Which is best practice for protecting controlled unclassified information?

Protecting sensitive information is crucial for organizations that handle controlled unclassified information (CUI). CUI refers to information that requires safeguarding or dissemination controls pursuant to laws, regulations, or government-wide policies. While not classified, CUI still requires procedures for handling and protection against unauthorized disclosure. Organizations must follow best practices to secure CUI and avoid data breaches.

Why is Protecting CUI Important?

CUI makes up the majority of information the government creates or possesses. It includes things like personal information, proprietary business data, law enforcement information, and export-controlled information. While not classified, CUI still requires safeguards because its unauthorized release could cause harm. Data breaches involving CUI can erode public trust, cause financial loss, and damage national security interests. Following information security best practices helps prevent these negative outcomes.

CUI Program Requirements

In 2010, Executive Order 13556 established the CUI Program to standardize CUI handling across government agencies. The CUI Program is jointly implemented by the National Archives and Records Administration (NARA) and the CUI Executive Agent. Under the program, all federal agencies must comply with 32 CFR Part 2002, “Controlled Unclassified Information.” This regulation outlines requirements for CUI handling, including:

  • Designating CUI categories and subcategories
  • Marking CUI appropriately
  • Establishing CUI controls like dissemination and access restrictions
  • Developing CUI training
  • Managing CUI decontrols and public release

Organizations that handle CUI for the government, such as contractors, must also comply with 32 CFR Part 2002. Failing to follow CUI regulations can result in criminal or administrative penalties.

Assessing CUI Security Risks

A key initial step is assessing risks to CUI based on impact level. Agencies designate CUI into three impact levels under the Federal Information Processing Standards (FIPS) 199:

  • Low: Unauthorized disclosure could cause a limited adverse effect. Most CUI falls under this level.
  • Moderate: Unauthorized disclosure could cause serious adverse effects.
  • High: Unauthorized disclosure could cause exceptionally grave damage.

Impact levels help determine appropriate controls. For example, financial audit data may warrant moderate controls, while nuclear regulatory commission data requires high controls. Organizations should conduct risk assessments, classify CUI by impact level, and select controls accordingly.

CUI Marking Requirements

Proper marking is essential so individuals know CUI when they see it. The CUI Registry contains approved markings like “For Official Use Only” and “Law Enforcement Sensitive.” Markings must appear on materials containing CUI and external storage devices like thumb drives. Approved markings help prevent unauthorized access and inadvertent disclosures. However, lack of marking does not exempt information from CUI controls. Unmarked CUI still requires protection.

CUI Banner Markings

Banner markings indicate the highest controls needed for materials containing CUI. They appear at the top on the front cover, first page, or start of an electronic file. Banner markings consist of the CUI category, CUI markings, and CUI dissemination controls. For example:


Portion Markings

Individual CUI portions within materials require markings too. Portion markings use CUI category abbreviations like “ECI” for export-controlled information. They go directly before or after the CUI portions. Portion markings help identify CUI within larger documents and prevent unauthorized access to specific sections.

Subject and Title Markings

The subject line or title of emails, files, folders, etc. also requires CUI marking if the content contains CUI. This quickly signals CUI status to anyone accessing the material. For example, an email subject would be marked “CUI//REL TO USA AND JPN ONLY.”

Limiting Access and Dissemination

After identifying CUI, agencies must establish access and dissemination controls to prevent unauthorized disclosure. Access to CUI should be role-based, with only those requiring it for their jobs gaining access. Controls may include:

  • Physical Controls: Locked rooms, cabinets, and other barriers to unauthorized individuals accessing physical CUI.
  • Logical Access Controls: Usernames, passwords, multi-factor authentication, and encryption to control digital access.
  • Dissemination Controls: Markings that specify authorized recipients, like NOFORN (not releasable to foreign nationals).

More restrictive controls apply to CUI with higher impact levels. For example, top secret information would require very strict need-to-know access. Proper access and dissemination controls limit CUI exposure to only authorized personnel.

CUI Storage and Transmission

When storing and transmitting CUI, agencies must utilize secure methods aligned to the information’s impact level. Higher impact CUI demands more stringent measures. Storage and transmission controls help prevent interception or loss of CUI. Examples include:

  • Secure Physical Storage: Locked filing cabinets, drawers, safes, or protected facilities for physical CUI.
  • Encrypted Digital Storage: Encrypted hard drives, removable media, and cloud backups for electronic CUI files.
  • Secure Transmission Methods: Encrypted email and file transfer systems. Physically vetted couriers for hard copy transfers.

Protocols like Transport Layer Security (TLS) encryption provide secure connections for transmitting CUI. Government-approved products that meet minimum security requirements should be utilized when available.

Destroying CUI

Destroying CUI when no longer needed is crucial for information security. Proper destruction techniques prevent unauthorized access from discarded CUI. Acceptable destruction methods vary based on impact level but may include:

  • Cross-cut shredding for CUI hard copies.
  • Burn bags for secure physical destruction.
  • Degaussing to magnetically erase electronic media.
  • Overwriting or cryptographic erasure for digital files.

Physical destruction techniques like shredding should use equipment that produces particles meeting new CUI specifications. Cryptographic erasure that meets NIST Special Publication 800-88 Revision 1 guidelines provides secure file deletion. Rigorous destruction processes help prevent CUI disclosure through improper disposal.

CUI Training Requirements

Employees and contractors handling CUI must complete mandatory annual training on CUI policy and procedures. Training facilitates consistent and proper CUI identification, marking, storage, transmission, and destruction. Core training topics include:

  • Definitions and impact levels of CUI categories
  • Required markings for different CUI types
  • Appropriate access and dissemination controls
  • Proper physical and digital storage methods
  • Acceptable CUI transmission mechanisms
  • Destruction requirements
  • Consequences for noncompliance

Training should align with an organization’s CUI policies and Include mechanisms to test comprehension. Signed acknowledgement of training completion helps document compliance. Refresher training is key for maintaining security awareness.

Audit and Accountability

Tracking and auditing CUI handling provides accountability. Annual self-inspections help assess policy compliance. Audits should review areas like:

  • CUI marking practices
  • Access control mechanisms
  • Transmission methods
  • Storage procedures
  • Destruction processes
  • User training completion

Identifying control gaps facilitates corrective actions like updated policies, training, and technologies. Maintaining CUI inventories also helps track lifecycles. When breaches occur, logs help determine causes for remediation.

Transferring CUI

When transferring CUI outside an organization, certain requirements apply to ensure security:

  • Appropriate markings showing CUI status and controls
  • Signed nondisclosure agreements with recipients
  • Secure transmission via approved mechanisms
  • Notification procedures in case of loss or unauthorized disclosure

Government contractors must adhere to clause DFARS 252.204-7012 for transferring DoD CUI. Transfers to the public require review and approval processes to prevent unauthorized release.

Incident Response

Organizations must establish procedures for responding to CUI breaches, such as:

  • Internal reporting processes when incidents are discovered
  • Mechanisms for assessing damage and mitigating impacts
  • Notifying oversight authorities of qualifying incidents
  • Conducting analyses to identify root causes and prevent recurrences
  • Updating policies, controls, and training accordingly

Lessons learned from analyses help strengthen CUI protections going forward. Response and reporting help organizations meet regulatory obligations while enhancing practices.

Cloud Computing Considerations

Storing or processing CUI in cloud environments introduces unique considerations, including:

  • Assessing cloud provider compliance with Federal Risk and Authorization Management Program (FedRAMP) standards
  • Using cloud products with appropriate FedRAMP authorizations for CUI
  • Encrypting CUI end-to-end when stored or transmitted via cloud
  • Preventing unauthorized cloud access through identity management
  • Understanding CUI storage locations and use of multi-tenant environments
  • Obtaining assurances on CUI spillage controls in cloud

Cloud computing provides efficiencies but also requires added diligence regarding CUI. Utilizing FedRAMP-authorized cloud products helps mitigate risks when leveraging cloud capabilities.

Physical and Operational Security

Beyond data-centric controls, physical and operational security helps safeguard CUI by preventing unauthorized access. Examples include:

  • Visitors always escorted in CUI storage or use areas
  • Restricting entry/exit points from CUI facilities
  • Background checks for employees and contractors accessing CUI
  • Securing printers, scanners, and other hardware associated with CUI
  • Enabling lock screens with passwords on CUI systems
  • Automatic system timeouts requiring reauthentication
  • Logging and monitoring to detect anomalous access attempts

Holistic physical and operational controls create layered security reinforcing data-focused protections. Integrating CUI security into processes and culture helps make it enduring and effective.

CUI Protection Program Management

A CUI protection program requires active governance and dedicated resources. Crucial program management elements include:

  • Central CUI coordination team with defined roles and responsibilities
  • Regular working group meetings to validate controls and assess risks
  • Approval processes for CUI tools, technology, providers, etc.
  • Mechanisms for tracking, reporting, and analyzing CUI metrics
  • Defined lifecycles with expiration triggers for access, dissemination controls
  • Validation through techniques like penetration testing and red teaming

An engaged CUI program team provides oversight while enabling collaboration across involved groups. Structured life cycles prevent CUI controls from enduring indefinitely beyond when justified.


Protecting controlled unclassified information is vital for government agencies, contractors, and other responsible entities. Implementing best practices for identifying, marking, accessing, storing, transmitting, and destroying CUI helps mitigate risks of unauthorized disclosure and related harms. A comprehensive program centered on NARA CUI policy ensures strong and reliable controls tailored to impact levels. Beyond just data security, integrating CUI protections into organizational culture and operations establishes durable protection.