Next

CUI

Restart

Back

This material was developed with funding from the National Science Foundation 

1/8

Controlled Unclassified Information

Stakeholders

2/11

CIO

Board of Directors

Business Partners

Employees

Controlled Unclassified Information (CUI) is the compliance risk management topic that every defense industry and research institution should be discussing. Cybersecurity vulnerabilities and regulatory compliance requirements are two very challenging areas for most organizations. CUI compliance stakeholders span the organization from users that generate CUI data to the Board of Directors responsible for the organization’s due diligence for safeguarding these assets.

Managers & Administrators

Controlled Unclassified Information is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

Emergency Management

      Training

Existing Laws and Regulations

Law Enforcement

Click to reveal

Shared

      Governance

Agriculture

    Accountability

Tax

Standardized

  Policy and Guidance

Copyright

Transparent

Patent

Controlled Unclassified Information Program

What is CUI?

               Technology

Legal

1/11

FOUO vs CUI

Click to enlarge

FOUO is a government generated protective marking.  For Official Use Only (FOUO) is a document designation, not a classification. This designation is used by the Department of Defense and several other federal agencies to identify information or material which, although unclassified, may not be appropriate for public release. The contractor is responsible for handling and protection of FOUO markings only when generated and disseminated by the Government and is required to apply FOUO markings only when extracting FOUO information from such material.

4/11

Click to return

System and Computer

Email

5/11

CUI Marking

Electronic Storage Media

Paper Documents

CUI can be found on just about any form of media have slightly different security marking requirements, but the same basic principle applies to all of them--clearly identify the media as CUI and who designated it as CUI.

Text is bold and ALL CAPITALS

Limited Dissemination Control

6/11

1

CATEGORY

Paper-1 CUI Document Banner

2

The Banner Marking text is bold, capitalized, black, and centered on the page.

//

The CUI Control Marking, Category Marking, and Limited Dissemination Control markings are separated by double forward slashes (//). If you have multiple category markings or dissemination controls, use a single forward slashes (/) to separate.

3

DISSEM

Click on each number to build a banner

CUI Marking Control

CONTROLLED

CUI Category

//

The Banner Marking must appear at the top of each page (top and bottom banner markings are a “best practice”).

10/11

<< Click to apply label

Electronic Storage Media Marking

 The SF 903 USB drive size label is about 2.125” x .625”. Place the SF903 to a USB drive containing CUI in a manner that does not adversely affect the operation of the drive or the operation of the medium in which you insert it. Once you apply the label, it cannot be removed.

Main Menu

9/11

There are only a few differences between the rules for marking printed documents and email. A Banner Marking will be placed at the top of the email body and the email must carry a CUI Designation Indicator. If you forward an email that contains CUI, you must include all the original CUI markings. NARA also recommends that sends terminate the Suject Line with the phrase [Contains CUI]. If the email includes an attachment that contains CUI, NARA also recommends that the file name indicate the presence of CUI, such as FileName[CONTAINS CUI}.docx.

Email CUI Markings

All documents containing CUI must indicate the designator's agency.The designation indicator can be accomplished using a letterhead, a signature block that includes the agency, or a "Controlled by" line. The CUI Designation Indicator is required. It may also contain optional contact information.

Paper-3 Document Markings

Agencies may choose to require documents to include portion markings.placed at the beginning of a section (such as at the start of a paragraph)provide granularity to identify what specific information belongs to specific CUI Categories or has specific Limited Dissemination Controls

8/11

Natural and Cultural Resources

Statistical

NATO

Nuclear

Immigration

International Agreements

Quiz

Transportation

Privacy

Procurement and Acquisition

Provisional

Intelligence

Legal

Law Enforcement

Financial

Patent

Critical Infrastructure

Export Control

Defense

Proprietary Business Information

Tax

Over the years, federal agencies, federal services, and contractors compiled sensitive, but not classified, information. This information is now organized into categories based on the information type and end user of the information. Select a Category to view the associated detail information.

CUI Categories

3/11

Ammonium NitrateChemical-terrorism Vulnerability InformationCritical Energy Infrastructure InformationEmergency ManagementGeneral Critical Infrastrucrue InformationInformation Systems Vulnerability InformationPhysical SecurityProtected Critical Infrastructure InformationSAFETY Act InformationToxic SubstancesWater Assessments

Controlled Technical InformationDoD Critical Infrastructure Security InformationCritical Energy Infrastructure InformationNaval Nuclear Propulsion InformationUnclassified Controlled Nuclear Information - Defense

Export ControlledExport Controlled Research

Bank SecrecyBudgetComptroller GeneralConsumer Complaint InformationElectronic Funds TransferFederal Housing Finance Non-Public InformationGeneral Financial InformationInternational Financial InstitutionsMergersNet WorthRetirement

Immigration

AsyleeBattered Spouse or ChildPermanent Resident StatusStatus AdjustmentTemporary Protected StatusVictims of Human TraffickingVisas

Intelligence

AgricultureForeign Intelligence Surveillance ActForeign Intelligence Surveillance Act Business RecordsGeneral IntelligenceGeodetic Product InformationIntelligence Financial RecordsInternal DataOperations Security

Internation Agreements

International Agreement Information

Accident InvestigationCampaing FundsCommitted PersonCommunicationsControlled SubstancesCriminal History Records InformationDNAGeneral Law EnforcementInformantInvestigationJuvenileLaw Enforcement Financial RecordsNational Security LetterPen Register/Trap & TraceRewardSex Crime VictimTerrorist ScreeningWhistleblower Identity

Administrative ProceedingsChild PornographyChild Victim/WitnessCollective BargainingFederal Grand JuryLegal PrivilegeLegislative MaterialsPresentence ReportPrior ArrestProtective OrderVictimWitness Protection

Archaeological ResourcesHistoric PropertiesNational Park System Resources

NATO RestrictedNATO Unclassified

NATO

Procurement and Acquisition

General Procurement and AcquisitionSmall Business Research and TechnologySource Selection

General NuclearNuclear Recommendation MaterialNuclear Security-Related InformationSafeguards InformationUnclassified Controlled Nuclear Information - Energy

Nuclear

Patent ApplicationsInventionsSecrecy Orders

Privacy

Contract UseDeath RecordsGeneral PrivacyGenetic InformationHealth InformationInspetor General ProtectedMilitary Personnel RecordsPersonnel RecordsStudent Records

Entity Registration InformationGeneral Proprietary Business InformationOcean Common Carrier and Marine Terminal Operator AgreementsOcean Common Carrier Service ContractsPropietary ManufacturerPropietary Postal

Proprietary Business Information

Homeland Security Agreement InformationHomeland Security Enforcement InformationInformation Systems Vulnerability Information - HomelandInternational Agreement Information - HomelandOperations Security InformationPersonnel Security InformationPhysical Security - HomelandPrivacy InformationSensitive Personnal Identifiable Information

Provisional

Statistical

Investment SurveyPesticide Producer SurveyStatistical InformationUS Census

Federal Taxpayer InformationTax ConventionTaxpayer Advocate InformationWritten Determiniations

Transportation

Railroad Safety Analysis RecordsSensitive Security Information

SP-CTI

The only authorized Limited Dissemination Controls are: No Foreign Dissemination (NOFORN)Federal Employees Only (FED ONLY)Federal Employees and Contractors Only (FEDCON)No Dissemination to Contractors (NOCON)Dissemination List Controlled (DL ONLY)Authorized for Release to Certain Nationals Only (REL TO [USA, LIST])DISPLAY ONLY

Paper-2 CUI Banner Format

Category  Markings

Limited Dissemination Control

Mandatory: use of either CUI or CONTROLLED is acceptable  but must be applied consistently throught the document.

CUI Control Marking

CUI Marking  Control

Limited Dissemination Control Marking

Mandatory: if multiple CUI Categories are referenced in the document, list each Category. If the document contains CUI Specified, the CUI Category marking must start with “SP-“ and list the specified category. A CUI Category can have both CUI Basic and CUI Specific. It is the authority, not the information, that makes it CUI Basic or CUI Specific so you must know under which authority you designate a document as CUI.

NOFORN/FEDCON

Use single forward slash to separate multiple entries

Optional: used to place limits on how CUI can be shared. Consult the CUI Registry and the agency for guidance on use.

Click on each button 

7/11

If you are unable to access internal computer storage media, you must mark the outside of the computer. If you are using government-owned equipment, you can use an SF 902 or SF 903 to mark equipment. The SF 902 and 903 are nearly identical except the SF903 is narrow. If you are not marking government-owned equipment or if you do not have access to the SF 902 or SF 903, the security markings can be applied with a permanent marker.

11/11

System and Computer Marking