Everything you need to know about Controlled Unclassified Information (CUI). The questions are broken into the following sections:
General CUI
What is CUI?
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and Government-wide policies, but is not classified under Executive Order 13526 “Classified National Security Information” or the Atomic Energy Act, as amended.
What are examples of CUI?
CUI is an umbrella term that encompasses many different markings to identify information that is not classified but which should be protected. Some examples you may be familiar with:
- Personally Identifiable Information (PII)
- Sensitive Personally Identifiable Information (SPII)
- Proprietary Business Information (PBI) or currently known within EPA as Confidential Business Information (CBI)
- Unclassified Controlled Technical Information (UCTI)
- Sensitive but Unclassified (SBU)
- For Official Use Only (FOUO)
- Law Enforcement Sensitive (LES), and others.
What is the Federal CUI Registry?
The Federal CUI Registry, shows authorized categories and associated markings, as well as applicable safeguarding, dissemination, and decontrol procedures. The Registry is updated as agencies continue to submit governing authorities that authorize the protection and safeguarding of sensitive information.
Program Background
What is the CUI Program?
Executive Order 13556, Controlled Unclassified Information, requires the Executive Branch to “establish an open and uniform program for managing [unclassified] information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and Government-wide policies.” The National Archives and Records Administration (NARA) was named the Executive Agent (EA) responsible for overseeing the CUI Program.
On September 14, 2016, NARA issued a final rule amending 32 CFR Part 2002 to establish a uniform policy for all Federal agencies and prescribe Government-wide program implementation standards, including designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI; self-inspection and oversight requirements; and other facets of the CUI Program.
Why was CUI established?
Federal agencies routinely generate, use, store, and share information that, while not meeting the threshold for classification as national security or atomic energy information, requires some level of protection from unauthorized access and release.
Historically, each agency developed its own practices for sensitive unclassified information, resulting in a patchwork of systems across the Executive branch, in which similar information might be defined or labeled differently, or where dissimilar information might share a definition and/or label. CUI was established to standardize the way the Executive branch handles sensitive information that requires dissemination controls.
How does the CUI Program help Federal agencies, including EPA?
The CUI Program is an unprecedented initiative to standardize practices across more than 100 separate departments and agencies, as well as state, local, tribal and, private sector entities; academia; and industry. This will enable timely and consistent information sharing and increase transparency throughout the Federal government and with non-Federal stakeholders.
Program Governance
What is the Federal CUI governance structure?
The National Archives and Records Administration (NARA) serves as the Controlled Unclassified Information (CUI) Executive Agent (EA). NARA has the authority and responsibility to manage the CUI Program across the Federal government.
NARA issues policy directives and publishes an annual report to the President of the United States on the status of agency CUI Program implementation in accordance with Executive Order 13556, Controlled Unclassified Information.
What is EPA’s CUI governance structure?
At EPA, the CUI Program is housed in the Libraries and Accessibility Division (LAD) within the Office of Mission Support’s (OMS), Office of Enterprise Information Programs (OEIP).
EPA’s CUI Program is responsible for issuing CUI policy, procedures, training, and guidance to program offices and regions, along with providing oversight and reporting on the Agency’s progress on meeting NARA’s CUI deadlines.
EPA Implementation
When will EPA transition to CUI markings?
The EPA’s Controlled Unclassified Information (CUI) Program issued its Interim CUI Policy in December 2020. EPA anticipates beginning CUI practices (designating, marking, safeguarding, disseminating, destroying, and decontrolling) starting in FY2023. The date of full implementation of the CUI Program will be announced by the EPA’s CUI Senior Agency Official (CUI SAO) and updated here on EPA’s public web page. The EPA will phase out legacy markings and safeguarding practices as implementation proceeds.
What changes can be expected as a result of this transition to CUI markings?
EPA changes may include:
- Amendments to EPA regulations
- Amendments to a variety of policy documents as well as others referencing Confidential Business Information (CBI) submissions or handling
- Changes to paper and e-forms and instructions for their submission to EPA
- Changes to various data systems that store and sometimes share sensitive information outside EPA.
Resources and Contacts
Who should I talk to regarding EPA CUI?
For programmatic questions regarding Controlled Unclassified Information (CUI), including any challenges to CUI marked by EPA, please contact EPA's CUI Program Office.