The Beginning of Controlled Unclassified Information (CUI)
In 2004, the 9/11 Commission Report emphasized the need for an information sharing environment that facilitated the horizontal dissemination of terrorism-related data among government personnel, in order to address common communication problems across agencies and levels of government, improve agency response times, and enhance national security.
In response, a Presidential Memorandum of December 16, 2005, Memorandum on Guidelines and Requirements in Support of the Information Sharing Environment, created a process for establishing a single, standardized, comprehensive designation within the Executive branch for most Sensitive But Unclassified (SBU) information. Because agencies had each been implementing their own procedures for categorizing and handling SBU, a survey at the time found 107 unique markings and over 130 different labeling and handling processes and procedures in use.
A related Presidential Memorandum of May 9, 2008, Designation and Sharing of Controlled Unclassified Information (CUI), addressed the problem of categorizing and handling SBU by adopting, defining, and instituting "Controlled Unclassified Information" (CUI) as the single, categorical designation for most SBU information. It also (1) established a CUI Framework for designating, marking, safeguarding, and disseminating terrorism-related CUI; (2) designated the National Archives and Records Administration (NARA) as the Executive Agent responsible for overseeing and managing implementation of the CUI Framework; and (3) created a CUI Council (a subcommittee of the Information Sharing Council) to advise the CUI Executive Agent (NARA) on the development and issuance of policy and implementation guidance for the CUI program. NARA delegated its authority to develop standardized CUI policies and procedures to the Director of the Information Security Oversight Office (ISOO), a component of NARA.
This memorandum was rescinded by Executive Order (EO) 13556, Controlled Unclassified Information, on November 4, 2010. EO 13556 expanded on the earlier guidelines to establish an open and uniform program for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies. The CUI designation explicitly excludes information that is classified under EO 13526, Classified National Security Information (the successor to EO 12958, as amended), or under the Atomic Energy Act, as amended; CUI is by definition unclassified.
The CUI Program was designed to address several deficiencies in managing and protecting unclassified information, including inconsistent markings, inadequate safeguarding, and needless restrictions on sharing, both by standardizing procedures and by providing common definitions through a CUI Registry.
Published by the ISOO in 2011, the CUI Registry is the online repository for all information, guidance, policy, and requirements on handling CUI. It lists the approved CUI categories and subcategories, a general description of each, and the law, regulation, or Government-wide policy that is the basis for control, and it sets out the procedures for using CUI, including marking, safeguarding, transporting, disseminating, reusing, and disposing of the information.
In FY 2014, the ISOO partnered with the National Institute of Standards and Technology (NIST) to produce a joint publication, NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Finalized in June 2015, this publication provided federal agencies with recommended requirements for protecting the confidentiality of CUI when (1) the CUI is resident in nonfederal information systems and organizations, (2) the information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies, and (3) there are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or Government-wide policy for the CUI category or subcategory listed in the CUI Registry. The requirements in this publication were derived from FIPS Publication 200 and the moderate security control baseline in NIST Special Publication 800-53, were aligned with the proposed rule 32 CFR Part 2002, Controlled Unclassified Information, and apply to all components of nonfederal information systems and organizations that process, store, or transmit CUI, or that provide security protection for such components.
On May 8, 2015, proposed rule 32 CFR Part 2002, produced by the ISOO, was published in the Federal Register and entered the Office of Management and Budget (OMB)-managed Federal regulatory process. 32 CFR Part 2002, Controlled Unclassified Information, was published as a final rule on September 14, 2016 and became effective November 14, 2016. This regulation established policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, set self-inspection and oversight requirements, and addressed other facets of the Program. The rule affects Federal executive branch agencies that handle CUI and all organizations that handle, possess, use, share, or receive CUI, or that operate, use, or have access to Federal information and information systems on behalf of an agency.
In FY 2017, the General Services Administration (GSA), DoD, and NASA opened FAR Case 2017-016, Controlled Unclassified Information (CUI), to apply CUI requirements to Federal contractors. The case, which is currently at the Civilian Agency Acquisition Council review stage, proposes to amend the Federal Acquisition Regulation (FAR) to implement the NARA CUI program established by Executive Order 13556 of November 4, 2010. The purpose of this FAR rule is to ensure uniform implementation of the CUI program's requirements in contracts across Government agencies. The FAR CUI rule is expected to differ from the current DFARS 252.204-7012 clause in that it will implement the NARA CUI program in full, will not refer to CUI as "covered defense information (CDI)," and will put the burden on the Government, rather than the contractor, to identify which contractor-generated information is considered CUI.