Answer To “Information May Be CUI In Accordance With” Under DoD CUI Training

• Established by the then-President Barack Obama under Executive Order 13556, CUI is a centralized platform under the federal government that stores sensitive unclassified information.
• Information may be CUI in accordance with a law, regulation, or government-wide policy, as per the official documents.
• Unless authorized and directed by the government or someone with superior power from the federal body, one cannot access or share CUI information.

In the DoD Training Program, there is one question that often gets highlighted. And that is about what truly makes information classified or categorized as CUI. What should that data or information be in accordance with?

Controlled Unclassified Information, or CUI, is a program that deals with government information that is sensitive but not classified. They do not have the same level of security or protection when we compare it to other classified data and information.

While these are not classified, the government does not want to risk losing them. Hence, it streamlines and categorizes this information under CUI. Some of the most common examples of CUI include Social Security Numbers, personal information, and proprietary information. 

In this article, I will explain:

• What is CUI?
• Which information may be CUI in accordance with what?
• What is the role of NARA?
• What does not fall under CUI?

Additionally, I will also talk about what the DoD Mandatory Training Program is about. So, if these are some of the things that you want to know, keep on reading till the end…

What Is CUI?

As I have already mentioned above, Controlled Unclassified Information (CUI) refers to government-originated or government-held information that needs safeguarding or controlled dissemination under law, regulation, or government-wide policy.

What makes it different from other types of sensitive information under the government is the fact that these are not classified. Which means even though they are very important, they do not receive the same amount of protection or categorization under the federal government.

However, what you should understand is the fact that even though they are not classified, the government still would not want to risk losing them. Hence, in the year 2010, the then-president Barack Obama created CUI under the Executive Order 13556.

This portal, or centralized platform, which was completely new, had an ulterior motive. The marking system used in CUI categorization aimed to replace the old methods.

As per Summit 7, before the existence of CUI, “every agency used a different set of markings (FOUO, LES, SBU, UCTI, etc.), information classifications, and rules for how to manage and control the information.”

Furthermore, DoD CUI states that it is a control marking system and not a classification marking. They go on to state that these markings “alert recipients that special handling may be required to comply with law, regulation, or Government-wide policy.”

With the help of CUI, everything could be streamlined. Additionally, this also ensured that the sharing and accessing of such sensitive information is done in a safer manner.

Understanding The Executive Order 13556

Back in November 2010, President Barack Obama implemented Executive Order 13556, aiming to establish “an open and uniform program for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, excluding information that is classified under Executive Order 13526 of December 29, 2009, or the Atomic Energy Act, as amended.”

The data in question were those that needed safeguarding or dissemination controls. These were called by different names, and agencies had their own terminologies. For example, some of them coined labels like “Sensitive but Unclassified” or “For Official Use Only”.

The way these naming conventions were implemented, the requirements for handling, marking, dissemination, safeguarding, etc., of the documents were basically situation-driven and agency-specific.

The purpose of EO 13556 is to remove the inefficiencies and reduce the number of misunderstandings that arise from the elimination of the patchwork system by performing two things that are necessary.

Firstly, EO13556 defines the Controlled Unclassified Information (CUI) Program. And secondly, it assigns the National Archives and Record Administration (NARA) the position of CUI Executive Agent (EA). 

What Is The Role Of NARA?

It is the National Archives and Records Administration (NARA) that is primarily in charge of the identification, setting up the security measures, and safeguarding the controlled unclassified information (CUI).

NARA is a United States government independent agency set up in 1934, that, apart from other tasks, does the following:

• Preserves the historical record of the country.
• Leads and conducts research on records management.
• Facilitates access to historical data.

As stated in EO 13556, NARA is authorized as the CUI Executive Agent (EA) and is responsible for ensuring that the mandate of the Executive Order is fully met.

Here are some of the roles and responsibilities of NARA:

• Amending the overall program, announcing the program, and setting up the CUI Program.
• Agency actions to implement the CUI program will be reviewed, evaluated, and supervised by NARA.
• The management planning framework and the associated deadlines for phased implementation should be established.
• Approve existing subcategories and categories.
• An entity that maintains and updates the registry of CUI details.
• Prescribe oversight and agency self-inspection standards, procedures, and instructions.
• Respond and solve all kinds of issues, including disputes, complaints, and suggestions.

It is true that NARA is the one who is ultimately in charge of the CUI Program. However, the executive agency heads must also share the burden.

As stated by Tech Pros, a CUI senior agency official (SAO) must be appointed. They are the ones responsible for the supervision of the implementation, management, and adherence to the program.

In a sense, NARA supervises the program and draws the high-level guidelines, while the actual implementation and details are left at the discretion of executive agencies, their heads, and their respective SAOs.

Information May Be CUI In Accordance With What?

For information to be classified as CUI, it should be in accordance with “law, regulation, or government-wide policy.” In other words, for any information to be categorized as CUI, it needs to meet the following criteria:

• It’s unclassified but still requires safeguarding or controlled dissemination.
• It is governed by a specific law, regulation, or government-wide policy mandating or permitting such controls.
• It’s included in the CUI Registry maintained by NARA.

Therefore, if a federal law or a specific policy requires protection, and the particular category is listed in the CUI Registry, it can be classified as CUI.

What Is The DoD Mandatory Training Program?

The Department of Defense (DoD) requires all personnel with access to CUI—including contractors—to complete a mandatory training course that covers its full life cycle:

• Recognizing, marking, safeguarding, disseminating, and decontrolling CUI.
• Reporting security incidents.
• Proper destruction methods.

This training aligns with the CUI Program and includes 11 key requirements necessary to maintain compliance. Upon successful completion (70% passing score), participants earn a certification. 

The training also helps personnel understand distinctions between CUI Basic and CUI Specified. Additionally, it teaches about the procedures tied to the CUI Registry and implementation guidance under DODI 5200.48, the DoD instruction governing CUI.

Read Also:

• AT&T Data Breach: What Affected Customers of This $13 Million Class Action Should Know
• Section Officers in the US: Clerical Job or a Powerful Position?
• Is Section 8 Getting Cut Off: Answering The Most Asked!