Who is responsible for protecting CUI?


The responsibility for protecting Controlled Unclassified Information (CUI) primarily lies with the individuals or organizations who possess or handle the CUI. This includes Department of Defense (DoD) military personnel, civilians, contractors, and any employees or contractors within organizations that manage CUI. More specifically:

  • The DoD oversees safeguarding classified national security information and sets policies and procedures that government contractors must follow to protect CUI.
  • Contractors working under DoD contracts that include the DFARS 252.204-7012 clause are responsible for protecting CUI. This responsibility extends to ensuring that any Managed Service Providers or Cloud Service Providers they use also comply with the required protection standards.
  • Within federal agencies, CUI Designating Officials determine what information qualifies as CUI, while Information Owners and Program Managers ensure proper marking and handling of CUI.
  • Authorized holders of the information at the time of creation are responsible for applying CUI markings and dissemination instructions.
  • Organizations must identify specific persons responsible for protecting CUI. These persons must have authorized access, complete required CUI training, and ensure that all personnel supporting contracts with CUI requirements are trained and that adequate resources are in place to safeguard CUI.

In summary, while the DoD provides oversight and policy, the ultimate responsibility for protecting CUI rests with the individuals and organizations who create, handle, or possess the information, including contractors and their subcontractors, who must implement and enforce appropriate security measures and training.