***** IMPLEMENTATION REMINDER FROM THE EXECUTIVE AGENT *****
Existing practices for sensitive unclassified information remain in effect until the CUI marking implementation deadline (TBD).
Marking: CUI markings will be developed and scheduled for implementation following publication of additional guidance.
Safeguarding: For each CUI category and subcategory, federal agencies shall comply with information security requirements defined by the National Institute of Standards and Technology (NIST). Federal agencies shall consult the following NIST publications for guidance on implementing specific measures to safeguard CUI:
- Federal Information Processing Standards Publication 199, Standards for Security Categorization of Federal Information and Information Systems
- Federal Information Processing Standards Publication 200, Minimum Security Requirements for Federal Information and Information Systems
- Special Publication 800-53, Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations
- Special Publication 800-60, Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories
Dissemination: CUI shall be disseminated only to individuals who require the information for an authorized mission purpose.
Decontrol: Information shall be decontrolled as soon as possible when it no longer requires safeguarding measures and dissemination controls pursuant to its associated authorities. CUI that has been publicly released via authorized agency procedures shall be considered decontrolled.
- Select a Category or Subcategory to view associated detail information.
- An asterisk (*) indicates that safeguarding, dissemination, marking and/or decontrol measures that differ from General Guidelines are required by statute, regulation, or Government-wide policy.
- Unless noted, CUI may be controlled at the Category or the Subcategory level.
|Agriculture||Information related to the agricultural operation, farming or conservation practices, or the actual land of an agricultural producer or landowner.|
|Controlled Technical Information*||Controlled Technical Information means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information is to be marked with one of the distribution statements B through F, in accordance with Department of Defense Instruction 5230.24, "Distribution Statements of Technical Documents." The term does not include information that is lawfully publicly available without restrictions. "Technical Information" means technical data or computer software, as those terms are defined in Defense Federal Acquisition Regulation Supplement clause 252.227-7013, "Rights in Technical Data - Noncommercial Items" (48 CFR 252.227-7013). Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.|
||Systems and assets, whether physical or virtual, so vital that the incapacity or destruction of such may have a debilitating impact on the security, economy, public health or safety, environment, or any combination of these matters, across any Federal, State, regional, territorial, or local jurisdiction.|
Related to information concerning the continuity of executive branch operations during all-hazards emergencies or other situations that may disrupt normal operations.
||Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations and the munitions list; license applications; and sensitive nuclear technology information.|
||Related to the duties, transactions, or otherwise falling under the purview of financial institutions or United States Government fiscal functions. Uses may include, but are not limited to, customer information held by a financial institution.|
|Geodetic Product Information*||Related to imagery, imagery intelligence, or geospatial information.|
||Related to admission of non-US citizens into the United States and applications for temporary and permanent residency.|
|Information Systems Vulnerability Information||Related to information that if not protected, could result in adverse effects to information systems. Information system means a discreet set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.|
|Intelligence||Related to intelligence activities, sources, or methods.|
|International Agreements*||Information provided by, otherwise made available by, or produced in cooperation with, a foreign government or international organization that requires protection pursuant to an existing treaty, agreement, bilateral exchange or other obligation under the requirements stipulated in 10 USC 130c(b), when not subject to classification under Executive Order 13526. Title 10 USC 130c(b) may exempt this class of foreign government information from the safeguard provisions otherwise required by Executive Order 13526. Per Title 10 USC 130c(h) the following national security officials are the only ones defined by statute as able to determine such information requires control: (A) The Secretary of Defense, with respect to information of concern to the Department of Defense. (B) The Secretary of Homeland Security, with respect to information of concern to the Coast Guard, as determined by the Secretary, but only while the Coast Guard is not operating as a service in the Navy. (C) The Secretary of Energy, with respect to information concerning the national security programs of the Department of Energy, as determined by the Secretary.|
|Law Enforcement||Related to techniques and procedures for law enforcement operations, investigations, prosecutions, or enforcement actions.|
|Legal||Information related to proceedings in judicial or quasi-judicial settings.|
|North Atlantic Treaty Organization (NATO)||Related to information generated by North Atlantic Treaty Organization (NATO) member countries under the North Atlantic Treaty international agreement, signed on April 4, 1949.|
|Nuclear*||Related to protection of information concerning nuclear reactors, materials, or security.|
|Patent||Patent is a property right granted by the Government of the United States of America to an inventor "to exclude others from making, using, offering for sale, or selling the invention throughout the United States or importing the invention into the United States" for a limited time in exchange for public disclosure of the invention when the patent is granted.|
|Privacy||Refers to personal information, or, in some cases, "personally identifiable information," as defined in OMB M-07-16, or "means of identification" as defined in 18 USC 1028(d)(7).|
|Procurement and Acquisition*||Material and information relating to, or associated with, the acquisition and procurement of goods and services, including but not limited to, cost or pricing data, contract information, indirect costs and direct labor rates.|
|Proprietary Business Information*||Material and information relating to, or associated with, a company's products, business, or activities, including but not limited to financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications.|
|SAFETY Act Information||Defined as “SAFETY Act Confidential Information” in 6 CFR Part 25, the regulations implementing the Support Anti-terrorism by Fostering Effective Technologies Act of 2002, SAFETY Act Information includes any and all information and data voluntarily submitted to the Department of Homeland Security under this part (including Applications, Pre-Applications, other forms, supporting documents and other materials relating to any of the foregoing, and responses to requests for additional information), including, but not limited to, inventions, devices, Technology, know-how, designs, copyrighted information, trade secrets, confidential business information, analyses, test and evaluation results, manuals, videotapes, contracts, letters, facsimile transmissions, electronic mail and other correspondence, financial information and projections, actuarial calculations, liability estimates, insurance quotations, and business and marketing plans.|
|Statistical*||Refers to information collected by a Federal statistical agency, unit, or program for statistical purposes or used for statistical activities; under law, regulation, or Government-wide policy such 'Statistical' CUI requires: (1) protection from unauthorized disclosure; (2) special handling safeguards; and/or (3) prescribed limits on access or dissemination.|
||Related to a compulsory contribution to government revenue involving information regarding returns or taxpayers.|
|Transportation||Related to any mode of travel or conveyance by air, land, or waterway.|