Controlled Unclassified Information (CUI) Program Frequently Asked Questions (FAQs)
Everything you need to know about Controlled Unclassified Information (CUI). The questions are broken into the following sections:
General CUI
What is CUI?
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and Government-wide policies, but is not classified under Executive Order 13526 “Classified National Security Information” or the Atomic Energy Act, as amended.
What are examples of CUI?
CUI is an umbrella term that encompasses many different markings to identify information that is not classified but which should be protected. Some examples you may be familiar with:
- Personally Identifiable Information (PII)
- Sensitive Personally Identifiable Information (SPII)
- Proprietary Business Information (PBI) or currently known within EPA as Confidential Business Information (CBI)
- Unclassified Controlled Technical Information (UCTI)
- Sensitive but Unclassified (SBU)
- For Official Use Only (FOUO)
- Law Enforcement Sensitive (LES), and others.
What is the Federal CUI Registry?
The Federal CUI Registry, shows authorized categories and associated markings, as well as applicable safeguarding, dissemination, and decontrol procedures. The Registry is updated as agencies continue to submit governing authorities that authorize the protection and safeguarding of sensitive information.
Program Background
What is the CUI Program?
Executive Order 13556, Controlled Unclassified Information, requires the Executive Branch to “establish an open and uniform program for managing [unclassified] information that requires safeguarding or dissemination controls pursuant to and consistent with laws, regulations, and Government-wide policies.” The National Archives and Records Administration (NARA) was named the Executive Agent responsible for overseeing the CUI Program.
On September 14, 2016, NARA issued a final rule amending 32 CFR Part 2002 to establish a uniform policy for all Federal agencies. This created Government-wide CUI standards including designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI; self-inspection and oversight requirements; and other facets of the CUI Program.
Why was CUI established?
Federal agencies often generate, use, store, and share information that requires protection from unauthorized access and release, but does not meet the thresholds for classification as national security or atomic energy information.
In the past, each agency developed its own practices for sensitive unclassified information, resulting in a patchwork of systems across the Executive branch. Similar information might be defined or labeled differently, or dissimilar information might share a the same label. CUI was established to standardize the way the Executive branch handles sensitive information that requires dissemination controls.
How does the CUI Program help Federal agencies, including EPA?
The CUI Program is an initiative to standardize practices across more than 100 separate departments and agencies, as well as state, local, tribal and, private sector entities; academic entities; and industry. This will enable timely and consistent information sharing and increase transparency throughout the Federal government and with non-Federal stakeholders.
Program Governance
What is the Federal CUI governance structure?
The National Archives and Records Administration (NARA) serves as the Executive Agent for CUI. NARA has the authority to manage CUI Programs across the Federal government.
NARA issues policy directives and publishes an annual report to the President of the United States on the status of agency CUI Programs in accordance with Executive Order 13556, Controlled Unclassified Information.
What is EPA’s CUI governance structure?
EPA's CUI Program is located in EPA's Office of Mission Support. The CUI Program is responsible for issuing CUI policy, procedures, training, and guidance to program offices and regions, along with providing oversight and reporting on the Agency’s progress on meeting NARA’s CUI deadlines.
CUI at EPA
When did EPA transition to CUI markings?
In February 2023, the EPA officially began CUI practices (designating, marking, safeguarding, disseminating, and decontrolling). The EPA will phase out legacy markings and safeguarding practices as needed.
What changes can be expected as a result of this transition to CUI markings?
EPA changes may include:
- Amendments to EPA regulations
- Amendments to a variety of policy documents as well as others referencing Confidential Business Information (CBI) submissions or handling
- Changes to paper and e-forms and instructions for their submission to EPA
- Changes to various data systems that store and sometimes share sensitive information outside EPA.
Resources and Contacts
Who should I talk to regarding EPA CUI?
For programmatic questions regarding Controlled Unclassified Information (CUI), including any challenges to CUI marked by EPA, please contact EPA's CUI Program Office.