Who is Responsible for CUI Markings?  

Controlled Unclassified Information (CUI) is a category of information that requires safeguarding or dissemination controls according to law, regulation, or government-wide policy, but is not classified under Executive Order 13526 or the Atomic Energy Act. Properly marking this CUI information is crucial for protecting sensitive information from unauthorized access, misuse, or disclosure. But you may wonder, who is responsible for CUI markings?

Let’s explore where that responsibility lies, the importance of these markings, and best practices for implementing them effectively.

Understanding CUI and Its Importance

CUI was established to standardize how the U.S. government handles sensitive information that doesn’t fall under classified information protocols but still needs protection. The National Archives and Records Administration (NARA) oversees the CUI Program and has issued guidance on how CUI should be handled, marked, and protected.

Before delving into who is responsible for CUI markings, it’s essential to understand what CUI is and why it’s important. CUI includes information such as Personally Identifiable Information (PII), sensitive financial data, proprietary business information, and certain government or defense-related information.

“Determining what CUI exists on a government contract is an inherently government function,” says Jeff Baldwin, Chief Information Security Officer for Beryllium InfoSec and Cuick Trac. “If there is no law, regulation, or government-wide policy identified, then it may not be CUI. But if it is nonpublic information related to the contract, then it might be Federal Contract Information (FCI). Unfortunately, FCI is not marked so if you receive unmarked information from a customer or prime, then it could be FCI or unmarked CUI, which is why it’s critical to have good guidance on the type of CUI on the contract.”

So…Who Is Responsible for CUI Markings?

The goal of CUI markings is to ensure that sensitive but unclassified information is adequately protected from exposure that could cause potential harm to national security, individuals, or organizations.

The responsibility for CUI markings primarily falls on those Authorized Holders who create, handle, and disseminate CUI within federal agencies, as well as contractors and other third parties that work with federal data. The key stakeholders include:

1. CUI Designating Officials: These are individuals within federal agencies who have the authority to determine whether information qualifies as CUI based on the laws, regulations, and policies that govern the information. They play a pivotal role in identifying what needs to be marked as CUI.
   
2. Information Owners: Information owners or data stewards are responsible for the information they produce or manage. They must ensure that any CUI under their control is appropriately marked according to the CUI guidelines. This includes determining the correct category and subcategory of CUI, applying the necessary safeguarding controls, and ensuring the information is marked consistently.
   
3. Program Managers and Supervisors: Within federal agencies, program managers and supervisors are responsible for ensuring that their teams understand CUI requirements and adhere to marking protocols. They must provide guidance and oversight to their teams to ensure compliance with CUI policies.
   
4. Employees and Contractors: All employees and contractors who handle CUI have a responsibility to ensure that the information is correctly marked and protected. They must be trained on how to recognize CUI, apply the correct markings, and understand the safeguarding requirements. Failure to properly mark CUI can lead to unauthorized disclosure, which can have serious consequences, including legal action.
   
5. CUI Program Managers and Coordinators: These individuals oversee the implementation of the CUI program within their respective organizations. They are responsible for developing policies, procedures, and training programs to ensure compliance with CUI marking requirements. They also serve as the point of contact for any questions or issues related to CUI handling and marking.

The Marking Process: How CUI Is Identified and Labeled

The process of marking CUI involves several steps:

1. Identification: First, information that meets the criteria for CUI must be identified. This is typically done by reviewing the information against a list of CUI categories provided by NARA.
   
2. Categorization: Once identified, the information is categorized into one of the CUI categories. This helps determine the level of safeguarding and dissemination controls required.
   
3. Marking: After categorization, the information is marked with the appropriate CUI markings. This usually includes a header or footer on the document indicating that the information is CUI, along with the specific category or subcategory. For example, a document might be marked as “CUI//PRIVACY//PII” to indicate that it contains personally identifiable information.
   
4. Training and Awareness: Those responsible for handling CUI must be trained in recognizing CUI and understanding how to apply the correct markings. Training programs should be comprehensive and ongoing to keep up with changes in CUI categories or marking procedures.

Best Practices for CUI Markings

To ensure CUI is properly marked and protected, organizations should implement the following best practices:

1. Regular Training and Refreshers: Provide regular training sessions and refresher courses for all employees and contractors who handle CUI. This will help ensure that everyone is aware of the latest marking requirements and understands their responsibilities.
   
2. Clear Policies and Procedures: Develop clear, concise policies and procedures for CUI markings. These should outline the roles and responsibilities of individuals involved in the CUI process, as well as detailed instructions on how to identify, categorize, and mark CUI.
   
3. Consistent Application: Consistency is key when marking CUI. Ensure that markings are applied uniformly across all documents and forms of media. This helps prevent confusion and ensures that all CUI is adequately protected.
   
4. Audits and Compliance Checks: Conduct regular audits and compliance checks to ensure that CUI markings are being applied correctly. This can help identify any gaps or areas where additional training or resources may be needed.
   
5. Use of Automated Tools: Where possible, use automated tools to assist in identifying and marking CUI. Automated tools can help reduce human error and ensure that markings are applied consistently.

Challenges in CUI Markings

Despite the clear guidelines and the roles outlined, there are still challenges associated with marking CUI correctly:

1. Complexity of Regulations: The rules and categories for CUI can be complex, and keeping up with changes can be difficult. Organizations need to stay current with NARA’s guidelines and adjust their processes accordingly.
   
2. Lack of Awareness: Not everyone who handles CUI is fully aware of their responsibilities, especially in organizations where CUI is not a primary focus. Continuous education and awareness campaigns are necessary to address this issue.
   
3. Integration with Existing Systems: Integrating CUI marking requirements into existing information management systems can be challenging. Organizations may need to invest in new tools or modify existing systems to comply with CUI guidelines.
   
4. Missing Guidance: Per DODI 5200.48, whenever the DoD provides CUI to, or CUI is generated by, non-DoD entities, protective measures and dissemination controls, including those directed by relevant law, regulation, or government-wide policy, will be articulated in the contract, grant, or other legal agreement, as appropriate. However, this may not always be included in contracts, which makes marking difficult.

Protecting Sensitive Information

The responsibility for CUI markings is shared among multiple stakeholders, including designating officials, information owners, program managers, employees, and contractors. Ensuring that CUI is properly marked is crucial for protecting sensitive information and maintaining compliance with federal regulations. By following best practices and addressing common challenges, organizations can improve their CUI marking processes and safeguard important information effectively.

Talk to a Cuick Trac security expert today and learn how your organization can easily identify and mark CUI.