
What is the Purpose of the ISOO CUI Registry?

The CUI Program and this guide serve to implement Executive Order 13556, 32 CFR 2002 and the duties of the Information Security Oversight Office (ISOO). They offer agencies guidelines on marking, safeguarding, disclosing, sharing and disposing of information that does not qualify as classified but still requires safeguarding or dissemination controls.

Agencies and contractors must abide by consistent rules when handling non-classified sensitive information or face the possibility of ISOO enforcement action. This standardization brings consistency and clarity to the handling of non-classified sensitive data.

The purpose of the ISOO CUI Registry is to establish a common framework for the safeguarding of unclassified information.

The ISOO CUI Registry is designed to assist agencies in streamlining data management and collaboration while meeting federal security requirements. This helps reduce the risk of unauthorized disclosure, improves the ability to identify and correct system errors, and protects sensitive data from malicious activity. CUI policies also serve to minimize national security threats while simultaneously improving the efficiency of agency operations.

The CUI Registry is a central repository that defines which information requires safeguarding or dissemination controls under federal regulations or government-wide policies, covering both information already classified or unclassified and information newly identified for protection under the CUI Program. It is managed by OMB and published online via the National Archives and Records Administration; its governing regulations can be found at 32 CFR 2002.

To qualify as CUI, information must meet one or more of the following criteria:

1) It must be protected under the authority of an executive order, law, or policy document.

2) Additional safeguarding or dissemination controls must be required by an executive order, law, policy statement or the CUI Program.

3) Each container must be marked with a “CUI” banner and/or indicator as detailed in the CUI Marking Guide.

As well as mandating specific markings, CUI guidelines also specify minimum physical and procedural safeguarding requirements to protect CUI. These include storing CUI in a secured environment that is segregated from other information and accessible only to Authorized Holders. Electronic information must be password-protected on an encrypted system or network, with CUI indicators made visible on the login screen or via an alert that appears after login, and with headers that appear at the top of every printed output page.

CUI must always be stored or transmitted in an encrypted format to protect it from being read or understood by unintended third parties. Agencies must also follow specific procedures when transporting CUI, including protecting its transport containers against theft and never leaving them unattended. To meet this requirement, agencies can use various means such as portable storage devices and hoteling systems that isolate authorized holders’ workstations from those of non-authorized employees.

Before any controlled unclassified information (CUI) can be disseminated, it must first be properly marked by its originator and by authorized holders. Authorized holders must also complete the necessary CUI training and receive authorization from their senior agency official before handling or designating information as CUI. When disseminating CUI, authorized holders should review their agency’s CUI policy to determine whether any limitations or restrictions apply before releasing it.

As previously discussed, when an authorized holder wishes to share CUI with non-executive branch entities, they must enter into agreements or arrangements that adhere to the principles and purposes of the CUI Program. For instance, prepublication review and security policy review must follow standard DoD processes; similarly, the disposal of record copies must follow the appropriate disposal procedure.

The purpose of the ISOO CUI Registry is to provide a common framework for the safeguarding of unclassified information.

The ISOO CUI Registry creates a standard framework for safeguarding unclassified information that is subject to government-wide controls (access, handling, marking and dissemination). The Registry promotes transparency with the public by clearly outlining the categories and subcategories of sensitive data that need protection; furthermore, it helps ensure federal agencies take a consistent approach to categorizing this sensitive data in compliance with laws, regulations and government-wide policies.

The CUI Rule affects all Federal executive branch departments and agencies as well as contractors, vendors, and organizations handling Federal information on behalf of an agency. It establishes rules for designating, disseminating, safeguarding and disposing of CUI, as well as self-inspection and oversight requirements. Furthermore, agencies must use a uniform approach across their offices, facilities, systems and procedures when protecting sensitive data.

CUI rules provide a uniform framework for categorizing information that needs protecting, as well as specific guidance on how to label documents, emails and electronic storage devices accordingly. Documents or files containing CUI must be identified either by a banner label at the top of each document or by an indicator in the title bar or filename stating that they contain CUI. The CUI rule permits agencies to use additional administrative markings such as Pre-decisional, Draft or Deliberative to provide more context about sensitive information. While these supplemental markings do not impose additional safeguarding or dissemination controls, they can still be displayed prominently in document watermarks and banner labels for added context.

Electronic systems that store CUI must display its specific identifier and associated security controls. This includes email systems, web servers, file storage and archiving systems, and video telepresence systems. Documents containing CUI should first be reviewed by their creator or an authorized holder to ensure they satisfy the safeguarding and dissemination criteria before being forwarded to another individual or organization.

Authorized holders must ensure that those participating in meetings or discussions where CUI is shared have a lawful purpose for receiving it, confirm that each person is authorized to receive it, and document this process.

Once documents are no longer required, they must be destroyed according to the CUI rule. The methods of destruction must render all information indecipherable, unreadable and irrecoverable. Agencies may employ less expensive approaches than those required by classified information destruction regulations, but all documents containing CUI must still be identified accordingly.

A few commenters voiced concerns regarding the impact of the new rule on federal agencies’ ability to work with their partners and contractors, and the costs associated with using specialized equipment for shredding paper records containing CUI. Their concern stems from misinterpreting the rule’s mandate for standard destruction methods, which do not exceed those required to destroy classified information.



This post first appeared on CNNislands - Some New Ideas To Grow Your Business, please read the original post: here
