Under Executive Order 13556, the Controlled Unclassified Information (CUI) program establishes open and uniform practices for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies. CUI does not cover information that is classified under Executive Order 13526, or the Atomic Energy Act, as amended.
The Freedom of Information Act (FOIA) is a law that provides requesters the right to access information from Executive branch agencies. FOIA is a disclosure statute that provides that any person has a right, enforceable in court, to obtain access to Federal agency records, except to the extent that such records (or portions of them) are protected from public disclosure by one of nine exemptions or by one of three special law enforcement record exclusions.
The fact that information is designated as CUI shall not have a bearing on determinations pursuant to the FOIA, or any law requiring the disclosure of information or permitting disclosure as a matter of discretion, including disclosures to the Legislative or Judicial branch, in accordance with section 2(b) of Executive Order 13556.
The CUI program makes no changes to the FOIA process. Each Federal agency handles its own records in response to FOIA requests. Applying a CUI marking to a document does not designate the information as exempt under the FOIA. FOIA professionals must make a release determination on a case-by-case basis after analyzing the information contained in the media type (i.e., document, CD, DVD, video, MP3, e-mail, etc.) in accordance with the FOIA and its nine exemptions.
Contact the appropriate agency and office for specific procedures, or visit www.archives.gov/cui or www.FOIA.gov for more information.
According to the CUI Office and the Department of Justice's Office of Information Policy:
- The FOIA should not be cited as a safeguarding or dissemination control authority for CUI. The purpose of the FOIA is to open agency activities to the public:
- The FOIA gives the public the right to request and receive Federal agency records, unless those records are protected from disclosure by one of the Act's exemptions.
- Most FOIA exemptions are discretionary. As a result, FOIA exemptions should not be relied upon as an authority to create a CUI category or subcategory.
- One cannot properly conduct a FOIA analysis at the creation of a document because the record's content must be analyzed at the time of the FOIA request to determine whether it is appropriate for release.
- Decisions to disclose or withhold information must be made based on the applicability of the statutory exemptions contained in the FOIA, not on a CUI marking or designation.
For more information on guidance regarding CUI and FOIA select here.
FOIA Officers are trained professionals that understand the proper processes within their organizations that are necessary to make decisions related to FOIA compliance. The CUI Executive Order (EO) reinforces these existing processes within each organization and supports FOIA Officers as professionals in that regard.
FOIA Officers need to be aware of CUI because the CUI program will make policy changes in the way in which the Executive branch manages information, as detailed in EO 13556-Controlled Unclassified Information (http://www.gpo.gov/fdsys/pkg/FR-2010-11-09/pdf/2010-28360.pdf)
FOIA Officers must understand the procedures related to CUI markings, safeguarding, handling, and dissemination, because they receive and manage requests from the public for this information and are critical links in the chain of information protection and sharing.
- To conceal violations of law, inefficiency, or administrative error.
- To prevent embarrassment to the U.S. Government, any U.S. official, organization, or agency.
- To improperly or unlawfully interfere with competition.
- To prevent or delay the release of information that does not require such protection.
- If it is required by statute or Executive Order to be made available to the public or if it has been released to the public under proper authority.
Conversation between Jenny and Chuck:
Jenny: Thank you, Chuck for taking the time out of your busy schedule to be with us today. Our audience and viewers have submitted various questions related to Controlled Unclassified Information (CUI) and how it should be handled and shared, so we thought we'd ask our CUI expert to come in and answer their questions.
Chuck: Oh, it's my pleasure to be here!
Jenny: Let's start with the questions then. First, is CUI classified and how is it reviewed?
Chuck: CUI is NOT classified information and should not be treated as such. The information designated as CUI is not automatically exempt from disclosure under the provisions of the FOIA. Information requested MUST still be reviewed on a case-by-case basis and released to the extent practicable.
Jenny: How are CUI categories and subcategories designated?
Chuck: CUI categories and subcategories are designated upon approval of the CUI Executive Agent and are official when published in the CUI Registry.
Jenny: At what point does CUI not require protections?
Chuck: CUI that is decontrolled pursuant to applicable decontrol instructions in the CUI Registry is no longer CUI and as such, no longer requires the protections associated with CUI.
Jenny: Is the information that was CUI authorized for public release?
Chuck: The decontrol of CUI does not constitute authority for public release, unless the decontrol occurred in response to a FOIA request. Public release of information that was previously CUI must first be approved by an authorized official in accordance with current directives, in the same manner as information that was never CUI.
Jenny: What type of handling and safeguarding measures must be applied to CUI?
Chuck: Minimum handling and safeguarding standards shall be contained in the CUI Registry for each type of CUI.
Jenny: Can CUI be shared with other agencies?
Chuck: To the extent not prohibited in the CUI Registry, CUI maybe shared with other agencies. Provided dissemination is not restricted pursuant to requirements cited in the CUI Registry, CUI may also be shared with other stakeholders, including but not limited to: Federal, State, local, tribal, or private-sector personnel; local government and law enforcement officials, and first responders; as well as foreign entities.
Jenny: So, who has control over CUI that is circulated to non-Federal entities?
Chuck: The Federal Government retains control of CUI that is disseminated to non-Federal entities with regard to authorized release to the public and is providing the information with a clear expectation that confidentiality will be preserved on the part of the recipient.
Jenny: In the case of a loss or compromise of CUI, what are the reporting requirements?
Chuck: Requirements for reporting on the loss or compromise of each type of CUI will be contained in the CUI Registry.
Jenny: Thank you, Chuck, for your time and for answering all our questions! That was very helpful and insightful. If people need more information or have any further questions, where can they go?
Chuck: If they have any further questions, they can visit www.archives.gov/cui or www.FOIA.gov.
Jenny: We hope you found this information useful. Thank you and have a great day!
CUI standardizes the management of Controlled Unclassified Information that may be shared across agencies, functions, and other entities while protecting information that requires safeguarding, and dissemination controls according to applicable law, regulations, and Government-wide policy.
To understand marking, dissemination, control, handling, and the guidelines for decontrol
The CUI Registry.
Transparency is important to CUI and FOIA because it increases the sharing of information, accountability, and efficiency, and creates an open and transparent government. It also protects individual privacy rights.
Everyone regardless of position or authority.
All Executive branch agencies that create information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, excluding information that is classified under Executive Order 13526 of December 29, 2009, or the Atomic Energy Act, as amended.
Conversation between user and CUI/FOIA Specialist:
User: Excuse me. Can you help me, please?
CUI/FOIA Specialist: Yes, of course. How can I assist you?
User: I would like to get more information on how I can be better equipped to deal with the CUI program.
CUI/FOIA Specialist: Well, anyone who creates or handles CUI must attend or be provided training on CUI. It may be in the form of classroom instruction or through computer-based training (CBT) programs.
User: Is there any refresher training that we should attend?
CUI/FOIA Specialist: Refresher training shall be provided and may be in the form of classroom or computer-based training.
User: Great, thank you!
CUI/FOIA Specialist: Oh, and one last thing: Additional information can be found at http://www.archives.gov/cui/training.html. The website also includes various helpful links related to CUI.
User: That's very helpful. Thanks again and have a great day!