Controlled Unclassified Information
The CUI Life Cycle shows the path that sensitive unclassified information takes as it goes from creation through destruction or public release. Each step in the CUI journey has clearly defined requirements to ensure proper safeguarding.
Easy to Use
CUI initial, annual, and refresher training
For those required to follow US Federal or Department of Defense regulations, such as:
Executive Order 13556
Cybersecurity Maturity Model Certification (CMMC)
DFARS Clause 52.204-7012
32 Code of Federal Regulations Part 2002
Why is this new?
Historically, federal agencies would employ ad hoc and agency-specific policies, procedures, and markings to safeguard and control this type of sensitive information.
Key Points to Know:
Controlled Unclassified Information, or CUI, is created by or on behalf of the Government
Compromising CUI can be expected to have a serious adverse effect on national security
CUI replaces existing agency markings like FOUO or SBU
CUI creation or storage on an information system requires NIST 800-171 Revision 2 compliance or a CMMC level 3 or higher maturity
CUI Markings Requirements
Mark media with necessary CUI markings and distribution limitations
The authorized holder of a document or material is responsible for determining, at the time of creation, whether information in a document or material falls into a CUI category. If so, the authorized holder is responsible for applying CUI markings and dissemination instructions accordingly.
US Federal Requirements
The National Archives and Records Administration, or NARA, as Executive Agent of the CUI program, was designated to implement EO 13556 and oversee agency actions to ensure compliance. The Archivist of the United States delegated these responsibilities to the Information Security Oversight Office (ISOO).
32 CFR Part 2002 “Controlled Unclassified Information” was issued by the ISOO to establish policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program. The rule affects Federal executive branch agencies that handle CUI.
DoD Instruction 5200.48 Requirements
Anyone under any contractual obligation with the DoD is required to receive initial and annual CUI training, even if they don't access CUI.
At a minimum, DoD civilians, military members and on-site support contractors with access to Controlled Unclassified Information (CUI) shall receive both initial and annual refresher training that reinforces the policies, principles, and procedures covered in CUI policy.
Refresher training shall also address the threat and the techniques foreign intelligence activities use while attempting to obtain controlled unclassified DoD information and advise personnel of penalties for unauthorized disclosures.
The importance of unclassified information, its potential sensitivity, and the requirement to have all information reviewed and approved for release prior to public disclosure or Web posting shall be reiterated.
Refresher training shall also address relevant changes in CUI policy or procedures and issues or concerns identified during DoD Component oversight reviews.
Use of the CUI logo is with approval from the Executive Agent for the CUI program at the Information Security Oversight Office within the National Archives and Records Administration.
The CUI Life Cycle ™ & © 2019 by CMMC Consulting LLC and SideChannelSec, LLC and may not be duplicated or reproduced without written consent.