Office of the Press Secretary
(Crawford, Texas)

May 7, 2008


SUBJECT: Designation and Sharing of Controlled Unclassified Information (CUI)


(1) This memorandum (a) adopts, defines, and institutes "Controlled Unclassified Information" (CUI) as the single, categorical designation henceforth throughout the executive branch for all information within the scope of that definition, which includes most information heretofore referred to as "Sensitive But Unclassified" (SBU) in the Information Sharing Environment (ISE), and (b) establishes a corresponding new CUI Framework for designating, marking, safeguarding, and disseminating information designated as CUI. The memorandum's purpose is to standardize practices and thereby improve the sharing of information, not to classify or declassify new or additional information.

Background -- The Current SBU Environment

(2) The global nature of the threats facing the United States requires that (a) our Nation's entire network of defenders be able to share information more rapidly so those who must act have the information they need, and (b) the United States Government protect sensitive information, information privacy, and other legal rights of Americans. A uniform and more standardized governmentwide framework for what has previously been known as SBU information is essential for the ISE to succeed. Accordingly, this memorandum establishes a standardized framework designed to facilitate and enhance the sharing of Controlled Unclassified Information.


(3) In this memorandum, the following terms have the meaning indicated:

Policy -- The CUI Framework

(4) The uniform use of CUI is essential to fostering an effective ISE. All departments and agencies shall apply the CUI Framework, which consists of the following policies and standards, as outlined in paragraphs 5-19 for the designation, marking, safeguarding, and dissemination of any CUI terrorism-related information within the ISE that originates in departments and agencies, regardless of the medium used for its display, storage, or transmittal.

(5) All CUI shall merit one of two levels of safeguarding procedures: standard (marked "Controlled") or enhanced (marked "Controlled Enhanced").

(6) All CUI shall merit one of two levels of dissemination controls: "Standard Dissemination" or "Specified Dissemination."

(7) All CUI shall be (a) categorized into one of three combinations of safeguarding procedures and dissemination controls, and (b) so indicated through the use of the following corresponding markings:

(8) Any additional CUI markings may be prescribed only by the Executive Agent. Use of additional CUI markings is prohibited unless the Executive Agent determines that extraordinary circumstances warrant the use of additional markings.

(9) Departments and agencies shall apply the CUI Registry's standards. The originator of CUI may not impose any additional safeguarding or dissemination requirements upon the recipient(s). No department or agency shall create CUI categories or rules outside the CUI Framework.

(10) Recipients of CUI shall report any unauthorized or inadvertent disclosures to the designating agency.

(11) All CUI shall be marked in a clear manner and conform to statutory and regulatory requirements, if any, regarding markings. Recipients of CUI that is not marked shall mark the information appropriately and inform the originator that it has been so marked.

(12) Wherever possible, it is expected that departments and agencies will re-mark archived or legacy material when it is incorporated into the ISE.

(13) CUI markings may inform but do not control the decision of whether to disclose or release the information to the public, such as in response to a request made pursuant to the Freedom of Information Act (FOIA).

(14) Originating departments and agencies shall retain control of decisions regarding whether to disseminate CUI materials beyond their Standard or Specified Dissemination instructions, including any dissemination to the media or general public.

(15) Material that contains both CUI and non-CUI information, or that contains multiple categories of CUI, should be marked accordingly by portions such that those categorical distinctions are apparent.

(16) The CUI markings shall be incorporated into ISE-related information technology (IT) projects under development or developed in the future and shall be reflected in plans for new information technologies.

(17) The CUI markings shall be used regardless of the medium through which the information appears or conveys. Oral communications should be prefaced with a statement describing the controls when necessary to ensure that recipients are aware of the information's status.

(18) Departments or agencies shall not impose safeguarding requirements or dissemination controls on information in the ISE that is neither classified nor CUI.

(19) When a department or agency receives CUI originating from a State, local, tribal, private sector, or foreign partner, any nonfederal legacy markings shall be retained, unless the originator authorizes its removal.

(20) Implementation of the CUI Framework shall commence upon the date of this memorandum and shall be completed within 5 years.

CUI Framework Implementation

(21) The Executive Agent shall be responsible for overseeing and managing implementation of this CUI Framework.

(22) The Executive Agent shall have the following authorities and responsibilities:

(23) A CUI Council is hereby established as a subcommittee of the ISC. Its members shall be drawn from the ISC's membership. The CUI Council shall:

(24) The head of each department and agency with possession of terrorism-related information shall:

Designating CUI

(25) Information shall be designated as CUI and carry an authorized CUI marking if:

(26) Notwithstanding the above, information shall not be designated as CUI:

Exceptions to CUI

(27) This memorandum requires that all CUI originated by departments and agencies and shared within the ISE shall conform to the policies and standards for the designating, marking, safeguarding, and disseminating established in accordance with this memorandum. However, infrastructure protection agreements not fully accommodated under the CUI Framework (and its associated markings, safeguarding requirements, and dissemination limitations) shall be considered exceptions to this CUI Framework. Infrastructure protection exceptions include and apply to information governed by or subject to the following regulations:

(28) The CUI Framework shall be used for such information to the maximum extent possible, but shall not affect or interfere with specific regulatory requirements for marking, safeguarding, and disseminating.

(29) The affected department or agency is authorized to select the most applicable CUI safeguarding marking for the regulation. Any additional requirements for the safeguarding beyond that specified under the CUI Framework shall be appropriately registered in the CUI Registry. Any regulatory marking shall follow the CUI marking, and a specified dissemination instruction shall articulate any additional regulatory requirements.

General Provisions

(30) This memorandum: