Everything you need to know about Controlled Unclassified Information. The page is broken down into the following sections:
- Controlled Unclassified Information
- The Purpose of the CUI Program
- Applicable Laws, Regulations and Government-Wide Policies that Govern the CUI Program
- Legacy Marking Waivers
- Resources and Contacts
Controlled Unclassified Information (CUI)
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified.
The Purpose of the CUI Program
The purpose of the CUI program is a unified effort between Executive Branch agencies to standardize these protections and practices across departments and agencies.
Applicable Laws, Regulations and Government-Wide Policies that Govern the CUI Program
Executive Order 13556 "Controlled Unclassified Information" (the Order), establishes a program for managing CUI across the Executive branch and designates the National Archives and Records Administration (NARA) as Executive Agent to implement the Order and oversee agency actions to ensure compliance. The Archivist of the United States delegated these responsibilities to the Information Security Oversight Office (ISOO).
32 CFR Part 2002 "Controlled Unclassified Information" was issued by ISOO to establish policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program. The rule affects Federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI—or which operate, use, or have access to Federal information and information systems on behalf of an agency.
Legacy Marking Waivers
Pursuant to 32 C.F.R. 2002.20, all federal agencies are required to uniformly and conspicuously apply controlled unclassified information (CUI) markings to all documents and information containing CUI. Commission staff shall be responsible for properly protecting, marking and otherwise handling CUI in accordance with all applicable FTC CUI policies, procedures, and guidance.
However, “[w]hen an agency designates information as CUI but determines that marking it as CUI is excessively burdensome, an agency’s CUI Senior Agency Official may approve waivers of all or some of the CUI marking requirements while that CUI remains within agency control.” 32 CFR 2002.38.
Based on agency appropriations and budget allocations, weighed against the scope and extent of the FTC’s digital and physical information assets, the FTC does not have the financial or staff resources to implement and maintain a comprehensive program to mark all of its existing or “legacy” documents or information, which would be excessively burdensome at this time. Therefore, the marking requirements set forth in the CUI Rule, 32 CFR part 2002, as reflected in the NARA CUI Marking Handbook, are waived at this time for existing or legacy FTC information including, but not limited to, information stored on the FTC shared drives or in offsite storage. If the information is transmitted outside of FTC control, however, authorized holders shall comply with applicable CUI marking requirements. In the meantime, the FTC will continue to work towards applying informational banners to any agency-owned and operated systems that store or process CUI, to help ensure that newly generated or compiled CUI is marked and maintained in accordance with applicable CUI Rule requirements.
Legacy information within the agency’s control remains protected by the information security policy. Accordingly, FTC authorized holders shall continue to apply and use these existing information security protections as long as the information remains their control. Protections include secured physical and electronic storage locations, i.e., secured facilities, FTC internal network, locked drawers and file cabinets, authorized destruction methods, etc. In addition, legacy markings (e.g., “nonpublic,” “confidential,” “in camera”) continue to identify legacy materials that require CUI protection. Furthermore, this waiver applies only to the mandatory implementation and maintenance of a comprehensive CUI marking program for the agency’s legacy materials, and does not prohibit the marking of such materials as CUI in lieu of legacy markings on a case-by-case basis, as appropriate and feasible.
This waiver will be reviewed on a bi-annual basis for a determination of continued applicability. If circumstances substantiate the waiver no longer applies, it will be rescinded immediately.
Any questions concerning this waiver or agency CUI marking requirements should be directed to either CUI Senior Agency Official, April Tabor, at firstname.lastname@example.org or the CUI Program Manager, Cynthia Savage, at email@example.com.
Resources and Contacts
For more information on the CUI Program and its elements, please visit the CUI Registry at Controlled Unclassified Information (CUI) | National Archives From the CUI Registry you will find training videos, and additional resources to increase your understanding of these concepts.