Controlled Unclassified Information (CUI)
DFARS 252.204-7012, NIST SP 800-171
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. It is a data classification below Classified, but it still applies to data that is sensitive to national security.
Executive Order 13556, "Controlled Unclassified Information" (the Order), establishes a program for managing CUI across the Executive branch and designates the National Archives and Records Administration (NARA) as Executive Agent to implement the Order and oversee agency actions to ensure compliance. The Archivist of the United States delegated these responsibilities to the Information Security Oversight Office (ISOO).
32 CFR Part 2002 "Controlled Unclassified Information" was issued by ISOO to establish policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program. The rule affects Federal executive branch agencies that handle CUI and all organizations (sources) that handle, possess, use, share, or receive CUI—or which operate, use, or have access to Federal information and information systems on behalf of an agency.
As of the writing of this page, the Department of Defense (DoD) has been the first agency to adopt controls for safeguarding CUI, which it has enacted through regulations that specify how certain federal and nonfederal organizations must control CUI in their environments. The regulation takes the form of a specific clause within the Defense Federal Acquisition Regulation Supplement (DFARS), known as DFARS 252.204-7012 “Safeguarding Covered Defense Information and Cyber Incident Reporting”.