Organizations that work in close proximity to government entities, like the US military, come into contact with several protected forms of information. One of the most critical kinds, for national security, is controlled unclassified information (CUI). It’s imperative to understand the processes and logistics of controlling and decontrolling CUI, such as who can decontrol CUI and who has a responsibility to protect it (and how). Read on to learn what your organization may need to do.
Who Is In Charge of Decontrolling CUI?
Under the Department of Defense's (DoD) Instruction 5200.48, three parties decontrol CUI: the originator of the information, the original classification authority (OCA) when the information is covered by a security classification guide, and the DoD offices designated for decontrolling CUI.
To understand why these parties are in charge of decontrolling, and why it matters, you also need to grasp the context around CUI and why it’s so critical to the national security of the US:
- What decontrolling CUI means
- Why CUI needs to be protected
- How DoD-specific CUI is protected
If your organization is seeking a DoD contract, working with a qualified compliance partner can help you protect CUI and other sensitive information and achieve preferred contractor status.
What Does it Mean to Decontrol CUI?
According to 32 CFR § 2002.4, decontrolling CUI means removing the safeguarding or dissemination controls from CUI that no longer requires them. Decontrol may occur automatically, when a condition set in advance is met, or through an affirmative decision by the designating agency (the agency that originally designated the information as CUI).
Agencies are expected to decontrol CUI as soon as practicable once it no longer needs protection, unless doing so would conflict with an applicable law, regulation, or government-wide policy. 32 CFR § 2002.18 lists four conditions under which CUI may be decontrolled, either automatically or by decision of the designating agency:
- When the laws, regulations, or government-wide policies that required control no longer apply, and the holder has the authority under them to decontrol
- When the designating agency decides to release the information to the public through an affirmative, proactive disclosure
- When the agency releases the information under an information access statute such as the Freedom of Information Act (FOIA) or the Privacy Act, where release is legally permissible
- When a pre-determined decontrol date or event specified by the designating agency occurs, unless law, regulation, or policy requires coordination first
Beyond these, the designating agency may also decontrol CUI in response to a request from an authorized holder, or concurrently with a declassification action under Executive Order 13526, provided the information also qualifies for decontrol as CUI.
Once CUI is decontrolled, authorized holders are no longer required to handle it under the CUI Program and must remove its CUI markings. However, decontrol is not an authorization for public release; any release must still comply with applicable law and agency policy.
What is CUI, and Why is it Critical to Protect?
Decontrolling CUI is a sensitive matter that is tightly regulated, as detailed above. But even more consequential is the actual controlling, or safeguarding, of CUI, which is carried out by far more stakeholders than the limited set of parties who can decontrol it. CUI is information that the government creates or possesses, or that a contractor creates or possesses on the government's behalf, that is not classified but that a law, regulation, or government-wide policy requires or permits to be protected with safeguarding or dissemination controls.
In fact, it is precisely because CUI is unclassified that it is so important to protect.
Classified information travels through a comparatively closed system of cleared personnel, accredited facilities, and accredited networks. CUI has no such enclosure: it is routinely stored, processed, and transmitted on ordinary contractor networks, which makes it a far more reachable target. Exposure of CUI relating to defense programs, critical infrastructure, proprietary business information, law enforcement, and other sectors can therefore cause real damage.
That’s why several industries’ governing regulations specify controls for CUI.
In particular, the Defense Federal Acquisition Regulation Supplement (DFARS), through clause 252.204-7012, requires contractors that store, process, or transmit covered defense information (a form of CUI) to safeguard it. At the core of that obligation is implementation of the security requirements in National Institute of Standards and Technology (NIST) Special Publication 800-171; the enhanced requirements in NIST SP 800-172 apply only to organizations that must meet the highest CMMC level.
How Do DoD Stakeholders Safeguard CUI?
Although CUI spans multiple sectors, its most critical applications and the most stringent regulations regarding it all concern defense. The practical question to ask is not about who decontrols all CUI, but about who can decontrol DoD CUI—and who can protect it, and how.
DFARS compliance is the primary way organizations protect CUI, and it is required of every contractor and subcontractor in the Defense Industrial Base (DIB) whose DoD contracts carry the relevant clauses.
If your organization is in the DIB and seeking a contract with the DoD, you will need to undergo Cybersecurity Maturity Model Certification (CMMC). Under the 2021 update (CMMC 2.0), there are three levels an organization may need to achieve, depending on the sensitivity of the information in its contract:
- Level 1: "Foundational" – 17 practices, drawn from the basic safeguarding requirements of FAR 52.204-21; applies to contractors handling only federal contract information (FCI), not CUI
- Level 2: "Advanced" – All 110 security requirements of NIST SP 800-171; the baseline for contractors handling CUI
- Level 3: "Expert" – Level 2 plus a subset of the enhanced requirements of NIST SP 800-172, for programs facing the most capable adversaries
Beyond implementing all controls for your required level, your organization will need to verify its cybersecurity maturity through an assessment: an annual self-assessment at Level 1, either a self-assessment or a third-party assessment at Level 2 depending on the contract, and a government-led assessment at Level 3.
Protect CUI and Sensitive Data with RSI Security
Finally, to return to one of our first questions from above: who can decontrol CUI? The originator of the information, the OCA where a classification guide applies, or the designated decontrolling offices. Put differently, the DoD entities with whom DIB contractors work are responsible for decontrol decisions. Your organization's role is to act on those decisions: once notified that information has been decontrolled, you must remove the CUI markings from your copies and may stop applying CUI safeguards to them, while still handling any public release in accordance with applicable law and contract terms.
Even more critical, however, is ensuring that all CUI you are authorized to hold is fully protected up until the point that it gets decontrolled. Implementing NIST and CMMC controls is the best way to do that, and working with a DoD compliance partner will streamline the entire process.
To learn more about how your organization can protect CUI, contact RSI Security today!