News

Controlled Unclassified Information: CDSE Develops CUI Training for all DoD Employees

By Adriene Brown

Center for Development of Security Excellence Controlled Unclassified Information (CUI) has been a part of our security lexicon for years. Its reach is expansive because it affects federal, state, local, and civilian entities. But what is it exactly? How should it be handled? What are the marking, release, and disclosure requirements?

CUI is not classified information. It is government created or owned information that requires safeguarding or dissemination controls. The CUI Program is a Department of Defense (DoD) program that standardizes how the executive branch manages unclassified information that requires safeguarding or dissemination controls required by law, federal regulation, and government-wide policy. The CUI Program replaces existing agency programs like For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and others. DoD personnel at all levels of responsibility and across all mission areas receive, handle, create, and disseminate CUI.

Before the CUI Program, each executive agency (Defense Department, State Department, etc.) would establish a marking system unique to its respective environment. The CUI Program addresses this confusing landscape, which included more than 100 agencyspecific policies that led to inconsistent marking and safeguarding, as well as restrictive dissemination policies. The Office of the Under Secretary of Defense for Intelligence and Security (OUSD(I&S)) CUI Program establishes an executive branch-wide policy to develop a uniform system to promote sharing, protect CUI, and prevent the loss of controlled technical information.

The key changes are:

1.  There is now one CUI marking system and one cover sheet versus different sets for each executive agency.
2. There are defined, secure configuration standards for federal and non-federal computer systems to share CUI.
3. All CUI must include a category and the origin of the information.

DCSA, through its training element, the Center for Development of Security Excellence (CDSE), developed mandatory training to explain CUI, in concert with the OUSD(I&S) and in accordance with DoD Instruction 5200.48, Controlled Unclassified Information. CDSE launched the training on October 16, on the DoD CUI Program website, which contains resources, policy documents, desktop aids, and more.

All DoD civilian, military personnel, and contractors are required to complete this mandatory CUI training by March 2021 and complete annual refresher training thereafter. Additionally, per DoDI 5200.48, Section 2.9, agencies are required to integrate training on safeguarding and handling CUI into updates of initial and annual cybersecurity awareness training.

EXAMPLES OF WHAT MAY QUALIFY AS CUI:

• Defense Critical Infrastructure Information (DCRIT)
• Export controlled information
• Information related to sensitive international agreements
• Law enforcement information
• Legal privilege
• Pre-decisional budget or policy information
• Privacy Act information
• Naval Nuclear Propulsion Information (NNPI)

For more information on CUI and to take training, visit www.DoDCUI.mil/.

Article Source: Official Magazine of the Defense Counterintelligence and Security Agency, Gatekeeper, Volume 1, Issue 1

www.dcsa.mil/Portals/91/Documents/about/err/DCSA_Gatekeeper_v1i1_web.pdf