Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and Government-wide policies but is not classified under Executive Order 13526 "Classified National Security Information" or the Atomic Energy Act, as amended.
Components must ensure their personnel receive initial and annual refresher CUI education and training, and maintain documentation of this training for audit purposes. We provide a mandatory training course for all DOD personnel with access to CUI. This course also fulfills CUI training requirements for industry when it is required by Government Contracting Activities (GCA) for contracts with CUI requirements. Refer to the "Training & Education" section on this page for the link to the "DOD Mandatory Controlled Unclassified Information (CUI) Training" course.
Report DoD Component training completion data to the USD(I&S) annually or as directed.
In accordance with DODI 5200.48, Controlled Unclassified Information, training standards must, at minimum:
CUI includes, but is not limited to, Controlled Technical Information (CTI), Personally Identifiable Information (PII), Protected Health Information (PHI), organizational information, and any other personnel information.
The mandatory marking for all DOD CUI is the CUI Banner/Footer with the CUI Designation Indicator (DI) Block. This is the main marking that appears at the top and bottom of all documents containing CUI. The Banner/Footer markings must appear as bold capitalized text and must be centered at the top and bottom of every page. Even if there is CUI on only one page, the entire document must be marked as CUI.
All documents containing CUI must have a CUI Designation Indicator (DI) Block to notify the recipient about information related to the document originator. This may be accomplished through the use of a letterhead and four additional lines. If no letterhead is used, then a fifth line is required. In accordance with the DOD CUI Marking Handbook, the CUI DI Block is placed in the lower right-hand corner or footer of the first page only and should include the following:
CUI Portion markings in classified documents will appear in paragraphs or subparagraphs known to contain only CUI and must be portion marked with "(CUI)". "CUI" must not appear in the banner or footer.
If portion markings are applied, then all portions must be marked the same as with classified documents. Portions include subjects, titles, paragraphs and sub-paragraphs, bullet points and sub-bullet points, headings, pictures, graphs, charts, maps, reference lists, etc. Do not apply portion marks to the CUI DI Block. When CUI portion markings are used, follow these rules:
Documents containing both classified and CUI will be marked with the highest level of classification in both the banner and footer. Portion marking is mandatory. To the greatest extent possible, classified and CUI should not be commingled within a single paragraph or portion. The CUI should be a separate portion from the classified information. If it is merged in the same paragraph, it will be marked with the appropriate classification marking (C, S, TS, TS/SCI, etc.).
The CUI DI Block must be aligned with the classification authority block (on the lower left side of the document) on the lower right-hand side.
To alert viewers that the presentation contains CUI:
When a spreadsheet contains CUI, it should provide warnings to viewers. Some options include using:
All new policies and forms containing CUI must be marked IAW DODI 5200.48, Section 3.2. As policies and forms are eligible or require updating, all legacy markings (For Official Use Only, FOUO; U//FOUO; etc.) must be removed. Per policy, DOD legacy material will not be required to be re-marked or redacted while it remains under DOD control or is accessed online and downloaded for use within DOD. The items must be reviewed to determine if they meet the threshold for qualifying as CUI. If so, they need to be revised to include the new CUI marking requirements.
For IT systems containing CUI, viewers must be made aware of the presence of CUI using a method readily apparent. IT Systems may have user access agreements and/or banners on each screen IAW DOD CIO information systems policies.
Extra administrative markings, such as Draft or Pre-decisional, may be used in documents containing CUI to inform recipients of the non-final status of the documents.
Best practices for administrative/supplemental markings include:
CUI must be stored in controlled environments that prevent or detect unauthorized access. Printed CUI documents must be protected by at least one physical barrier, such as a cover sheet or a locked bin/cabinet.
CUI may only be digitally stored in an authorized IT system/application provided it is/has:
CUI must be protected at all times. This includes having the Information Security Oversight Office (ISOO), the CUI Executive Agent, approved CUI markings on printed pages, and/or a CUI cover sheet to clearly identify the information as CUI when stored, transported, or being used.
Placing a CUI-marked document in a briefcase is acceptable for transport. There still should be one layer of protection (cover sheet, folder, or envelope) for the document.
You should notify the Activity Security Manager (ASM) of the removal of CUI from the work environment by email or some other means (e.g., sign-out sheet).
An agency Self-Inspection Program is required to internally manage and ensure compliance with the CUI Program.
A Self-Inspection Program evaluates proper:
Self-Inspection will also allow for the determination of best practices, lessons learned, and corrective actions, when necessary.
Guidance for destroying CUI documents and materials is provided in DODI 5200.48, the CUI Registry, and ISOO Notice 2019-03. CUI documents and materials will be formally reviewed in accordance with Paragraphs a. and b. below before approved disposition authorities are applied, including destruction. Media containing CUI must include decontrolling indicators.
You must report all known or suspected CUI incidents to your Supervisor and/or Activity Security Manager (ASM) immediately after a possible CUI incident.
A CUI incident can occur in different ways. Examples include:
No individual may have access to CUI information unless it is determined he or she has an authorized, lawful government purpose. CUI information may be disseminated within DOD Components, between DOD Component officials and DOD contractors, consultants, and grantees to conduct official business for DOD-provided dissemination is consistent with controls imposed by a distribution statement or limited dissemination controls (LDCs).
CUI designated information may be disseminated to a foreign recipient in order to conduct official business for the DOD, provided the dissemination has been approved by a disclosure authority in accordance with DODI 5200.48, Paragraph 3.4.c and the CUI is appropriately marked as releasable to the intended foreign recipient.
The sender is responsible for determining appropriate safeguarding is in place on the receiving end of the fax and that the fax machine is located in a controlled environment.
A fax coversheet is required indicating the presence of CUI.
CUI must be decontrolled when the information no longer needs safeguarding. Decontrolling is similar to declassifying a classified document. When a law, government-wide policy, or regulation no longer warrants additional safeguarding or dissemination controls, it must be decontrolled. To achieve that, several actions must be taken:
Decontrol does not mean it is able to be publicly released. It must still be reviewed in accordance with DODI 5230.09. See example below of a decontrolled document.
Decontrolled Document Markings