Title 32 Part 2002 → Subpart B
Title 32 → Subtitle B → Chapter XX → Part 2002 → Subpart B
Electronic Code of Federal Regulations e-CFR
Title 32 Part 2002 → Subpart B
Subpart B—Key Elements of the CUI Program
§2002.10 The CUI Registry.
§2002.12 CUI categories and subcategories.
§2002.16 Accessing and disseminating.
§2002.22 Limitations on applicability of agency CUI policies.
§2002.24 Agency self-inspection program.
§2002.10 The CUI Registry.
(a) The CUI EA maintains the CUI Registry, which:
(1) Is the authoritative central repository for all guidance, policy, instructions, and information on CUI (other than the Order and this part);
(2) Is publicly accessible;
(3) Includes authorized CUI categories and subcategories, associated markings, applicable decontrolling procedures, and other guidance and policy information; and
(4) Includes citation(s) to laws, regulations, or Government-wide policies that form the basis for each category and subcategory.
(b) Agencies and authorized holders must follow the instructions contained in the CUI Registry in addition to all requirements in the Order and this part.
§2002.12 CUI categories and subcategories.
(a) CUI categories and subcategories are the exclusive designations for identifying unclassified information that a law, regulation, or Government-wide policy requires or permits agencies to handle by means of safeguarding or dissemination controls. All unclassified information throughout the executive branch that requires any kind of safeguarding or dissemination control is CUI. Agencies may not implement safeguarding or dissemination controls for any unclassified information other than those controls permitted by the CUI Program.
(b) Agencies may use only those categories or subcategories approved by the CUI EA and published in the CUI Registry to designate information as CUI.
(a) General safeguarding policy. (1) Pursuant to the Order and this part, and in consultation with affected agencies, the CUI EA issues safeguarding standards in this part and, as necessary, in the CUI Registry, updating them as needed. These standards require agencies to safeguard CUI at all times in a manner that minimizes the risk of unauthorized disclosure while allowing timely access by authorized holders.
(2) Safeguarding measures that agencies are authorized or accredited to use for classified information and national security systems are also sufficient for safeguarding CUI in accordance with the organization's management and acceptance of risk.
(3) Agencies may increase CUI Basic's confidentiality impact level above moderate only internally, or by means of agreements with agencies or non-executive branch entities (including agreements for the operation of an information system on behalf of the agencies). Agencies may not otherwise require controls for CUI Basic at a level higher than permitted in the CUI Basic requirements when disseminating the CUI Basic outside the agency.
(4) Authorized holders must comply with policy in the Order, this part, and the CUI Registry, and review any applicable agency CUI policies for additional instructions. For information designated as CUI Specified, authorized holders must also follow the procedures in the underlying laws, regulations, or Government-wide policies.
(b) CUI safeguarding standards. Authorized holders must safeguard CUI using one of the following types of standards:
(1) CUI Basic. CUI Basic is the default set of standards authorized holders must apply to all CUI unless the CUI Registry annotates that CUI as CUI Specified.
(2) CUI Specified. (i) Authorized holders safeguard CUI Specified in accordance with the requirements of the underlying authorities indicated in the CUI Registry.
(ii) When the laws, regulations, or Government-wide policies governing a specific type of CUI Specified are silent on either a safeguarding or disseminating control, agencies must apply CUI Basic standards to that aspect of the information's controls, unless this results in treatment that does not accord with the CUI Specified authority. In such cases, agencies must apply the CUI Specified standards and may apply limited dissemination controls listed in the CUI Registry to ensure they treat the information in accord with the CUI Specified authority.
(c) Protecting CUI under the control of an authorized holder. Authorized holders must take reasonable precautions to guard against unauthorized disclosure of CUI. They must include the following measures among the reasonable precautions:
(1) Establish controlled environments in which to protect CUI from unauthorized access or disclosure and make use of those controlled environments;
(2) Reasonably ensure that unauthorized individuals cannot access or observe CUI, or overhear conversations discussing CUI;
(3) Keep CUI under the authorized holder's direct control or protect it with at least one physical barrier, and reasonably ensure that the authorized holder or the physical barrier protects the CUI from unauthorized access or observation when outside a controlled environment; and
(4) Protect the confidentiality of CUI that agencies or authorized holders process, store, or transmit on Federal information systems in accordance with the applicable security requirements and controls established in FIPS PUB 199, FIPS PUB 200, and NIST SP 800-53, (incorporated by reference, see §2002.2), and paragraph (g) of this section.
(d) Protecting CUI when shipping or mailing. When sending CUI, authorized holders:
(1) May use the United States Postal Service or any commercial delivery service when they need to transport or deliver CUI to another entity;
(2) Should use in-transit automated tracking and accountability tools when they send CUI;
(3) May use interoffice or interagency mail systems to transport CUI; and
(4) Must mark packages that contain CUI according to marking requirements contained in this part and in guidance published by the CUI EA. See §2002.20 for more guidance on marking requirements.
(e) Reproducing CUI. Authorized holders:
(1) May reproduce (e.g., copy, scan, print, electronically duplicate) CUI in furtherance of a lawful Government purpose; and
(2) Must ensure, when reproducing CUI documents on equipment such as printers, copiers, scanners, or fax machines, that the equipment does not retain data or the agency must otherwise sanitize it in accordance with NIST SP 800-53 (incorporated by reference, see §2002.2).
(f) Destroying CUI. (1) Authorized holders may destroy CUI when:
(i) The agency no longer needs the information; and
(ii) Records disposition schedules published or approved by NARA allow.
(2) When destroying CUI, including in electronic form, agencies must do so in a manner that makes it unreadable, indecipherable, and irrecoverable. Agencies must use any destruction method specifically required by law, regulation, or Government-wide policy for that CUI. If the authority does not specify a destruction method, agencies must use one of the following methods:
(i) Guidance for destruction in NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, and NIST SP 800-88, Guidelines for Media Sanitization (incorporated by reference, see §2002.2); or
(ii) Any method of destruction approved for Classified National Security Information, as delineated in 32 CFR 2001.47, Destruction, or any implementing or successor guidance.
(g) Information systems that process, store, or transmit CUI. In accordance with FIPS PUB 199 (incorporated by reference, see §2002.2), CUI Basic is categorized at no less than the moderate confidentiality impact level. FIPS PUB 199 defines the security impact levels for Federal information and Federal information systems. Agencies must also apply the appropriate security requirements and controls from FIPS PUB 200 and NIST SP 800-53 (incorporated by reference, see §2002.2) to CUI in accordance with any risk-based tailoring decisions they make. Agencies may increase CUI Basic's confidentiality impact level above moderate only internally, or by means of agreements with agencies or non-executive branch entities (including agreements for the operation of an information system on behalf of the agencies). Agencies may not otherwise require controls for CUI Basic at a level higher or different from those permitted in the CUI Basic requirements when disseminating the CUI Basic outside the agency.
(h) Information systems that process, store, or transmit CUI are of two different types:
(1) A Federal information system is an information system used or operated by an agency or by a contractor of an agency or other organization on behalf of an agency. An information system operated on behalf of an agency provides information processing services to the agency that the Government might otherwise perform itself but has decided to outsource. This includes systems operated exclusively for Government use and systems operated for multiple users (multiple Federal agencies or Government and private sector users). Information systems that a non-executive branch entity operates on behalf of an agency are subject to the requirements of this part as though they are the agency's systems, and agencies may require these systems to meet additional requirements the agency sets for its own internal systems.
(2) A non-Federal information system is any information system that does not meet the criteria for a Federal information system. Agencies may not treat non-Federal information systems as though they are agency systems, so agencies cannot require that non-executive branch entities protect these systems in the same manner that the agencies might protect their own information systems. When a non-executive branch entity receives Federal information only incidental to providing a service or product to the Government other than processing services, its information systems are not considered Federal information systems. NIST SP 800-171 (incorporated by reference, see §2002.2) defines the requirements necessary to protect CUI Basic on non-Federal information systems in accordance with the requirements of this part. Agencies must use NIST SP 800-171 when establishing security requirements to protect CUI's confidentiality on non-Federal information systems (unless the authorizing law, regulation, or Government-wide policy listed in the CUI Registry for the CUI category or subcategory of the information involved prescribes specific safeguarding requirements for protecting the information's confidentiality, or unless an agreement establishes requirements to protect CUI Basic at higher than moderate confidentiality).
§2002.16 Accessing and disseminating.
(a) General policy—(1) Access. Agencies should disseminate and permit access to CUI, provided such access or dissemination:
(i) Abides by the laws, regulations, or Government-wide policies that established the CUI category or subcategory;
(ii) Furthers a lawful Government purpose;
(iii) Is not restricted by an authorized limited dissemination control established by the CUI EA; and,
(iv) Is not otherwise prohibited by law.
(2) Dissemination controls. (i) Agencies must impose dissemination controls judiciously and should do so only to apply necessary restrictions on access to CUI, including those required by law, regulation, or Government-wide policy.
(ii) Agencies may not impose controls that unlawfully or improperly restrict access to CUI.
(3) Marking. Prior to disseminating CUI, authorized holders must label CUI according to marking guidance issued by the CUI EA, and must include any specific markings required by law, regulation, or Government-wide policy.
(4) Reasonable expectation. To disseminate CUI to a non-executive branch entity, authorized holders must reasonably expect that all intended recipients are authorized to receive the CUI and have a basic understanding of how to handle it.
(5) Agreements. Agencies should enter into agreements with any non-executive branch or foreign entity with which the agency shares or intends to share CUI, as follows (except as provided in paragraph (a)(7) of this section):
(i) Information-sharing agreements. When agencies intend to share CUI with a non-executive branch entity, they should enter into a formal agreement (see §2004.4(c) for more information on agreements), whenever feasible. Such an agreement may take any form the agency head approves, but when established, it must include a requirement to comply with Executive Order 13556, Controlled Unclassified Information, November 4, 2010 (3 CFR, 2011 Comp., p. 267) or any successor order (the Order), this part, and the CUI Registry.
(ii) Sharing CUI without a formal agreement. When an agency cannot enter into agreements under paragraph (a)(6)(i) of this section, but the agency's mission requires it to disseminate CUI to non-executive branch entities, the agency must communicate to the recipient that the Government strongly encourages the non-executive branch entity to protect CUI in accordance with the Order, this part, and the CUI Registry, and that such protections should accompany the CUI if the entity disseminates it further.
(iii) Foreign entity sharing. When entering into agreements or arrangements with a foreign entity, agencies should encourage that entity to protect CUI in accordance with the Order, this part, and the CUI Registry to the extent possible, but agencies may use their judgment as to what and how much to communicate, keeping in mind the ultimate goal of safeguarding CUI. If such agreements or arrangements include safeguarding or dissemination controls on unclassified information, the agency must not establish a parallel protection regime to the CUI Program: For example, the agency must use CUI markings rather than alternative ones (e.g., such as SBU) for safeguarding or dissemination controls on CUI received from or sent to foreign entities, must abide by any requirements set by the CUI category or subcategory's governing laws, regulations, or Government-wide policies, etc.
(iv) Pre-existing agreements. When an agency entered into an information-sharing agreement prior to November 14, 2016, the agency should modify any terms in that agreement that conflict with the requirements in the Order, this part, and the CUI Registry, when feasible.
(6) Agreement content. At a minimum, agreements with non-executive branch entities must include provisions that state:
(i) Non-executive branch entities must handle CUI in accordance with the Order, this part, and the CUI Registry;
(ii) Misuse of CUI is subject to penalties established in applicable laws, regulations, or Government-wide policies; and
(iii) The non-executive branch entity must report any non-compliance with handling requirements to the disseminating agency using methods approved by that agency's SAO. When the disseminating agency is not the designating agency, the disseminating agency must notify the designating agency.
(7) Exceptions to agreements. Agencies need not enter a written agreement when they share CUI with the following entities:
(i) Congress, including any committee, subcommittee, joint committee, joint subcommittee, or office thereof;
(ii) A court of competent jurisdiction, or any individual or entity when directed by an order of a court of competent jurisdiction or a Federal administrative law judge (ALJ) appointed under 5 U.S.C. 3501;
(iii) The Comptroller General, in the course of performing duties of the Government Accountability Office; or
(iv) Individuals or entities, when the agency releases information to them pursuant to a FOIA or Privacy Act request.
(b) Controls on accessing and disseminating CUI—(1) CUI Basic. Authorized holders should disseminate and encourage access to CUI Basic for any recipient when the access meets the requirements set out in paragraph (a)(1) of this section.
(2) CUI Specified. Authorized holders disseminate and allow access to CUI Specified as required or permitted by the authorizing laws, regulations, or Government-wide policies that established that CUI Specified.
(i) The CUI Registry annotates CUI that requires or permits Specified controls based on law, regulation, and Government-wide policy.
(ii) In the absence of specific dissemination restrictions in the authorizing law, regulation, or Government-wide policy, agencies may disseminate CUI Specified as they would CUI Basic.
(3) Receipt of CUI. Non-executive branch entities may receive CUI directly from members of the executive branch or as sub-recipients from other non-executive branch entities.
(4) Limited dissemination. (i) Agencies may place additional limits on disseminating CUI only through use of the limited dissemination controls approved by the CUI EA and published in the CUI Registry. These limited dissemination controls are separate from any controls that a CUI Specified authority requires or permits.
(ii) Using limited dissemination controls to unnecessarily restrict access to CUI is contrary to the goals of the CUI Program. Agencies may therefore use these controls only when it furthers a lawful Government purpose, or laws, regulations, or Government-wide policies require or permit an agency to do so. If an authorized holder has significant doubt about whether it is appropriate to use a limited dissemination control, the authorized holder should consult with and follow the designating agency's policy. If, after consulting the policy, significant doubt still remains, the authorized holder should not apply the limited dissemination control.
(iii) Only the designating agency may apply limited dissemination controls to CUI. Other entities that receive CUI and seek to apply additional controls must request permission to do so from the designating agency.
(iv) Authorized holders may apply limited dissemination controls to any CUI for which they are required or permitted to restrict access by or to certain entities.
(v) Designating entities may combine approved limited dissemination controls listed in the CUI Registry to accommodate necessary practices.
(c) Methods of disseminating CUI. (1) Before disseminating CUI, authorized holders must reasonably expect that all intended recipients have a lawful Government purpose to receive the CUI. Authorized holders may then disseminate the CUI by any method that meets the safeguarding requirements of this part and the CUI Registry and ensures receipt in a timely manner, unless the laws, regulations, or Government-wide policies that govern that CUI require otherwise.
(2) To disseminate CUI using systems or components that are subject to NIST guidelines and publications (e.g., email applications, text messaging, facsimile, or voicemail), agencies must do so in accordance with the no-less-than-moderate confidentiality impact value set out in FIPS PUB 199, FIPS PUB 200, NIST SP 800-53 (incorporated by reference, see §2002.2).
(a) Agencies should decontrol as soon as practicable any CUI designated by their agency that no longer requires safeguarding or dissemination controls, unless doing so conflicts with the governing law, regulation, or Government-wide policy.
(b) Agencies may decontrol CUI automatically upon the occurrence of one of the conditions below, or through an affirmative decision by the designating agency:
(1) When laws, regulations or Government-wide policies no longer require its control as CUI and the authorized holder has the appropriate authority under the authorizing law, regulation, or Government-wide policy;
(2) When the designating agency decides to release it to the public by making an affirmative, proactive disclosure;
(3) When the agency discloses it in accordance with an applicable information access statute, such as the FOIA, or the Privacy Act (when legally permissible), if the agency incorporates such disclosures into its public release processes; or
(4) When a pre-determined event or date occurs, as described in §2002.20(g), unless law, regulation, or Government-wide policy requires coordination first.
(c) The designating agency may also decontrol CUI:
(1) In response to a request by an authorized holder to decontrol it; or
(2) Concurrently with any declassification action under Executive Order 13526 or any predecessor or successor order, as long as the information also appropriately qualifies for decontrol as CUI.
(d) An agency may designate in its CUI policies which agency personnel it authorizes to decontrol CUI, consistent with law, regulation, and Government-wide policy.
(e) Decontrolling CUI relieves authorized holders from requirements to handle the information under the CUI Program, but does not constitute authorization for public release.
(f) Authorized holders must clearly indicate that CUI is no longer controlled when restating, paraphrasing, re-using, releasing to the public, or donating it to a private institution. Otherwise, authorized holders do not have to mark, review, or take other actions to indicate the CUI is no longer controlled.
(1) Agency policy may allow authorized holders to remove or strike through only those CUI markings on the first or cover page of the decontrolled CUI and markings on the first page of any attachments that contain CUI.
(2) If an authorized holder uses the decontrolled CUI in a newly created document, the authorized holder must remove all CUI markings for the decontrolled information.
(g) Once decontrolled, any public release of information that was formerly CUI must be in accordance with applicable law and agency policies on the public release of information.
(h) Authorized holders may request that the designating agency decontrol certain CUI.
(i) If an authorized holder publicly releases CUI in accordance with the designating agency's authorized procedures, the release constitutes decontrol of the information.
(j) Unauthorized disclosure of CUI does not constitute decontrol.
(k) Agencies must not decontrol CUI in an attempt to conceal, or to otherwise circumvent accountability for, an identified unauthorized disclosure.
(l) When laws, regulations, or Government-wide policies require specific decontrol procedures, authorized holders must follow such requirements.
(m) The Archivist of the United States may decontrol records transferred to the National Archives in accordance with §2002.34, absent a specific agreement otherwise with the designating agency. The Archivist decontrols records to facilitate public access pursuant to 44 U.S.C. 2108 and NARA's regulations at 36 CFR parts 1235, 1250, and 1256.
(a) General marking policy. (1) CUI markings listed in the CUI Registry are the only markings authorized to designate unclassified information requiring safeguarding or dissemination controls. Agencies and authorized holders must, in accordance with the implementation timelines established for the agency by the CUI EA:
(i) Discontinue all use of legacy or other markings not permitted by this part or included in the CUI Registry; and
(ii) Uniformly and conspicuously apply CUI markings to all CUI exclusively in accordance with the part and the CUI Registry, unless this part or the CUI EA otherwise specifically permits. See paragraph (a)(6) of this section and §§2002.38, Waivers of CUI requirements, and 2002.36, Legacy materials, for more information.
(2) Agencies may not modify CUI Program markings or deviate from the method of use prescribed by the CUI EA (in this part and the CUI Registry) in an effort to accommodate existing agency marking practices, except in circumstances approved by the CUI EA. The CUI Program prohibits using markings or practices not included in this part or the CUI Registry. If legacy markings remain on information, the legacy markings are void and no longer indicate that the information is protected or that it is or qualifies as CUI.
(3) An agency receiving an incorrectly marked document should notify either the disseminating entity or the designating agency, and request a properly marked document.
(4) The designating agency determines that the information qualifies for CUI status and applies the appropriate CUI marking when it designates that information as CUI.
(5) If an agency has information within its control that qualifies as CUI but has not been previously marked as CUI for any reason (for example, pursuant to an agency internal marking waiver as referenced in §2002.38 (a)), the agency must mark it as CUI prior to disseminating it.
(6) Agencies must not mark information as CUI to conceal illegality, negligence, ineptitude, or other disreputable circumstances embarrassing to any person, any agency, the Federal Government, or any of their partners, or for any purpose other than to adhere to the law, regulation, or Government-wide policy authorizing the control.
(7) The lack of a CUI marking on information that qualifies as CUI does not exempt the authorized holder from abiding by applicable handling requirements as described in the Order, this part, and the CUI Registry.
(8) When it is impractical for an agency to individually mark CUI due to quantity or nature of the information, or when an agency has issued a limited CUI marking waiver, authorized holders must make recipients aware of the information's CUI status using an alternate marking method that is readily apparent (for example, through user access agreements, a computer system digital splash screen (e.g., alerts that flash up when accessing the system), or signs in storage areas or on containers).
(b) The CUI banner marking. Designators of CUI must mark all CUI with a CUI banner marking, which may include up to three elements:
(1) The CUI control marking (mandatory). (i) The CUI control marking may consist of either the word “CONTROLLED” or the acronym “CUI,” at the designator's discretion. Agencies may specify in their CUI policy that employees must use one or the other.
(ii) The CUI Registry contains additional, specific guidance and instructions for using the CUI control marking.
(iii) Authorized holders who designate CUI may not use alternative markings to identify or mark items as CUI.
(2) CUI category or subcategory markings (mandatory for CUI Specified). (i) The CUI Registry lists the category and subcategory markings, which align with the CUI's governing category or subcategory.
(ii) Although the CUI Program does not require agencies to use category or subcategory markings on CUI Basic, an agency's CUI SAO may establish agency policy that mandates use of CUI category or subcategory markings on CUI Basic.
(iii) However, authorized holders must include in the CUI banner marking all CUI Specified category or subcategory markings that pertain to the information in the document. If law, regulation, or Government-wide policy requires specific marking, disseminating, informing, distribution limitation, or warning statements, agencies must use those indicators as those authorities require or permit. However, agencies must not include these additional indicators in the CUI banner marking or CUI portion markings.
(iv) The CUI Registry contains additional, specific guidance and instructions for using CUI category and subcategory markings.
(3) Limited dissemination control markings. (i) CUI limited dissemination control markings align with limited dissemination controls established by the CUI EA under §2002.16(b)(4).
(ii) Agency policy should include specific criteria establishing which authorized holders may apply limited dissemination controls and their corresponding markings, and when. Such agency policy must align with the requirements in §2002.16(b)(4).
(iii) The CUI Registry contains additional, specific guidance and instructions for using limited dissemination control markings.
(c) Using the CUI banner marking. (1) The content of the CUI banner marking must apply to the whole document (i.e., inclusive of all CUI within the document) and must be the same on each page of the document that includes CUI.
(2) The CUI Registry contains additional, specific guidelines and instructions for using the CUI banner marking.
(d) CUI designation indicator (mandatory). (1) All documents containing CUI must carry an indicator of who designated the CUI within it. This must include the designator's agency (at a minimum) and may take any form that identifies the designating agency, including letterhead or other standard agency indicators, or adding a “Controlled by” line (for example, “Controlled by: Division 5, Department of Good Works.”).
(2) The designation indicator must be readily apparent to authorized holders and may appear only on the first page or cover. The CUI Registry contains additional, specific guidance and requirements for using CUI designation indicators.
(e) CUI decontrolling indicators. (1) Where feasible, designating agencies must include a specific decontrolling date or event with all CUI. Agencies may do so in any manner that makes the decontrolling schedule readily apparent to an authorized holder.
(2) Authorized holders may consider specific items of CUI as decontrolled as of the date indicated, requiring no further review by, or communication with, the designator.
(3) If using a specific event after which the CUI is considered decontrolled:
(i) The event must be foreseeable and verifiable by any authorized holder (e.g., not based on or requiring special access or knowledge); and
(ii) The designator should include point of contact and preferred method of contact information in the decontrol indicator when using this method, to allow authorized holders to verify that a specified event has occurred.
(4) The CUI Registry contains additional, specific guidance and instructions for using limited dissemination control markings.
(f) Portion marking CUI. (1) Agencies are permitted and encouraged to portion mark all CUI, to facilitate information sharing and proper handling.
(2) Authorized holders who designate CUI may mark CUI only with portion markings approved by the CUI EA and listed in the CUI Registry.
(3) CUI portion markings consist of the following elements:
(i) The CUI control marking, which must be the acronym “CUI”;
(ii) CUI category/subcategory portion markings (if required or permitted); and
(iii) CUI limited dissemination control portion markings (if required).
(4) When using portion markings:
(i) CUI category and subcategory portion markings are optional for CUI Basic. Agencies may manage their use by means of agency policy.
(ii) Authorized holders permitted to designate CUI must portion mark both CUI and uncontrolled unclassified portions.
(5) In cases where portions consist of several segments, such as paragraphs, sub-paragraphs, bullets, and sub-bullets, and the control level is the same throughout, designators of CUI may place a single portion marking at the beginning of the primary paragraph or bullet. However, if the portion includes different CUI categories or subcategories, or if the portion includes some CUI and some uncontrolled unclassified information, authorized holders should portion mark all segments separately to avoid improper control of any one segment.
(6) Each portion must reflect the control level of only that individual portion. If the information contained in a sub-paragraph or sub-bullet is a different CUI category or subcategory from its parent paragraph or parent bullet, this does not make the parent paragraph or parent bullet controlled at that same level.
(7) The CUI Registry contains additional, specific guidance and instructions for using CUI portion markings and uncontrolled unclassified portion markings.
(g) Commingling CUI markings with Classified National Security Information (CNSI). When authorized holders include CUI in documents that also contain CNSI, the decontrolling provisions of the Order and this part apply only to portions marked as CUI. In addition, authorized holders must:
(1) Portion mark all CUI to ensure that authorized holders can distinguish CUI portions from portions containing classified and uncontrolled unclassified information;
(2) Include the CUI control marking, CUI Specified category and subcategory markings, and limited dissemination control markings in an overall banner marking; and
(3) Follow the requirements of the Order and this part, and instructions in the CUI Registry on marking CUI when commingled with CNSI.
(h) Commingling restricted data (RD) and formerly restricted data (FRD) with CUI. (1) To the extent possible, avoid commingling RD or FRD with CUI in the same document. When it is not practicable to avoid such commingling, follow the marking requirements in the Order and this part, and instructions in the CUI Registry, as well as the marking requirements in 10 CFR part 1045, Nuclear Classification and Declassification.
(2) Follow the requirements of 10 CFR part 1045 when extracting an RD or FRD portion for use in a new document.
(3) Follow the requirements of the Order and this part, and instructions in the CUI Registry if extracting a CUI portion for use in a new document.
(4) The lack of declassification instructions for RD or FRD portions does not eliminate the requirement to process commingled documents for declassification in accordance with the Atomic Energy Act, or 10 CFR part 1045.
(i) Packages and parcels containing CUI. (1) Address packages that contain CUI for delivery only to a specific recipient.
(2) Do not put CUI markings on the outside of an envelope or package, or otherwise indicate on the outside that the item contains CUI.
(j) Transmittal document marking requirements. (1) When a transmittal document accompanies CUI, the transmittal document must include a CUI marking on its face (“CONTROLLED” or “CUI”), indicating that CUI is attached or enclosed.
(2) The transmittal document must also include conspicuously on its face the following or similar instructions, as appropriate:
(i) “When enclosure is removed, this document is Uncontrolled Unclassified Information”; or
(ii) “When enclosure is removed, this document is (control level); upon removal, this document does not contain CUI.”
(k) Working papers. Mark working papers containing CUI the same way as the finished product containing CUI would be marked and as required for any CUI contained within them. Handle them in accordance with this part and the CUI Registry.
(l) Using supplemental administrative markings with CUI. (1) Agency heads may authorize the use of supplemental administrative markings (e.g. “Pre-decisional,” “Deliberative,” “Draft”) for use with CUI.
(2) Agency heads may not authorize the use of supplemental administrative markings to establish safeguarding requirements or disseminating restrictions, or to designate the information as CUI. However, agencies may use these markings to inform recipients of the non-final status of documents under development to avoid confusion and maintain the integrity of an agency's decision-making process.
(3) Agencies must detail requirements for using supplemental administrative markings with CUI in agency policy that is available to anyone who may come into possession of CUI with these markings.
(4) Authorized holders must not incorporate or include supplemental administrative markings in the CUI marking scheme detailed in this part and the CUI Registry.
(5) Supplemental administrative markings must not duplicate any CUI marking described in this part or the CUI Registry.
(m) Unmarked CUI. Treat unmarked information that qualifies as CUI as described in the Order, §2002.8(c), and the CUI Registry.
§2002.22 Limitations on applicability of agency CUI policies.
(a) Agency CUI policies do not apply to entities outside that agency unless a law, regulation, or Government-wide policy requires or permits the controls contained in the agency policy to do so, and the CUI Registry lists that law, regulation, or Government-wide policy as a CUI authority.
(b) Agencies may not include additional requirements or restrictions on handling CUI other than those permitted in the Order, this part, or the CUI Registry when entering into agreements.
§2002.24 Agency self-inspection program.
(a) The agency must establish a self-inspection program pursuant to the requirement in §2002.8(b)(4).
(b) The self-inspection program must include:
(1) At least annual review and assessment of the agency's CUI program. The agency head or CUI SAO should determine any greater frequency based on program needs and the degree to which the agency engages in designating CUI;
(2) Self-inspection methods, reviews, and assessments that serve to evaluate program effectiveness, measure the level of compliance, and monitor the progress of CUI implementation;
(3) Formats for documenting self-inspections and recording findings when not prescribed by the CUI EA;
(4) Procedures by which to integrate lessons learned and best practices arising from reviews and assessments into operational policies, procedures, and training;
(5) A process for resolving deficiencies and taking corrective actions; and
(6) Analysis and conclusions from the self-inspection program, documented on an annual basis and as requested by the CUI EA.