Controlled Unclassified Information (CUI)

CUI Frequently Asked Questions

The Controlled Unclassified Information (CUI) blog is an educational and informative resource, run by the CUI Executive Agent, to support the implementation of the CUI Program.  Please visit the CUI blog for frequently asked questions and to learn more about the program. 

Q&As for the CUI Program *In all cases, refer to your agency’s CUI program office for agency-specific requirements.*  


Question:  Will unclassified contracts have DD 254s issued to provide CUI Guidance or will unclassified contracts have simple attachments similar to the current FOUO (For Official Use Only) for guidance?

Answer:  DD 254s are only to be used with contracts that include CNSI (Classified National Security Information) requirements. The CUI EA has been working to develop a FAR (Federal Acquisition Regulation) case (with GSA, DoD, NASA, DHS) that will be used to standardize the way Executive branch agencies convey safeguarding guidance for CUI.  This FAR case includes a draft standard form, similar to the DD 254, that is intended to consolidate where contract-related CUI requirements are conveyed.
 

Question:  Who is the responsible party for issuing Legacy CUI marking waivers?

Answer:  Per 32 CFR 2002.38, Senior Agency Officials (SAO) may issue marking waivers for CUI while it remains under agency control.

 

Question:  Where is the agency CUI POC list?

Answer:  https://www.archives.gov/cui/about/contact.html#contact-an-agency

 

Question:  Who is responsible for marking CUI?  The CUI EA (ISOO) has run into agencies failing to do so.  If we don’t generate the material what is contractor responsibility?

Answer:  Upon implementation, agencies are responsible for marking or identifying any CUI shared with non-federal entities.  Questions regarding the status of information (marked or unmarked) should be directed back to the government contracting activity.  Some agencies are not yet marking CUI and are still implementing the elements of the CUI program.  Contractors should not follow CUI program requirements or markings until directed to do so in a contract or agreement.

 

Question:  Would you please define agency when discussing legacy information?

Answer:  An agency (also a Federal agency, an executive agency, executive branch agency) is any “executive agency,” as defined in 5 U.S.C. 105; the United States Postal Service; and any other independent entity within the executive branch that designates or handles CUI.

 

Question:  What do you consider a re-use of CUI?

Answer:  Re-use means incorporating, restating, or paraphrasing information from its originally designated form into a newly created document.

 

Question:  What’s the difference between CUI and Controlled?

Answer:  There is no difference.  Both are authorized CUI Control Markings and can be used interchangeably unless limited by agency policy.

 

Question:  Why is there not a marking equivalent to “RELIDO” (which is an intelligence marking that allows authorized people downstream to further disseminate as needed without going back to the originator)?

Answer:  The only authorized Limited Dissemination Control (LDC) markings that can be used with CUI are those found on the CUI Registry.  CUI Notice 2018-07 (https://www.archives.gov/files/cui/documents/20181116-cui-notice-2018-07-limited-dissemination-controls.pdf) describes the proper use of LDC, along with the process for submitting new/additional LDCs for use with CUI.  The dissemination of all CUI is governed by the principle of “Lawful Government Purpose”.  This means that any recipient of CUI is deemed to have a mission-related purpose to receive the information and that there must be no prohibition to that dissemination in law, regulation, or governmentwide policy. If an agency wishes to communicate a restriction beyond this, any of the above-mentioned dissemination controls can be applied as appropriate.

 

Question:  Can you give examples of CUI Basic?

Answer:  The CUI Registry, located at https://www.archives.gov/cui/registry/category-marking-list, lists all authorized CUI Categories (basic and specified).  The categories on this page that do not have a marking with “SP-” are CUI basic categories, like the agriculture category and the asylee category.

 

Question:  Does Industry ever have to mark CUI?

Answer:  Yes, but only when instructed to do so in the contract or supporting documentation, and when they have a lawful government purpose to do so.

 

Question:  Should a company be concerned with protecting CUI that is received from a government customer?

Answer:  CUI must be safeguarded in accordance with the contract, whether it is created or collected for the government, or shared from the government to the contractor.

 

Question:  When it comes to legacy information, should a contractor/company wait until the government agency (they work for/with) sends new documents that are marked CUI?

Answer:  Any information received or created as part of a current or previous contract should be protected in accordance with the terms of the contract under which it was received or created.  As agencies implement, CUI requirements will be added to existing and new contracts.

 

Question: What should be done if a customer marks every document  CONTROLLED with no true banner marking? Is that considered Basic? The word Controlled is an authorized banner marking for Basic CUI.

Answer: Under the CUI program, information marked “CONTROLLED” (CONTROLLED is a true banner marking) without additional markings would be CUI basic. Confirm with your customer and your contract that they are using CUI markings and ensure you follow any and all requirements in your contract or agreement.

 

Question:  How do you navigate a situation where you feel you have CUI but it hasn’t been marked appropriately?

Answer:  Questions regarding the status of CUI should be directed to the originator of the information or the government contracting activity.

 

Question:  What is the difference between U//FOUO and CUI?

Answer:  U//FOUO is a legacy marking used to indicate sensitivity based on agency policy or practice.  CUI is a marking that is used to indicate the presence of CUI basic information.  CUI markings are applied only to those information types/categories found on the CUI Registry and can be linked to laws, regulations, or Government-wide policies calling for protection or control of the information.  As the CUI program is implemented, U//FOUO will cease to be an authorized marking, but may still be seen on legacy documents once the transition to CUI is complete.

 

Question:  Banner Marking and document marking work for unstructured data?  What about marking structured data such as databases?

Answer:  For databases or applications, splash screens or banner marking can be used to satisfy the marking and identification requirements of the CUI Program.  System outputs can also be modified to apply markings upon printing or downloading from the application. 

The CUI office is working with NIEM to create a CUI Metadata standard that can be used to indicate CUI markings. Updates on this project will be relayed on the CUI Blog.

 

Question:  Do you mark/tag fields in the Database or categorize the system itself?

Answer:  Individual fields can be marked or a general alert can be placed on entry into the database/system (such as a splash screen and/or a banner at the top of the screen).  System outputs should be modified to include applicable CUI markings as needed; you can also use the CUI cover sheet SF 901 when printing.

 

Question:  How would I mark/tag a system?

Answer:  Please refer to the CUI Marking Handbook, page 27.

 

Question:  Is purple recommended, but not required for the CUI cover sheet?

Answer:  The SF 901 is purple.  If color printing is not available, the form can be printed in black and white.  The CUI cover sheet (OF 901, 902, 903) used to be green and should not be used; it has been replaced with the SF 901.

 

Question:  Do contractors have to mark CUI if their contract requires it?

Answer:  Yes.  Contractors need to follow what is in their contracts.  CUI requirements do not bind the public, except as authorized by a law, regulation, or as incorporated into a contract or agreement.

 

Question:  Are there reporting requirements and corrective actions for a CUI spillage, similar to those present for classified information?

Answer:  Agencies should develop reporting requirements for CUI spillage incidents.  Certain categories of CUI, like privacy, have special reporting requirements for loss or incidents.

 

Question:  Is the CUI banner marking replacing anything that we would have labeled FOUO?

Answer:  Once agencies implement the CUI program, legacy markings such as FOUO or SBU will no longer be used.  In some cases, what was previously marked as FOUO would align and be marked as CUI.  

 

Question:  How should Industry label their computers or USBs containing CUI?

Answer:  SF 902s and SF 903s can be used by Industry to label hard drives or USBs (media) that contain CUI.  They can be ordered from GSA here https://www.gsaadvantage.gov/.  You can also use a splash screen when signing in or a banner at the top/bottom of the screen to alert the user that there is CUI on the network being used.

 

Question:  If there are questions in regards to ITAR controls, does the CUI website offer any help and where can we find it?

Answer:  Please see the Export Control Category of CUI. https://www.archives.gov/cui/registry/category-detail/export-control.html

 

Question:  Do Industry personnel have the authority to generate original CUI?

Answer:  Depending on the terms of the contract, Industry may have the authority to generate CUI on behalf of the USG.

 

Question:  What’s the difference between CUI, FOUO, and the Privacy Act Coversheets?

 

Answer:  The SF 901, the CUI coversheet, is authorized for use with CUI.  Upon the implementation of the CUI Program for an agency, coversheets that are not required per underlying authorities, such as FOUO and Privacy Act, may no longer be used.

 

Question:  Where can subcontractors get CUI requirements?  

Answer:  The Draft CUI FAR case will have flowdown requirements much like the DFARS 252.204-7012.  Flowdown requirements should be reflected in the contract.

 

Question:  Are you familiar with any solutions that can automate the process of e-mail marking?

Answer:  ISOO is aware of a number of efforts within the Industry and within agencies to develop automated/assisted marking solutions for CUI.  There are no plans at this time by ISOO to publish an evaluated or approved list of vendors who have developed automated/assisted marking tools for CUI.

 

Question:  Can the CUI coversheet be used instead of marking each page of the document, or do we need to 

Answer:  An SF 901 may be used in lieu of marking every page of a document. Be sure to list on the SF 901 any specified categories, limited dissemination controls, or requirements called for by laws, regulations, or government-wide policies.

 

Question:  Is it required that CUI be stored in a GSA-approved safe?

Answer:  No.  CUI must be stored behind a locking barrier inside a controlled environment that prevents unauthorized access.  Organizations have some flexibility in determining what qualifies as a controlled environment.  CUI-specified categories may have additional physical security requirements.

 

Question:  Where can we access the CUI Marking Handbook?

 

Answer:  https://www.archives.gov/files/cui/documents/20161206-cui-marking-handbook-v1-1-20190524.pdf

 

Question:  What is the mechanism for removing markings or lifting restrictions on documents if/when the restriction has expired or no longer applies?

 

Answer:  CUI markings can be removed when the information has been decontrolled.  Decontrolling occurs when an authorized holder, consistent with 32 CFR 2002 and the CUI Registry, removes safeguarding or dissemination controls from CUI that no longer require such controls.  Decontrol may occur automatically or through agency action.  See 32 CFR § 2002.18.

 

Question: Are there specific/special record retention issues/timeframes specific to CUI?

Answer:  No.  Records retention issues/timeframes are not impacted by a record's status as CUI.

 

Question:  As a contractor with DoD, where can I go with CUI questions?

Answer:  For compliance with DoD contracts, the first place to check is the contract itself or the POC for the contract.  For questions about compliance with DFARS 7012, check out the DoD Procurement Toolbox at: https://dodprocurementtoolbox.com/faqs/cybersecurity/cybersecurity-faqs.  E-mail osd.dibcsia@mail.mil for clarification on DFARS 252.204-7012 or NIST SP 800-171 in support of DFARS 252.204-7012.  Emails sent to that address are reviewed frequently and distributed as appropriate to a cross-functional team of subject matter experts for action.
