Controlled Unclassified Information: What Happened to Marking Everything FOUO?
The U.S. government started developing the requirements for handling and protecting classified information during the Constitutional Convention and the Washington administration in the 1790s. These requirements were informal and were not set in a specific standard. Today, government requirements for information protection are formal—and they are changing. The changes apply to U.S. government information but can also be applied to private industry when personal or sensitive information is being handled. For instance, a company handling sensitive information, such as medical data, will have specific handling requirements to protect that information from unauthorized persons.
Security professionals who have worked with or for the government are familiar with the basic development of information protection. The concepts of handling and protecting information go hand-in-hand. The three standard requirements each person handling and protecting classified information must meet are:
- The proper security clearance with eligibility;
- A signed and documented nondisclosure agreement; and
- A need to know.
The three requirements have been engraved in security professionals’ minds over the years and serve as a basis for protecting classified information. But what about Controlled Unclassified Information (CUI)? CUI is unclassified information that requires additional protection or safeguarding. The U.S. government is taking a new approach in marking and handling CUI, which can lead to best practices in the private sector by modeling proper protection methods for sensitive information. Some common examples of CUI are personally identifiable information (PII) and protected health information (PHI). These categories pertain to information being handled by any company, organization, or government. For example, the requirements for handling PHI pertain to all persons handling this information and can also be referenced through the Health Insurance Portability and Accountability Act (HIPAA).
Where Did CUI Come From?
First we must look at what controlled information is. We have been handling both classified and controlled information for decades. The information has not changed, nor has the need to protect it. The U.S. government is finally offering detailed guidance for how to handle and protect controlled information.
On 4 November 2010, U.S. President Barack Obama signed Executive Order 13556, Controlled Unclassified Information. The order outlined the requirement to implement protections for CUI when information is deemed necessary to protect, but does not fall under classified information, as outlined in Executive Order 13526. EO 13556 required the establishment of a way to identify non-classified information that still needs protection. The National Archives and Records Administration (NARA) was tapped to create CUI categories and subcategories, along with their protections, including marking and handling.
This executive order started the process of identifying controlled information, along with the intent to protect it. The Department of Defense Instruction (DoDI) 5200.48: Controlled Unclassified Information is the first step in implementing a complex set of phases for protecting CUI.
DoDI 5200.48 was issued on 6 March 2020 with some follow-up instruction from department heads. The instruction has been limited because there are many aspects of CUI that need to be addressed, and it is clear that the identification and protection of CUI is not a one-size-fits-all situation. The instruction does identify the categories and subcategories of CUI, as outlined by NARA.
Working with CUI
CUI is everywhere. It is in the finance office, the human resource office, and even in an intelligence office. By acknowledging the types of CUI in an office, personnel will have more confidence in marking, handling, and, in turn, protecting CUI. Protecting information by marking it provides a warning for all personnel handling that information. The warning outlines what type of information it is, who is authorized to view or handle it, and what privacy laws or policies the information is protected under.
Knowing the difference between classified and controlled unclassified information is paramount. In my previous position as a security professional, classified information was the primary type of information handled. There was little to no emphasis on CUI with one minor exception—handling and protecting PII, which required some basic understanding and training to implement.
A classic approach used by government and industry professionals is marking unclassified information with the control “For Official Use Only” (FOUO). It almost seems that this control marking has been used as a just-in-case marking for controlled information. The experience and effort—not only by security professionals, but by all persons involved with government information—have a considerable effect on how CUI is marked.
The misunderstanding of CUI markings is not employees’ fault. Training is often the primary approach in implementing new requirements, but relying on training alone, whether online or in-person, is not an effective approach. Training must be supplemented with awareness. Personnel must be aware of the CUI changes so that the importance of protecting information is heightened.
There are 125 categories of CUI, as outlined by NARA and highlighted in DoDI 5200.48. The categories are broken down under 20 organizational index groupings (OIG). The separate OIGs outline what area the categories of information fall under. But wait, there’s more—the CUI category will also be identified with either a Basic or Specified marking control. For the CUI categories to be implemented in each department, section, office, etc., the personnel must identify what OIG their information falls under.
For example, personnel security information falls under the Provisional OIG. Those working with this CUI category will follow the guidelines for marking, handling, and protecting personnel security information.
Taking a deeper look, each category of controlled unclassified information has three authorities for implementing and controlling the information.
First, CUI will be determined Basic or Specified by the Safeguarding and Dissemination Authority for that specific CUI category. Under the Personnel Security Information CUI category, the information is considered Basic under Provisional Approval. Depending on the CUI category and the authority for the controlled information, there are going to be different specialized handling instructions. Each category must be reviewed separately for its specified marking and handling requirements.
Second, each CUI category will identify the direct safeguarding and/or dissemination authority that authorizes the control of that CUI category. The authority can be a statute, a regulation, or a governmentwide policy.
Third, there are sanctions attached to each CUI category outlining the penalty that may occur if CUI is mishandled in any way.
The statutes, regulations, or governmentwide policy are set in place to ensure that personnel follow the proper marking and handling of CUI for the protection of government-owned information. For government civilians and military, the requirement to mark and handle CUI does not differ from how government contractors mark and handle CUI. What may differ is what government contractors are exposed to and responsible for, which will be specifically outlined in their contractual documents, limiting what information they are authorized access to and providing provisions on CUI.
The concern moving forward with the CUI categories is not the requirement to protect the information, but how to properly mark the information. By placing the appropriate control markings, the information will be identified as needing protection from unauthorized use or dissemination to persons not authorized to receive the information.
Marking CUI Material
All government personnel—whether military, civilian, or contractor—are used to marking CUI in different formats. In the last decade alone, the focus on creating CUI categories and centralizing marking requirements has greatly increased. The emphasis on only marking information that is controlled as CUI has increased as well. It is unlawful to overclassify CUI to limit or restrict release of information to the public domain.
DoDI 5200.48 provides the guidelines and requirements for CUI marking and handling; however, the actual timeline for implementation and specific marking instruction is left to the separate departments to implement. Each department is responsible for publishing and implementing a comprehensive regulation or policy. In the meantime, security professionals can start to work on basic training on CUI, to include marking requirements.
For any document containing CUI, the banner line of the document should now start with “CUI” or “CONTROLLED.” The first portion of the control marking identifies that the document has information that is controlled. Of course, information that is controlled means that there are restrictions on dissemination. The use of CUI or CONTROLLED will be determined by the agency.
The second portion of the control marking will be the CUI category that covers the information. The CUI category is separated from CUI with two forward slashes.
The CUI category is based on the type of controlled information in the document. An additional consideration for the CUI category is whether the information is Basic or Specified. If the CUI is Basic, the agency may decide to not list the CUI category. However, if the CUI is Specified, the agency must list “SP” in front of the CUI category. For instances where there are multiple CUI categories, the control marking will separate the categories by one forward slash. An example of all of this in full would be: CUI//CUI Category A/CUI Category C.
There may only be a handful of CUI categories any one office handles on a daily basis. Others—such as law enforcement, which has 19 CUI categories—may handle many. It will take an extreme amount of effort by all personnel to implement the markings and handle the controlled information accordingly.
The third portion of the control marking will identify any limited dissemination controls. The limited dissemination control is separated from the CUI category with two forward slashes. There are 20 limited dissemination controls that are used by agencies when further restrictions on dissemination are warranted. Restricting access through limited dissemination controls must only be used when it follows laws, regulations, and governmentwide policies.
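The three-part banner layout described above can be checked mechanically, for example when auditing documents for legacy FOUO markings. The following Python sketch is an added example, not code from DoDI 5200.48 or NARA. It assumes the Specified prefix is written "SP-" and that the second portion always holds categories; the sample category and dissemination names are constructed placeholders.

```python
import re

CONTROL_WORDS = {"CUI", "CONTROLLED"}   # first portion; the agency picks one
SP_PREFIX = "SP-"                        # assumption: hyphenated "SP" prefix
LEGACY = re.compile(r"\b(FOUO|FOR OFFICIAL USE ONLY)\b", re.IGNORECASE)

def parse_banner(banner):
    """Split a banner into control word, categories and dissemination control."""
    # Assumption: the second '//' portion is read as categories and the third
    # as the limited dissemination control, in the order the article gives.
    text = banner.strip()
    if LEGACY.search(text):
        raise ValueError("legacy FOUO marking, not a CUI banner")
    parts = [p.strip() for p in text.split("//")]
    if parts[0] not in CONTROL_WORDS:
        raise ValueError("banner must start with CUI or CONTROLLED")
    if len(parts) > 3 or "" in parts:
        raise ValueError("expected at most three non-empty '//' portions")
    categories = []
    for cat in (parts[1].split("/") if len(parts) > 1 else []):
        cat = cat.strip()
        specified = cat.startswith(SP_PREFIX)
        name = cat[len(SP_PREFIX):] if specified else cat
        if not name:
            raise ValueError("empty category name")
        categories.append({"name": name, "specified": specified})
    return {"control": parts[0], "categories": categories,
            "dissemination": parts[2] if len(parts) == 3 else None}

def audit(banners, require_category=False):
    """Return (banner, problem) pairs; problem is None when the banner passes."""
    # require_category models an agency that lists the category even for Basic CUI.
    results = []
    for b in banners:
        try:
            parsed = parse_banner(b)
            missing = require_category and not parsed["categories"]
            results.append((b, "category required by agency policy" if missing else None))
        except ValueError as exc:
            results.append((b, str(exc)))
    return results

# Constructed sample banners; the first is the article's own example.
SAMPLES = ["CUI//CUI Category A/CUI Category C",
           "CONTROLLED//SP-CATEGORY B//DISSEM CONTROL X",
           "CUI", "UNCLASSIFIED//FOUO", "CUI/CUI Category A"]
```

Calling audit(SAMPLES, require_category=True) flags the bare "CUI" banner, the legacy FOUO banner, and the banner that uses a single slash after the control word.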
CUI Timeline for Implementation
There are several questions regarding the implementation of marking CUI. One question steers more towards the official publication: When will my department or agency publish guidance on implementing all aspects of CUI? Unfortunately, each department or agency has its own timeline.
Another question that may strike a security professional is, how am I going to train my staff?
The information that security professionals need to be successful is right in front of us. As security professionals, we must know how to decipher the information and apply it to our specific area. In the Department of the Army, information security program managers will be the primary position to implement CUI marking, handling, and protection. Because CUI is a category of information security, the required information can be included in your current training forum. The handling and protection of CUI has already been implemented.
Finally, the marking of CUI: How do I mark CUI material and implement this new control marking method in my workplace? The answer is twofold. Security professionals must wait on further guidance from their higher headquarters. The specific guidance will provide information on how the department or agency will mark material and the applicable CUI categories. Your department or agency may require all CUI material to be marked as CONTROLLED instead of using CUI. Your department may also require that the CUI category be listed in the control marking even if it is Basic CUI. These specifics are important; they will assist security professionals in developing CUI training.
The specific CUI training is one method of implementing the CUI program. Another method is awareness. A lack of awareness can degrade an entire program. Training is completed, at best, every year. But awareness can be implemented daily. Awareness methods include posters, how-to’s, information papers, and newsletters.
A security professional must reflect on their own workplace and evaluate how they can best get the CUI updates and requirements implemented. Every department and agency is different when it comes to the CUI categories they are directly and indirectly involved in. However, all departments and agencies can assist each other in best practices to meet the standard. A security professional must seek the available information and form it to fit their situation.
Dr. Megan Schulze is a prior U.S. military officer with 18 years of federal government experience in multiple security disciplines. She completed her doctorate in 2014 with a specialty in Homeland Security Leadership and Policy. She currently works for the U.S. Department of Defense as a Security Specialist. She is an active attendee in ASIS International events.
The views expressed in this publication are those of the author and do not necessarily reflect the official policy or position of the Department of Defense or the U.S. government.
The public release clearance of this publication by the Department of Defense does not imply Department of Defense endorsement or factual accuracy of the material.