Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and Government-wide policies but is not classified under Executive Order 13526 "Classified National Security Information" or the Atomic Energy Act, as amended.
Components must ensure their personnel receive initial and annual refresher CUI education and training, and maintain documentation of this training for audit purposes. We provide a mandatory training course for all DOD personnel with access to CUI. This course also fulfills CUI training requirements for industry when it is required by Government Contracting Activities for contracts with CUI requirements. Refer to the "Training & Education" section on this page for the link to the "DOD Mandatory Controlled Unclassified Information (CUI) Training" course.
Report DoD Component training completion data to the USD(I&S) annually or as directed.
In accordance with DODI 5200.48, CUI training standards must, at minimum:
CUI includes, but is not limited to, Controlled Technical Information (CTI), Personally Identifiable Information (PII), Protected Health Information (PHI), financial information, personal or payroll information, and operational information.
The mandatory marking for all DOD CUI is the CUI Banner/Footer with the CUI Designation Indicator (DI) Block. This is the main marking that appears at the top and bottom of all documents containing CUI. The Banner/Footer markings must appear as bold capitalized text and be centered at the top and bottom of every page. Even if there is CUI only on one page, the entire document must be marked as CUI. Pages not containing CUI may be marked as "UNCLASSIFIED" or "CUI" at the discretion of the authorized holder or originator.
All documents containing CUI must have a CUI Designation Indicator (DI) Block to notify the recipient about information related to who originated the document. This may be accomplished through the use of a letterhead and four additional lines. If no letterhead is used, then a fifth line is required. The CUI DI Block is placed in the lower right hand corner or footer of the first page only and should include the following:
Portion marking of CUI is optional in classified documents and will appear in paragraphs or subparagraphs known to contain only CUI and must be portion marked with "(CUI)." "CUI" will not appear in the banner or footer.
IF portion markings are applied, then all portions must be marked the same as with classified documents. Portions include subjects, titles, paragraphs and sub-paragraphs, bullet points and sub-bullet points, headings, pictures, graphs, charts, maps, reference list, etc. Do not apply portion marks to the CUI DI Block. When CUI portion marking is used, these rules must be followed:
Documents containing both classified and CUI will be marked with the highest level of classification in both the banner and footer. Portion marking is mandatory. To the greatest extent possible, classified and CUI should not be commingled within a single paragraph or portion. The CUI should be a separate portion from the classified information. If it is merged in the same paragraph, it will be marked with the appropriate classification marking (C, S, TS, TS/SCI, etc.).
The CUI DI Block must be aligned with the classification authority block (on the lower left side of the document) on the lower right hand side.
To alert viewers that the presentation contains CUI:
When a spreadsheet contains CUI, it should provide warnings to potential viewers. Some options include:
All new policies and forms containing CUI must be marked IAW DODI 5200.48. As policy and forms are eligible or require updating, all legacy markings (For Official Use Only, FOUO; U//FOUO; etc.) must be removed. The items must be reviewed to determine if they meet the threshold for qualifying as CUI. If so, they need to be revised to include the new CUI marking requirements.
Viewers must be made aware of the presence of CUI using a method readily apparent. For IT systems containing CUI. IT Systems may have user access agreements and/or banners on each screen IAW DOD CIO information systems policies.
Extra administrative markings, such as Draft or Pre-decisional, may be used in documents containing CUI to inform recipients of the non-final status of the documents. However, these words can appear as part of the CUI banner either above or below the CUI banner/footer markings. Another best practice is to have them shown as a watermark behind the text of the document. If that is not possible, they may be shown elsewhere in the document as long as they are separate from the CUI banner/footer markings. Certain authorities may require other markings, information, warnings, etc. These markings will not be part of the banner/footer markings but must be included elsewhere on the page to comply with the governing authority. A best practice is to place them after the "SUBJECT LINE" for memorandums to alert the reader of particular limitations to access or sharing the document or material.
No individual may have access to CUI information unless it is determined he or she has an authorized, lawful government purpose. CUI information may be disseminated within the DOD Components and between DOD Component officials and DOD contractors, consultants, and grantees to conduct official business for the DOD, provided dissemination is consistent with controls imposed by a distribution statement or limited dissemination controls (LDC).
CUI designated information may be disseminated to a foreign recipient in order to conduct official business for the DOD, provided the dissemination has been approved by a disclosure authority in accordance with DODI 5200.48, Paragraph 3.4.c and the CUI is appropriately marked as releasable to the intended foreign recipient.
The sender is responsible for determining appropriate safeguarding is in place on the receiving end of the fax and that the fax machine is located in a controlled environment.
A fax coversheet is required indicating the presence of CUI.
An agency Self-Inspection Program is required to internally manage and ensure compliance with the CUI Program.
A Self-Inspection Program evaluates:
Self-Inspection will also allow you to determine best practices, lessons learned, and to take corrective actions where necessary.
CUI must be stored in controlled environments that prevent or detect unauthorized access. Printed CUI documents must be protected by at least one physical barrier, such as a cover sheet or a locked bin/cabinet.
CUI may only be digitally stored in an authorized IT system/application provided it is:
CUI must be protected at all times. This includes having the Information Security Oversight Office (ISOO), the CUI Executive Agent, approved CUI markings on printed pages, and/or a CUI cover sheet to clearly identify the information as CUI when stored, transported, or when being used.
Placing a CUI marked document in a briefcase is acceptable for transport. There still should be one layer of protection (cover sheet, folder, or envelope) on the document.
You should notify the security manager by email or through some other means (sign-out sheet) of the removal of CUI from the work environment.
CUI must be decontrolled when the information no longer needs safeguarding. To achieve that, there are several actions:
Additionally, the CUI DI Block will have a diagonal line (45-degree angle) drawn through it with the name of the person and date of decontrol. Decontrol does not mean it is able to be publicly released. It must be reviewed in accordance with DODI 5230.09.
Guidance for destroying CUI documents and materials is provided in the DODI 5200.48, the CUI Registry, and ISOO Notice 2019-03. CUI documents and materials will be formally reviewed in accordance with Paragraphs a. and b. below before approved disposition authorities are applied, including destruction. Media containing CUI must include decontrolling indicators.
You must report all known or suspected CUI incidents to your supervisor and/or security manager as soon as you become aware of a possible CUI incident.
A CUI incident can come in many different forms. Examples include: