Bits of information can act like puzzle pieces that an adversary may collect, aggregate, analyze, and exploit to do harm to or gain an advantage over the U.S. Sensitive information can be especially vulnerable to compromise due to its potential for aggregation. As such, it is crucial to have robust safeguards in place to protect this type of information.
What is CUI?
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. The CUI Program, established by Executive Order 13556 and implemented by 32 CFR part 2002, defines the need for protection of this type of information and establishes requirements for protecting it. The CUI Program addresses the designation, handling, and decontrolling of CUI in accordance with DoDI 5200.48, including CUI identification, sharing, marking, safeguarding, storage, dissemination, destruction, and records management.

Identifying CUI
Unclassified information associated with a law, regulation, or government-wide policy and identified as needing safeguarding is considered CUI. It requires access control, handling, marking, dissemination controls, and other protective measures for safeguarding. This may be information that the government creates or possesses, or that an entity creates or possesses for or on behalf of the government. CUI is clustered into organizational indexes (e.g., defense, privacy, proprietary) with associated categories, and is categorized by the DoD according to the specific law, regulation, or government-wide policy requiring control.
The authorized holder of a document or material is responsible for determining, at the time of creation, whether information in a document or material falls into a CUI category. If so, the authorized holder is responsible for applying CUI markings and dissemination instructions accordingly. The National Archives and Records Administration (NARA) maintains the CUI Registry, which lists the authorities that require or permit safeguarding or dissemination controls for specific types of information. The CUI Registry also provides a list of specific categories of CUI.
CUI Responsibilities and Training Requirements
Every individual at every level, including DoD civilians, military personnel, and contractors providing support to the DoD in accordance with contractual requirements, is required to comply with the requirements in DoDI 5200.48. The Department of Defense (DoD) has implemented a mandatory CUI training program to educate personnel on the proper handling, protection, and dissemination of CUI. All individuals, both cleared and uncleared, who perform U.S. Government-related work could be exposed to CUI. As such, we should all complete CUI training so that we have a thorough understanding of how to identify, handle, and protect CUI.

Reporting Requirements
Identifying and protecting CUI is imperative to keeping our country’s sensitive data safe from those who would do us harm. If you receive CUI and have not yet completed CUI training, you should contact your Facility Security Officer (FSO) immediately. When you receive CUI information, documents, or materials, you should notify your company’s FSO for awareness. If you find CUI that is not properly controlled or stored, you must report this to your company’s FSO.

Resources and Additional Learning
As always, if you have any questions about whether or not a situation requires reporting, ask your FSO! Your company’s FSO is the best person to help you navigate any questions you have about security compliance, briefing, and reporting requirements. As security professionals, we are here to help you navigate things to ensure you fulfill all requirements.