Lifecycle of Controlled Unclassified Information (CUI)

CUI follows a lifecycle similar to all protected information. While the designation of certain types of information requiring safeguarding and dissemination may be new, the process should be very familiar to DIB partners.

Create : CUI is created when recorded on paper or entered into an information system

Identify & Designate: Realize that the information is generated for or on behalf of an agency within the Executive Branch under a contract and determine if the information falls into one of the more than one hundred categories of CUI in the National and DOD CUI Registries. It is also important to realize what is not CUI.

Mark/Label: At a minimum, CUI markings for unclassified DOD documents will include the acronym “CUI” or “CONTROLLED” in the banner of the document. It is a best practice to include markings in both the banner and footer of the document, and it is imperative to reference the CUI Marking Guide to ensure correct markings.

Store: CUI can be stored in NIST 800-171 compliant information systems or controlled physical environments.

Disseminate: Only authorized holders may disseminate in accordance with distribution statements, dissemination controls, and applicable laws.

Destroy: Hard and soft copies of CUI should be appropriately destroyed, meaning they are rendered unreadable, indecipherable, and irrecoverable. Review clearing, purging, and destruction in NIST SP 800-88: Guidelines for Media Sanitization.

Decontrol: All holders must promptly decontrol CUI once the CUI owner has properly determined the information no longer requires safeguarding or dissemination controls, unless doing so conflicts with the related law, regulation, or government-wide policy in accordance with DoDI 5230.09.

Who can view Controlled Unclassified Information (CUI)

Access to CUI can be granted to individuals performing “any activity, mission, function, operation, or endeavor that the U.S. Government authorizes or recognizes [as] within the scope of its legal authorities or the legal authorities of non-executive branch entities (such as state and local law enforcement) on the need to know basis”.

Types of Controlled Unclassified Information (CUI)

There are two types of CUI: CUI Basic and CUI Specified.

CUI Basic

CUI Basic is the type of CUI that a law, regulation, or government-wide policy says must be protected, but doesn’t provide any further instruction for its protection. CUI Basic contains basic handling and dissemination controls.

1. CUI Basic has the same handling and sharing guidance across the entire Executive Branch and can be marked as either CUI or Controlled.
2. The Federal Information Systems Modernization Act (FISMA) requires that CUI Basic be protected at the FISMA Moderate level.
3. Examples of CUI Basic Categories

CUI Specified

CUI Specified is the type of CUI where the authorizing law, regulation, or policy puts more restrictive controls on the specific handling, marking, or sharing requirements to ensure adequate protection.

1. Individual directors of Federal Agencies define guidance.
2. Each Federal Agency has its additional handling and storing requirement(s) and may apply limited dissemination controls to the CUI content.
3. Each Federal Agency has its own rules for CUI Specified.
4. Export-controlled (ITAR and EAR-controlled information) are types of CUI Specified.

Important Points:
Since CUI Specified can call for different controls and protection than CUI Basic, it is mandatory to label the specific protection of the content in the banner (SP-)
Examples of CUI Specified Categories

Controlled Unclassified Information (CUI) Marking Guidance

CUI markings alert holders that the information must be protected. A cover sheet may also be used to identify CUI, alerting observers that CUI is present from a distance and serving as a shield to protect CUI from inadvertent disclosure. In the CUI program, there is a standard way to apply markings, as well as alternative methods to satisfy marking or identification requirements. Listed below are three components of marking CUI and an example of a CUI coversheet.

Designation Indicator

1. Provides a holistic view of the security A mandatory component for all CUI markings that identifies who originated the CUI.

Banner Markings

1. For CUI Basic, it is mandatory to include the CUI Control banner marking “CUI” or “CONTROLLED”
2. For CUI Specified, the category marking must appear in the banner and must be preceded by “SP-”.
3. Use the same banner marking on every page – the top banner must apply to the entire document.
4. If possible, apply markings to the bottom of the document.
5. If feasible, make the text black, bold, capital, and centered.

CUI Protection Barriers

CUI must always be secured using controlled environments, both physically and electronically, that ensure access to CUI is only by authorized users with a lawful government purpose.

PHYSICAL BARRIERS

The CUI Program requires that inside a controlled environment there is at least one physical barrier to prevent unauthorized access to CUI such as the following:

1. Sealed envelopes
2. Locked doors, overhead bins, drawers, file cabinets
3. Area equipped with electronic locks

CUI safeguards must also prevent unauthorized individuals from observing or overhearing discussions containing CUI. Public areas such as break rooms, lobbies, or public transportation, are not acceptable for the storage, discussion, or review of CUI.

ELECTRONIC BARRIERS

The CUI program requires that some barrier or compartmentalization exists to prevent unauthorized users from accessing electronic CUI, such as the following:

1. Dedicated network drives or SharePoint sites
2. Protected file folders
3. Intranet sites

Information stored on electronic systems and networks must be compartmentalized and protected according to the lawful government purpose for accessing that information. All projects should establish procedures to ensure that only authorized individuals have access to CUI, and its access is removed when it is no longer required.

Access and Information Systems Controls

CDI or CUI data may only be processed (i.e., transmitted, accessed, or stored) on company-approved devices including company workstations, GFE, approved subcontractor workstations, or MDM or MAM-enrolled devices.

1. Dedicated network drives or SharePoint To handle CUI, you must use Office 365 GCC High environment (aka “O365 Defense”).
2. If your client has CUI Specified or Certain Dissemination Controls that require certification at the FIPS High level, contact InterSec, Inc. for further guidance.

Access to CUI while on company business foreign travel must be permitted by your client and your contract and is subject to company device restrictions. Access to CUI while on personal foreign travel is not permitted.

ACCESSING, SHARING, AND STORING CUI/CDI

CDI or CUI data may only be processed (i.e., transmitted, accessed, or stored) on approved devices including workstations, Government Furnished Equipment (GFE), approved subcontractor workstations, MDM or MAM-enrolled personnel devices; more specifically:

1. Office 365 Commercial is limited to information that is suitable for public release and CUI Basic for non-DFARs projects and is built to the FIPS Moderate specifications. For guidance on FIPS requirements, reference NIST 800-171.
2. Office 365 GCC High (aka O365 Defence) must be used for CDI, CUI Specified, and CUI Basic for DFARS projects

Disposing Controlled Unclassified Information CUI

Regardless of the type (i.e., physical or electronic), CUI must be destroyed until the information is rendered unreadable, indecipherable, and unrecoverable.

PHYSICAL DESTRUCTION

1. Procedures for the physical destruction of CUI are different from those for unclassified information.
2. For physical media, such as a document, use an approved cross-cut shredder or a secured destruction bin.
3. Ensure that the shredder or destruction bin is marked ”Approved for the destruction of Controlled Unclassified Information”.
4. Never use trash cans or recycling bins to dispose of CUI.

ELECTRONIC DESTRUCTION

1. Follow proper roll-off procedures when leaving your project.
2. Seek necessary technical guidance for electronic destruction of CUI, contact InterSec, Inc. for support on clearing, purging, and destroying.
3. Projects can also reference guidance found in NIST SP 800-88 to ensure that their methods align with the standards of the CUI Program.