A new designation for sensitive but unclassified information (formerly known as SBU) was implemented and is now designated Controlled Unclassified Information (CUI). The CUI Program was established by Executive Order 13556 and protects unclassified information that is sensitive (e.g., export control, critical infrastructure, patent, legal, financial, personnel). Now that 32 CFR 2002 was published in November 2016, the implementation schedule for all federal agencies is moving forward.
The official government source of information for CUI is posted by the Information Security Oversight Office (ISOO) on the National Archives and Records Administration website. Last September ISOO issued a memorandum to all executive departments and agencies outlining target dates for a phased implementation within 180 days of the CUI Registry being posted. By the end of May 2017 all executive departments and agencies are required to start reporting progress on their implementation plans and status to ISOO.
Why is this all necessary?
There are currently over 100 different ways of characterizing SBU information. Additionally, there is no common definition, and no common protocols describing under what circumstances a document should be marked, under what circumstances a document should no longer be considered SBU, and what procedures should be followed for properly safeguarding or disseminating SBU information. As a result of this lack of clarity concerning SBU, information is inconsistently marked, without any common definitions related to these ad hoc markings. CUI reform is designed to address these deficiencies, in that it will provide a common definition and standardize processes and procedures.
The bottom line here is this: if you are an employee or contractor working for a federal agency then it would be a good idea to start boning up on what the new CUI categories are and what the requirements are on how to handle, mark, and protect the information so you don’t run afoul of regulatory guidance.