• Home
  • Military Discounts
    • Military & Veteran Discount List
    • Local Military and Veterans Discounts
    • Apple Military Discount
    • Veteran & Military Cell Phone Discounts
    • Gym and Health Club Discounts
  • Benefits
    • 10 Veterans Benefits You May Not Know About
    • Top Military Spouse Benefits
    • Medal of Honor: Benefits, History and Facts
    • Purple Heart Benefits
    • Veterans Health A to Z
  • Housing & Home Ownership
    • VA Loan Calculator
    • VA Loan Limits by County
    • VA Home Loan Guide
    • 5 Benefits of a VA Loan
    • 2022 BAH Rates
    • BAH Calculator
  • Money & Finance
    • 2022 Military Pay Charts
    • 2022 Defense Budget
    • 2022 Military Pay
    • 2022 Military Pay Charts
    • COLA Watch 2022-2023
    • Military Pay Calculator
    • Military Pay Dates
    • VA Disability Rates
  • Jobs
    • Veteran Friendly Employers
    • Military Spouse Employment Preference
    • Veterans Employment and Training Service (VETS)
    • Security Clearance Jobs After the Military
  • Education
    • Veteran Friendly Colleges
    • Online Colleges with Military Discounts
    • Veteran Friendly Colleges Guide
    • Military Spouse Career Advancement Accounts (MyCAA)
    • Monthly Housing Allowance (MHA) for the GI Bill
    • Forever GI Bill
  • Resources
    • How to Get a Veterans ID Card
    • Veterans ID on Driver’s License or ID Card by State
    • Military ID Cards
    • Military Calendar
    • State Veteran’s Benefits
Home » Controlled Unclassified Information

Controlled Unclassified Information

What is Controlled Unclassified Information? Referred to as CUI and sometimes referred to as “controlled information” for short, this term describes government-created information or materials that requires protection even though it is not technically classified. This also applies to information the government owns but did not create.

Controlled Unclassified InformationThe definition can also be expanded to include any information that is required by applicable laws, government regulations, or policy that would require this unclassified information to be protected or include restrictions on its dissemination.

This would not apply to information assigned a classification via Executive Order 13526, Classified National Security Information, Dec. 29, 2009. Other regulations or laws may also apply.

Why Protect CUI?

Most descriptions or definitions of CUI include mention that the information is not classified OR considered intellectual property, corporate property, etc.

Authority For Protecting CUI

The federal legal authority to require protection of information that falls under the Controlled Unclassified Information umbrella can be found in 32 CFR Part 2002 Controlled Unclassified Information. This guidance is meant to establish policy “for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI,” and includes instructions/requirements for oversight and self-inspection.


What Constitutes Controlled Unclassified Information

Some are confused by the nature of this type of information until they realize there are some common examples of CUI that make it clear–for example, every unit has a “recall roster” which is basically a central database of telephone numbers which must be contacted in case of a military recall, no-notice military mission requirements, and similar activities.

A recall roster is crucial for the readiness of the unit to deploy, participate in military exercises, etc. While the centralized list of phone numbers is not assigned a security classification level of Confidential, Secret, or Top Secret, that collection of phone numbers is rightly deemed as “sensitive.”

It provides a potential enemy any number of advantages to know this information, let alone what would happen if the data fell into the wrong hands intending to use it to hack or commit identity theft.

Recall rosters are only one example. The technical specifications of your installation may be considered controlled information even if the architectural plans are on file in a civilian government agency such as an assessor’s office.

You may be prohibited from disseminating lists of people who are on regular or medical leave without permission from a supervisor or you may be restricted from sharing digital information about an upcoming event that requires the base to open to civilians such as an air show; certain details will be sensitive and not intended for public review.

No matter what kind of information might be identified as CUI, that data or those materials must be safeguarded according to the instructions from your unit, command, etc.

Why It Matters

It’s true that this type of information is subject to fewer controls than classified information. And a list of phone numbers or even a roster of those scheduled to go on leave in the next six months might not sound like the espionage find of the century, the reason this information is restricted has more to do with denying a potential adversary any details they could use to their advantage to make plans that are hostile to the United States.

You may wonder why a leave roster might have strategic value to an adversary. Consider what happens if the adversary knows there are 12 people in your unit scheduled to go on leave within a six month period and suddenly there is information leaked or discovered through a lack of safeguards that reveals that all those leave dates had been cancelled?

Those two piece of information are more than enough to tell a careful observer that something might be going on within that unit that required all those leave dates to be cancelled. Add those details to any others harvested through espionage, eavesdropping, casual observance, etc. and you see how it would be very easy to develop an idea of future operations for that unit.

How Controlled Classified Information Is Protected

Some kinds of CUI are “on display” in a work center, SCIF, etc. These might include a list of contact phone numbers, instructions on work center disablement in case of an enemy attack where loss of the base or facility may be imminent, etc. Protecting such information can be as simple as covering up the publicly displayed information when outsiders come into the work center.

Other types of information may be stored in computer files, hard copies, analog tapes or hard drives, etc. This information may need to be physically secured or otherwise made unavailable to unauthorized users.

In some cases where public dissemination of a document is required but there is CUI contained within the document, redaction may be required. This may be physical or digital, as long as the end result is that the protected data remains protected.

How To Tell If Information Is Considered Controlled

In most cases, the documents, computer files, or objects may be labeled as “Controlled” or “CUI” or some other variation; the designation may vary but the notification is the same–you’re warned the items are controlled.

In other cases you may only be given the raw documents, disk drives, or other items with a verbal warning that the materials are controlled. No matter how you are notified, it’s your job to continue the protection of the CUI.

The Information Security Oversight Office (NIST.gov) reminds us that indicators are not necessarily standardized depending on the platform, website, or agency. “Agencies may authorize or require the use of alternate CUI indicators on IT systems, websites, browsers, or databases through agency CUI policy.” However the notifications are made, the goal is to raise awareness of the controlled nature of the information.

Disposing Of Outdated CUI

Recall rosters become obsolete. Old manuals, training guides, station disablement procedures, and emergency recall policies get revised and become outdated frequently. What are people meant to do with outdated controlled information?

The procedures in your specific unit may vary but the common requirement is that regardless of the platform, delivery system, digital or analog nature of the materials, they must all be completely destroyed in a manner that prevents the retrieval of the information.

What does this mean? A quick study of hacker culture (read the back issues of hacker magazines like 2600 to get an idea) reveals that running your recall roster through a shredder is NOT enough–determined dumpster divers and spies commonly (and painstakingly) reassemble these shredded documents to harvest their information.

But a PULPED or BURNED recall roster that has completely obliterated text and materials IS acceptable–there is no way to harvest the data out of an incinerated page, or a hard drive that has been disassembled, smashed into tiny pieces, degaussed or demagnetized, etc. Total destruction of the readable or accessible data is required.

Your command may have specific chain-of-custody and destruction procedures for CUI. Some may require the use of dedicated facilities or tools within the command to neutralize this material, others may simply require proof that the destruction was accomplished and that disposal was done according to local regulations.

Security Clearance Jobs


About The AuthorJoe Wallace is a 13-year veteran of the United States Air Force and a former reporter for Air Force Television News


Related Articles
What Is A SCIF? What Is OPSEC?
Cybersecurity Education Requirements Can I Be A Hacker In The Military?
Security Clearance Levels What Is Information Warfare?

Military + Veteran Discounts

Want 30+ Mil/Vet discounts to use today? Enter your email for updates and we'll send it!
Name(Required)

VA Home Loans

Popular Articles

2022 VA Disability Rates

2022 Military Pay

Military Pay Calculator

VA Loan Calculator

2022 BAH Rates

Search Veteran.com

Military Benefits Logo

Company

  • About
  • Contact Us
  • Add a Discount
  • Privacy Policy
  • Terms of Use
  • Disclosure
  • Unsubscribe

Quick Links

  • Home
  • Military Discounts
  • Benefits
  • Housing & Ownership
  • Money & Finance
  • Employment
  • Education
  • Resources

Connect With Us

  • facebook
  • instagram
  • pinterest
  • twitter
  • youtube
Copyright © 2022 Three Creeks Media, LLC

Veteran.com is a property of Three Creeks Media. Neither Veteran.com nor Three Creeks Media are associated with or endorsed by the U.S. Departments of Defense or Veterans Affairs. The content on Veteran.com is produced by Three Creeks Media, its partners, affiliates and contractors, any opinions or statements on Veteran.com should not be attributed to the Dept. of Veterans Affairs , the Dept. of Defense or any governmental entity. If you have questions about Veteran programs offered through or by the Dept. of Veterans Affairs, please visit their website at va.gov. The content offered on Veteran.com is for general informational purposes only and may not be relevant to any consumer’s specific situation, this content should not be construed as legal or financial advice. If you have questions of a specific nature consider consulting a financial professional, accountant or attorney to discuss. References to third-party products, rates and offers may change without notice.

Advertising Notice: Veteran.com and Three Creeks Media, its parent and affiliate companies, may receive compensation through advertising placements on Veteran.com; For any rankings or lists on this site, Veteran.com may receive compensation from the companies being ranked and this compensation may affect how, where and in what order products and companies appear in the rankings and lists. If a ranking or list has a company noted to be a “partner” the indicated company is a corporate affiliate of Veteran.com. No tables, rankings or lists are fully comprehensive and do not include all companies or available products.

Editorial Disclosure: Editorial content on Veteran.com may include opinions. Any opinions are those of the author alone, and not those of an advertiser to the site nor of Veteran.com.