Information may be Controlled Unclassified Information (CUI) in accordance with a law, regulation, or Government-wide policy that requires or permits an agency to handle it using safeguarding or dissemination controls. This means CUI is information that the government creates, possesses, or an entity creates or possesses for the government, which must be protected but is not classified under Executive Order 13526. The handling and safeguarding of CUI are governed by specific legal or regulatory requirements that mandate controlling access and dissemination to authorized individuals only.
Explanation of CUI
- CUI is information that is not classified but still requires protection under law, regulation, or government policy.
- It can include varied types of information like Personally Identifiable Information (PII), sensitive technical data, and business proprietary information.
- The Federal CUI Registry lists categories of CUI and the laws or regulations that apply to each.
Governing Authority
- CUI designation is based on legal and policy authority, not simply on discretion.
- Executive Order 13526 governs classified national security information, while CUI covers sensitive but unclassified information.
- Agencies must follow safeguarding and dissemination procedures as mandated by the governing laws and policies.
Handling Requirements
- CUI must be protected from unauthorized access and disclosure.
- Specific handling requirements may vary depending on the type of CUI (basic vs. specified categories).
- Agencies and authorized holders must have procedures in place to manage CUI according to the applicable authorities.
