Federal agencies routinely generate, use, store, and share information that, while not meeting the threshold for classification as national security or atomic energy information, requires some level of protection from unauthorized access and release. Protection may be required for privacy, law enforcement, or other reasons pursuant to and consistent with law, regulation, and/or Government-wide policy. Historically, each agency developed its own practices for sensitive unclassified information, resulting in a patchwork of systems across the Executive branch in which similar information might be defined and labeled differently, or where dissimilar information might share a definition and/or label, depending on the agency which originally created the information.
The Controlled Unclassified Information (CUI) program represents an unprecedented initiative to standardize practices across more than 100 separate departments and agencies; State, local, Tribal and, private sector entities; academia; and industry, to enable timely and consistent information sharing, and to increase transparency throughout the Federal government and with non-Federal stakeholders. Sharing CUI is authorized for any lawful government purpose, defined as any activity, mission, function, operation, or endeavor that the U.S. Government authorizes or recognizes within the scope of its legal authorities or the legal authorities of non-executive branch entities (such as state and local law enforcement).
In 2004, the 9/11 Commission Report recommended the horizontal sharing of intelligence information, transcending individual agencies. This recommendation was expanded by the Presidential Task Force appointed in May 2009 to include all information falling within the definition of CUI in the possession or under the control of the Executive Branch of the Federal Government. Executive Order 13556 Controlled Unclassified Information (the Order) established such a comprehensive Controlled Unclassified Information Program in November 2010. The Order designated the National Archives and Records Administration to serve as the Executive Agent (EA) to implement and oversee agency actions to ensure compliance with the Order. The Archivist of the United States established the CUI Office within NARA to fulfill the responsibilities of CUI Executive Agent and appointed the Director of the Information Security Oversight Office (ISOO) as Director of the CUI Office.
Executive Order 13556 prescribed collaborative discussion and consultation between the EA and affected agencies to develop and implement the CUI Program. This charge has guided an iterative development strategy to craft a policy that impacts more than 100 departments and agencies within the Executive branch, while balancing respective agency authority and practicability with the standardization called for in the Order. Based on this approach, the planned format of a general regulation supplemented by specific guidance issued by ISOO for discrete program elements (such as safeguarding, dissemination, decontrol, marking) was superseded by that of a regulation that consolidated both general principles and supplemental guidance into a single document.
On May 8, 2015, proposed rule 32 CFR Part 2002 was published in the Federal Register and entered the Office of Management and Budget (OMB)-managed Federal regulatory process. With EA support, OMB conducted additional rounds of Executive branch-wide interagency comment, public comment, National Archives and Records Administration (NARA) leadership review and additional discussions between OMB, the Executive Office of the President, the National Security Council and select stakeholders. 32 CFR Part 2002 Controlled Unclassified Information, was published as a final rule on September 14, 2016, and became effective November 14, 2016.
As elements are added to the CUI Program, associated tools and resources are developed and/or updated, including Training, Oversight, and Reporting. The status of the CUI Program is reported annually to the President, in individual reports in 2011 and 2012, and, since 2013, as part of the ISOO Annual Report.
The CUI Program will continue to evolve throughout its phased implementation as challenges are identified and addressed. EA activities will transition from initial development to general maintenance and oversight as the CUI Program is integrated into regular agency practice.