Controlled Unclassified Information (CUI) Policy

Purpose

To establish a General Services Administration (GSA) policy and framework for Controlled Unclassified Information (CUI). CUI is unclassified information that requires safeguarding and dissemination controls pursuant to law, regulation, or Government-wide policy, as listed in the CUI Registry by the National Archives and Records Administration (NARA).

Cancellation

This Order cancels and supersedes CIO 2103.1, Controlled Unclassified Information (CUI) Policy, dated May 16, 2017.

Revisions

The following updates have been made:

1. Updated links and terminology;
2. Added policy-related sections that were previously in the CUI Guide;
3. Added responsibilities previously in the CUI Guide; and
4. Added additional policies in the References section. 

Background

1. Executive Order (EO) 13556, Controlled Unclassified Information, establishes an open and uniform program for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, or Government-wide policies, excluding information that is classified under Executive Order 13526 of December 29, 2009, or the Atomic Energy Act, as amended (hereinafter described as Controlled Unclassified Information (CUI)).
2. In the past, agencies employed ad hoc, agency-specific policies, procedures, and markings to safeguard and control sensitive information and there was no Government-wide direction on what information should or should not be protected. EO 13556 established a uniform program for managing CUI. Under the CUI Program, only the categories of information listed in the CUI Registry will be marked and handled as CUI.
3. On September 14, 2016, NARA issued a final rule amending 32 C.F.R. §  2002 to establish a uniform policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the program.
4. The CUI Program covers any information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that is required to be protected under law, regulation, or Government-wide policy. This information does not include classified information or information a non-executive branch entity possesses or maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an executive branch agency. Specific details about the types of information considered to be CUI are listed in the CUI Registry which can be found at archives.gov/cui.

Applicability

This Order applies to:

1. All GSA employees;
2. All persons or entities that handle GSA CUI under agreements that include CUI provisions, to include contracts, grants, licenses, certificates, memoranda of agreement or understanding, and information-sharing agreements, as required by the amended 32 C.F.R.  § 2002.4(c);
3. Anyone responsible for GSA-controlled space or for managing or procuring Government owned or leased space on behalf of GSA, as required in PBS 3490.3 CHGE 1 Security for Sensitive Building Information Related to Federal Buildings, Grounds, or Property [PDF];
4. The Office of Inspector General (OIG) to the extent that the OIG determines it is consistent with the OIG’s independent authority under the IG Act, and it does not conflict with other OIG policies or the OIG mission; and 
5. The Civilian Board of Contract Appeals (CBCA) to the extent that the CBCA determines it is consistent with the CBCA’s independent authority under the Contract Disputes Act and other authorities and it does not conflict with the CBCA’s policies or the CBCA mission.