Controlled Unclassified Information (CUI) Toolkit

CUI security awareness products for DOD employees and our industry partners

What is Controlled Unclassified Information?

Per Department of Defense Instruction (DODI) 5200.48 “Controlled Unclassified Information” March 6, 2020, the Department of Defense’s (DOD) policy for Controlled Unclassified Information (CUI), CUI requires safeguarding measures identified by the CUI Executive Agent in Part 2002.14 of Title 32, CFR, and, as necessary, in the law, regulation, or government-wide policy with which it is associated.

CUI, defined in Part 2002.14 of Title 32, CFR, is information the government or an entity creates or possesses, for or on behalf of the government, that a law, regulation, or government-wide policy requires an agency to handle using safeguarding or dissemination controls.

CUI does not include classified information. Classified information is information that Executive Order 13526, “Classified National Security Information,” December 29, 2009, any predecessor or successor order, or the Atomic Energy Act of 1954, as amended, requires agencies to mark with security classification markings and protect against unauthorized disclosure.

Training Requirements

The Office of the Secretary of Defense (OSD) and Department of Defense (DOD) Components’ heads must ensure their personnel receive initial and annual refresher CUI education and training, maintain documentation of this training for audit purposes, and report Component training completion data to the Under Secretary of Defense for Intelligence and Security (USD(I&S)) annually or as directed.

The training on CUI must, at minimum:

  1. Identify individual responsibilities for protecting CUI.
  2. Identify the organizational index groups with CUI categories routinely handled by DOD personnel.
  3. Describe the CUI Registry, including purpose, structure, and location.
  4. Describe the differences between CUI Basic and CUI Specified.
  5. Identify the offices or organizations with DOD CUI Program oversight responsibilities.
  6. Address CUI marking requirements as described in DODI 5200.48.
  7. Address the required physical safeguards and CUI protection methods as described in the DODI 5200.48.
  8. Address the destruction requirements and methods as described in DODI 5200.48.
  9. Address the incident reporting procedures as described in DODI 5200.48.
  10. Address methods for properly disseminating CUI within the DOD and with external entities inside and outside of the Executive Branch.
  11. Address the methods for properly decontrolling CUI as described in DODI 5200.48.

The eLearning course “DOD Mandatory Controlled Unclassified Information (CUI) Training” is the mandatory training course for all DOD personnel with access to CUI. The course provides information on the eleven training requirements for accessing, marking, safeguarding, decontrolling, and destroying CUI, along with the procedures for identifying and reporting security incidents. This course also fulfills CUI training requirements for industry when it is required by Government Contracting Activities for contracts with CUI requirements. Refer to the "Training & Education" section on this page for the links to the course.

Identifying CUI

To determine if a set of unclassified information is CUI, compare the information to the categories and subcategories in the DOD CUI Registry. Unclassified information may only be marked as CUI if it aligns with a category established in the Information Security Oversight Office (ISOO) and DOD CUI Registries:

  • The ISOO Registry
  • The DOD CUI Registry  
    • The DOD CUI Registry mirrors the National CUI Registry, but it provides additional information on the relationships to DOD by aligning each Index and Category to DOD policies and providing relevant examples of each category.
    • It is located at: https://www.dodcui.mil/CUI-Registry-New/.

Steps to Identifying CUI

Type and Examples of CUI

CUI includes (but is not limited to) Controlled Technical Information, Health Information, General Privacy Information (including certain types of personally identifiable information), and Personnel Records (of federal employees).

Controlled Technical Information (CTI)

DOD CUI Registry category page: https://www.dodcui.mil/Defense/Controlled-Technical-Information/.

Technical information (for example, technical data or computer software) with military or space application whose export could reasonably be expected to adversely affect U.S. national security and nonproliferation objectives and is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. This term does not include information that is lawfully publicly available without restrictions. "Technical Information" means technical data or computer software, as those terms are defined in Defense Federal Acquisition Regulation Supplement clause 252.227-7013, "Rights in Technical Data - Noncommercial Items" (48 CFR 252.227-7013).

Protected Health Information (PHI)

DOD CUI Registry category page: https://www.dodcui.mil/Privacy/Health-Information/.

Any information, whether oral or recorded in any form or medium, that (A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

General Privacy Information

DOD CUI Registry category page: https://www.dodcui.mil/Privacy/General-Privacy/.

Personal information, or, in some cases, PII, or means of identification. PII, a necessarily broad term, refers to information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. Information that is not PII can become PII whenever additional information becomes available—in any medium or from any source—that would make it possible to identify an individual. Means of identification is any name or number that may be used, alone, or in conjunction with any other information, to identify a specific individual.

Examples of PII and means of identification:

  • Social security number
  • Driver's license or state identification number
  • Alien Registration Number
  • Financial account number
  • Biometric identifiers (fingerprint, voiceprint, iris scan)
  • Date of birth
  • Full name
  • Citizenship or immigration status
  • Ethnic or religious affiliation
  • Criminal history
  • System authentication information (passwords, PINs)

Personnel Records

DOD CUI Registry category page: https://www.dodcui.mil/Privacy/Personnel-Records/.

Personnel records of federal employees.

Marking CUI

Minimum Marking Requirements

During DOD's initial implementation of the CUI Program, all DOD CUI will be protected in accordance with the requirements under the Basic level of safeguards and dissemination unless specifically identified otherwise in a law, regulation, or government-wide policy. Required dissemination controls are outlined when applicable for each CUI category in the DOD CUI Registry.

In this current phase, the mandatory minimum marking requirements for all DOD CUI are:

  • The acronym "CUI," as bold capitalized text, centered in the banner and footer of each page.
  • The CUI Designation Indicator (DI) block on the first page or cover.

CUI Designation Indicator Block

All documents containing CUI must include the CUI DI block to immediately notify the recipient about information related to the document and the originator. This can be accomplished by using the official letterhead and including specific details about the originating office that controls the information, the CUI category(s), the Limited Dissemination Controls or required Distribution Statement(s) if applicable, and a Point of Contact (POC) to reach out to regarding questions about the information. In accordance with the DOD Controlled Unclassified Information Markings handbook (CUI Marking Aid), the CUI DI block is typically placed in the lower right-hand corner or footer of the first page only. It typically appears in a five-line format as exemplified below:

Controlled by: [Name of DoD Component] (Include this line only if not on letterhead)
Controlled by: [Name of Office]
CUI Category(s): (Agencies may use only those categories or subcategories approved by the CUI Executive Agent and published in the CUI Registry to designate information as CUI. Some information qualifies as more than one category.)
Limited Dissemination Control/Distribution Statement: (Limited Dissemination Control (LDC) Markings can prevent a document from being shared with certain parties or notify others only certain parties should view it. These controls should only be used to further an authorized, lawful, government purpose or when required by CUI authorities. Controlled Technical Information (CTI) is to be marked with one of the Distribution Statements B through F in accordance with DODI 5230.24.)
POC: (Should include a primary phone number or email address)

CUI Markings in an Unclassified Document Containing CUI

Portion markings are optional on unclassified documents containing CUI; however, if used, they must be applied consistently to all portions. Portions include subjects, titles, paragraphs and sub-paragraphs, bullet points and sub-bullet points, headings, pictures, graphs, charts, maps, reference lists, etc. Do not apply portion markings to the CUI DI block.

  • When using CUI portion markings, place “(CUI)”, in parentheses, at the beginning of the portion to indicate that the portion contains CUI.
  • For portions not containing CUI, place an Unclassified portion marking "(U)" in parentheses at the beginning of the portion to indicate the portion contains uncontrolled unclassified information.
  • The document's banner and footer markings must be shown on each page even if portion markings are used—if an individual page does not contain CUI, it can be marked as "UNCLASSIFIED."
  • As a best practice, keep the CUI and uncontrolled unclassified information in separate portions to the greatest extent possible to allow for maximum information sharing.
  • There is the option to add a line or note at the bottom of the document to state that when certain pages or attachments are removed, the document is no longer CUI.

CUI Markings in a Classified Document Containing CUI

Documents containing both classified and CUI will be marked with the highest level of classification in both the banner and footer. Portion marking is mandatory in classified documents. CUI markings in classified documents will only appear in portions containing CUI and will be marked as “(CUI).” If it is not possible to ensure CUI only appears in portions that only contain CUI, the portion marking will reflect the highest classification level in the portion, and CUI will not appear in the banner and footer line.

Both the classification authority block (CAB) and the CUI DI block should be placed at the bottom of the first page. The CAB should appear on the lower left and the DI block on the lower right.

PowerPoint Presentations

To alert viewers that the PowerPoint presentation contains CUI:

  • Include the CUI DI block on the first slide
  • Apply the “CUI” banner and footer markings on the top and bottom of each slide
  • For the slides in the presentation not containing CUI, it is optional to mark them as unclassified

Spreadsheets

When a spreadsheet contains CUI, it should provide warnings to viewers. Options include using:

  • “CUI” banner and footer markings
  • CUI DI block to provide the required information about the document

Policies and Forms

Policies and forms containing CUI must be marked in accordance with DODI 5200.48, “Controlled Unclassified Information,” Section 3.2. As policies and forms become eligible for or require updating, all legacy markings (For Official Use Only, FOUO; U//FOUO; etc.) must be removed. DOD legacy material will not be required to be re-marked or redacted while it remains under DOD control or is accessed online and downloaded for use within DOD. The items must be reviewed to determine if they meet the threshold for qualifying as CUI. If so, they need to be revised to include the new CUI minimum marking requirements.

  • Forms containing CUI, when filled in, must be marked as CUI
  • If space on the form is limited, cover sheets can be used for this purpose.
  • Include a statement indicating the form is CUI when filled in.

Administrative/Supplemental Markings

Extra administrative markings, such as Draft or Pre-decisional, may be used in documents containing CUI to inform recipients of the non-final status of the documents.

Best practices for administrative/supplemental markings include:

  • Markings shown as a watermark behind the text of the document
  • Markings elsewhere in the document if they are separate from the CUI banner/footer markings
  • Other markings, information, or warnings that are not part of the banner/footer markings, but are included elsewhere on the page to comply with the minimum marking requirements outlined in policy

Reproducing CUI

Printing/Copying

Authorized holders of CUI may reproduce it (e.g., copy, scan, print, or electronically duplicate) for a lawful, government purpose. When reproducing CUI documents on equipment such as printers, copiers, scanners, or fax machines, they must use equipment that does not retain data, unless the data can be sanitized in accordance with NIST SP 800-53.

During working hours, the risk of unauthorized personnel accessing CUI must be minimized by not leaving the information unattended, including on copiers, printers, and fax machines.

Storing CUI

Authorized holders of CUI must establish a controlled environment for storing CUI, meaning there are sufficient internal security measures in place to prevent or detect unauthorized access to CUI. In DOD, open storage environments can be made controlled environments for CUI.

Controlled Environment and Storage for CUI

CUI must be stored in controlled environments suitable for preventing or detecting unauthorized access.

During working hours, take steps to minimize the risk of access by unauthorized personnel, by not reading, discussing, or leaving CUI information unattended when unauthorized personnel are present.

After working hours, store CUI in unlocked containers, desks, or cabinets if the government or contractor building provides security for continuous monitoring of access. If continuous monitoring security is not provided, the containers, desk, cabinets, or rooms where the CUI is stored must be locked.

Electronically Storing CUI

CUI may only be digitally stored on authorized DOD Information Technology (IT) systems or applications provided they are categorized at no less than the “moderate” confidentiality impact level and implement guidance in DOD Instruction (DODI) 8500.01, Cybersecurity, and DODI 8510.01, Risk Management Framework for DOD Systems.

  • A splash screen warning and notice of consent must appear to alert users of the presence of CUI on IT systems, networks, and programs operating on the various domains. This ensures proper safeguarding and dissemination controls are implemented in accordance with 32 CFR, Part 2002 and DODI 5200.48.

Self-Inspection

In accordance with 32 CFR 2002, DOD component heads must maintain internal oversight measures and monitor implementation and management of the CUI Program.

CUI Self-Inspection Annual Report

DOD component heads are required to conduct an annual inspection of their component’s CUI program, which includes creating an annual self-inspection report. The report must cover all aspects of your CUI program implementation activities.

CUI Self-Inspection Program

The CUI self-inspection program must include:

  1. At minimum, an annual review and assessment of the agency’s CUI program. The Senior Agency Official (SAO) may determine a greater frequency.
  2. Self-inspection methods, reviews, and assessments that serve to evaluate program effectiveness, measure the level of compliance, and monitor the progress of CUI policy implementation that includes ensuring:
    • Compliance with requirements for marking, storing, sharing, decontrolling, and destroying CUI.
    • Unauthorized Disclosure of CUI reporting requirements are met.
    • CUI mandatory training requirements are met.
    • Management oversights are in place.
  3. Formats for documenting self-inspections and recording findings when not prescribed by the CUI Executive Agent (EA).
  4. Procedures for integrating the lessons learned as well as the best practices that arise from reviews and assessments into operational policies, procedures, and training.
  5. A process for resolving identified deficiencies and taking corrective actions.
  6. Analysis and conclusions from the self-inspection program, documented on an annual basis and as requested by the CUI EA.

Disposal

Dispose of record and non-record copies of CUI in accordance with Chapter 33 of Title 44, U.S.C., “Disposal of Records,” and the DOD Components' records management directives.

Destruction

Authorized holders may destroy CUI when the Component no longer needs the information and when records disposition schedules published or approved by the National Archives and Records Administration (NARA) allow. Guidance for destroying CUI documents and materials is provided in Section 2002.12 of 32 CFR Part 2002 “Controlled Unclassified Information”, Section 4.5 of DODI 5200.48, the CUI Registry, and the Information Security Oversight Office’s (ISOO) CUI Notice 2019-03 “Destroying Controlled Unclassified Information (CUI) in Paper Form”. When destroying CUI, including electronic CUI, it is required to use a method that makes it unreadable, indecipherable, and irrecoverable. In accordance with regulatory guidance:

  • Use a destruction method specifically required by law, regulation, or government-wide policy if it exists.
  • When a specific destruction method is not required by a law, regulation, or government-wide policy, use the destruction guidance in NIST SP 800-53, “Security and Privacy Controls for Federal Information Systems and Organizations” and NIST SP 800-88, rev 1, “Guidelines for Media Sanitization”, or use any method approved for destroying Classified National Security Information.

Destroying Paper CUI

ISOO’s CUI Notice 2019-03 “Destroying Controlled Unclassified Information (CUI) in Paper Form” clarifies certain aspects of the requirement for destroying CUI in paper form as outlined in the 32 CFR, Part 2002.

Destroying Other Media Types of CUI

  • NIST SP 800-88, rev 1, “Guidelines for Media Sanitization” describes authorized methods for destroying media types (other than paper) containing CUI.
  • In accordance with DODI 5200.48, Section 4.5, media containing CUI must include decontrolling indicators.

Reporting CUI Incidents

Report misuse, mishandling, or unauthorized disclosure (UD) of CUI to the Unauthorized Disclosure Program Management Office (UD PMO) as soon as possible. Also, when applicable, notify the appropriate Military Department Counterintelligence Organization of all incidents.

The DOD Component’s Senior Agency Official and the CUI Component Program Manager must establish procedures to ensure prompt and appropriate action is taken to manage incidents involving the misuse or mishandling of CUI. These actions should include focus on correcting or eliminating the conditions that are contributing to CUI-related incidents.

Examples of CUI incidents include:

  • Finding papers with CUI markings left unattended
  • Knowing information in a document or system is CUI, but not marking information properly
  • Emailing unencrypted CUI outside of your network

DOD regulatory guidance discusses the reporting process for all types of UD incidents and procedures to be followed for both CNSI and CUI incidents. UD is closely related to the Insider Threat Program.

How to Respond to an Unauthorized Disclosure (UD) of Classified and Controlled Unclassified Information (CUI) provides guidance for appropriately responding to a UD in accordance with policy. Also refer to your Component for specific guidance. For Facility Security Officers (FSOs), follow guidance in 32 CFR, Part 117, National Industrial Security Program Operating Manual (NISPOM).

The DOD Unauthorized Disclosure Desk Reference provides information on:

  • Important definitions
  • Required UD documentation
  • UD PMO contact information
  • UDs reportable to UD PMO (even when attribution has not been made)
  • How the UD PMO reports media leaks to the Department of Justice (DOJ)
  • CUI Registry Information
  • CUI Training Information
  • Limited Dissemination Control for CUI
  • Distribution Statements and CUI
  • Tips for Sharing and Safeguarding CUI

Sharing/Disseminating CUI

CUI access should be encouraged and permitted to the greatest extent possible. An individual or organization generally does not need to demonstrate a need-to-know to access CUI, unless that is specifically required by a law, regulation, or government-wide policy. Individuals may only have access to CUI when it:

  • Furthers a lawful, government purpose.
  • Is not otherwise prohibited by any other law, regulation, or government-wide policy
  • Is not restricted by an authorized Limited Dissemination Control (LDC).

Limited Dissemination Controls

DOD components may use the approved CUI LDCs, as applicable, to limit access to CUI.

  • Components cannot use LDCs to unnecessarily restrict CUI access.
  • When DOD Components need to retain certain agency-specific CUI within their organizations, they may use the specific approved LDCs that limit access to those on an accompanying dissemination list.
  • The DOD CUI Registry outlines requirements for LDCs when applicable on each CUI category page.

Distribution Statements

Controlled Technical Information (CTI) is a category of CUI that must be marked with Distribution Statements in accordance with Department of Defense Instruction 5230.24, “Distribution Statements on DOD Technical Information,” January 10, 2023, as amended. The required Distribution Statement serves as an export control warning, in accordance with national-level and DOD policy.

Sharing CUI with Foreign Entities

The Under Secretary of Defense for Intelligence and Security Memorandum “Change to Policy on Sharing Controlled Unclassified Information With Foreign Entities,” January 13, 2024, eliminates the requirement in Paragraph 3.7(b)(4) of DODI 5200.48 that a positive foreign disclosure decision must be made before CUI is released to a foreign entity. DOD-authorized holders of CUI may provide CUI to foreign entities to conduct official business for DOD and the United States government if there is a lawful, government purpose to do so, unless the CUI is expressly marked as not releasable to foreign nationals (“NOFORN”) by the originator.

Emailing CUI

  1. Do not use your personal email to transmit CUI.
  2. DOD information systems processing or transmitting CUI must be categorized at least at the moderate confidentiality impact level.
  3. All emails must be encrypted and must include a CUI banner at the top and bottom of the email. DOD SAFE is approved to share CUI, but files must also be encrypted.
  4. Email correspondence containing CUI must contain the CUI Designation Indicator (DI) block.
  5. If including an attachment that contains CUI, the file name of the attachment must indicate there is CUI included.
  6. Portion markings are not required on unclassified documents/emails that contain CUI; however, when portion markings are used they must be applied consistently to all sections. This includes subjects and titles, as well as individual parts, paragraphs, sub-paragraphs, or similar portions known to contain CUI. Use the portion markings (CUI) or (U) as applicable. When portion markings are used, it is required to portion mark the unclassified sections of the CUI document with (U).
  7. CUI markings in a classified document will appear in paragraphs or subparagraphs known only to contain CUI and must be portion marked with CUI. In this instance, the header and footer will be annotated with the highest classification of the classified document. CUI will NOT appear in the banner or footer.

Transporting CUI

Authorized holders of CUI must protect it from unauthorized access or observation when outside of a controlled environment, including during physical transport from one area or location to another, by using at least one physical barrier (e.g., cover sheet, folder, or envelope).

Mailing CUI

  1. Address the interior envelope/package to a specific recipient (not to an office or an organization).
  2. Do not place CUI markings on the outside/exterior layer of the envelope/package.
  3. Use automated tracking on the package to ensure delivery to the correct recipient.
  4. The following methods may be used to mail/ship CUI:
    • US Postal Service (USPS)
    • Any commercial delivery service (e.g., FedEx, UPS)
    • Interoffice mail delivery/Interagency mail delivery

Faxing CUI

The authorized holder sending CUI is responsible for determining and ensuring that appropriate safeguarding is in place on the receiving end of the fax.

Wireless Telephones and CUI

Avoid wireless telephone transmission of CUI when other options are available. CUI should only be transmitted on systems that meet NIST 800-171 and 800-53 standards for federal and non-federal systems.

Decontrolling CUI

CUI will be decontrolled when the information no longer requires safeguarding. Decontrolling CUI is similar to declassifying a classified document; however, there are no specific timelines to decontrol CUI unless required by a law, regulation, or government-wide policy. When a law, regulation, or government-wide policy no longer warrants additional safeguarding or dissemination controls, the information must be decontrolled. To achieve that, several actions must be taken:

  • The authorized holder or originator (or their designated representative) determines if and when the CUI must be decontrolled.
  • The CUI document(s) or material(s) will have the CUI banner and footer markings lined through and replaced with “DECONTROLLED”.
  • The CUI Designation Indicator (DI) block will have a 45-degree diagonal line drawn through it with the name of the person/date of decontrol.

When CUI is decontrolled, this does not mean it is available for public release. The CUI originator or authorized CUI holder must ensure the prepublication security review process is conducted before the information can be approved for public release. The information must still be reviewed in accordance with DODI 5230.09, Clearance of DOD Information for Public Release. See the example below of a decontrolled document.

[Image: Decontrolled Document Markings]