Controlled Unclassified Information (CUI) is causing anxiety for government employees and contractors, who are expected to implement a policy they too-often haven’t been trained on and don’t understand. As a result, many are over-compensating by slapping a “CUI” warning on everything they produce and calling it a day.
Nowhere do I see this more than in government employee and contractor boilerplate email signatures. I’ve lost track of how many times I’ve received an email from someone with an automatic disclaimer at the bottom indicating that the email “may contain” CUI – or, in some cases, that the email (and therefore every email the sender creates) is CUI.
Challenges with CUI Warning
While I understand the “better safe than sorry” thinking behind this, the impression it creates for a knowledgeable recipient is a combination of ignorance and profound narcissism – as in “I don’t understand this” or “everything I say I so important that it must be shielded from FOIA requests and congressional oversight.”
Ironically, such a practice can itself constitute a policy violation when the CUI warning is unwarranted. CUI warnings cannot lawfully be used to obstruct public transparency or congressional oversight, which is indeed what happens when inappropriately applied. And when the CUI warning is warranted, hedging one’s bets with a generic warning is insufficient to comply with marking requirements that demand headers, footers, and portion markings like classified information.
The DoD Inspector General recently put a spotlight on these problems with their release of a highly critical report about that Department’s implementation of the CUI program. But the problem is not new and not limited to this context. Earlier this year, I wrote about how CUI is becoming a potent tool for whistleblower reprisal and exercising personal vendettas.
Federal Contractors and Employees Dealing With CUI
So, what’s a worried government employee or contractor to do? As I’ve previously recommended, go straight to the source and read 32 CFR Part 2002, Executive Order 13556, and the National Archives and Records Administration’s (NARA’s) CUI Registry. You can access all that through NARA’s CUI website here.
Next, inquire with your organization’s security office whether your department or agency has implemented the CUI program yet. There are a handful of outliers that haven’t yet done so. In those cases, existing agency policy on handling sensitive-but-unclassified documents remains in effect until the CUI program is implemented there.
Finally, if your organization has implemented the CUI program, ask your security office for any agency-specific trainings or policy memoranda that supplement the primary authorities identified above. The most significant that I’m aware of is DoD Instruction 5200.48, but there may be others.
Ultimately, I encourage all federal employees and contractors to take ownership of educating themselves on this issue. Yes, its dry and boring, but it also isn’t likely going away.
This article is intended as general information only and should not be construed as legal advice. Although the information is believed to be accurate as of the publication date, no guarantee or warranty is offered or implied. Laws and government policies are subject to change, and the information provided herein may not provide a complete or current analysis of the topic or other pertinent considerations. Consult an attorney regarding your specific situation.
