Controlled Unclassified Information (CUI) Program

The goal of the CUI program is to establish a culture of information protection to reduce DOI risk related to improper release of sensitive data/information and overprotection of non-sensitive data/information. The CUI Program is a unified effort between Executive Branch agencies to standardize the protections and practices of sensitive information across agencies. The CUI Program implements one uniform, shared, and transparent system for safeguarding and disseminating CUI that:

  • Establishes common understanding of CUI control.
  • Promotes information sharing.
  • Reinforces existing legislation and regulation.
  • Examines differences between CUI controls and FOIA exemptions.

Controlled Unclassified Information (CUI) is information created or possessed by the government or other entities (e.g., contractors, universities, other designated partners) on behalf of the Federal Government, that is defined as sensitive within the CUI Registry and DOI policy. CUI requires that sensitive information be appropriately marked to convey sensitivity, handling, and safeguarding requirements. CUI is sometimes required for privacy, law enforcement, or other reasons pursuant to and consistent with law, regulation, and/or Government-wide policy. Established by Executive Order 13556 [PDF], and implemented by 32 CFR part 2002 , the CUI Program is being applied across Executive Branch agencies. 

CUI Controls

The management of CUI requires a balance of recognizing, protecting, and safeguarding sensitive information from unauthorized holders and ensuring that authorized holders with a lawful government purpose have timely access to perform their duties. Both requirements are of equal importance when dealing with CUI. To properly manage CUI, the information must be placed into the correct CUI category and marked in accordance with the CUI marking requirements.  

CUI Categories

The CUI Program is organized by information groups referred to as CUI categories. Each CUI category is defined and authorized by at least one or more enactments. There are well over a hundred CUI categories currently being used in Federal Government. Fortunately, not all categories are used by and/or are important to any one agency. Some of the categories are common to all agencies, while others may be specific to an agency’s unique mission. In Department of Interior, there are about 30 categories that relate to our mission. 

CUI Markings

The CUI Program requires information designated as CUI to carry the appropriate markings. CUI markings convey sensitivity, handling, and safeguarding requirements. Marking requirements apply to all sensitive information, including existing unmarked information and newly created information determined to be CUI. The standard CUI marking is the acronym CUI. This marking will appear centered across the top of every page of any document with sensitive information in bold font, large enough to be readily visible. This marking replaces legacy markings such as For Official Use Only (FOUO) or Sensitive But Unclassified (SBU). 

CUI and Zero Trust

CUI aligns and supports the Chief Data Officer community and Zero Trust by providing the foundation for the identification of sensitive information to ensure the correct information is being designated sensitive and protected appropriately, further ensuring resources are correctly allocated and ultimately saving DOI money. 

Who is responsible for recognizing CUI?

Departmental Staff Members! Individual staff members may encounter CUI information during their employment. Staff members are responsible for recognizing and designating sensitive information as CUI using the correct guidance, categories, and markings. When determining if information is sensitive, staff must take into consideration whether the inappropriate release of such information has the potential to:

  • Cause harm to a person’s privacy or welfare.
  • Adversely impact economic or industrial institutions.
  • Compromise programs or operations essential to our national and agency interests.  

Who is responsible for safeguarding CUI?

Departmental Staff Members! When sharing CUI information with parties outside the agency, the individual sharing the information must ensure the recipients have a need-to-know, understand the federal and departmental CUI requirements, and protect it accordingly. Staff must handle CUI received from other government agencies in accordance with the requirements provided by 32 CFR part 2002 and the originating agency. Information received from non-governmental sources that meets CUI requirements must be protected in accordance with CUI requirements, and the originating organization’s instructions. 

Why CUI?

When there is no standard procedure for handling sensitive information, the sharing of information between federal agencies suffers.

Historically, each agency developed its own practices for handling sensitive information. Due to these varied practices, similar information in one agency could be defined and labeled differently in another agency. Likewise, dissimilar information in one agency could share a definition and/or label in another. The lack of standard procedure for handling sensitive information negatively impacted the sharing of information between agencies. In 2004, the 9/11 Commission Report recommended a horizontal sharing of intelligence information that transcended individual agencies. In 2008, the Bush administration released the memorandum on Designation and Sharing of Controlled Unclassified Information (CUI). This memorandum adopted, defined, and instituted CUI as the sole categorical designation to be used throughout the executive branch for all information within the scope of the CUI definition. The memorandum’s purpose was to standardize practices and thereby improve the sharing of information. The establishment of CUI fundamentally changed the way that executive branch agencies share sensitive information. CUI policy provides a uniform marking system across the Federal Government that replaces a variety of agency-specific markings.

Although CUI is not classified information, the malicious release of CUI poses a threat to national security.

In October 2009, a major data breach at the National Archives and Records Administration (NARA) put the records of millions of military veterans at risk. The Executive Branch responded to this incident with Executive Order 13556 [PDF], “Controlled Unclassified Information” issued in November of 2010, which created the first program to manage CUI. The establishment of CUI was a defining moment in information security, as it formally acknowledged that certain types of unclassified information are extremely sensitive, valuable to the United States, sought after by strategic competitors and adversaries, and often have legal safeguarding requirements. 

Additional Information

The following links provide additional information about DOI’s Controlled Unclassified Information (CUI) Program:

  • CUI Contacts:  This page provides a list of DOI Controlled Unclassified Information Coordinators and their contact information, as well as a means to e-mail those contacts directly with additional questions.
  • Federal CUI Registry: This page provides the National Archives registry for CUI used throughout the Federal Executive Branch.
  • CUI Categories: This page provides a comprehensive list of CUI Categories listed alphabetically within organizational index grouping.

Was this page helpful?

Please provide a comment