[Federal Register Volume 80, Number 89 (Friday, May 8, 2015)]
[Proposed Rules]
[Pages 26501-26511]
[FR Doc No: 2015-10260]
=======================================================================
-----------------------------------------------------------------------
NATIONAL ARCHIVES AND RECORDS ADMINISTRATION
Information Security Oversight Office
32 CFR Part 2002
[FDMS No. NARA-15-0001; NARA-2015-037]
RIN 3095-AB80
Controlled Unclassified Information
AGENCY: Information Security Oversight Office, NARA.
ACTION: Proposed rule.
-----------------------------------------------------------------------
SUMMARY: As the Federal Government's Executive Agent for Controlled
Unclassified Information (CUI), the Information Security Oversight
Office (ISOO) of the National Archives and Records Administration
(NARA) implements the Federal Government-wide CUI Program. As part of
that responsibility, ISOO proposes this rule to establish policy for
agencies on designating, safeguarding, disseminating, marking,
decontrolling, and disposing of CUI, self-inspection and oversight
requirements, and other facets of the Program.
DATES: Submit comments on or before July 7, 2015.
ADDRESSES: You may submit comments, identified by RIN 3095-AB80, by any
of the following methods:
Federal eRulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
Email: [email protected]. Include RIN 3095-AB80
in the subject line of the message.
Fax: 301-837-0319. Include RIN 3095-AB80 in the subject
line of the fax cover sheet.
Mail (for paper, disk, or CD-ROM submissions. Include RIN
3095-AB80 on the submission): Regulations Comment Desk, Strategy
Division (SP); Suite 4100; National and Archives Records
Administration; 8601 Adelphi Road; College Park, MD 20740-6001.
Hand delivery or courier: Deliver comments to front desk
at the address above.
Instructions: All submissions must include NARA's name and the
regulatory information number for this rulemaking (RIN 3095-AB80). We
may publish any comments we receive without changes, including any
personal information you include.
FOR FURTHER INFORMATION CONTACT: Kimberly Keravuori, by email at
[email protected], or by telephone at 301-837-3151. You may
also find more information about the CUI Program, and some FAQs, on
[[Page 26502]]
NARA's Web site at http://www.archives.gov/cui/.
SUPPLEMENTARY INFORMATION: Background. The President is committed to
making the Government more open to the American people, as outlined in
his January 21, 2009, memorandum to the heads of executive branch
agencies. However, the Government must still protect some unclassified
information, pursuant to and consistent with applicable laws,
regulations, and Government-wide policies. This information is called
Controlled Unclassified Information (CUI).
Prior to Executive Order 13556, Controlled Unclassified
Information, 75 FR 68675 (November 4, 2010) (the Order), more than 100
different markings for such information existed across the executive
branch. This ad hoc, agency-specific approach created inefficiency and
confusion, led to a patchwork system that failed to adequately
safeguard information requiring protection, and unnecessarily
restricted information-sharing.
As a result, the Order established the CUI Program to standardize
the way the executive branch handles information that requires
safeguarding or dissemination controls (excluding information that is
classified under Executive Order 13526, Classified National Security
Information, 75 FR 707 (December 29, 2009), or any predecessor or
successor order; or the Atomic Energy Act of 1954 (42 U.S.C. Sec.
2011, et seq.), as amended.
To develop policy and provide oversight for the CUI Program, the
Order also appointed NARA as the CUI Executive Agent. NARA has
delegated this authority to the Director of ISOO, a NARA component.
Regulatory Analysis
Review Under Executive Orders 12866 and 13563
Executive Order 12866, Regulatory Planning and Review, 58 FR 51735
(September 30, 1993), and Executive Order 13563, Improving Regulation
and Regulation Review, 76 FR 23821 (January 18, 2011), direct agencies
to assess all costs and benefits of available regulatory alternatives
and, if regulation is necessary, to select regulatory approaches that
maximize net benefits (including potential economic, environmental,
public health and safety effects, distributive impacts, and equity).
This proposed rule is ``significant'' under section 3(f) of Executive
Order 12866 because it sets out a new program for Federal agencies. The
Office of Management and Budget (OMB) has reviewed this regulation.
Review Under the Regulatory Flexibility Act (5 U.S.C. 601, et seq.)
This review requires an agency to prepare an initial regulatory
flexibility analysis and publish it when the agency publishes the
proposed rule. This requirement does not apply if the agency certifies
that the rule will not, if promulgated, have a significant economic
impact on a substantial number of small entities (5 U.S.C. 603). NARA
certifies, after review and analysis, that this proposed rule will not
have a significant adverse economic impact on small entities. However,
information on the number of small entities contracting, or wishing to
contract, with the executive branch that have not already implemented
appropriate information systems standards for handling CUI is
unreported and difficult to collect, in part because it could reflect
adversely on a contractor in other ways. As a result, while NARA
believes from all available information that the economic impact would
be minimal, if any, we are opening this issue to public comment in
addition to the content of the proposed rule, in case reviewers have
additional information to the contrary that was not available to NARA.
The CUI Program provides a unified system for handling unclassified
information that requires safeguarding or dissemination controls, and
sets consistent, executive branch-wide standards and markings for doing
so. The CUI Program has established controls pursuant to and consistent
with already-existing applicable law, Federal regulations, and
Government-wide policy. However, because those authorities, as well as
ad hoc agency policies and practices, were often applied in different
ways by different agencies, the CUI Program also establishes
unambiguous policy, requirements, and consistent standards.
The Order establishes that the CUI Executive Agent, designated as
NARA, ``shall develop and issue such directives as are necessary'' to
implement the CUI Program (Section 4b). NARA has delegated this
authority to the Director of the Information Security Oversight Office
(ISOO). Consistent with this tasking, and with the CUI Program's
mission to establish uniform policies and practices across the Federal
Government, NARA is issuing a regulation, to establish the required
controls and markings Government-wide. There is no viable alternative
to a rule for meeting the Order's mandate to establish consistent
information security standards Government-wide. A regulation binds
agencies throughout the executive branch to uniformly apply the
Program's standard safeguards, markings, and disseminating and
decontrol requirements. The proposed rule contains a consistent program
that NARA developed in consultation with affected stakeholders,
including private industry and Federal agencies. While developing this
program, NARA conducted working group discussions and surveys,
consolidated and streamlined current practices, and developed initial
drafts that underwent both formal and informal agency comment and CUI
Executive Agent comment adjudication for individual policy elements.
NARA believes that this proposed rule will benefit industry that
contracts with the Federal Government, including small businesses. In
the present contractor environment, differing requirements and
conflicting guidance from agencies for the same types of information
gives rise to confusion and inefficiencies for contractors working with
more than one agency or handling information originating from different
agencies. A single standard that de-conflicts requirements for
contractors or potential contractors when contracting with multiple
Government agencies will be simpler to execute and reduce costs.
Because the regulation's uniform controls derive from already-required
laws, regulations, and Government-wide policies, the standards are
already ones with which businesses should be complying and the impact
of the rule should be minimal or non-existent.
Those entities that currently do not implement information systems
security controls for CUI consistent with requirements contained in the
regulation will need to make changes and implement new practices, which
could therefore have an impact on such businesses. Consistent with the
Order, these requirements are based on applicable Government-wide
standards and guidelines issued by the National Institute of Standards
and Technology (NIST), and applicable policies established by OMB
(Section 6a3). These standards, which OMB and NIST established, have
been in effect for some time, and were not created by this proposed
rule. Rather, the proposed rule requires use of these standards in the
same way throughout the executive branch, thereby reducing current
complexity for agencies and contractors. The potential impact on
businesses currently not in compliance with these standards arises from
the possibility that some might need to take actions to bring
themselves into compliance with
[[Page 26503]]
already-existing requirements if they are not already. From all
available information, NARA believes this impact will be minimal, but
reporting on non-compliance with these OMB and NIST standards is
limited. If any businesses are not in compliance with these
requirements, or are substantially out of compliance, the impact on
those entities may be significant.
NARA has taken steps, however, to alleviate the difficulty for
contractors and small businesses of complying with information systems
requirements, whether they already comply or will need to comply in
future. Many of the security controls contained in the NIST guidelines
are specific to Government systems, and thus have been difficult for
contractors to implement with their own already-existing systems. This
has also limited some businesses from competing for Federal contracts.
Non-Federal systems are often built using different processes from the
Government-specific ones outlined in the NIST guidelines, even while
achieving the same standard of protection as set forth in the Federal
Information Processing Standards (FIPS). NARA has therefore partnered
with NIST to develop a special publication on applying the information
systems security requirements in the contractor environment. Doing so
should make it easier for businesses to comply with the standards using
the systems they already have in place, rather than trying to use the
Government-specific approaches currently described. This publication
has already undergone one round of public comment as NIST SP-800-171
and is undergoing a second round of public comment until May 12, 2015;
we expect to finalize it in June 2015.
The CUI Executive Agent is also planning a single Federal
Acquisitions Regulation (FAR) clause that will apply the requirements
of the proposed rule to the contractor environment and further promote
standardization to benefit a substantial number of businesses,
including small entities that may be struggling to meet the current
range and type of contract clauses. In the process of this three-part
plan (rule, NIST publication, standard FAR clause), businesses will not
only receive streamlined and uniform requirements for any unclassified
information security needs, but will have information systems
requirements tailored to contractor systems, allowing the businesses to
help develop the requirements and to be in compliance with Federal
uniform standards with less difficulty than currently. Businesses that
currently meet all standards will have a clearer and easier time doing
so in the future with virtually no negative impact, and businesses that
do not currently meet standards will be able to bring themselves into
compliance more easily as well, thus reducing the potential impact
coming into compliance would have on them.
Despite all of this, there may still be a significant impact on
small businesses, related to bringing themselves into compliance with
existing standards that will be applied uniformly under this rule. NARA
does not have data on how many small businesses may be impacted by this
rule, or to what degree, because such information on compliance with
the standards involved is not tracked for small businesses. NARA
therefore opens this topic for input from small businesses during the
public comment period.
Review Under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et
seq.)
This proposed rule does not contain any information collection
requirements subject to the Paperwork Reduction Act.
Review Under Executive Order 13132, Federalism, 64 FR 43255 (August 4,
1999)
Review under Executive Order 13132 requires that agencies review
regulations for Federalism effects on the institutional interest of
states and local governments, and, if the effects are sufficiently
substantial, prepare a Federal assessment to assist senior policy
makers. This proposed rule will not have any direct effects on State
and local governments within the meaning of the Executive Order.
Therefore, no Federalism assessment is required.
List of Subjects in 32 CFR Part 2002
Administrative practice and procedure, Archives and records,
Controlled unclassified information, Freedom of information, Government
in the Sunshine Act, Information, Information security, National
security information, Open government, Privacy.
For the reasons stated in the preamble, NARA proposes to amend 32
CFR, Chapter XX, by adding part 2002 to read as follows:
PART 2002--CONTROLLED UNCLASSIFIED INFORMATION (CUI)
Subpart A--General Information
Sec.
2002.1 Purpose and scope.
2002.2 Definitions.
2002.3 CUI Executive Agent.
2002.4 Roles and responsibilities.
Subpart B--Key Elements of the CUI Program
2002.10 The CUI Registry.
2002.11 CUI categories and subcategories.
2002.12 Safeguarding.
2002.13 Accessing and disseminating.
2002.14 Decontrolling.
2002.15 Marking.
2002.16 Waivers of CUI requirements in exigent circumstances.
2002.17 Limitations on applicability of agency CUI policies.
Subpart C--CUI Program Management
2002.20 Education and training.
2002.21 Agency self-inspection program.
2002.22 Challenges to designation of information as CUI.
2002.23 Dispute resolution.
2002.24 Misuse of CUI.
2002.25 Sanctions for misuse of CUI.
2002.26 Transfer of records.
2002.27 CUI and the Freedom of Information Act (FOIA).
2002.28 CUI and the Privacy Act.
Authority: E.O. 13556, 75 FR 68675, 3 CFR, 2010 Comp., pp. 267-
270.
Subpart A--General Information
Sec. 2002.1 Purpose and scope.
(a) This part describes the executive branch's Controlled
Unclassified Information (CUI) Program (the CUI Program) and
establishes policy for designating, handling, and decontrolling
information that qualifies as CUI.
(b) The CUI Program standardizes the way the executive branch
handles sensitive information that requires protection under laws,
regulations, or Government-wide policies, but that does not qualify as
classified under Executive Order 13526, Classified National Security
Information, December 29, 2009 (3 CFR, 2010 Comp., p. 298), or the
Atomic Energy Act of 1954 (42 U.S.C. 2011, et seq.), as amended.
(c) Prior to the CUI Program, agencies often employed ad hoc,
agency-specific policies, procedures, and markings to handle this
information. This patchwork approach caused agencies to mark and handle
information inconsistently, implement unclear or unnecessarily
restrictive disseminating policies, and create obstacles to sharing
information.
(d) An executive branch-wide CUI policy balances the need to
safeguard CUI with the public interest in sharing information
appropriately and without unnecessary burdens.
(e) This part applies to all executive branch agencies that
designate or handle information that meets the standards for CUI. This
part also applies, by extension, to agency practices involving non-
executive branch CUI recipients, as follows:
(1) Contractors handling CUI for an agency. Executive branch
agencies must
[[Page 26504]]
include a requirement to comply with Executive Order 13556, Controlled
Unclassified Information, November 4, 2010 (3 CFR, 2011 Comp., p. 267)
(the Order), and this part in all contracts that require a contractor
to handle CUI for the agency. The contractual requirement must be
consistent with standards prescribed by the CUI Executive Agent.
(2) Other non-executive branch entities. When feasible, executive
branch agencies should enter formal information-sharing agreements and
include a requirement that any non-executive branch party to the
agreement comply with the Order, this part, and the CUI Registry. When
an agency's mission requires it to disseminate CUI without entering
into an information-sharing agreement, the agency must communicate to
the recipient that because of the sensitive nature of the information,
the Government strongly encourages the non-executive branch entity to
protect CUI consistent with the Order, this part, and the CUI Registry.
(f) This part rescinds Controlled Unclassified Information (CUI)
Office Notice 2011-01: Initial Implementation Guidance for Executive
Order 13556 (June 9, 2011).
(g) This part creates no right or benefit, substantive or
procedural, enforceable by law or in equity by any party against the
United States, its departments, agencies, or entities, its officers,
employees, or agents, or any other person.
(h) Nothing in this part alters, limits, or supersedes a
requirement stated in laws, regulations, or Government-wide policies.
Where laws, regulations, or Government-wide policies articulate the
requirements for protection of unclassified information, this part
accommodates and recognizes those requirements as ``CUI Specified.''
However, where agency-specific policy or ad hoc practices articulate
requirements for protection of unclassified information, the CUI
Executive Agent has the authority under the Order to establish control
policy. In such cases, this part would override such agency-specific or
ad hoc requirements if they are in conflict.
Sec. 2002.2 Definitions.
Agency includes any ``executive agency,'' as defined in 5 U.S.C.
105; the United States Postal Service; and any other independent entity
within the executive branch that designates or handles CUI.
Authorized holder is an individual, organization, or group of users
that is permitted to designate or handle CUI, consistent with this
part.
Classified information is information that Executive Order 13526,
``Classified National Security Information,'' December 29, 2009 (3 CFR,
2010 Comp., p. 298), or the Atomic Energy Act of 1954, as amended,
requires to have classified markings and protection against
unauthorized disclosure.
Controlled environment is any area or space an authorized holder
deems to have adequate physical or procedural controls (e.g., barriers
and managed access controls) to protect CUI from unauthorized access or
disclosure.
Control level is a general term that encompasses the category or
subcategory of specific CUI, along with any specific safeguarding and
disseminating requirements.
Controlled Unclassified Information (CUI) is information that laws,
regulations, or Government-wide policies require to have safeguarding
or dissemination controls, excluding classified information (see
definition of classified information, above).
CUI Basic is the default, uniform set of standards for handling all
categories and subcategories of CUI. CUI Basic differs from CUI
Specified in that, although laws, regulations, or Government-wide
policies establish the CUI Basic information as protected, it does not
specifically spell out any handling standards for that information. The
CUI Basic standards therefore apply whenever CUI Specified standards do
not cover the involved CUI.
CUI categories and subcategories are those types of information for
which laws, regulations, or Government-wide policies requires
safeguarding or dissemination controls, and which the CUI Executive
Agent has approved and listed in the CUI Registry.
CUI category or subcategory markings are the markings approved by
the CUI Executive Agent for the categories and subcategories listed in
the CUI Registry.
CUI Executive Agent is the National Archives and Records
Administration (NARA), which implements the executive branch-wide CUI
Program and oversees Federal agency actions to comply with the Order.
NARA has delegated this authority to the Director of the Information
Security Oversight Office (ISOO).
CUI Program is the executive branch-wide program to standardize CUI
handling by all Federal agencies. The Program includes the rules,
organization, and procedures for CUI, established by the Order, this
part, and the CUI Registry.
CUI Program manager is an agency official, designated by the agency
head or CUI senior agency official, to serve as the official
representative to the CUI Executive Agent on the agency's day-to-day
CUI Program operations, both within the agency and in interagency
contexts.
CUI Registry is the online repository for all information,
guidance, policy, and requirements on handling CUI, including
everything issued by the CUI Executive Agent other than this part.
Agencies and authorized holders must follow the requirements in the CUI
Registry. Among other information, the CUI Registry identifies all
approved CUI categories and subcategories, provides general
descriptions for each, identifies the basis for controls, and sets out
handling procedures.
CUI senior agency official is a senior official designated in
writing by an agency head and responsible to that agency head for
implementation of the CUI Program within that agency. The CUI senior
agency official is the primary point of contact for official
correspondence, accountability reporting, and other matters of record
between the agency and the CUI Executive Agent.
CUI Specified are the sets of standards that apply to CUI
categories and subcategories that have specific handling standards
required or permitted by authorizing laws, regulations, or Government-
wide policies. Only CUI categories and subcategories the CUI Executive
Agent approves and designates in the CUI Registry as CUI Specified may
use the specified standards rather than CUI Basic standards. Agencies
must apply CUI Basic standards to all CUI that is not included in a CUI
Specified category in the Registry, or when a CUI Specified authority
is silent on any aspect of handling the involved CUI. CUI Specified
standards may be more stringent than, or may simply differ from, those
required by CUI Basic; the distinction is that the underlying authority
spells out the standards for CUI Specified categories and does not for
CUI Basic ones.
Decontrolling occurs when an agency removes safeguarding or
dissemination controls from CUI that no longer requires such controls.
Designating occurs when an authorized holder determines that a CUI
category or subcategory covers a specific item of information and then
marks that item as CUI.
Designating agency is the executive branch agency that designates a
specific item of information as CUI.
Disseminating occurs when authorized holders transmit, transfer, or
provide access to CUI to other authorized holders through any means.
[[Page 26505]]
Document means any tangible thing, which constitutes or contains
information, and means the original and any copies (whether different
from the originals because of notes made on such copies or otherwise)
of all writings of every kind and description over which an agency has
authority, whether inscribed by hand or by mechanical, facsimile,
electronic, magnetic, microfilm, photographic, or other means, as well
as phonic or visual reproductions or oral statements, conversations, or
events, and including, but not limited to: Correspondence, email,
notes, reports, papers, files, manuals, books, pamphlets, periodicals,
letters, memoranda, notations, messages, telegrams, cables, facsimiles,
records, studies, working papers, accounting papers, computer disks,
computer tapes, telephone logs, computer mail, computer printouts,
worksheets, sent or received communications of any kind, teletype
messages, agreements, diary entries, calendars and journals, printouts,
drafts, tables, compilations, tabulations, recommendations, accounts,
work papers, summaries, address books, other records and recordings or
transcriptions of conferences, meetings, visits, interviews,
discussions, or telephone conversations, charts, graphs, indexes,
tapes, minutes, contracts, leases, invoices, records of purchase or
sale correspondence, electronic or other transcription of taping of
personal conversations or conferences, and any written, printed, typed,
punched, taped, filmed, or graphic matter however produced or
reproduced. Document also includes the file, folder, exhibits, and
containers, and the labels on them, associated with each original or
copy. Document also includes voice records, film, tapes, video tapes,
email, personal computer files, electronic matter, and other data
compilations from which information can be obtained, including
materials used in data processing.
Handling is any use of CUI, including but not limited to marking,
safeguarding, transporting, disseminating, re-using, and disposing of
the information.
Lawful Government purpose is any activity, mission, function,
operation, or endeavor that the U.S. Government authorizes or
recognizes within the scope of its legal authorities.
Legacy material is unclassified information that was marked or
otherwise controlled prior to implementation of the CUI Program.
Limited dissemination is any type of control on disseminating CUI
approved for use by the CUI Executive Agent.
Misuse of CUI occurs when someone uses CUI in a manner inconsistent
with the policy contained in the Order, this part, and the CUI
Registry, or any of the laws, regulations, and Government-wide policy
that establish CUI categories and subcategories. This may include
intentional violations or unintentional errors in safeguarding or
disseminating CUI.
Non-executive branch entity is a person or organization
established, operated, and controlled by individual(s) acting outside
the scope of any official capacity as officers, employees, or agents of
the executive branch of the Federal Government. Such entities may
include elements of the legislative or judicial branches of the Federal
government; State, interstate, Tribal, local, or foreign government
elements; and private or international organizations, including
contractors and vendors.
Portion is ordinarily a section within a document, and may include
subjects, titles, graphics, tables, charts, bullet statements, sub-
paragraphs, bullets points, or other sections, including those within
slide presentations.
Protection includes all controls an agency applies or must apply
when handling information that qualifies as CUI.
Public release occurs when an agency makes information formerly
designated as CUI available to members of the public through the
agency's official release processes. Disseminating CUI to non-executive
branch entities as authorized does not constitute public release; nor
does releasing information to an individual pursuant to the Privacy Act
of 1974.
Records are agency records and Presidential papers or Presidential
records (or Vice-Presidential), as those terms are defined in 44 U.S.C.
3301 and 44 U.S.C. 2201 and 2207. Records also include such items
created or maintained by a Government contractor, licensee, certificate
holder, or grantee that are subject to the sponsoring agency's control
under the terms of the contract, license, certificate, or grant.
Re-use means incorporating, disseminating, restating, or
paraphrasing CUI from its originally designated form into a newly
created document.
Self-inspection is an agency's internally managed review and
evaluation of its activities to implement the CUI Program.
Unauthorized disclosure occurs when individuals or entities that do
not have a lawful Government purpose to access the CUI gain access to
it. Unauthorized disclosure may be intentional or unintentional.
Uncontrolled unclassified information is information that neither
the Order nor classified information authorities cover as protected.
Although this information is not controlled or classified, agencies
must still handle it consistently with Federal Information Security
Modernization Act (FISMA) requirements.
Working papers are documents or materials, regardless of form, that
an agency or user expects to revise prior to creating a finished
product.
Sec. 2002.3 CUI Executive Agent.
(a) Section 2(c) of the Order designates NARA as the CUI Executive
Agent to implement this Order and to oversee agency efforts to comply
with the Order, this part, and the CUI Registry.
(b) NARA's Director of the Information Security Oversight Office
(ISOO) performs the duties assigned to NARA as the CUI Executive Agent.
Sec. 2002.4 Roles and responsibilities.
(a) The CUI Executive Agent:
(1) Develops and issues policy, guidance, and other materials, as
needed, to implement the Order and this part, and to establish and
maintain the CUI Program.
(2) Consults with affected agencies, State, local, Tribal, and
private sector partners, and representatives of the public on matters
pertaining to CUI.
(3) Establishes, convenes, and chairs the CUI Advisory Council (the
Council) to address matters pertaining to the CUI Program. The CUI
Executive Agent consults with affected agencies to develop and document
the Council's structure and procedures, and submits the details to OMB
for approval.
(4) Reviews and approves agency policies implementing this part
before agencies issue them to ensure their consistency with the Order,
this part, and the CUI Registry.
(5) Reviews, evaluates, and oversees agencies' actions to implement
the CUI Program, to ensure compliance with the Order, this part, and
the CUI Registry.
(6) Establishes a management and planning framework, including
associated deadlines for phased implementation, based on agency
compliance plans submitted pursuant to section 5(b) of the Order, and
in consultation with affected agencies and the Office of Management and
Budget (OMB).
(7) Approves categories and subcategories of CUI as needed and
publishes them in the CUI Registry.
(8) Prescribes standards, procedures, guidance, and instructions
for oversight
[[Page 26506]]
and agency self-inspection programs, to include performing on-site
inspections.
(9) Standardizes forms and procedures to implement the CUI Program.
(10) Considers and resolves, as appropriate, disputes, complaints,
and suggestions about the CUI Program from entities in or outside the
Government; and
(11) Reports to the President on implementation of the Order and
the requirements of this part. This includes publishing a report on the
status of agency implementation at least biennially, or more frequently
at the discretion of the CUI Executive Agent.
(b) Agency heads:
(1) Ensure agency senior leadership support, and make adequate
resources available to implement, manage, and comply with the CUI
Program as administered by the CUI Executive Agent.
(2) Designate a CUI senior agency official responsible for ensuring
agency implementation, management, and oversight of the CUI Program.
(3) Approve agency policies, as required, to implement the CUI
Program.
(c) CUI senior agency officials:
(1) Must be at the Senior Executive Service level or equivalent;
(2) Direct and oversee the agency's CUI Program;
(3) Designate a CUI Program manager;
(4) Ensure the agency has CUI implementing policies and plans, as
needed;
(5) Implement an education and training program pursuant to Sec.
2002.20 of this part;
(6) Upon request of the CUI Executive Agent under section 5(c) of
the Order, provide an update of CUI implementation efforts for
subsequent reporting;
(7) Develop and implement the agency's self-inspection program;
(8) Establish a process to accept and manage challenges to CUI
status, consistent with existing processes based in laws, regulations,
and Government-wide policies; and
(9) Establish processes and criteria for reporting and
investigating misuse of CUI.
(d) The Director of National Intelligence: After consultation with
the heads of affected agencies and the Director of the Information
Security Oversight Office, may issue directives to implement this part
with respect to the protection of intelligence sources, methods, and
activities. Such directives must be consistent with the Order, this
part, and the CUI Registry.
Subpart B--Key Elements of the CUI Program
Sec. 2002.10 The CUI Registry.
(a) The CUI Executive Agent maintains the CUI Registry, which
serves as the central repository for all information, guidance, policy,
and requirements on handling CUI, including authorized CUI categories
and subcategories, associated markings, and applicable decontrolling
procedures.
(b) The CUI Registry:
(1) Is the sole authoritative repository for information on CUI
except the Order and this part;
(2) Is publicly accessible;
(3) Includes citation(s) to laws, regulations, or Government-wide
policies that form the basis for each category and subcategory; and
(4) Notes any sanctions or penalties for misuse of each category or
subcategory of CUI that are included in applicable statutes or
regulations.
Sec. 2002.11 CUI categories and subcategories.
(a) CUI categories and subcategories are the exclusive means of
designating CUI throughout the executive branch. They identify
unclassified information that requires safeguarding or dissemination
controls, pursuant to and consistent with applicable laws, regulations,
and Government-wide policies. Agencies may not control any unclassified
information outside of the CUI Program.
(b) Agencies must designate CUI only by use of a category or
subcategory approved by the CUI Executive Agent and published in the
CUI Registry.
Sec. 2002.12 Safeguarding.
(a) General safeguarding policy. (1) Agencies must safeguard CUI at
all times in a manner that minimizes the risk of unauthorized
disclosure while allowing for access by authorized holders.
(2) Agency personnel must comply with policy in the Order, this
part, and the CUI Registry, and review their agency's CUI policies for
additional instructions. For categories designated as CUI Specified,
employees must also follow the procedures in the underlying laws,
regulations, or Government-wide policies that established the specific
category or subcategory involved.
(3) Safeguarding measures that are authorized or accredited for
classified information are also sufficient for safeguarding CUI.
(4) Pursuant to the Order and this part, and in consultation with
affected agencies, the CUI Executive Agent issues safeguarding
standards in the CUI Registry, and updates them as needed.
(b) CUI safeguarding standards. Agencies must safeguard CUI using
one of two types of standards:
(1) CUI Basic. CUI Basic is the default set of standards agencies
must apply to all CUI unless the CUI Registry annotates the relevant
information as CUI Specified.
(2) CUI Specified. (i) Agencies safeguard CUI using CUI Specified
standards only when the involved information falls into a category or
subcategory designated in the CUI Registry as CUI Specified. In such
cases, agencies should apply the specified set of standards required by
the underlying authorities, as indicated in the CUI Registry.
(ii) When the authorizing laws, regulations, or Government-wide
policies for a specific CUI Specified category or subcategory is silent
on a safeguarding or disseminating requirement, agencies must handle
that requirement using the CUI Basic standards, unless this results in
any treatment that is inconsistent with the CUI Specified authority. If
such a conflict occurs, agencies follow the CUI Specified authority's
requirements.
(c) Protecting CUI under the control of an authorized holder. (1)
Authorized holders must have access to controlled environments in which
to protect CUI from unauthorized access or observation.
(2) When discussing CUI, you must reasonably ensure that
unauthorized individuals cannot overhear the conversation.
(3) When outside a controlled environment, you must keep the CUI
under your direct control or protect it with at least one physical
barrier. You or the physical barrier must reasonably protect the CUI
from unauthorized access or observation.
(4) Agencies must protect the confidentiality of CUI that is
processed, stored, or transmitted on Federal information systems
consistently with the security requirements and controls established in
FIPS Publication 199, FIPS Publication 200, and NIST SP 800-53.
(d) Protecting CUI not under control of an authorized holder. (1)
You may use the United States Postal Service or any commercial delivery
service when you need to transport or deliver CUI to another
organization.
(2) We encourage you to use in-transit automated tracking and
accountability tools when you send CUI.
(3) You may use interoffice or interagency mail systems to
transport CUI.
(4) Mark packages that contain CUI to indicate that they are
intended for the
[[Page 26507]]
recipient only and should not be forwarded.
(5) Do not put CUI markings on the outside of an envelope or
package.
(e) Reproducing CUI. (1) You may reproduce (e.g., copy, scan,
print, electronically duplicate) CUI in furtherance of a lawful
Government purpose.
(2) When reproducing CUI documents on equipment such as printers,
copiers, scanners, or fax machines, you must ensure that the equipment
does not retain data or you must otherwise sanitize it in accordance
with NIST SP 800-53.
(f) Destroying CUI. (1) You may destroy CUI when:
(i) Your agency no longer needs the information; and
(ii) Records disposition schedules published or approved by NARA or
other applicable laws, regulations, or Government-wide policies no
longer require your agency to retain the records.
(2) When destroying CUI, including in electronic form, you must do
so in a manner that makes it unreadable, indecipherable, and
irrecoverable, using any of the following:
(i) Guidance for destruction in NIST SP 800-53, Security and
Privacy Controls for Federal Information Systems and Organizations, and
NIST SP 800-88, Guidelines for Media Sanitization;
(ii) Any method of destruction approved for Classified National
Security Information, as delineated in 32 CFR 2001.47, Destruction, or
any implementing or successor guidance; or
(iii) Any specific destruction methods required by laws,
regulations, or Government-wide policies for that item.
(g) Information systems that process, store, or transmit CUI.
(1) Agencies must apply information system requirements to CUI that
are consistent with already-required NIST standards and guidelines and
OMB policies. The Federal Information Security Modernization Act
(FISMA) of 2014, 44 U.S.C. 3541, et seq., requires all Federal agencies
to apply the standards in FIPS Publication 199 and FIPS Publication
200. FIPS Publication 200 and OMB Memorandum-14-04, November 18, 2013,
require all Federal agencies to also apply the appropriate security
requirements and controls from NIST SP 800-53. All three sets of
publications are free and available from the NIST Web site at http://www.nist.gov/publication-portal.cfm.
(2) Consistent with this already-established framework governing
all Federal information systems, CUI is categorized at the moderate
confidentiality impact level in accordance with FIPS Publication 199.
Likewise, agencies must also apply the appropriate security
requirements and controls from FIPS Publication 200 and NIST SP 800-53
consistently with any risk-based tailoring decisions. Agencies may
increase the confidentiality impact level above moderate and apply
additional security requirements and controls only internally; they may
not require anyone outside the agency to use a higher impact level or
more stringent security requirements and controls.
Sec. 2002.13 Accessing and disseminating.
(a) General policy. (1) Agencies should disseminate and permit
access to CUI, provided such access or dissemination:
(i) Abides by the laws, regulations, or Government-wide policies
that established the CUI category or subcategory;
(ii) Furthers a lawful Government purpose;
(iii) Is not restricted by an authorized limited dissemination
control established by the CUI Executive Agent; and,
(iv) Is not otherwise prohibited by law.
(2) Agencies should impose controls only as necessary to abide by
restrictions on access to CUI. Agencies may not impose controls that
unlawfully or improperly restrict access to CUI.
(3) Prior to disseminating CUI, you must mark CUI according to
marking guidance issued by the CUI Executive Agent.
(4) Non-executive branch entities may receive CUI directly from
members of the executive branch or as sub-recipients from other non-
executive branch entities.
(5) In order to disseminate CUI to a non-executive branch entity,
you must have a reasonable expectation that the recipient will continue
to control the information in accordance with the Order, this part, and
the CUI Registry.
(6) When feasible, agencies should enter into a written agreement
with any intended non-executive branch entity. At a minimum, such
agreements must specify that:
(i) CUI remains under the legal control of the Federal Government
and its misuse is subject to penalties permitted under applicable laws,
regulations, or Government-wide policies;
(ii) Non-executive branch entities must handle CUI consistently
with the Order, this part, and the CUI Registry; and
(iii) The non-executive branch entity must report any non-
compliance with handling requirements to the disseminating agency's CUI
senior agency official. When the disseminating agency is not the
designating agency, the disseminating agency must notify the
designating agency.
(b) Controls on accessing and disseminating CUI--(1) CUI Basic. You
should disseminate and encourage access to CUI Basic for any recipient
when it meets the requirements set out in paragraph (a)(1) of this
section.
(2) CUI Specified. You may disseminate and allow access to CUI
Specified as permitted by the authorizing laws, regulations, or
Government-wide policies that established that category or subcategory
of CUI Specified.
(i) The CUI Registry annotates CUI categories and subcategories
that contain Specified controls.
(ii) In the absence of specific dissemination restrictions,
agencies may disseminate and allow access to the CUI as they would for
CUI Basic.
(3) Limited dissemination. (i) You may place limits on
disseminating CUI only through the use of limited dissemination
controls approved by the CUI Executive Agent and published in the CUI
Registry.
(ii) Use of limited dissemination controls to unnecessarily
restrict access to CUI is contrary to the stated goals of the CUI
Program. You may therefore use these controls only when it serves a
lawful Government purpose, or you are required by laws, regulations, or
Government-wide policies to do so.
(iii) You may apply limited dissemination controls to any CUI that
is required or permitted to have restricted access by or to certain
entities.
(iv) You may combine the approved limited dissemination controls
listed in the CUI Registry to accommodate necessary practices.
(c) Methods of disseminating CUI. (1) Before disseminating CUI, you
must reasonably expect that all intended recipients are authorized to
receive the CUI. You may then disseminate the CUI by any method that
meets the safeguarding requirements of this part and ensures receipt in
a timely fashion, unless the laws, regulations, or Government-wide
policies that govern that category or subcategory of CUI requires
otherwise.
(2) To disseminate CUI using systems or components that are subject
to NIST guidelines and publications (e.g., email applications, text
messaging, facsimile, or voicemail), you must do so consistently with
the moderate confidentiality value set out in the
[[Page 26508]]
FISMA-mandated FIPS Publication 199, FIPS Publication 200, and NIST SP
800-53.
Sec. 2002.14 Decontrolling.
(a) Agencies may decontrol CUI that they have designated:
(1) When laws, regulations or Government-wide policies no longer
require its control as CUI;
(2) In response to a request by an authorized holder to decontrol
it, if the agency is the designating agency;
(3) When the designating agency decides to release it to the public
by making an affirmative, proactive disclosure;
(4) When the agency releases it in accordance with an applicable
information access statute, such as the Freedom of Information Act
(FOIA);
(5) Consistent with any declassification action under Executive
Order 13526 or any predecessor or successor order; or
(6) When a pre-determined event or date occurs, as described in the
decontrol indicators section of this part.
(b) Decontrolling may occur automatically upon the occurrence of
one of the conditions in paragraph (a) of this section, or through an
affirmative decision by the designating agency.
(c) Only personnel that an agency authorizes may decontrol CUI.
(d) Decontrolling CUI relieves authorized holders from requirements
to handle the information under the CUI Program, but does not
constitute authorization for public release.
(e) Agencies should decontrol any CUI designated by their agency
that no longer requires CUI controls as soon as practicable.
(f) You must remove or strike through with a single straight line
all CUI markings when restating, paraphrasing, re-using, releasing to
the public, or donating CUI to a private institution. Otherwise, you
are not required to mark, review, or take other actions to indicate the
CUI is no longer controlled.
(1) Agencies may establish policy that allows holders to remove or
strike through only those markings on the first or cover page of the
CUI.
(2) If you use the decontrolled CUI in a newly created document,
you must remove all CUI markings for the decontrolled information.
(g) Once decontrolled, any public release of information that was
formerly CUI must be in accordance with existing agency policies on the
public release of information.
(h) You may request that the designating agency decontrol certain
CUI. Agency heads or the CUI senior agency official must establish
processes for handling CUI decontrol requests submitted by authorized
holders.
(i) If an authorized holder publicly releases CUI in accordance
with the designating agency's authorized procedures, the release
constitutes decontrol of the information.
(j) Unauthorized disclosure of CUI does not constitute decontrol.
(k) You must not decontrol CUI in an attempt to conceal,
circumvent, or mitigate an identified unauthorized disclosure.
(l) When laws, regulations, and Government-wide policies require
specific decontrol procedures, you must follow such requirements.
(m) The Archivist of the United States may decontrol records
transferred to the National Archives in accordance with Sec. 2002.26
of this part, absent a specific agreement otherwise with the
originating agency. The Archivist decontrols records to facilitate
public access pursuant to 44 U.S.C. 2108 and NARA's regulations at 36
CFR parts 1235, 1250, and 1256.
Sec. 2002.15 Marking.
(a) General marking policy. (1) CUI markings listed in the CUI
Registry are the only control markings authorized to designate
unclassified information requiring safeguarding or dissemination
controls. You must mark CUI exclusively in accordance with this part
and the CUI Registry.
(2) You must uniformly and conspicuously apply CUI markings to all
CUI prior to disseminating it unless otherwise specifically permitted
by the CUI Executive Agent or as provided below.
(3) The CUI Program prohibits using markings or practices not
included in this part or the CUI Registry. Agencies must take active
measures to discontinue use of any other markings, in accordance with
guidance from the CUI Executive Agent. Agencies may not modify CUI
Program markings or deviate from the method of use prescribed by the
CUI Executive Agent in an effort to accommodate existing agency marking
practices, except in extraordinary circumstances approved by the CUI
Executive Agent.
(4) The designating agency determines that the information
qualifies for CUI status and applies the appropriate CUI marking at the
time of designation.
(5) You must not mark information as CUI to conceal illegality,
negligence, ineptitude, or other disreputable circumstances
embarrassing to any person, any agency, the Federal Government, or any
partners thereof.
(6) The CUI Program does not require agencies to redact or re-mark
documents that bear legacy markings. However, agencies must mark as CUI
any information they derive from such documents and re-use in a new
document, if the information qualifies as CUI.
(7) When marking is excessively burdensome, an agency's CUI senior
agency official may approve waivers of all or some of the marking
requirements for CUI designated within that agency. However, all CUI
must be marked when disseminated outside of that agency.
(i) When CUI senior agency officials grant such waivers, they must
still ensure that the agency appropriately safeguards and disseminates
the CUI.
(ii) The CUI senior agency official must detail in each waiver the
alternate protection methods the agency must employ to ensure
protection of the CUI in question.
(iii) All such waivers apply to CUI only while in possession of
employees of that agency.
(8) The lack of a CUI marking on information does not exempt the
information from applicable handling requirements set forth in laws,
regulations, or Government-wide policies.
(b) The CUI banner marking. You must mark all CUI with a CUI banner
marking, which may include up to three elements:
(1) The CUI control marking (mandatory). (i) The CUI control
marking may consist of either the word ``CONTROLLED'' or the acronym
``CUI'' (at the designator's discretion). You may not use alternative
markings to identify or mark items as CUI.
(ii) If you include in the banner marking other authorized CUI
markings in addition to the CUI control marking (as set out below),
separate those elements from the CUI control marking by a single slash
(``/'').
(2) CUI category and subcategory markings (mandatory for CUI
Specified). (i) The CUI Registry lists the category and subcategory
markings, which align with the CUI's designated category or
subcategory.
(ii) The CUI senior agency official may approve optional use of CUI
category and subcategory markings for CUI Basic, through agency policy.
The policy may also address whether to include these markings in the
CUI banner marking. When the CUI senior agency official has approved
CUI Basic category or subcategory markings through agency policy, you
may include those markings in the CUI banner marking when multiple
categories or subcategories are present.
(iii) You must use CUI category and subcategory markings for CUI
Specified.
[[Page 26509]]
If laws, regulations, or Government-wide policies require specific
marking, disseminating, informing, or warning statements, you must use
those indicators as required by those authorities. However, you must
not include these additional indicators in the CUI banner marking or
portion markings.
(iv) Include in the CUI banner marking all CUI Specified category
or subcategory markings; other category or subcategory markings that
may apply are optional.
(v) List category or subcategory markings in alphabetical order,
using the approved abbreviations listed in the CUI Registry, and
separate multiple categories or subcategories from each other by a
single slash (``/'').
(3) Limited dissemination control markings. (i) CUI limited
dissemination control markings align with limited dissemination
controls established under Sec. 2002.13(b)(3) of this part.
(ii) Designating agencies must establish agency policy that
includes specific criteria for when, and by whom, they will allow the
use of limited dissemination controls and control markings, and ensure
the policy aligns with the requirements in Sec. 2002.13(b)(3) of this
part.
(iii) In accordance with its policy, the designating agency may
apply limited dissemination control markings when it designates
information as CUI and may approve later requests by authorized holders
to apply them. Authorized holders may apply limited dissemination
control markings only with the approval of the designating agency.
(iv) When including limited dissemination control markings in the
CUI banner marking, use a double slash (``//'') to separate them from
the previous element of the CUI banner marking (e.g. ``CUI//NOFORN'' or
``CONTROLLED/LEI//NOFORN'').
(v) List limited dissemination control markings in alphabetical
order, using the approved abbreviations listed in the CUI Registry, and
separate them from each other by a single slash (``/'').
(c) Using the CUI banner marking. (1) The content of the CUI banner
marking must apply to the whole document (e.g., inclusive of all CUI
within the document) and must be the same on every page on which you
use it.
(2) The CUI banner marking must appear, at a minimum, at the top
center of each page containing CUI.
(3) For non-document formats, the container or portion of the item
that is first visible must carry the banner.
(d) CUI designation indicator (mandatory). (1) All media containing
CUI must carry an indicator of who designated the CUI within it. This
should include:
(i) The designator's agency (at a minimum); and
(ii) If not otherwise evident, the designating agency or office via
a ``Controlled by'' line. For example, ``Controlled by: Division 5,
Department of Good Works.''
(2) The designation indicator must be readily apparent to
authorized holders and may appear only on the first page or cover.
(e) CUI decontrolling indicators. (1) Where feasible, designating
agencies must include a specific decontrolling date or event with all
media containing CUI. This may be accomplished in any manner that makes
the decontrolling schedule readily apparent to an authorized holder.
(2) When used, decontrolling indicators must use the format:
``Decontrol On:'' followed by a date or name of a specific event.
(3) If using a specific decontrolling date, list it in the format
``YYYYMMDD.''
(i) Decontrol is presumed at midnight local time on the date
indicated.
(ii) Authorized holders may consider specific items of CUI as
decontrolled as of the date indicated, requiring no further review by,
or communication with, the designator.
(4) If using a specific event after which the CUI is considered
decontrolled:
(i) The event must be foreseeable and verifiable by any authorized
holder (e.g., not based on or requiring special access or knowledge);
(ii) State the event title in bullet format rather than a narrative
statement; and
(iii) Include point of contact and preferred method of contact
information in the decontrol indicator when using this method, to allow
authorized holders to verify that a specified event has occurred.
(f) Portion marking CUI. (1) Agencies are permitted and encouraged
to portion mark all CUI, to facilitate information sharing and proper
handling.
(2) You may mark CUI only with portion markings approved by the CUI
Executive Agent and listed in the CUI Registry.
(3) CUI portion markings consist of the following elements:
(i) The CUI control marking, which must be the acronym ``CUI'';
(ii) CUI category/subcategory portion markings (if required); and
(iii) CUI limited dissemination control portion markings (if
required).
(4) When using portion markings:
(i) You must indicate CUI portions by placing the required portion
marking for each portion inside parentheses, immediately before the
portion to which it applies (e.g. ``(CUI)'' or ``(CUI/LEI//NF).''
(ii) CUI category and subcategory markings are optional for CUI
Basic. Agencies should manage their use by means of agency policy.
(iii) You must portion mark both CUI and uncontrolled unclassified
portions. Indicate the uncontrolled unclassified portions by using a
``(U)'' immediately preceding the portion to which it applies.
(5) In cases where portions consist of several segments, such as
paragraphs, sub-paragraphs, bullets, and sub-bullets, and the control
level is the same throughout, you may place a single portion marking at
the beginning of the primary paragraph or bullet. However, if the
portion includes different CUI categories or subcategories, you must
portion mark all segments separately to avoid improper control of any
one segment.
(6) Each portion must reflect the control level of that individual
portion and not any other portions. If the information contained in a
sub-paragraph or sub-bullet is a different CUI category or subcategory
from its parent paragraph or parent bullet, this does not make the
parent paragraph or parent bullet controlled at that same level.
(g) Commingling CUI markings with classified information. (1) When
you include CUI in documents that also contain classified information,
you must make the following changes to the CUI marking scheme:
(i) Portion mark all CUI to ensure that CUI portions can be
distinguished from portions containing classified and uncontrolled
unclassified information;
(ii) Include CUI Specified category and subcategory markings in the
overall banner marking;
(iii) Include the CUI control marking (``CUI'') in the overall
marking banner directly before the CUI category and subcategory
markings (e.g., ``CUI/SP-PCII''). This applies only when CUI category
and subcategory markings are included in the banner;
(iv) Separate category and subcategory markings from each other by
a single slash (e.g. ``CUI/SP-PCII/SP-UCNI'');
(v) Include all CUI limited dissemination controls with each CUI
portion and in the CUI section of the overall classified marking
banner, if applicable. Separate limited dissemination markings from
each other by a single slash (``/''); and
[[Page 26510]]
(vi) Separate the entire CUI marking string for the CUI banner
marking from other parts of the overall classified marking banner by
using a double slash (``//'') on either end. However, if the CUI
marking string is the final portion of the overall classified marking
banner, do not use an ending double slash (``//'').
(2) Commingling restricted data (RD) and formerly restricted data
(FRD) with CUI. (i) To the extent possible, avoid commingling RD or FRD
with CUI in the same document. When it is not practicable to avoid such
commingling, follow the marking requirements in the Order, this part,
and the CUI Registry, as well as the marking requirements in 10 CFR
part 1045, Nuclear Classification and Declassification.
(ii) The decontrolling provisions of the Order do not apply to
portions marked as containing RD or FRD.
(iii) Add ``Not Applicable (or N/A) to RD/FRD portions'' to the
``Decontrol On'' line for commingled documents.
(iv) Follow the requirements of 10 CFR part 1045 when extracting an
RD or FRD portion for use in a new document.
(v) Follow the requirements of the Order, this part, and the CUI
Registry if extracting a CUI portion for use in a new document.
(vi) The lack of declassification instructions for RD or FRD
portions does not eliminate the requirement to process commingled
documents for declassification in accordance with the Atomic Energy
Act, or 10 CFR part 1045.
(h) Transmittal document marking requirements. (1) When a
transmittal document accompanies CUI, the transmittal document must
include a CUI marking on its face (``CONTROLLED'' or ``CUI''),
indicating that CUI is attached or enclosed.
(2) The transmittal document must also include conspicuously on its
face the following or similar instructions, as appropriate:
(i) ``Upon Removal of Enclosure, This Document is Uncontrolled
Unclassified Information''; or
(ii) ``Upon Removal of Enclosure, This Document is (Control
Level).''
(i) Working papers. Mark working papers containing CUI as required
for any CUI contained within them and handle them in accordance with
this part and the CUI Registry.
(j) Using supplemental administrative markings with CUI. (1) Agency
heads may authorize the use of supplemental administrative markings
(e.g. ``Pre-decisional,'' ``Deliberative,'' ``Draft'') for use with
CUI.
(2) Agency heads may not authorize the use of supplemental
administrative markings to establish safeguarding requirements or
disseminating restrictions, or to designate the information as CUI.
(3) To be eligible for use with CUI, agencies must detail use and
requirements for supplemental administrative markings in agency policy
that is available to anyone who may come into possession of CUI
carrying these markings.
(4) Do not incorporate or include supplemental administrative
markings in the CUI markings.
(5) Supplemental administrative markings must not duplicate any CUI
marking described in this part and the CUI Registry.
(k) Unmarked CUI. Treat unmarked information that qualifies as CUI
as described in the Order, this part, and the CUI Registry.
Sec. 2002.16 Waivers of CUI requirements in exigent circumstances.
(a) In exigent circumstances, the agency head or the CUI senior
agency official may waive the requirements established in this part or
the CUI Registry for any CUI within the agency's possession or control,
unless specifically prohibited by applicable laws, regulations, or
Government-wide policies.
(b) When the circumstances requiring the waiver end, the agency
must reinstitute the requirements for all CUI covered by the waiver.
Sec. 2002.17 Limitations on applicability of agency CUI policies.
(a) Agency policies pertaining to CUI do not apply to entities
outside that agency unless the CUI Executive Agent approves their
application and publishes them in the CUI Registry.
(b) Agencies may not include any requirements on handling CUI other
than those contained in the Order, this part, or the CUI Registry when
entering into contracts, treaties, or other agreements with entities
outside of that agency.
Subpart C--CUI Program Management
Sec. 2002.20 Education and training.
(a) The agency head or CUI senior agency official must establish
policies that address the means, methods, and frequency of agency CUI
training.
(b) At a minimum, agencies must ensure that personnel who have
access to CUI receive training on creating CUI, relevant CUI categories
and subcategories, the CUI Registry, associated markings, and
applicable safeguarding, disseminating, and decontrolling policies and
procedures. Agencies must ensure that it trains employees on these
matters when the employees first begin working for the agency and at
least once every two years thereafter, at a minimum.
(c) The CUI Executive Agent may review agency training materials to
ensure consistency and compliance with the Order, this part, and the
CUI Registry.
Sec. 2002.21 Agency self-inspection program.
(a) Agency heads must establish and maintain a self-inspection
program to ensure compliance with the principles and requirements of
the Order, this part, and the CUI Registry.
(b) The self-inspection program must include no less than annual
periodic review and assessment of the agency's CUI program. The agency
head or CUI senior agency official should determine frequency based on
program needs and the degree of designation activity.
(c) The self-inspection program must include:
(1) Self-inspection methods, reviews, and assessments that serve to
evaluate program effectiveness, measure the level of compliance, and
monitor the progress of CUI implementation;
(2) Formats for documenting self-inspections and recording
findings, when not prescribed by the CUI Executive Agent;
(3) Procedures by which to integrate lessons learned and best
practices arising from reviews and assessments into operational
policies, procedures, and training;
(4) A process for resolving deficiencies and taking corrective
actions in an accountable manner; and
(5) Analysis and conclusions from the self-inspection program,
documented on an annual basis and as requested by the CUI Executive
Agent.
Sec. 2002.22 Challenges to designation of information as CUI.
(a) Authorized holders of CUI who, in good faith, believe that its
designation as CUI is improper or incorrect should notify the
designating agency of this belief.
(b) Agency CUI senior agency officials must create a process within
their agency to accept and manage challenges to CUI status. At a
minimum, this process must include a timely response to the challenger
that:
(1) Acknowledges receipt of the challenge;
(2) States an expected timetable for response to the challenger;
(3) Provides an opportunity for the challenger to define their
rationale for belief that the CUI in question is inappropriately
designated;
(4) Gives contact information for the official making the agency's
decision in this matter; and
[[Page 26511]]
(5) Ensures that challengers are not subject to retribution for
bringing such challenges.
(c) Until the challenge is resolved, continue to safeguard and
disseminate the challenged CUI at the control level indicated in the
markings.
(d) If a challenging party disagrees with the response to their
challenge, that party may use the Dispute Resolution procedures
described in Sec. 2002.23 of this part.
Sec. 2002.23 Dispute resolution.
(a) All parties to a dispute arising from implementation or
interpretation of the Order, this part, or the CUI Registry should make
every effort to resolve the dispute expeditiously. Disputes should be
resolved within a reasonable, mutually acceptable time period, taking
into consideration the mission, sharing, and protection requirements of
the parties concerned.
(b) If parties to a dispute cannot reach a mutually acceptable
resolution, either party may refer the matter to the CUI Executive
Agent.
(c) The CUI Executive Agent is the impartial arbiter of the dispute
and has the authority to render a decision on the dispute after
consultation with all affected parties, unless laws, regulations, or
Government-wide policies otherwise specifically govern requirements for
the involved category or subcategory of information. If a party to the
dispute is also a member of the Intelligence Community, the CUI
Executive Agent must consult with the Office of the Director of
National Intelligence beginning when the CUI Executive Agent receives
the dispute for resolution.
(d) Until the dispute is resolved, continue to safeguard and
disseminate any disputed CUI at the control level indicated in the
markings.
(e) Per section 4(e) of the Order, parties may appeal the CUI
Executive Agent's decision through the Director of OMB to the President
for resolution.
Sec. 2002.24 Misuse of CUI.
(a) CUI senior agency officials establish agency processes and
criteria for reporting and investigating misuse of CUI.
(b) The CUI Executive Agent reports findings on any incident
involving misuse of CUI to the offending agency's CUI senior agency
official or CUI Program manager for action, as appropriate.
Sec. 2002.25 Sanctions for misuse of CUI.
(a) To the extent that agency heads are otherwise authorized to
take administrative action against agency personnel who misuse CUI,
agency CUI policy governing misuse should reflect that authority.
(b) Where laws, regulations, or Government-wide policies governing
certain categories or subcategories of CUI specifically establishes
sanctions, agencies must adhere to such sanctions.
Sec. 2002.26 Transferring records.
(a) When feasible, agencies must decontrol records containing CUI
prior to transferring them to NARA.
(b) When an agency cannot decontrol records before transferring
them to NARA, the agency must:
(1) Indicate on a Transfer Request (TR) in NARA's Electronic
Records Archives (ERA) or on an SF 258 paper transfer form, that the
records should continue to be controlled as CUI (subject to NARA's
regulations on transfer, public availability, and access; see 36 CFR
parts 1235, 1250, and 1256); and
(2) For hard copy transfer, place the appropriate CUI marking on
the outside of the container to indicate that it contains information
designated as CUI.
(c) If the agency does not indicate the CUI status on both the
container and the TR or SF 258, NARA may assume the information was
decontrolled prior to transfer, regardless of any CUI markings on the
actual records.
Sec. 2002.27 CUI and the Freedom of Information Act (FOIA).
(a) The mere fact that information is designated as CUI has no
bearing on determinations pursuant to any law requiring the disclosure
of information or permitting disclosure as a matter of discretion.
(b) Accordingly, agencies must ensure that:
(1) They do not cite the FOIA as a CUI safeguarding or
disseminating control authority for CUI; and
(2) Agency FOIA reviewers use FOIA release standards and exemptions
to determine whether or not to release records in response to a FOIA
request; they do not use CUI markings and designations as a dispositive
factor in making a FOIA disclosure determination.
Sec. 2002.28 CUI and the Privacy Act.
The fact that records are subject to the Privacy Act of 1974 does
not mean that agencies must mark them as CUI. Consult agency guidance
to determine which records may be subject to the Privacy Act. However,
information contained in Privacy Act systems of records may be subject
to controls under other CUI categories or subcategories and the agency
may need to mark that information as CUI for that reason.
Dated: April 27, 2015.
David S. Ferriero,
Archivist of the United States.
[FR Doc. 2015-10260 Filed 5-7-15; 8:45 am]
BILLING CODE 7515-01-P
