Controlled Unclassified Information

What is Controlled Unclassified Information? Referred to as CUI and sometimes referred to as “controlled information” for short, this term describes government-created information or materials that requires protection even though it is not technically classified. This also applies to information the government owns but did not create.

The definition can also be expanded to include any information that is required by applicable laws, government regulations, or policy that would require this unclassified information to be protected or include restrictions on its dissemination.

This would not apply to information assigned a classification via Executive Order 13526, Classified National Security Information, Dec. 29, 2009. Other regulations or laws may also apply.

Why Protect CUI?

Most descriptions or definitions of CUI include mention that the information is not classified OR considered intellectual property, corporate property, etc.

Authority For Protecting CUI

The federal legal authority to require protection of information that falls under the Controlled Unclassified Information umbrella can be found in 32 CFR Part 2002 Controlled Unclassified Information. This guidance is meant to establish policy “for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI,” and includes instructions/requirements for oversight and self-inspection.

What Constitutes Controlled Unclassified Information

Some are confused by the nature of this type of information until they realize there are some common examples of CUI that make it clear–for example, every unit has a “recall roster” which is basically a central database of telephone numbers which must be contacted in case of a military recall, no-notice military mission requirements, and similar activities.

A recall roster is crucial for the readiness of the unit to deploy, participate in military exercises, etc. While the centralized list of phone numbers is not assigned a security classification level of Confidential, Secret, or Top Secret, that collection of phone numbers is rightly deemed as “sensitive.”

It provides a potential enemy any number of advantages to know this information, let alone what would happen if the data fell into the wrong hands intending to use it to hack or commit identity theft.

Recall rosters are only one example. The technical specifications of your installation may be considered controlled information even if the architectural plans are on file in a civilian government agency such as an assessor’s office.

You may be prohibited from disseminating lists of people who are on regular or medical leave without permission from a supervisor or you may be restricted from sharing digital information about an upcoming event that requires the base to open to civilians such as an air show; certain details will be sensitive and not intended for public review.

No matter what kind of information might be identified as CUI, that data or those materials must be safeguarded according to the instructions from your unit, command, etc.

Why It Matters

It’s true that this type of information is subject to fewer controls than classified information. And a list of phone numbers or even a roster of those scheduled to go on leave in the next six months might not sound like the espionage find of the century, the reason this information is restricted has more to do with denying a potential adversary any details they could use to their advantage to make plans that are hostile to the United States.

You may wonder why a leave roster might have strategic value to an adversary. Consider what happens if the adversary knows there are 12 people in your unit scheduled to go on leave within a six month period and suddenly there is information leaked or discovered through a lack of safeguards that reveals that all those leave dates had been cancelled?

Those two piece of information are more than enough to tell a careful observer that something might be going on within that unit that required all those leave dates to be cancelled. Add those details to any others harvested through espionage, eavesdropping, casual observance, etc. and you see how it would be very easy to develop an idea of future operations for that unit.

How Controlled Classified Information Is Protected

Some kinds of CUI are “on display” in a work center, SCIF, etc. These might include a list of contact phone numbers, instructions on work center disablement in case of an enemy attack where loss of the base or facility may be imminent, etc. Protecting such information can be as simple as covering up the publicly displayed information when outsiders come into the work center.

Other types of information may be stored in computer files, hard copies, analog tapes or hard drives, etc. This information may need to be physically secured or otherwise made unavailable to unauthorized users.

In some cases where public dissemination of a document is required but there is CUI contained within the document, redaction may be required. This may be physical or digital, as long as the end result is that the protected data remains protected.

How To Tell If Information Is Considered Controlled

In most cases, the documents, computer files, or objects may be labeled as “Controlled” or “CUI” or some other variation; the designation may vary but the notification is the same–you’re warned the items are controlled.

In other cases you may only be given the raw documents, disk drives, or other items with a verbal warning that the materials are controlled. No matter how you are notified, it’s your job to continue the protection of the CUI.

The Information Security Oversight Office (NIST.gov) reminds us that indicators are not necessarily standardized depending on the platform, website, or agency. “Agencies may authorize or require the use of alternate CUI indicators on IT systems, websites, browsers, or databases through agency CUI policy.” However the notifications are made, the goal is to raise awareness of the controlled nature of the information.

Disposing Of Outdated CUI

Recall rosters become obsolete. Old manuals, training guides, station disablement procedures, and emergency recall policies get revised and become outdated frequently. What are people meant to do with outdated controlled information?

The procedures in your specific unit may vary but the common requirement is that regardless of the platform, delivery system, digital or analog nature of the materials, they must all be completely destroyed in a manner that prevents the retrieval of the information.

What does this mean? A quick study of hacker culture (read the back issues of hacker magazines like 2600 to get an idea) reveals that running your recall roster through a shredder is NOT enough–determined dumpster divers and spies commonly (and painstakingly) reassemble these shredded documents to harvest their information.

But a PULPED or BURNED recall roster that has completely obliterated text and materials IS acceptable–there is no way to harvest the data out of an incinerated page, or a hard drive that has been disassembled, smashed into tiny pieces, degaussed or demagnetized, etc. Total destruction of the readable or accessible data is required.

Your command may have specific chain-of-custody and destruction procedures for CUI. Some may require the use of dedicated facilities or tools within the command to neutralize this material, others may simply require proof that the destruction was accomplished and that disposal was done according to local regulations.

Joe Wallace is a 13-year veteran of the United States Air Force and a former reporter for Air Force Television News