Working for the federal government, especially the DoD, can make you feel like you have to learn another language. Entire sites have been set up so people can develop their language skills and keep up in meetings. When Executive Order 13556 was put in place, the Controlled Unclassified Information (CUI) program was established to protect sensitive but unclassified information, formerly known as SBU. Previously, unclassified information could be marked FOUO or the like, but there was nothing really controlling it. Enter CUI onto the scene.
What is CUI?
Unclassified information associated with a law, regulation, or government-wide policy and identified as needing safeguarding is considered CUI. It requires access control, handling, marking, dissemination controls, and other protective measures. It’s almost like classified information, but without the background investigation process to go with it. It also puts the onus on program teams to navigate the process of determining if information is CUI or not.
If you’re still unsure of it, like many DoD employees and contractors, it helps to consider what CUI is not. It’s not classified information, and it’s not just corporate intellectual property, unless it’s in support of government work.
How Do You Mark Something as CUI?
The Government uses the DD Form 254 to convey security requirements to contractors when contract performance requires access to classified information, and prime contractors also use the DD Form 254 to convey security requirements to subcontractors that require access to classified information to perform on a subcontract. So, if classified information gets a specific form and instructions, how is CUI determined and marked?
The authorized holder of a document or material is responsible for determining, at the time of creation, whether information in a document or material falls into a CUI category. That happens by checking the DoD registry, which is built on the ISOO CUI Registry and accessed with your Common Access Card (CAC), for guidance and marking instructions on a program, document, or paragraph. It’s necessary to check in order to determine what meets the threshold for CUI, especially in the OPSEC category.
Each document needs to have a CUI designation indicator that lists the name of the DoD component, name of the office creating the document, CUI categories, distribution statement or limited dissemination controls (LDC), and contact information for the document’s POC. The CUI indicator needs to be on the main page, and then each page of the document needs to have a CUI marking. Once the CUI no longer requires safeguarding, then agencies are required to decontrol it.
Limited Dissemination Controls (LDC)
Among the many documents on CUI, the dissemination controls are helpful to clearly mark who has access. The most used for some offices will be NOFORN (No Foreign Dissemination), FED Only (Only Federal Employees), and FEDCON (Federal and Contractors Only). Use this list of markings in the designation indicator on the first page of your document, as well as with the CUI marking on every page. All distribution statements are required to follow the DoD’s list, and they need to be selected according to necessary restrictions.
Change is Hard
CUI is about making sure that information actually warrants special markings, and that the decision to add the markings is based on specific criteria as opposed to just a gut feeling. Overprotection is costly and underprotection is deadly. So, we’re aiming for our Goldilocks of “juussssttt right.”
Bottom line? When you change a process, it takes time. However, with a new process comes a lot of headaches for DoD offices. While SBU and FOUO may not have been tracked well, they also took a lot fewer hours out of a program manager’s day. It takes time to determine what feels like just a lower form of classification, as well as to be the responsible party for the document. If it’s too confusing and time-consuming to do, it runs the risk of either not being implemented well or being ignored.