Security Awareness – Spring 2020
What is CUI and How to Protect It
Controlled Unclassified Information (CUI) is Government-created or Government-owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations and Government-wide policies.
- CUI is not classified information. It is not corporate intellectual property unless created for or included in requirements related to a Government contract.
- CUI designations include, but are not limited to:
  - For Official Use Only (FOUO)
  - Law Enforcement Sensitive (LES)
  - Sensitive But Unclassified (SBU)
Why is it important?
Because there are fewer controls over CUI as compared to classified information, CUI is the path of least resistance for adversaries. Loss of aggregated CUI is one of the most significant risks to national security, directly affecting the lethality of our warfighters. There are over 1 million contracts in the NISP alone with DFARS Clause 252.204-7012, “Safeguarding Covered Defense Information and Cyber Incident Reporting,” for the protection of DoD CUI, and over 3 million with CUI in the cleared industrial base overall.
Safeguarding For Official Use Only (FOUO) Information:
- FOUO information should be handled in a manner that provides reasonable assurance that unauthorized persons do not gain access.
- During working hours, reasonable steps should be taken to minimize risk of access by unauthorized personnel. After working hours, FOUO may be stored at a minimum in unlocked containers, desks or cabinets if Government or Government-contract building security is provided. If Government or Government-contract building security is not provided, it must be stored at a minimum in a locked desk, file cabinet, bookcase, locked room, or similar place.
- FOUO documents may be destroyed by shredding or tearing into pieces and discarding the pieces in a regular trash container unless circumstances suggest a need for more careful protection.
- While in TMB spaces, if you send an FOUO document to the copier, please ensure you pick it up promptly. If it is found unattended, it will be placed in the Shred It bin immediately.
- FOUO documents and material may be transmitted via first class mail, parcel post, or, for bulk shipments, fourth class mail.
- Fax or email transmission of FOUO information (voice, data or facsimile) should be by encrypted communications systems whenever practical. FOUO information may be put on an Internet web site only if access to the site is limited to a specific target audience and the information is encrypted.
- Administrative penalties may be imposed for misuse of FOUO information. Criminal penalties may be imposed depending on the actual content of the information (privacy, export control, etc.).