“CUI is the new FOUO.” That’s kind of like saying “Thursday is the new Friday”, although a whole lot less exciting. But don’t mistake boring for inconsequential. I’m seeing a lot of clearance holders conflate the two sentiments, much to their detriment.
If you’re reading this article, chances are pretty good that you are familiar with both terms already – at least in the abstract. At the risk of putting too fine a point on it, “CUI,” or Controlled Unclassified Information, is the government-wide designator that has replaced the old “For Official Use Only” (FOUO) caveat for documents that are unclassified but still sensitive. These documents are potentially exempt from release under the Freedom of Information Act.
The idea behind CUI was initially a good one: eliminate the alphabet soup of FOUO and related designators being applied to unclassified documents by different agencies and unify everything under one label. Unfortunately, the same bureaucracy that gave us the widely-known over-classification problem quickly got its teeth into the fledgling CUI program. Now, we have yet another unwieldy system that some critics argue is being used primarily to hide information from public scrutiny.
Practically-speaking, however, clearance holders have a bigger problem than philosophical debates about public disclosure of public business. I’m talking about the procedures for handling, marking, and transmitting CUI – which differ from the rules surrounding classified information – and the extent to which they are being used by some security officials in a game of “gotcha.”
To be fair, the vast majority of security officials are fair-minded individuals doing their job honestly. Yet a small but pervasive pattern has emerged in the last two years of some security officials claiming documents are CUI only after their handling or disclosure becomes an issue (i.e., an embarrassment for the agency or the security official personally). That’s a cagey game, since most clearance holders have no idea what the rules are surrounding CUI and wouldn’t even begin to know how to fight back.
Fortunately, dear reader, the rules surrounding CUI are actually quite simple. And, no, security officials can’t simply waive a wand and designate material as CUI, although some will try that.
32 C.F.R. § 2002 is the federal law that governs all aspects of CUI. Every clearance holder should read it carefully. The law establishes a “CUI Registry” run by the National Archives, which in turn dictates what information can be deemed CUI. Unless the information at issue fits squarely within one of the categories identified in the CUI Registry, it cannot be considered CUI. Importantly, just like with classified information, officials are also prohibited from marking something as CUI just to prevent embarrassment.
There are some agency-specific regulations that further supplement and implement the CUI program – most notably, DoDI 5200.48 – but those regulations cannot conflict with the law, nor can they broaden what constitutes CUI.
The take-away? If someone appears to be erroneously asserting CUI as a basis for withholding information or punishing you for allegedly mishandling it, first assess if it clearly fits within one of the categories identified in the CUI Registry. If it doesn’t, or if the alleged security violation seems inconsistent with the applicable laws and policies, consider their motivation. Are they overcompensating for a lack of knowledge? Are they trying to hide embarrassing information? Whatever the reason, don’t just roll over and accept blame if there is a legitimate reason to dispute the CUI claim.
This article is intended as general information only and should not be construed as legal advice. Although the information is believed to be accurate as of the publication date, no guarantee or warranty is offered or implied. Laws and government policies are subject to change, and the information provided herein may not provide a complete or current analysis of the topic or other pertinent considerations. Consult an attorney regarding your specific situation.
