Controlled Unclassified Information

Categories of CUI

*not every category and authority listed is applicable to ODU*

  • Critical Infrastructure
  • Defense
  • Export Control
  • Financial & Tax
  • Immigration
  • Intelligence
  • International Agreements
  • Law Enforcement
  • Legal
  • Natural & Cultural Resources
  • NATO
  • Nuclear
  • Patent
  • Privacy
  • Procurement & Acquisition
  • Proprietary Business Information
  • Statistical
  • Tax
  • Transportation

A complete list of categories, sub-categories, and descriptions can be found at https://www.dodcui.mil/

What is CUI?

Controlled Unclassified Information (CUI) is a category of unclassified information within the U.S. Federal government that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. The CUI program was created by Executive Order 13556, which established a program for managing CUI across the Executive branch and designated the National Archives and Records Administration (NARA) as Executive Agent to implement the Order and oversee agency actions to ensure compliance. The Information Security Oversight Office (ISOO) was delegated the responsibilities of the Executive Agent by the Archivist of the United States.

The CUI program establishes uniform policies and procedures for safeguarding and disseminating information that is deemed sensitive but unclassified, including information related to national security, law enforcement, privacy, and other areas of government operations. This information can also include trade secrets, financial data, and personally identifiable information provided to the government by private sector entities. The CUI program also provides guidance on how to handle CUI throughout its lifecycle, including how to designate, mark, safeguard, disseminate, decontrol, and dispose of CUI. This includes establishing consistent practices for controlling access, providing training and oversight, and reporting incidents involving unauthorized disclosure or loss of CUI.

Entities that handle CUI must comply with the policies and procedures established by the CUI program. This includes implementing specific security controls and training programs to ensure that employees and contractors understand the importance of protecting CUI. Entities are also required to report any suspected or actual incidents of unauthorized disclosure or loss of CUI to the appropriate authorities. The CUI program is designed to balance the need for sharing information among government agencies and with private sector partners, while also safeguarding against potential security risks.

Controlled Unclassified Information (CUI) is important because it plays a critical role in protecting national security, privacy, and other important interests, while also promoting collaboration and information sharing among government agencies and private sector partners. The management of CUI is governed by a set of policies and procedures designed to balance the need for sharing information with the need for safeguarding against potential security risks. These policies and procedures are established to ensure that CUI is protected from unauthorized disclosure or misuse. 

The importance of CUI is reflected in its scope, which encompasses a wide range of information types, including sensitive but unclassified information related to national security, law enforcement, privacy, and other areas of government operations. This information can also include trade secrets, financial data, and personally identifiable information provided to the government by private sector entities. The handling of this information requires specific security controls and training programs to ensure that employees and contractors understand the importance of protecting this information. 

In addition to protecting sensitive but unclassified information, the CUI program also promotes collaboration and information sharing among government agencies and private sector partners. This is important for ensuring effective communication and coordination among different entities that may be working on similar issues. The CUI program also provides guidance on how to handle CUI throughout its lifecycle, including how to designate, mark, safeguard, disseminate, decontrol, and dispose of CUI. This helps ensure that CUI is managed consistently across government agencies and with private sector partners. Overall, the CUI program is an essential component of the U.S. government's efforts to balance the need for sharing information with the need for safeguarding against potential security risks. 

Controlled Unclassified Information (CUI) is important to Old Dominion University (ODU) because the University is responsible for safeguarding and properly disseminating CUI that is received or created during all operations. The University may receive CUI from various sources such as research collaborations with government agencies, contracting with government entities, or even by handling student data. It is essential for the University to maintain compliance with applicable laws, regulations, and government-wide policies for safeguarding and disseminating CUI. Failure to do so may result in legal and financial consequences, as well as reputational damage for the University.

ODU has implemented policies and procedures to ensure that CUI is properly handled and protected. The University’s Secure Research office supports researchers in complying with the CUI program and provides training and guidance on best practices for handling and safeguarding CUI. Additionally, the University’s Office of Information Technology ensures that systems and networks are secured to protect CUI from unauthorized access or disclosure. As ODU continues to engage in research collaborations with government entities and handle sensitive data, it is imperative that the University remains vigilant in its handling of CUI to ensure the protection of this information and the continued trust of its stakeholders. 

Furthermore, ODU’s compliance with the CUI program supports the University’s commitment to data security and privacy. By properly handling CUI, the University demonstrates its dedication to protecting sensitive information and maintaining the confidentiality and integrity of data. This not only benefits the University and its stakeholders, but also the larger community. Proper handling of CUI helps prevent unauthorized access, misuse, or disclosure of sensitive information, which can have serious consequences for individuals and organizations. As such, ODU’s adherence to the CUI program is an important component of the University’s overall data security and privacy efforts and ensures that it is doing its part in promoting responsible and ethical handling of sensitive information.

 

Research Security - CUI Decision Tree

Frequently Asked Questions

CUI is government-created or government-owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies. CUI is not classified information. It is not corporate intellectual property unless created for or included in requirements related to a government contract.

CUI includes certain types of information such as financial, legal, privacy, and procurement, and replaces old markings such as FOUO (For Official Use Only), SBU (Sensitive But Unclassified), PII (Personally Identifiable Information), Private, Confidential, etc. Classified information is separate from the CUI Program.

Yes, Personally Identifiable Information (PII) falls into one of the CUI Privacy categories and will be marked and protected as CUI. The Privacy Act and other applicable Privacy policies still apply.

Federal agencies routinely generate, use, store, and share information that, while not meeting the threshold for classification as national security or atomic energy information, requires some level of protection from unauthorized access and release.  

Historically, each agency developed its own practices for sensitive unclassified information, resulting in a patchwork of systems across the Executive branch, in which similar information might be defined or labeled differently, or where dissimilar information might share a definition and/or label. CUI was established to standardize the way the Executive branch handles sensitive information that requires dissemination controls.

Yes, but do not put CUI in the body of the email; it must be in an encrypted attachment. When sending a CUI email, the banner marking must appear at the top portion of the email, like a heading. You can add “Contains CUI” at the end of the subject line to alert your recipients. When forwarding or responding to email containing CUI, copy the banner markings and paste them at the top of your new email.

Report disclosures of CUI as soon as you realize one has occurred by emailing ODUFSO@odu.edu.

A federal sponsor may determine that a project which is not subject to EAR or ITAR is sensitive and requires additional protections. This could be work in fields other than “applied sciences” (linguistics, social sciences, anthropology), work that requires research and study of sensitive locations (such as military installations or government facilities), and/or work that involves cyber security or emerging technology.

Everyone, definitely, but the project PI is mainly responsible for CUI compliance throughout the project, from start to finish. CUI agreements can take the shape of a contract, grant, license, memorandum of agreement, or information-sharing agreement.

Understand the data categories on your contract, what data/widget/device you or your team may create during the performance of a contract, the requirements to protect that data/widget/device, and the costs associated with that protection before you sign the contract.