Identifying CUI

• The ISOO Registry
  •  As the CUI Executive Agent, ISOO maintains the national CUI Registry at https://www.archives.gov/cui.
• The DOD CUI Registry  
  • Provides an official list of the Indexes and Categories used to identify the various types of CUI within DOD.
  • Mirrors the national ISOO CUI Registry (may provide additional information unique to the DOD).
  • Is located at https://www.dodcui.mil.

What are examples of CUI?

CUI includes, but is not limited to, Controlled Technical Information (CTI), Personally Identifiable Information (PII), Protected Health Information (PHI), organizational information, and any other personnel information.

• Controlled Technical Information (CTI)
  • Provided by a confidential source (person, commercial business, or foreign government) on condition it would not be released
  • Related to contractor proprietary or source selection data
  • Could compromise Government missions or interests
• Personally Identifiable Information (PII)
  Personally Identifiable Information (PII) is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. PII includes, but is not limited to: 
  • Social Security Number
  • Date and place of birth
  • Mother’s maiden name
  • Biometric records
  • Protected Health Information
  • Passport number
• Protected Health Information (PHI)
  • Subset of PII requiring additional protection
  • Health information that identifies the individual
  • Created or received by a healthcare provider, health plan, or employer, or a business associate of these
  • Related to:
    • Physical or mental health of an individual
    • Provision of healthcare to an individual
    • Payment for the provision of healthcare to an individual

Steps to Identifying CUI

Marking CUI

Banner Markings

The mandatory marking for all DOD CUI is the CUI Banner/Footer with the CUI Designation Indicator (DI) Block. This is the main marking that appears at the top and bottom of all documents containing CUI. The Banner/Footer markings must appear as bold capitalized text and must be centered at the top and bottom of every page. Even if there is CUI on only one page, the entire document must be marked as CUI.

CUI Designation Block

All documents containing CUI must have a CUI Designation Indicator (DI) Block to notify the recipient about information related to the document originator. This may be accomplished through the use of a letterhead and four additional lines. If no letterhead is used, then a fifth line is required. In accordance with the DOD CUI Marking Handbook, the CUI DI Block is placed in the lower right-hand corner or footer of the first page only and should include the following:

Portion Markings

CUI Portion markings in classified documents will appear in paragraphs or subparagraphs known to contain only CUI and must be portion marked with "(CUI)". "CUI" must not appear in the banner or footer.

If portion markings are applied, then all portions must be marked the same as with classified documents. Portions include subjects, titles, paragraphs and sub-paragraphs, bullet points and sub-bullet points, headings, pictures, graphs, charts, maps, reference lists, etc. Do not apply portion marks to the CUI DI Block. When CUI portion markings are used, follow these rules:

• CUI portion markings are placed at the beginning of the paragraph to which they apply and must be used throughout the entire document.
• CUI portion markings are contained within parentheses and may include these elements:
  • When CUI portion markings are used and a portion does not contain CUI, a "U" is placed in parentheses to indicate the portion contains uncontrolled unclassified information. If the CUI paragraphs are removed, the document will be decontrolled and no longer treated as CUI. It still must be reviewed before being publicly released.
  • The document's banner/footer markings must be shown on each page even if portion markings are used – if not all pages contain CUI, they can be marked as "UNCLASSIFIED".
  • As a best practice, keep the CUI and uncontrolled information in separate portions to the greatest extent possible to allow for maximum information sharing.
  • There is the option to add a line at the bottom of the document to state when certain pages or attachments are removed. The document is no longer CUI.

CUI Markings in a Classified Document

Documents containing both classified and CUI will be marked with the highest level of classification in both the banner and footer. Portion marking is mandatory. To the greatest extent possible, classified and CUI should not be commingled within a single paragraph or portion. The CUI should be a separate portion from the classified information. If it is merged in the same paragraph, it will be marked with the appropriate classification marking (C, S, TS, TS/SCI, etc.).

The CUI DI Block must be aligned with the classification authority block (on the lower left side of the document) on the lower right-hand side.

PowerPoint Presentations

To alert viewers that the presentation contains CUI:

• Include the CUI DI Block on the first slide
• Apply the CUI banner/footer markings on the top and bottom of each slide
• CUI should be in the file name
• For slides not containing CUI, it is optional to mark them as unclassified

When a spreadsheet contains CUI, it should provide warnings to viewers. Some options include using:

• CUI banner/footer markings
• CUI DI Block to show the required information about the document
• "CUI" in the filename

Policies and Forms

All new policies and forms containing CUI must be marked IAW DODI 5200.48, Section 3.2. As policies and forms are eligible or require updating, all legacy markings (For Official Use Only, FOUO; U//FOUO; etc.) must be removed. Per policy, DOD legacy material will not be required to be re-marked or redacted while it remains under DOD control or is accessed online and downloaded for use within DOD. The items must be reviewed to determine if they meet the threshold for qualifying as CUI. If so, they need to be revised to include the new CUI marking requirements.

• Forms containing CUI - when filled in - must be marked accordingly.
• If space on the form is limited, cover sheets can be used for this purpose.
• Include a statement indicating the form is CUI when filled in.

Information Technology (IT) Systems

For IT systems containing CUI, viewers must be made aware of the presence of CUI using a method readily apparent. IT Systems may have user access agreements and/or banners on each screen IAW DOD CIO information systems policies.

Administrative/Supplemental Markings

Extra administrative markings, such as Draft or Pre-decisional, may be used in documents containing CUI to inform recipients of the non-final status of the documents. 

Best practices for administrative/supplemental markings include:

• Markings shown as a watermark behind the text of the document
• Markings elsewhere in the document as long as they are separate from the CUI banner/footer markings
• Other markings, information, warnings, etc. that are not part of the banner/footer markings, but must be included elsewhere on the page to comply with the governing authority
• Place these markings after the "SUBJECT LINE" for memorandums to alert the reader of particular limitations to access or share the document or material.

Reproducing CUI

Printing/Copying

1. Printed CUI documents must be kept under direct control of an authorized holder and protected by a cover sheet during transport from the printer or copier.
2. Do not send CUI to the printer unless you or another authorized recipient are able to be at the printer when it prints.
3. Do not let CUI documents sit on the printer/copier where unauthorized individuals can have access to the information.
4. If possible, use a printer/copier requiring you to enter a code or CAC before printing.
5. CUI documents must have the proper CUI markings on each printed page.

Storing/Transporting CUI

CUI must be stored in controlled environments that prevent or detect unauthorized access. Printed CUI documents must be protected by at least one physical barrier, such as a cover sheet or a locked bin/cabinet.

CUI may only be digitally stored in an authorized IT system/application provided it is/has:

• Configured at no less than the Moderate Confidentiality impact value
• Limited access based on need
• Met the requirements of DOD's IT Security Policy

CUI must be protected at all times. This includes having the Information Security Oversight Office (ISOO), the CUI Executive Agent, approved CUI markings on printed pages, and/or a CUI cover sheet to clearly identify the information as CUI when stored, transported, or being used.

Placing a CUI-marked document in a briefcase is acceptable for transport. There still should be one layer of protection (cover sheet, folder, or envelope) for the document.

You should notify the Activity Security Manager (ASM) of the removal of CUI from the work environment by email or some other means (e.g., sign-out sheet).

Protecting CUI

1. Be aware of your surroundings and take steps to ensure others can't overhear what you are saying – do not use wireless phones to discuss CUI.
2. Protect or safeguard your surroundings to prevent shoulder-surfing. Don't allow CUI to be viewed by unauthorized individuals while you work with CUI documents printed out or displayed on a screen.
3. Verify you are sharing CUI only with someone who has an authorized, lawful government purpose for the information.
4. An authorized, lawful government purpose is the standard for deciding when to share and when not to share CUI with coworkers, Executive Branch agencies, or non-federal partners.
5. CUI may only be shared with contractors when it is identified in their government contract. CUI should only be shared when it will help achieve the goals of a common mission or project.

CUI Self-Inspection Program

An agency Self-Inspection Program is required to internally manage and ensure compliance with the CUI Program.

A Self-Inspection Program evaluates proper:

• Compliance with requirements for protecting, marking, storing, transporting, and destroying CUI
• UD reporting of CUI and required report submissions
• Training is carried out as required
• Management oversights are in place

Self-Inspection will also allow for the determination of best practices, lessons learned, and corrective actions, when necessary.

Agency Self-Inspection Program

1. The agency must establish a self-inspection program.
2.  The Self-Inspection Program must include:
   1. at minimum, an annual review and assessment of the agency’s CUI program. The Senior Agency Official (SAO) may determine a greater frequency.
   2. self-inspection methods, reviews, and assessments that serve to evaluate program effectiveness, measure the level of compliance, and monitor the progress of CUI implementation.
   3. formats for documenting self-inspections and recording findings when not prescribed by the CUI (Executive Agent (EA).
   4. procedures by which to integrate lessons learned and best practices arising from reviews and assessments into operational policies, procedures, and training.
   5. a process for resolving deficiencies and taking corrective actions.
   6. analysis and conclusions from the self-inspection program, documented on an annual basis and as requested by the CUI EA.

Destruction

Guidance for destroying CUI documents and materials is provided in DODI 5200.48, the CUI Registry, and ISOO Notice 2019-03. CUI documents and materials will be formally reviewed in accordance with Paragraphs a. and b. below before approved disposition authorities are applied, including destruction. Media containing CUI must include decontrolling indicators.

1. Record and non-record copies of CUI documents will be disposed of in accordance with Chapter 33 of Title 44, U.S.C. and the DoD Components' records management directives. When destroying CUI, including in electronic form, agencies must do so in a manner making it unreadable, indecipherable, and irrecoverable. If the law, regulation, or government-wide policy specifies a method of destruction, agencies must use the method prescribed.
2. Record and non-record CUI documents may be destroyed to make the original information irrecoverable by means approved for destroying classified information or by any other means that also make it unreadable and indecipherable. References are identified in NIST SP 800-88 and Title 32 CFR, Section 2002.14 – Safeguarding.

• ISOO Notice 2019-03, Destroying Controlled Unclassified Information (CUI) in Paper Form 
• NIST SP 800-88, Guidelines for Media Sanitation  (this is important because it provides guidance for other types of media besides paper) 
• NSA/CSS Media Destruction Guidance, Evaluated Products Lists (EPL)
• 44 U.S.C. Chapter 33, Disposal of Records 
• Title 32 CFR, Section 2002.14, Safeguarding 

Reporting CUI Incidents

You must report all known or suspected CUI incidents to your Supervisor and/or Activity Security Manager (ASM) immediately after a possible CUI incident.

A CUI incident can occur in different ways. Examples include:

• Finding papers with CUI markings left unattended
• Knowing information in a document or system is CUI, but not marking information properly
• Emailing unencrypted CUI outside of your network

• Important definitions
• Required documentation
• Unauthorized Disclosure Program Management Office (UD PMO)
• What unauthorized disclosures should be reported to the UD PMO (even when attribution has not been made)
• How the UD PMO reports media leaks to the Department of Justice (DOJ)

Sharing/Transmitting CUI

Dissemination & Distribution

No individual may have access to CUI information unless it is determined he or she has an authorized, lawful government purpose. CUI information may be disseminated within DOD Components, between DOD Component officials and DOD contractors, consultants, and grantees to conduct official business for DOD-provided dissemination is consistent with controls imposed by a distribution statement or limited dissemination controls (LDCs).

CUI designated information may be disseminated to a foreign recipient in order to conduct official business for the DOD, provided the dissemination has been approved by a disclosure authority in accordance with DODI 5200.48, Paragraph 3.4.c and the CUI is appropriately marked as releasable to the intended foreign recipient.

Emailing CUI

1. DO NOT USE YOUR PERSONAL EMAIL to transmit CUI.
2. All emails must be encrypted and contain a CUI banner at the top and bottom of the email.
3. Email correspondence containing CUI must contain a CUI Designation Indicator (DI) block.
4. If including an attachment containing CUI, the file name must indicate there is CUI included.
5. Portion markings are not required in an unclassified document containing CUI; however, when using portion markings within a CUI document, all document subjects and titles, as well as individual sections, parts, paragraphs, or similar portions of a CUI document known to contain CUI, will be portion marked with (CUI) or (U) for Unclassified. Use of the unclassified marking (U) as a portion marking for unclassified information within CUI documents or materials is required.
6. CUI markings in a classified document will appear in paragraphs or subparagraphs known only to contain CUI and must be portion marked with CUI. In this instance, the header and footer will be annotated with the highest classification of the classified document. CUI will NOT appear in the banner or footer.

Mailing CUI

1. Address the interior envelope/package to a specific recipient (not to an office or an organization).
2. Do not put CUI markings on the outside/exterior layer of the envelope/package.
3. Use automated tracking on the package to ensure it was delivered to the correct recipient.
4. The following methods may be used to mail/ship CUI
   • US Postal Service (USPS)
   • Any commercial delivery service (FedEx, UPS)
   • Interoffice mail delivery / Interagency mail delivery

Faxing CUI

The sender is responsible for determining appropriate safeguarding is in place on the receiving end of the fax and that the fax machine is located in a controlled environment.

A fax coversheet is required indicating the presence of CUI.

Decontrolling CUI

CUI must be decontrolled when the information no longer needs safeguarding. Decontrolling is similar to declassifying a classified document.  When a law, government-wide policy, or regulation no longer warrants additional safeguarding or dissemination controls, it must be decontrolled.  To achieve that, several actions must be taken:

• The authorized holder or originator (or their designated representative) determines if CUI must be decontrolled.
• The CUI document(s) or material(s) will have the CUI banner and footer markings lined through and replaced with “DECONTROLLED".
• The CUI DI Block will have a 45-degree diagonal line drawn through it with the name of the person/date of decontrol.

Decontrol does not mean it is able to be publicly released. It must still be reviewed in accordance with DODI 5230.09. See example below of a decontrolled document. 
 

Decontrolled Document Markings