FIPS-compliant WinZip (see this InSite
page for details). Other forms of encryption may be used provided they comply with FIPS
Publication 140-2.
There are alternative methods for sharing information with other agencies. Two are listed
below. For other possibilities, check with the CUI team to ensure they are approved.
To share with other federal agencies, OMB MAX can be used to create a shared
space where files can be stored (https://community.connect.gov). MAX is
approved for FISMA Moderate (or medium sensitivity) data including Controlled
Unclassified Information. It should not be used for classified or highly sensitive
information. In addition, users should not post sensitive personally identifiable
information (PII) in MAX (more on their webpage).
When sharing with DoD you can use their system, SAFE (https://safe.apps.mil).
Be sure to check the "encrypt every file" option, as directed in the SAFE User
Guide. DoD SAFE utilizes the latest web-browser Transport Layer Security (TLS)
encryption protocols to secure files while they are in transit. When the encryption
option is selected, files uploaded into SAFE are secured with Advanced Encryption
Standard (AES) encryption, a Federal Information Processing Standard (FIPS)
140.2 Level 2 approved encryption method.
Holders of CUI shall limit access to CUI to only those individuals authorized to handle it,
and shall verify that the information reached its destination. See GSA Order CIO 2100.1
IT Security Policy for additional details.
When sending CUI by commercial delivery service or courier, address it to only a
specific recipient (not to an office or organization). GSA employees must use
automated tracking. The US Postal Service or any commercial delivery service
may be used to transport CUI as well as any interoffice or interagency mail
system.
Do not put CUI markings on the outside of the package/envelope.
17
CUI documents shall not be left unattended in an open environment, such as on a
printer where unauthorized people can have access to the information.
Faxing of CUI documents is authorized provided the recipient has a Lawful
Government Purpose for access. Authorized holders must also confirm the
authorized recipient is available to receive the fax, and did indeed receive it.
Follow the requirements for controls on disseminating CUI Basic or CUI Specified as
detailed in the CUI Registry for each applicable category.
When disseminating CUI through a Federal IT system, that system must be in
compliance with FISMA requirements and be authorized to operate at the moderate
confidentiality impact value (or higher) as set out in FIPS Publications and NIST
Guidance.
Exceptions:
CUI Privacy Category - Without written permission from the employee’s
supervisor, the Data Owner, and the IT system Authorizing Official (AO),
authorized holders shall not physically take information marked with one of the
CUI Privacy Categories from GSA facilities (including GSA managed programs
housed at contractor facilities under contract), or access it remotely (i.e., from
locations other than GSA facilities unless using GSA-approved systems), in
accordance with GSA Order CIO 2100.1 IT Security policy.
CUI Physical Security Category - Information marked with CUI’s Physical Security
Category (e.g., sensitive building information, previously marked Sensitive But
Unclassified (SBU)) does not require written permission but the authorized holder
should confirm that the receiver has a legitimate Lawful Government Purpose for
accessing building information, as stated in PBS 3490.3 CHGE 1 Security for
Sensitive Building Information Related to Federal Buildings, Grounds, or Property.
If the requestor is unknown to the authorized holder, the authorized holder should
contact the designated project manager if the project is in design or construction
phase, or the building manager, whichever is responsible for the building/property
related to the request for verification. See PBS 3490 for details, or for information
concerning emergency situations.
Sending and Receiving CUI.
While Executive Branch agencies are in various stages of implementing the CUI Program, CUI
may be shared, but care must be taken regarding legacy vs. CUI markings.
Receiving marked legacy information when the recipient has implemented the CUI
Program.
18
If the receiving agency plans to reuse or transmit the legacy marked information to
another agency, then it must evaluate the information and remark it as CUI as
appropriate.
If applicable, the receiving agency must also adhere to any agency marking
waivers as they apply to internal dissemination.
If applicable, the receiving agency should apply any appropriate Limited
Dissemination Control Markings (LDCMs).
Receiving agencies should NOT reuse legacy markings, such as FOUO or SBU,
on new documents that are derived from marked legacy information.
Agencies should contact the originator of the material if they have any questions.
Receiving information marked as CUI when the recipient has NOT implemented the CUI
Program.
Transmitting agencies may feel some trepidation about the security of their
information when sending it to another agency that has not implemented the CUI
Program, as the recipient may not inherently protect this information to the same
standards outlined in the CUI Program.
For this reason, the transmitting agency may wish to directly convey safeguarding
requirements for this information to the receiver.
Recipients must then protect this information in accordance with any safeguarding
guidelines from the originators of the material, individual agency policy, and/or any
Limited Dissemination Controls.
Receiving agencies should NOT remove CUI markings from the information.
Agencies should contact the originator of the material if they have any questions.
Sending information marked as CUI when the recipient has NOT implemented the CUI
Program.
The transmitting agency must keep its CUI markings on the information.
If CUI Specified or Limited Dissemination Controls are contained in the
transmission of the information, the sender should also include a description of the
safeguarding or dissemination requirements related to the information.
19
Transmitting agencies may want to use the CUI Cover sheet to express these
additional safeguards to recipients.
Sending marked legacy information when the recipient has implemented the CUI
Program.
Transmitting agencies must provide a point of contact with the information in case
the recipient has questions about safeguarding the material.
Any special handling requirements associated with the information, such as limited
dissemination controls, should be conveyed through transmittal or in a manner
apparent to the recipient of the information.
CUI as Records
CUI documents may be official GSA records. If they are determined to be records they must not
be destroyed until applicable records retention has been met and any applicable litigation hold
has been lifted. See CIO 1820.2 GSA Records Management Program for additional information
on managing records. For clarification, convenience copies of documents marked CUI should be
protected as CUI, but would not be a record. The Agency records retention schedules and other
recordkeeping guidance is found on Insite.
Transferring
After December 31, 2022, GSA will no longer be transferring paper records to the National
Archives, be it for temporary or permanent purposes. Thus, only electronic records are
applicable to the conversation of transferring records to NARA. Recordkeeping custodians,
such as Recordkeeping SMEs per CIO 1820.2, will be required to store, track, and properly
destroy non-permanent records and to transfer permanent electronic records per the
applicable GSA records retention schedule. When CUI markings are no longer applicable to
documents they should be removed and those permanent records transferred to the National
Archives and Records Administration (NARA). Any records retaining a CUI mark after transfer
to NARA must indicate on the transfer form the presence of CUI. Refer to Records
Management pages on InSite for additional information.
Destroying
CUI records and copies must be destroyed as required by the CUI Program. See the section
Destroying CUI of this Guide for details and for information.
Decontrolling
Decontrolling occurs when an authorized holder, consistent with the CUI Registry, removes
safeguarding or dissemination controls from CUI that no longer require such controls.
Decontrol may occur automatically or through agency action.
CUI should be decontrolled (removed from protection of the CUI Program) as soon as
practicable when:
20
Laws, regulations, or Government-wide policies no longer require CUI controls;
An authorized holder from the designating agency requests to decontrol it;
The designating agency releases it to the public in response to a FOIA request,
which GSA considers to be a public release of the CUI or provides the CUI
pursuant to a Privacy Act request (See CUI Joint Memo 2018-11-19 for details);
It is consistent with any declassification action under Executive Order 13526 or
any predecessor or successor order; or
A predetermined event or date occurs, as described in the authorizing regulations
listed in the CUI Registry.
Decontrolling CUI relieves authorized holders from requirements to handle the
information under the CUI Program, but does not constitute authorization for public
release.
Once decontrolled, any public release of information that was formerly CUI must be in
accordance with applicable laws and GSA policies on the public release of
information.
Only authorized holders may decontrol CUI.
The authorized holder must clearly indicate that decontrolled CUI is no longer
controlled when restating, paraphrasing, reusing, releasing to the public, or donating
CUI to a private institution. Line through or remove the CUI markings to indicate it is
no longer being controlled as CUI.
Authorized holders may request that a designating agency decontrol certain CUI. If
an authorized holder publicly releases CUI in accordance with the designating
agency’s authorized procedures, the release constitutes decontrol of the information.
The authorized procedure should be handled by the CUI SAO. Contact the GSA CUI
Program Manager at cui@gsa.gov for information.
Unauthorized disclosure of CUI does not constitute decontrol. CUI must not be
decontrolled solely due to unauthorized disclosure. Proper procedures must still be
followed for decontrolling and possible misuse.
When laws, regulations, or Government-wide policies require specific decontrol
procedures, authorized holders must follow such requirements.
21
Records Management Note: The Archivist of the United States may decontrol records
transferred to the National Archives in accordance with 32 CFR 2002.34, absent a
specific agreement to the contrary with the designating agency.
Decontrolling Indicators
Where feasible, authorized holders must include a specific decontrolling date or event
with all CUI. Any decontrolling schedule holding this information should be readily
apparent to an authorized holder. The CUI may be decontrolled as of the specific
date without further review by the designator. Indicate the date or event when the
information can be decontrolled by adding a statement in the footer or elsewhere on
the page.
If using an event to authorize decontrol it must be foreseeable and verifiable by any
authorized holder. The designator should be the POC and should provide a method
of contact for authorized holders to verify that the event has occurred.
Authorized holders must clearly indicate when CUI is no longer controlled. For small
documents, all CUI markings within a decontrolled CUI document shall be crossed
out. For larger documents, strike-through of markings can be made on the first page
or cover page, and on the first page of any attachments that contain CUI. The first
page or cover page should also indicate that the CUI markings are no longer
applicable and the date which the document was decontrolled.
Destroying CUI
CUI may be destroyed when:
GSA no longer needs the information; and
GSA records disposition schedules no longer require retention of the records. For
more information refer to GSA Order CIO 1820.2GSA Records Management
Program.
Destroy CUI, including in electronic form and physical media (CDs, DVDs, flash/external
drives, external/portable drives, etc.), in a manner that makes it unreadable,
indecipherable, and irrecoverable. CUI may not be placed in office trash bins or recycling
containers. CUI must be destroyed as required by the authority for the applicable
category. If the authority does not mention a specific method, it should be destroyed
according to SP 800-88, Guidelines for Media Sanitization. Specifically, the minimum
standard for shredding CUI is to particles that are 1mm x 5mm (.04 inches x .2 inches).
If a company is contracted to shred CUI, the contract must ensure protection of the CUI
throughout the process, including while in transit and during transfer between collection
bins and the shredding equipment. Bins used to collect CUI before being transferred for
shredding must be locked and be marked as acceptable for temporarily holding CUI.
22
Equipment that is used for the electronic storage or processing of CUI (including copiers,
fax machines, scanners, etc.) shall be sanitized per GSA Order CIO 2100.1 IT Security
Policy whenever it is transferred, sold, or re-assigned to a person not authorized access
to the CUI previously contained in the equipment.
Since destruction is required by specialized equipment, documents containing CUI
information must not be destroyed at an alternate work location (telework location,
contractor site, etc.) that doesn’t have the proper equipment. CUI must be returned to
GSA for destruction in the appropriate shredders or collection bins, or returned to an
authorized holder (e.g., a Contracting Officer, the creator of the information, etc.) for
proper destruction.
Managers, CORs, and other leaders should periodically review work areas and
employee/contractor practices to ensure that sensitive material is being discarded in an
appropriate manner.
Training
Employees must receive initial training within 60 days of employment and at least once every 2
years thereafter. The CUI policy delineates the specifics of mandatory training. Advanced
Training is also available and may be mandatory for those who create, own, and/or use CUI
regularly.
Self-Inspection
In accordance with 32 CFR 2002, GSA must maintain internal oversight efforts to
measure and monitor implementation and management of the CUI Program.
The Self-Inspection Program includes:
Self-inspection methods, reviews, and assessments that serve to evaluate
program effectiveness, measure the level of compliance, and monitor the progress
of CUI implementation;
Documents self-inspections and recording findings;
Procedures by which to integrate lessons learned and best practices arising from
reviews and assessments into operational policies, procedures, and training;
A process for resolving deficiencies and taking corrective actions in an
accountable manner; and
Analysis and conclusions from the self-inspection program, documented on an
annual basis and as requested by the CUI Executive Agent.
23
The details and processes of the program will be referenced or included in this Guide
when finalized.
Misuse
Misuse of CUI occurs when someone uses CUI in a manner not in accordance with 32 CFR
2002, the CUI Registry, this policy, or the applicable laws, regulations, and Government-wide
policies that govern the affected information. This may include intentional violations or
unintentional errors in safeguarding or disseminating CUI. This may also include designating or
marking information as CUI when it does not qualify as CUI.
The CUI SAO is the point of contact for the Executive Agent when the EA receives
reports of misuse by GSA from another agency or from within GSA.
All employees, contractors and lessors shall report suspected or confirmed misuse of CUI
as soon as possible. See the Incident Management section below for more details.
Where laws, regulations, or Government-wide policies governing certain categories of
CUI specifically establish sanctions for the misuse of CUI, agencies are responsible for
coordinating with the appropriate parties concerning such sanctions.
Sanctions for Misuse of CUI
Consequences for misuse of CUI are based on existing GSA policies and the type of
information involved (building information, PII, etc.). Each policy’s applicable
consequences shall apply. In general, any employee who does not comply with this
Guide or the laws, regulations, or Government-wide policies pertaining to CUI may incur
disciplinary action in accordance with HRM 9751.1 Maintaining Discipline.
In the event a contractor employee misuses CUI, the matter shall be referred to the
cognizant contracting officer to determine whether remedies should be imposed under
the contract.
When an individual is found to be responsible for the commission of a CUI incident,
he/she may be subject to administrative, disciplinary, or criminal sanctions. The
underlying law, regulation, or Government-wide policy is consulted to determine guidance
on sanctions. The type of sanctions imposed is based on several considerations,
including:
Severity of the incident;
Intent of the person committing the incident;
Extent of training the person(s) has received;
Frequency of which the individual has been found responsible in the commission
of other such incidents, to include Security Violations or Infractions involving
classified information.
24
Specific requirements in applicable laws, policies or regulations.
Sanctions include, but are not limited to, verbal or written counseling, reprimand,
suspension from duty and pay, removal, removal of access to CUI, or criminal penalties.
The underlying law, regulation, or Government-wide policy is consulted for guidance, as
appropriate.
Administrative sanctions are assessed in accordance with the policies, procedures, and
practices established by GSA’s Office of Human Resources Management, and actions
involving the suspension or revocation of a security clearance are taken in accordance
with the applicable Executive Orders.
Where a proposed sanction associated with the unauthorized disclosure of CUI is in
excess of a reprimand, the matter is coordinated with the Office of the General Counsel
(OGC). Further, where a criminal violation has occurred that may result in a criminal
prosecution, the matter is coordinated with OGC, the Office of the Inspector General
(OIG), and the Department of Justice.
Incident Management
An incident can be thought of as a violation (or imminent threat of violation) of security or privacy
policies or standard practices. Incidents could cause loss or damage to hardware, software,
networks, or data (electronic or hard copy), or could affect personnel. They could be successful
or failed attempts to gain unauthorized access to CUI applications, unauthorized entry into a
building or room, unauthorized use of a system, unauthorized acquiring or viewing of sensitive
data, or similar situations.
GSA Order CIO 2100.1M IT Security Policy and the IT Security Procedural Guide
Incident Response (IR) [CIO IT Security 01-02] discuss processes for reporting all types
of incidents, and these procedures should be followed for CUI incidents.
Suspicious conduct and/or violations of CUI policy are reportable to the Insider Threat
Program under ADM P 2400.1A, Appendix B.
Authorized holders and all GSA employees are responsible for reporting incidents of
misuse involving CUI. Specific actions include:
Employees and contractor employees: Notify the IT Service Desk at 866-450-
5250 or ITServiceDesk@gsa.gov immediately.
Contracts: Contractors are responsible for reporting incidents in accordance with
the requirements of their contract(s). Two Federal Acquisition Regulation (FAR)
cases have been opened to incorporate the applicable incident reporting
requirements for PII and CUI into the FAR.
25
Leases: For building leases involving CUI (previously SBU), the Lessor is
responsible for reporting incidents to the Lease Contracting Officer and the GSA
Incident Response Team at gsa-[email protected].
Reportable CUI incidents could include but are not limited to:
Any knowing, willful, or negligent action that could reasonably be expected to
result in an unauthorized disclosure of CUI.
Any knowing, willful or negligent action to designate information as CUI contrary to
the requirements of Executive Order 13556, and its implementing directives.
Any incident involving computer or telecommunications equipment or media that
may result in disclosure of CUI to unauthorized individuals, or that results in
unauthorized modification or destruction of CUI system data, loss of CUI computer
system processing capability, or loss or theft of CUI computer system media.
Any incident involving the processing of CUI on computer equipment that has not
been specifically approved and accredited for that purpose by an authorized
official.
Any incident involving the shipment of CUI by an unapproved method, or any
evidence of tampering with a shipment, delivery, or mailing of packages containing
CUI.
Any incident in which CUI is not stored by an approved means.
Any incident in which CUI is inadvertently revealed to or released to a person not
authorized access.
Any incident in which CUI has been destroyed by unauthorized means.
Any incident in which CUI has been reproduced without authorization or contrary
to specific restrictions imposed by the originator.
Any incident in which CUI has been shared contrary to an applied dissemination
control marking.
Any other incident in which CUI is not safeguarded or handled in accordance with
prescribed procedures.
Individuals who share CUI external to GSA and become aware of any incident,
regardless of whether it did or could have resulted in any actual, potential, or suspected
loss or compromise of CUI shall immediately report the incident of misuse to the IT
Service Desk. The IT Service Desk will notify the Incident Response Team who will
26
notify the CUI Program Manager. The PM will assist the SAO in determining if the
incident of misuse warrants an inquiry and reporting to the Executive Agent.
Waivers of CUI Requirements
When information is designated as CUI but it is determined that marking it as CUI is excessively
burdensome, the SAO may approve waivers of all or some of the CUI marking requirements
while that CUI remains within agency control.
As stated in CIO 2103.2 GSA CUI Policy, legacy marking of archived documents is not
required unless the documents, files, or systems are made active again. The policy
grants automatic waivers to CUI marking requirements for legacy material that remains
unused. Therefore, if there is a substantial amount of stored information with legacy
markings and removing legacy markings and designating or re-marking it as CUI would
be excessively burdensome, a waiver of these requirements for some or all of that
information while it remains under agency control, and the information is not being used,
is granted.
In urgent circumstances, the CUI SAO may waive the requirements of the CUI policy or
the CUI Registry for any CUI within GSA’s possession or control, unless specifically
prohibited by applicable laws, regulations, or Government-wide policies.
To allow sharing CUI with other agencies or nonfederal entities or persons in an
emergency situation, the SAO may grant an exigent circumstances waiver. In such
cases, the authorized holders must make recipients aware of the CUI status of any
disseminated information.
Limited marking waivers may be granted to allow omission of CUI markings while the
document remains within GSA control (CUI is not to be shared outside of GSA unless
properly marked or an exigent circumstances waiver is granted). The information still
needs to be protected according to CUI requirements. Waivers may be requested by
emailing cui@gsa.gov and can be granted when It is impractical to individually mark CUI
due to quantity or nature of the information (e.g., forms, blueprints, etc.).
When the circumstances requiring the waiver come to an end, the SAO must reinstitute
the requirements for all CUI covered by the waiver without delay.
The SAO must retain a record of each waiver of CUI requirements, notify authorized
recipients and the public of the waivers, and report the waivers to the CUI Executive
Agent in the CUI Annual Report.
Contact the CUI team at cui@gsa.gov for more information about waivers and/or to
obtain a waiver request form.
27
Appendix A - References
Executive Order 13556 Controlled
Unclassified Information (CUI)
https://obamawhitehouse.archives.gov/the-
press-office/2010/11/04/executive-order-
13556-controlled-unclassified-information
32 CFR 2002 Controlled Unclassified
Information (CUI) (Implementing Directive)
https://ecfr.io/Title-32/pt32.6.2002
NIST Special Publication 800-53, Security
and Privacy Controls for Federal Information
Systems and Organizations, Revision 5
https://nvlpubs.nist.gov/nistpubs/SpecialPubli
cations/NIST.SP.800-53r5.pdf
NIST Special Publication, 800-88, Guidelines
for Media Sanitization, Revision 1
https://csrc.nist.gov/publications/detail/sp/800
-88/rev-1/final
NIST Special Publication 800-171 Protecting
CUI in Nonfederal Information Systems and
Organizations
https://csrc.nist.gov/publications/detail/sp/800
-171/rev-2/final
SP 800-172 Enhanced Security
Requirements for Protecting Controlled
Unclassified Information: A Supplement to
NIST Special Publication 800-171
https://csrc.nist.gov/publications/detail/sp/800
-172/final
SP 800-171A Assessing Security
Requirements for Controlled Unclassified
Information
https://csrc.nist.gov/publications/detail/sp/800
-171a/final
FIPS Publication 199, Standards for Security
Categorization of Federal Information and
Information Systems
https://csrc.nist.gov/publications/detail/fips/19
9/final
FIPS Publication 200, Minimum Security
Requirements for Federal Information and
Information Systems
https://csrc.nist.gov/publications/detail/fips/20
0/final
FAR Clause 52.204-21, Basic Safeguarding
of Contractor Information Systems
https://federalregister.gov/a/2016-11001
Federal Information Security Modernization
Act (FISMA)
https://www.congress.gov/113/plaws/publ283
/PLAW-113publ283.pdf
GSA Directives
28
PBS 3490.3 CHGE 1 Security for Sensitive
Building Information Related to Federal
Buildings, Grounds, or Property
https://www.gsa.gov/directive/security-for-
sensitive-building-information-related-to-
federal-buildings,-grounds,-or-property-
CIO 2200.1 GSA Privacy Program
https://www.gsa.gov/directive/gsa-privacy-
act-program
CIO 2100.1 GSA Information Technology (IT)
Security Policy
https://www.gsa.gov/directive/gsa-
information-technology-(it)-security-policy-0
GSA Order CIO 2103.2 Controlled
Unclassified Information (CUI) Policy
https://insite.gsa.gov/directives-
library/controlled-unclassified-information-cui-
policy-1
CIO 2104.1B GSA Information Technology
(IT) General Rules of Behavior
https://www.gsa.gov/directive/gsa-
information-technology-(it)-general-rules-of-
behavior-
CIO 2180.2 GSA Rules of Behavior for
Handling Personally Identifiable Information
(PII)
https://www.gsa.gov/directive/gsa-rules-of-
behavior-for-handling-personally-identifiable-
information-(pii)-
CIO 2231.1 GSA Data Release Policy
https://www.gsa.gov/directive/gsa-data-
release-policy
CIO 9297.2C GSA Information Breach
Notification Policy
https://www.gsa.gov/directive/gsa-
information-breach-notification-policy-
HRM 9751.1 Maintaining Discipline
https://www.gsa.gov/directive/maintaining-
discipline
OAS 1820.1 P GSA Records Management
Program
https://www.gsa.gov/directive/gsa-records-
management-program
Media Protection Guide [CIO IT Security 06-
32]
See IT Security Procedural Guides page on
InSite:
https://insite.gsa.gov/topics/information-
technology/security-and-privacy/it-security/it-
security-procedural-guides
Incident Response (IR) [CIO IT Security 01-
02]
See IT Security Procedural Guides page on
InSite:
https://insite.gsa.gov/topics/information-
technology/security-and-privacy/it-security/it-
security-procedural-guides
29
Appendix B - Definitions
Agency (also Federal agency, executive agency, executive branch agency) is any
“executive agency,” as defined in 5 U.S.C. 105; the United States Postal Service; and
any other independent entity within the executive branch that designates or handles CUI.
Agreements are arrangements in which agencies set out CUI handling requirements for
contractors and other information-sharing partners when the arrangement with the other
party involves CUI. Agreements include, but are not limited to, contracts, grants,
licenses, certificates, memoranda of agreement or understanding, and information-
sharing agreements. When disseminating or sharing CUI with non-executive branch
agencies, agencies must enter into written agreements that include CUI provisions
whenever possible (see 32 CFR 2002.13(a)(6) and (7) for details). When sharing
information with foreign entities, agencies should enter agreements when feasible (see
32 CFR 2002.13(a)(6) and (7) for details).
Authorized holder is an individual, organization, or group of users that is permitted to
designate or handle CUI, in accordance with 32 CFR 2002. Authorized holders who
create and manage CUI must be very familiar with the CUI categories and CUI policies,
complete all training, and know how to determine what information is CUI and how it
should be handled. They will determine the type of CUI (Basic or Specified -- see
“Safeguarding Standards” sections of this Guide), the applicable category, and the
necessary markings and decontrol actions required based on the type of information and
the specifics within this Guide.
Classified information is information that Executive Order 13526, “Classified National
Security Information,” December 29, 2009 (3 CFR, 2010 Comp., p. 298), or any
predecessor or successor order, or the Atomic Energy Act of 1954, as amended, requires
to have classified markings and protection against unauthorized disclosure.
Controlled environment is any area or space an authorized holder deems to have
adequate physical or procedural controls (e.g., barriers or managed access controls) to
protect CUI from unauthorized access or disclosure.
Control level is a general term that encompasses the category of specific CUI, along with
any specific safeguarding and disseminating requirements.
Controlled Unclassified Information (CUI) is information that requires safeguarding or
dissemination controls pursuant to and consistent with applicable law, regulations, and
government-wide policies but is not classified under Executive Order 13526 or the Atomic
Energy Act, as amended.
Controls are safeguarding or dissemination requirements that a law, regulation, or
Government-wide policy requires or permits agencies to use when handling CUI. The
requirements may be specifically stated in the authority or the authority may generally
require agencies to safeguard the information (in which case, the agency applies the
controls from Executive Order 13556, this rule, and the CUI Registry).
CUI Basic is the set of CUI categories that use the CUI Program’s uniform set of controls
for handling CUI set forth in this rule. CUI Basic differs from CUI Specified in that,
although laws, regulations, or Government-wide policies require agencies to protect or
control the CUI Basic information, they do not specifically articulate any safeguarding or
dissemination controls for that information. The CUI Basic controls therefore apply
30
whenever CUI Specified ones do not cover the involved CUI. (See definition of CUI
Specified in this section.)
CUI categories are those types of information for which laws, regulations, or
Government-wide policies require agencies to exercise safeguarding or dissemination
controls, and which the CUI Executive Agent has approved and listed in the CUI Registry.
CUI category markings are the markings approved by the CUI Executive Agent for the
categories listed in the CUI Registry.
CUI Executive Agent is the National Archives and Records Administration (NARA), which
implements the executive branch-wide CUI Program and oversees Federal agency
actions to comply with Executive Order 13556. NARA has delegated this authority to the
Director of the Information Security Oversight Office (ISOO).
CUI Program is the executive branch-wide program to standardize CUI handling by all
Federal agencies. The Program includes the rules, organization, and procedures for
CUI, established by Executive Order 13556, 32 CFR 2002, and the CUI Registry.
CUI Program Manager (PM) is an agency official, designated by the agency head or CUI
Senior Agency Official, to serve as the official representative to the CUI Executive Agent
on the agency’s day-to-day CUI Program operations, both within the agency and in
interagency contexts.
CUI Registry is the online repository for all information, guidance, policy, and
requirements on handling CUI, including everything issued by the CUI Executive Agent
other than 32 CFR 2002. Agencies and authorized holders must follow the requirements
in the CUI Registry. Among other information, the CUI Registry identifies all approved
CUI categories, provides general descriptions for each, identifies the basis for controls,
establishes markings, and sets out handling procedures. The CUI Registry is located on
the www.archives.gov/cui/ website (or successor site).
CUI Senior Agency Official (SAO) is a senior official designated in writing by an agency
head and responsible to that agency head for implementation of the CUI Program within
that agency. The CUI SAO is the primary point of contact for official correspondence,
accountability reporting, and other matters of record between the agency and the CUI
Executive Agent.
CUI Specified is the set of CUI categories that each have specific handling controls
required or permitted by authorizing laws, regulations, or Government-wide policies.
Decontrolling is the removal of safeguarding or dissemination controls from CUI when the
information is no longer considered CUI.
Designating CUI is when an authorized holder determines that a specific item of
information falls into a CUI category.
Designating agency is the executive branch agency that designates a specific item of
information as CUI.
Disseminating occurs when authorized holders transmit, transfer, or provide access to
CUI to other authorized holders through any means, whether internal or external to the
agency.
Document means any tangible thing which constitutes or contains information, and
means the original and any copies (whether different from the originals because of notes
made on such copies or otherwise) of all writings of every kind and description over
which an agency has authority, whether inscribed by hand or by mechanical, facsimile,
31
electronic, magnetic, microfilm, photographic, or other means, as well as telephonic or
visual reproductions or oral statements, conversations, or events, and including, but not
limited to: correspondence, email, notes, reports, papers, files, manuals, books,
pamphlets, periodicals, letters, memoranda, notations, messages, telegrams, cables,
facsimiles, records, studies, working papers, accounting papers, contracts, licenses,
certificates, grants, agreements, computer disks, computer tapes, telephone logs,
computer mail, computer printouts, worksheets, sent or received communications of any
kind, teletype messages, agreements, diary entries, calendars and journals, printouts,
drafts, tables, compilations, tabulations, recommendations, accounts, work papers,
summaries, address books, other records and recordings or transcriptions of
conferences, meetings, visits, interviews, discussions, or telephone conversations,
charts, graphs, indexes, tapes, minutes, contracts, leases, invoices, records of purchase
or sale correspondence, electronic or other transcription of taping of personal
conversations or conferences, and any written, printed, typed, punched, taped, filmed, or
graphic matter however produced or reproduced. Document also includes the file, folder,
exhibits, and containers, the labels on them, and any metadata associated with each
original or copy. Document also includes voice records, film, tapes, video tapes, email,
personal computer files, electronic matter, and other data compilations from which
information can be obtained, including materials used in data processing.
Federal information system is an information system that a Federal agency uses or
operates, or that a contractor or other non-executive branch entity operates on behalf of
an agency. An information system operated on behalf of an agency provides data
processing services to the agency that the Government might otherwise perform itself but
has decided to outsource. This includes systems operated exclusively for Government
use and systems operated for multiple users (multiple Federal agencies or Government
and private sector users) such as email services, cloud services, etc. A GSA information
system is an example of a federal information system.
Foreign entity is a foreign Government, international or foreign public or judicial body,
international or foreign private organization (including contractors and vendors), foreign
individual (including contractors and vendors), or an element of such an organization that
is established, operated, and controlled by individual(s) acting outside the scope of any
official capacity as officers, employees, or agents of the executive branch of the Federal
Government.
Full Operational Capability (FOC) is attained when all organizations scheduled to receive
a system have received it and have the ability to employ and maintain it. For the CUI
Program, FOC occurs when policy, training, physical requirements, and IT Systems are
all in place and align with the CUI Program. An agency can achieve FOC ahead of other
agencies.
Handling is any use of CUI, including but not limited to marking, safeguarding,
transporting, disseminating, reusing, and disposing of the information.
Initial Operational Capability (IOC) is attained when an agency has their CUI policy in
place, has verified physical safeguarding requirements, and has initiated (or completed)
training of its workforce. Some of the older protection practices might still be in place. An
agency IOC may be different than an IOC for the entire Executive branch.
32
Lawful Government purpose is any activity, mission, function, operation, or endeavor that
the U.S. Government authorizes or recognizes within the scope of its legal authorities.
Legacy material is unclassified information that an agency marked as restricted from
access or dissemination in some way, or otherwise controlled, prior to the CUI Program’s
existence.
Limited dissemination is any CUI Executive Agent-approved control on disseminating
CUI.
Misuse of CUI occurs when someone uses CUI in a manner not in accord with the policy
contained in Executive Order 13556, 32 CFR 2002, and the CUI Registry, or the
applicable laws, regulations, and Government-wide policy that establish the affected CUI
categories. .
Non-executive branch entity is a person or organization established, operated, and
controlled by an individual(s) acting outside the scope of any official capacity as officers,
employees, or agents of the executive branch of the Federal Government. Such entities
may include elements of the legislative or judicial branches of the Federal Government;
State, interstate, Tribal, or local Government elements; private organizations; or
international individuals, including contractors and vendors. This does not include
individuals or organizations that may receive CUI information pursuant to federal
disclosure laws, including the Freedom of Information Act and the Privacy Act of 1974.
Nonfederal information system is any information system that does not meet the criteria
for a Federal information system. It is generally considered a system that contains
Government information but is not owned or managed by a Government agency.
Agencies must follow the guidelines of NIST SP 800171 when establishing security
requirements to protect CUI’s confidentiality on nonfederal information systems.
Personally Identifiable Information (PII) is information that can be used to distinguish or
trace an individual's identity, either alone or when combined with other information.
Because there are many different types of information that can be used to distinguish or
trace an individual's identity, the term PII is necessarily broad. The definition of PII is not
anchored to any single category of information or technology. Rather, it requires a case-
by-case assessment of the specific risk that an individual can be identified using
information that is linked or linkable to said individual. In performing this assessment, it is
important to recognize that information that is not PII can become PII whenever additional
information is made publicly available in any medium and from any source that,
when combined with other information to identify a specific individual, could be used to
identify an individual (e.g. SSNs, name, DOB, home address, home email).
Portion is ordinarily a section within a document, and may include subjects, titles,
graphics, tables, charts, bullet statements, sub-paragraphs, bullets points, or other
sections.
Protection includes all controls an agency applies or must apply when handling
information that qualifies as CUI.
Public release occurs when an agency makes information formerly designated as CUI
available to members of the public through the agency’s official release processes.
Disseminating CUI to non-executive branch entities as authorized does not constitute
public release; nor does releasing information to an individual pursuant to the Privacy Act
of 1974 or disclosing it in response to a FOIA request.
33
Records are agency records and Presidential papers or Presidential records (or Vice
Presidential), as those terms are defined in 44 U.S.C. 3301 and 44 U.S.C. 2201 and
2207. Records also include such items created or maintained by a Government
contractor, licensee, certificate holder, or grantee that are subject to the sponsoring
agency’s control under the terms of the agreement.
Re-use means incorporating, disseminating, restating, or paraphrasing CUI from its
originally designated form into a newly created document.
Self-inspection is an agency’s internally managed review and evaluation of its activities to
implement the CUI Program.
Unauthorized disclosure occurs when individuals or entities, either intentionally or
unintentionally, gain access to CUI when such access does not further a Lawful
Government Purpose. Unauthorized disclosure may be intentional or unintentional.
Uncontrolled unclassified information is information that neither Executive Order 13556
nor classified information authorities cover as protected. Although this information is not
controlled or classified, agencies must still handle it in accord with Federal Information
Security Modernization Act (FISMA) requirements.
Working papers are documents or materials, regardless of form, that an agency or user
expects to revise prior to creating a finished product.