What is Controlled Unclassified Information?
Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and Government-wide policies but is not classified under Executive Order 13526 "Classified National Security Information" or the Atomic Energy Act, as amended.
Components must ensure their personnel receive initial and annual refresher CUI education and training, and maintain documentation of this training for audit purposes. We provide a mandatory training course for all DOD personnel with access to CUI. This course also fulfills CUI training requirements for industry when it is required by Government Contracting Activities for contracts with CUI requirements. Refer to the "Training & Education" section on this page for the link to the "DOD Mandatory Controlled Unclassified Information (CUI) Training" course.
Report DoD Component training completion data to the USD(I&S) annually or as directed.
In accordance with DODI 5200.48, CUI training standards must, at minimum:
- Identify individual responsibilities for protecting CUI.
- Identify the organizational index with CUI categories routinely handled by DoD personnel.
- Describe the CUI Registry, including purpose, structure, and location.
- Describe the differences between CUI Basic and CUI Specified.
- Identify the offices or organizations with DOD CUI Program oversight responsibilities.
- Address CUI marking requirements as described in the DODI 5200.48.
- Address the required physical safeguards and CUI protection methods as described in the DODI 5200.48.
- Address the destruction requirements and methods as described in the DODI 5200.48.
- Address the incident reporting procedures as described in the DODI 5200.48.
- Address methods for properly disseminating CUI within the DOD and with external entities inside and outside of the Executive Branch.
- Address the methods for properly decontrolling CUI as described in the DODI 5200.48.
CUI is NOT classified information and may only be marked as CUI if it belongs to a category established in the ISOO and/or DOD CUI Registry.
- The Information Security Oversight Office (ISOO) Registry
- The DOD CUI Registry
  - Provides an official list of the Indexes and Categories used to identify the various types of CUI used in DOD.
  - Mirrors the National ISOO CUI Registry (may provide additional information unique to the Department of Defense).
  - Is located at https://www.dodcui.mil.
What are examples of CUI?
CUI includes, but is not limited to, Controlled Technical Information (CTI), Personally Identifiable Information (PII), Protected Health Information (PHI), financial information, personal or payroll information, and operational information.
- Controlled Technical Information (CTI)
- Provided by a confidential source (person, commercial business, or foreign government) on condition it would not be released
- Related to contractor proprietary or source selection data
- That could compromise Government missions or interests
- Personally Identifiable Information (PII)
Personally Identifiable Information (PII) is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. PII includes, but is not limited to:
- Social Security Number
- Date and place of birth
- Mother’s maiden name
- Biometric records
- Protected Health Information
- Passport number
- Protected Health Information (PHI)
  - Is a subset of PII requiring additional protection
  - Is health information that identifies the individual
  - Is created or received by a healthcare provider, health plan, or employer, or a business associate of these
  - Relates to:
    - Physical or mental health of an individual
    - Provision of healthcare to an individual
    - Payment for the provision of healthcare to an individual
Steps to Identifying CUI
The mandatory marking for all DOD CUI is the CUI Banner/Footer with the CUI Designation Indicator (DI) Block. This is the main marking that appears at the top and bottom of all documents containing CUI. The Banner/Footer markings must appear as bold capitalized text and be centered at the top and bottom of every page. Even if there is CUI only on one page, the entire document must be marked as CUI. Pages not containing CUI may be marked as "UNCLASSIFIED" or "CUI" at the discretion of the authorized holder or originator.
CUI Designation Block
All documents containing CUI must have a CUI Designation Indicator (DI) Block to notify the recipient about information related to who originated the document. This may be accomplished through the use of a letterhead and four additional lines. If no letterhead is used, then a fifth line is required. The CUI DI Block is placed in the lower right hand corner or footer of the first page only and should include the following:
Controlled by: (If a letterhead or another standard indicator of origination is used, this line may be omitted. The second line must identify the office making the determination.)
Controlled by: [Name of DOD Component] (Only if not on letterhead)
Controlled by: [Name of Office]
CUI Category: (Agencies may use only those categories or subcategories approved by the CUI Executive Agent and published in the CUI Registry to designate information as CUI.)
Limited Dissemination Control: (Limited Dissemination Control (LDC) Markings can prevent a document from being shared with certain parties or notify others only certain parties should view it. They should only be used to further an authorized, lawful government purpose or when required by CUI authorities.)
POC and phone number
Portion marking of CUI is optional in classified documents and will appear in paragraphs or subparagraphs known to contain only CUI and must be portion marked with "(CUI)." "CUI" will not appear in the banner or footer.
If portion markings are applied, then all portions must be marked the same as with classified documents. Portions include subjects, titles, paragraphs and sub-paragraphs, bullet points and sub-bullet points, headings, pictures, graphs, charts, maps, reference list, etc. Do not apply portion marks to the CUI DI Block. When CUI portion marking is used, these rules must be followed:
- CUI portion markings are placed at the beginning of the paragraph to which they apply and must be used throughout the entire document.
- CUI portion markings are contained within parentheses and may include these elements:
- When CUI portion markings are used and a portion does not contain CUI, a "U" is placed in parentheses to indicate the portion contains uncontrolled unclassified information. If the CUI paragraphs are removed, the document will be decontrolled and no longer treated as CUI. It still must be reviewed before being publicly released.
- The document's banner/footer markings must be shown on each page even if portion marking is used – if not all pages contain CUI, they can be marked as "UNCLASSIFIED."
- As a best practice, keep the CUI and uncontrolled information in separate portions to the greatest extent possible to allow for maximum information sharing.
- There is the option to add a line at the bottom of the document stating that when certain pages or attachments are removed, the document is no longer CUI.
CUI Markings in a Classified Document
Documents containing both classified and CUI will be marked with the highest level of classification in both the banner and footer. Portion marking is mandatory. To the greatest extent possible, classified and CUI should not be commingled within a single paragraph or portion. The CUI should be a separate portion from the classified information. If it is merged in the same paragraph, it will be marked with the appropriate classification marking (C, S, TS, TS/SCI, etc.).
The CUI DI Block must be aligned with the classification authority block (on the lower left side of the document) on the lower right hand side.
To alert viewers that the presentation contains CUI:
- Include the CUI DI Block on the first slide.
- Apply the CUI banner/footer markings to the top & bottom of each slide.
- For slides not containing CUI, it is optional to mark them as unclassified.
- CUI should be included in the file name that will be sent out to the viewers.
When a spreadsheet contains CUI, it should provide warnings to potential viewers. Some options include:
- Use the CUI banner/footer markings.
- Use CUI DI Block to show the required information about the document.
- Include "CUI" in the filename.
Policies and Forms
All new policies and forms containing CUI must be marked IAW DODI 5200.48. As policy and forms are eligible or require updating, all legacy markings (For Official Use Only, FOUO; U//FOUO; etc.) must be removed. The items must be reviewed to determine if they meet the threshold for qualifying as CUI. If so, they need to be revised to include the new CUI marking requirements.
- Forms containing CUI when filled in must be marked accordingly.
- If space on the form is limited, cover sheets could be used for this purpose.
- Include a statement indicating the form is CUI when filled in.
Viewers must be made aware of the presence of CUI using a readily apparent method. IT systems containing CUI may have user access agreements and/or banners on each screen IAW DOD CIO information systems policies.
Extra administrative markings, such as Draft or Pre-decisional, may be used in documents containing CUI to inform recipients of the non-final status of the documents. However, these words can appear as part of the CUI banner either above or below the CUI banner/footer markings. Another best practice is to have them shown as a watermark behind the text of the document. If that is not possible, they may be shown elsewhere in the document as long as they are separate from the CUI banner/footer markings. Certain authorities may require other markings, information, warnings, etc. These markings will not be part of the banner/footer markings but must be included elsewhere on the page to comply with the governing authority. A best practice is to place them after the "SUBJECT LINE" for memorandums to alert the reader of particular limitations to access or sharing the document or material.
Dissemination & Distribution
No individual may have access to CUI information unless it is determined he or she has an authorized, lawful government purpose. CUI information may be disseminated within the DOD Components and between DOD Component officials and DOD contractors, consultants, and grantees to conduct official business for the DOD, provided dissemination is consistent with controls imposed by a distribution statement or limited dissemination controls (LDC).
CUI designated information may be disseminated to a foreign recipient in order to conduct official business for the DOD, provided the dissemination has been approved by a disclosure authority in accordance with DODI 5200.48, Paragraph 3.4.c and the CUI is appropriately marked as releasable to the intended foreign recipient.
- All e-mails must be encrypted and contain a CUI banner at the top and bottom of the e-mail.
- Do NOT USE YOUR PERSONAL E-MAIL to transmit CUI.
- Must contain a CUI Designation Indicator block.
- If including an attachment containing CUI, the file name must indicate there is CUI included.
- Portion markings are not required in an unclassified document containing CUI; however, when using portion markings within a CUI document, all document subjects and titles, as well as individual sections, parts, paragraphs, or similar portions of a CUI document known to contain CUI, will be portion marked with (CUI). Use of the unclassified marking (U) as a portion marking for unclassified information within CUI documents or materials is required.
- CUI markings in a classified document will appear in paragraphs or subparagraphs known only to contain CUI and must be portion marked with CUI. CUI will NOT appear in the banner or footer. In this instance, the header and footer will be annotated with the highest classification of the classified document.
- Address the interior envelope/package to a specific recipient (not to an office or an organization).
- Do not put CUI markings on the outside/exterior layer of the envelope/package.
- Use automated tracking on the package to ensure it was delivered to the correct recipient.
- The following methods may be used to mail/ship CUI:
  - US Postal Service (USPS)
  - Any commercial delivery service (FedEx, UPS)
  - Interoffice mail delivery / Interagency mail delivery
The sender is responsible for determining appropriate safeguarding is in place on the receiving end of the fax and that the fax machine is located in a controlled environment.
A fax coversheet is required indicating the presence of CUI.
- Be aware of your surroundings and take steps to ensure others can't overhear what you are saying – do not use wireless phones to discuss CUI.
- Protect or safeguard your surroundings to prevent shoulder-surfing. Don't allow CUI to be viewed by unauthorized individuals while you work with CUI documents printed out or displayed on a screen.
- Verify you are sharing only with someone who has an authorized, lawful government purpose for the information.
- An authorized, lawful government purpose is the standard for deciding when to share and when not to share CUI with coworkers, Executive Branch agencies, or non-Federal partners.
- CUI may only be shared with contractors when it is identified in their contract by the government. CUI should only be shared when it will help achieve the goals of a common mission or project.
CUI Self-Inspection Program
An agency Self-Inspection Program is required to internally manage and ensure compliance with the CUI Program.
A Self-Inspection Program evaluates:
- How you are complying with the requirements for protecting, marking, storing, transporting, and destroying CUI;
- if you are reporting UDs of CUI and submitting required reports;
- if training is carried out as required;
- and if there are management oversights in place.
Self-Inspection will also allow you to determine best practices, lessons learned, and to take corrective actions where necessary.
Agency Self-Inspection Program
- The agency must establish a self-inspection program.
- The self-inspection program must include:
  - At least annual review and assessment of the agency’s CUI program (The Senior Agency Official (SAO) may determine a greater frequency);
  - Self-inspection methods, reviews, and assessments that serve to evaluate program effectiveness, measure the level of compliance, and monitor the progress of CUI implementation;
  - Formats for documenting self-inspections and recording findings when not prescribed by the CUI Executive Agent (EA);
  - Procedures by which to integrate lessons learned and best practices arising from reviews and assessments into operational policies, procedures, and training;
  - A process for resolving deficiencies and taking corrective actions; and
  - Analysis and conclusions from the self-inspection program, documented on an annual basis and as requested by the CUI EA.
CUI must be stored in controlled environments that prevent or detect unauthorized access. Printed CUI documents must be protected by at least one physical barrier, such as a cover sheet or a locked bin/cabinet.
CUI may only be digitally stored in an authorized IT system/application provided it is:
- Configured at no less than the Moderate Confidentiality impact value
- Has limited access based on need, and
- Meets the requirements of DOD's IT Security Policy.
CUI must be protected at all times. This includes having CUI markings approved by the Information Security Oversight Office (ISOO), the CUI Executive Agent, on printed pages, and/or a CUI cover sheet to clearly identify the information as CUI when stored, transported, or when being used.
Placing a CUI marked document in a briefcase is acceptable for transport. There still should be one layer of protection (cover sheet, folder, or envelope) on the document.
You should notify the security manager by email or through some other means (sign-out sheet) of the removal of CUI from the work environment.
CUI must be decontrolled when the information no longer needs safeguarding. To achieve that, there are several actions:
- The authorized holder or originator (or their designated representative) determines the CUI must be decontrolled.
- The CUI document(s) or material(s) will have the CUI banner and footer markings lined through and replaced with “DECONTROLLED.”
Additionally, the CUI DI Block will have a diagonal line (45-degree angle) drawn through it with the name of the person and date of decontrol. Decontrol does not mean it is able to be publicly released. It must be reviewed in accordance with DODI 5230.09.
- Printed CUI documents must be kept under direct control of an authorized holder and protected by a cover sheet during transport from the printer or copier.
- Do not send CUI to the printer unless you are able to be at the printer when it prints.
- Do not let CUI documents sit on the printer/copier where unauthorized individuals can have access to the information.
- If possible, use a printer/copier requiring you to enter a code or CAC before printing.
- CUI documents must have the proper CUI markings on each printed page.
Guidance for destroying CUI documents and materials is provided in the DODI 5200.48, the CUI Registry, and ISOO Notice 2019-03. CUI documents and materials will be formally reviewed in accordance with Paragraphs a. and b. below before approved disposition authorities are applied, including destruction. Media containing CUI must include decontrolling indicators.
- Record and non-record copies of CUI documents will be disposed of in accordance with Chapter 33 of Title 44, U.S.C. and the DoD Components' records management directives. When destroying CUI, including in electronic form, agencies must do so in a manner making it unreadable, indecipherable, and irrecoverable. If the law, regulation, or government-wide policy specifies a method of destruction, agencies must use the method prescribed.
- Record and non-record CUI documents may be destroyed by means approved for destroying classified information or by any other means making the original information unreadable, indecipherable, and unrecoverable, such as those identified in NIST SP 800-88 and in accordance with Section 2002.14 of Title 32, CFR.
Reporting CUI Incidents
You must report all known or suspected CUI incidents to your supervisor and/or security manager as soon as you become aware of a possible CUI incident.
A CUI incident can come in many different forms. Examples include:
- finding papers with CUI markings left unattended,
- knowing information in a document or system is CUI but is not marked properly, or
- emailing unencrypted CUI outside of your network.
The Unauthorized Disclosure (UD) Policy discusses the process for reporting all types of incidents and the procedures to be followed for CUI incidents. UD is closely related to the Insider Threat Program.
"How to Respond to an Unauthorized Disclosure (UD) of Classified and Controlled Unclassified Information (CUI)" contains information that is not necessarily found in policy. Where it is not found in policy, it is listed as a useful practice. Please refer to your Component specific guidance. For FSOs, please follow guidance in the NISPOM DOD 5220.22-M.
"The DOD Unauthorized Disclosure Desk Reference" provides information on important definitions, required documentation, the Unauthorized Disclosure Program Management Office (UD PMO), what unauthorized disclosures should be reported to the UD PMO (even when attribution has not been made), and how the UD PMO reports media leaks to the Department of Justice (DOJ).