What is the CUI program?
Executive Order 13556 "Controlled Unclassified Information" established the CUI program, which is a system that standardizes and simplifies the way the Executive branch handles unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and government-wide policies. The program emphasizes the openness and uniformity of government-wide practices. Its purpose is to address the current inefficient and confusing patchwork that leads to inconsistent marking and safeguarding as well as restrictive dissemination policies, which are often hidden from public view.
Who is required to implement the CUI program?
The heads of Executive branch departments and agencies will be required to ensure implementation of the CUI program within their respective department or agency.
What information will become CUI?
Only information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies may be CUI. This excludes all information that is classified under Executive Order 13526 of December 29, 2009, or the Atomic Energy Act, as amended.
How do the new CUI designations impact Freedom of Information Act (FOIA) requests?
The mere fact that information is designated as CUI shall not have a bearing on determinations pursuant to any law requiring the disclosure of information. The CUI program makes no changes to the FOIA process.
What is the CUI Governance Structure?
The President has designated the National Archives and Records Administration (NARA) as the CUI Executive Agent (EA). In this role, NARA has the authority and responsibility to oversee and manage the implementation of the CUI program.
The Executive Agent shall issue policy directives and publish a report on the status of agency implementation of the order to the President.
What are the next steps for implementing the CUI program?
The EA will consult with affected departments and agencies to begin the development of guidance necessary for the timely, efficient, and effective implementation of the CUI EO.
When should departments and agencies start to implement?
Before departments and agencies can apply CUI markings, the EA, with the advice of agencies, must issue detailed implementing guidance. In addition, the CUI registry must be operational and CUI training developed to further the system's implementation. Within one year of the date of the EO, the EA will establish the CUI Registry.
Departments and agencies will have 180 days after the EA's issuance of an implementing directive to provide the EA a proposed plan for CUI implementation in that agency, along with interim target dates.
When do employees start to use CUI?
Executive branch employees and contractors supporting government agencies should follow their existing "Sensitive But Unclassified" (SBU) schema until otherwise directed through guidance by the EA and implementation plans developed by their agencies.
When will the CUI registry be set up?
The CUI registry will be established within one year of the EO, be accessible by the public, and reflect authorized categories, subcategories, associated markings, as well as applicable safeguarding, dissemination, and decontrol procedures.
When will agencies have fully implemented the Order?
Guidance and an implementation plan will be developed to allow for the timely, efficient, and effective implementation of CUI. After a review of agency plans, and in consultation with affected agencies and the Office of Management and Budget, the Executive Agent shall establish deadlines for phased implementation by agencies.
Who will this affect?
The Executive Order will affect all Executive branch departments and agencies that employ safeguarding and dissemination controls for managing unclassified information pursuant to and consistent with law, regulations, and government-wide policies.
When will we see anything change?
While work has been underway for some time to study these issues, much work must be done prior to the Executive branch departments and agencies actually modifying their policies, procedures, and markings.
Examples of work to be done include finalizing implementation plans, designation of categories and subcategories of CUI along with consistent markings, identification of budgetary resources, technological modifications to numerous government systems, establishment of training, and creation of oversight. The proposed phase-in of CUI will occur over the course of several years.
Why is this all necessary?
There are currently over 100 different ways of characterizing SBU information. Additionally, there is no common definition, and no common protocols describing under what circumstances a document should be marked, under what circumstances a document should no longer be considered SBU, and what procedures should be followed for properly safeguarding or disseminating SBU information. As a result of this lack of clarity concerning SBU, information is inconsistently marked, without any common definitions related to these ad hoc markings. CUI reform is designed to address these deficiencies, in that it will provide a common definition and standardize processes and procedures.
Does this reform only apply to terrorism information?
The initial effort to reform SBU information was centered on terrorism information. The President's CUI Task Force recommended applying the efforts to standardize other documents requiring safeguarding since there are tremendous efficiencies that can be achieved by designing one business process to handle all SBU information. The CUI EO establishes a program for managing not just terrorism information, but all such unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies.