Originating Component: Office of the Under Secretary of Defense for Intelligence and Security

Effective: March 6, 2020

Releasability: Cleared for public release. Available on the Directives Division Website
at https://www.esd.whs.mil/DD/.

Cancels: DoD Manual 5200.01, Volume 4, “DoD Information Security Program:

Controlled Unclassified Information,” February 24, 2012, as amended

Approved by: Joseph D. Kernan, Under Secretary of Defense for Intelligence and
Security (USD(I&S))

Purpose: In accordance with the authority in DoD Directive (DoDD) 5143.01 and the December 22,
2010 Deputy Secretary of Defense Memorandum, this issuance:
• Establishes policy, assigns responsibilities, and prescribes procedures for CUI throughout the DoD
in accordance with Executive Order (E.O.) 13556; Part 2002 of Title 32, Code of Federal Regulations
(CFR); and Defense Federal Acquisition Regulation Supplement (DFARS) Sections 252.204-7008 and
• Establishes the official DoD CUI Registry.
DoDI 5200.48, March 6, 2020

SECTION 1: GENERAL ISSUANCE INFORMATION .............................................................................. 4
1.1. Applicability. .................................................................................................................... 4
1.2. Policy. ............................................................................................................................... 4
SECTION 2: RESPONSIBILITIES ......................................................................................................... 6
2.1. USD(I&S) ......................................................................................................................... 6
2.2. Director for Defense Intelligence (Counterintelligence, Law Enforcement, and Security
(DDI(CL&S)). ..................................................................................................................... 6
2.3. Director, Defense Counterintelligence and Security Agency (DSCA). ............................ 7
2.4. Chief Management Officer of the Department of Defense (CMO). ................................. 8
2.5. PFPA. ................................................................................................................................ 8
2.6. Under Secretary of Defense for Policy. ............................................................................ 8
2.7. USD(A&S). ....................................................................................................................... 8
2.8. USD(R&E). ....................................................................................................................... 9
2.9. DoD CIO. .......................................................................................................................... 9
2.10. OSD and DoD Component Heads. ............................................................................... 10
2.11. Secretaries of the Military Departments. ...................................................................... 11
2.12. Chairman of the Joint Chiefs of Staff. .......................................................................... 11
SECTION 3: PROGRAMMATICS ....................................................................................................... 12
3.1. Background. .................................................................................................................... 12
3.2. Legacy Information Requirements. ................................................................................ 12
3.3. Handling Requirements. ................................................................................................. 13
3.4. Marking Requirements.................................................................................................... 14
3.5. General DoD CUI Administrative Requirements. .......................................................... 17
3.6. General DoD CUI Procedures. ....................................................................................... 17
3.7. General DoD CUI Requirements. ................................................................................... 19
3.8. OCA. ............................................................................................................................... 23
3.9. General Release and Disclosure Requirements. ............................................................. 23
3.10. General System and Network CUI Requirements. ....................................................... 24
4.1. General. ........................................................................................................................... 27
4.2. Dissemination Requirements for DoD CUI. ................................................................... 28
4.3. Legacy Distribution Statements. ..................................................................................... 28
4.4. Decontrolling. ................................................................................................................. 29
4.5. Destruction. ..................................................................................................................... 30
SECTION 5: APPLICATION OF DOD INDUSTRY ............................................................................... 31
5.1. General. ........................................................................................................................... 31
5.2. Misuse or UD of CUI. ..................................................................................................... 32
5.3. Requirements for DoD Contractors. ............................................................................... 32
GLOSSARY ..................................................................................................................................... 33
G.1. Acronyms. ...................................................................................................................... 33
G.2. Definitions. ..................................................................................................................... 34
REFERENCES .................................................................................................................................. 38

DoDI 5200.48, March 6, 2020

Table 1. DoD CUI Registry Category Examples ......................................................................... 22
Table 2. Dissemination Control and Distribution Statement Markings ....................................... 29

Figure 1. CUI Warning Box for Classified Material ................................................................... 15
Figure 2. CUI Designation Indicator for All Documents and Material ....................................... 16
Figure 3. Notice and Consent....................................................................................................... 26

DoDI 5200.48, March 6, 2020



This issuance applies to:

a. Office of the Secretary of Defense (OSD), the Military Departments, the Office of the
Chairman of the Joint Chiefs of Staff and the Joint Staff, the Combatant Commands, the Office
of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the
DoD Field Activities, and all other organizational entities within the DoD (referred to
collectively in this issuance as the “DoD Components”).

b. Arrangements, agreements, contracts, and other transaction authority actions requiring

access to CUI according to terms and conditions of such documents, as defined in Clause 2.101
of the Federal Acquisition Regulation and Section 2002.4 of Title 32, CFR, including, but not
limited to, grants, licenses, certificates, memoranda of agreement/arrangement or understanding,
and information-sharing agreements or arrangements.

1.2. POLICY.

It is DoD policy that:

a. As part of the phased DoD CUI Program implementation process endorsed by the CUI
Executive Agent (EA) pursuant to Information Security Oversight Office (ISOO) Memorandum
dated August 21, 2019, the designation, handling, and decontrolling of CUI (including CUI
identification, sharing, marking, safeguarding, storage, dissemination, destruction, and records
management) will be conducted in accordance with this issuance and Sections 252.204-7008 and
252.204-7012 of the DFARS when applied by a contract to non-DoD systems.

b. All DoD CUI must be controlled until authorized for public release in accordance with
DoD Instructions (DoDIs) 5230.09, 5230.29, and 5400.04, or DoD Manual (DoDM) 5400.07.
Official DoD information that is not classified or controlled as CUI will also be reviewed prior to
public release in accordance with DoDIs 5230.09 or5230.29.

c. Information will not be designated CUI in order to:

(1) Conceal violations of law, inefficiency, or administrative error.

(2) Prevent embarrassment to a person, organization, or agency.

(3) Prevent open competition.

(4) Control information not requiring protection under a law, regulation, or government-
wide policy, unless approved by the CUI EA at the National Archives and Records
Administration (NARA), through the Under Secretary of Defense for Intelligence and Security


DoDI 5200.48, March 6, 2020

d. In accordance with the DoD phased CUI Program implementation, all documents
containing CUI must carry CUI markings in accordance with this issuance.

e. Although DoD Components are not required to use the terms “Basic” or “Specified” to
characterize CUI at this time, DoD Components will apply:

(1) At least the minimum safeguards required to protect CUI.

(2) Terms and specific marking requirements will be promulgated by the USD(I&S) in
future guidance.

f. Nothing in this issuance alters or supersedes the existing authorities of the Director of
National Intelligence (DNI) regarding CUI.

g. Nothing in this issuance will infringe on the OIG DoD’s statutory independence and
authority, as articulated in the Inspector General Act of 1978 in the Title 5, United States Code
(U.S.C.) Appendix. In the event of any conflict between this instruction and the OIG DoD’s
statutory independence and authority, the Inspector General Act of 1978 in the Title 5, U.S.C.
Appendix takes precedence.


DoDI 5200.48, March 6, 2020


2.1. USD(I&S)

The USD(I&S):

a. As the DoD Senior Agency Official for Security, establishes policy and oversees the DoD
Information Security Program.

b. In coordination with the requesting DoD Component, submits changes to CUI categories
on behalf of DoD Components to the CUI EA at NARA.

c. Provides reports to the CUI EA on the DoD CUI Program status, as described in
Paragraph 3.6.c., in accordance with Part 2002 of Title 32, CFR.

d. Establishes protocol for resolving disputes about implementing or interpreting E.O.

13556, Part 2002 of Title 32, CFR, the CUI Registry, and this issuance, within and between the
DoD Components.

e. Coordinates with the Department of Defense Chief Information Officer (DoD CIO) on
CUI waiver requests for DoD information systems (IS) and networks.

f. Coordinates with the CUI EA on DoD Component CUI waiver requests.



The DDI(CL&S):

a. Oversees and manages the DoD CUI Program.

b. Reviews and signs all reports and other correspondence related to the DoD CUI Program.

c. Coordinates with the Secretaries of the Military Departments, Under Secretary of Defense
for Research and Engineering (USD(R&E)), Under Secretary of Defense for Acquisition and
Sustainment (USD(A&S)), and the DoD Component heads to:

(1) Recommend changes to national CUI policy relating to identifying, safeguarding,

disseminating, marking, storing, transmitting, reviewing, transporting, re-using, decontrolling,
and destroying CUI, and responding to unauthorized disclosure (UD) of CUI.

(2) Review and provide guidance on DoD Component implementation policy and CUI-
related matters.

d. Assists the USD(I&S) with overseeing the CUI policy and program execution via the
Defense Security Enterprise Executive Committee in accordance with DoDD 5200.43.

DoDI 5200.48, March 6, 2020

e. In coordination with the DoD CIO, USD(A&S), and USD(R&E), provides guidance on
implementing uniform standards to display TOP SECRET, SECRET, CONFIDENTIAL, and
UNCLASSIFIED for CNSI and CUI controls and banners for DoD systems and networks.



Under the authority, direction, and control of the USD(I&S) and in addition to the
responsibilities in Paragraph 2.10., the Director, DCSA:

a. Administers the DoD CUI Program for contractually established CUI requirements for
contractors in classified contracts in accordance with the May 17, 2018 Under Secretary of
Defense for Intelligence Memorandum.

b. Assesses contractor compliance with contractually established CUI system requirements

in DoD classified contracts associated with the National Industrial Security Program (NISP) in
accordance with Part 2003 of Title 32, CFR and National Institute of Standards and Technology
Special Publication (NIST SP) 800-171 guidelines.

c. Establishes and maintains a process to notify the DoD CIO, USD(R&E), and USD(A&S)
of threats related to CUI for further dissemination to DoD Components and contractors in
accordance with the Section 252.204-7012 of the DFARS.

d. Provides, in coordination with the USD(I&S), security education, training, and awareness
on the required topics identified in Section 2002.30 of Title 32, CFR, including protection and
management of CUI, to DoD personnel and contractors through the Center for Development of
Security Excellence (CDSE).

e. Provides security assistance and guidance to the DoD Components on the protection of
CUI when DoD Components establish CUI requirements in DoD classified contracts for NISP
contractors falling under DCSA security oversight.

f. Serves as the DoD-lead to report UDs of CUI, except for the reporting of cyber incidents
in accordance with Section 252.204-7012 of the DFARS, associated with contractually
established CUI system requirements in DoD classified contracts for NISP contractors falling
under DCSA security oversight.

g. Coordinates with the DoD CIO to implement uniform security requirements when the IS
or network security controls for unclassified and classified information are included in DoD
classified contracts for NISP contractors falling under DCSA security oversight.

h. Consolidates DoD Component input on the oversight of CUI protection requirements in

DoD classified contracts for NISP contractors under DCSA security oversight, as required by
Information Security Oversight Office (ISOO) Notice 2016-01.

DoDI 5200.48, March 6, 2020



In addition to the responsibilities in Paragraph 2.10., the CMO:

a. Serves as the subject matter expert on CUI containing personally identifiable information
and its release in accordance with Subsection 552 of Chapter 5 of Title 5, United States Code
(U.S.C.), also known as and referred to in this issuance as the “Freedom of Information Act
(FOIA),” implemented through DoDD 5400.07 and DoDI 5400.11, and Subsection 552a of
Chapter 5 of Title 5, U.S.C., also known and referred to in the issuance as the “Privacy Act of

b. Supports OSD with information security matters, as appropriate.

2.5. PFPA.

Under the authority, direction, and control of the CMO, through the Director for Administration
and Organizational Policy, and in addition to the responsibilities in Paragraph 2.10., the Director,

a. Provides information security administrative support to OSD.

b. Provides information on OSD CUI Program status and other formally requested assistance
to the USD(I&S) to support the CUI Program.

c. Conducts CUI staff assistance visits to OSD in the National Capital Region.


In addition to the responsibilities in Paragraph 2.10., the Under Secretary of Defense for Policy:

a. Establishes policy and procedures for disclosing DoD CUI to foreign governments, the
North Atlantic Treaty Organization, and international organizations based on formally signed
agreements and arrangements between the parties.

b. Requires CUI to be identified in international agreements, arrangements, and contracts

having licensing export controls for foreign partners.

2.7. USD(A&S).

In addition to the responsibilities in Paragraph 2.10., pursuant to Section 133b of Title 10,
U.S.C., and in coordination with the USD(I&S), DoD CIO, and USD(R&E), the USD(A&S):

a. Maintains, in accordance with Section 252.204-7012 of the DFARS, DoD acquisition

contracting processes, policies, and procedures for safeguarding DoD CUI in DoD procurement
arrangements, agreements, and contracts, including other transaction authority actions.

DoDI 5200.48, March 6, 2020

b. Supports the development and implementation of a Federal Acquisition Regulation clause

applying CUI requirements to defense contractors.

2.8. USD(R&E).

In addition to the responsibilities in Paragraph 2.10., pursuant to Section 133a of Title 10,
U.S.C., and in coordination with USD(I&S), the USD(R&E):

a. Establishes DoD CUI processes, policies, and procedures for grants and cooperative
research and development arrangements, agreements, and contracts involving controlled
technical information (CTI).

b. Establishes a standard process to identify CTI; guidelines for sharing, marking,

safeguarding, storing, disseminating, decontrolling, and destroying CTI; and CTI records
management requirements contained in contracts, as appropriate.

c. Oversees and ensures DoD CUI guidelines and requirements for sharing, marking,
safeguarding, storage, dissemination, decontrol, destruction, and records management of all
research, development, test, and evaluation information are properly executed for all DoD owned

d. In coordination with the USD(A&S), ensures:

(1) Contracts, arrangements, and agreements for research, development, testing, and
evaluation identify CUI at the time of award.

(2) USD(R&E) international agreements, arrangements, and contracts with foreign

partners identify CUI within the documents.

(3) DoD Components concluding international agreements, arrangements, and contracts

with foreign partners include U.S. Government-approved text on CUI.

2.9. DOD CIO.

In addition to the responsibilities in Paragraph 2.10., the DoD CIO:

a. Oversees CUI metadata tagging standards, consistent with federal data tagging approaches
in accordance with the National Strategy for Information Sharing and Safeguarding, to
implement the marking requirements in Paragraph 3.4.c. and in accordance with DoDI 8320.07.

b. Integrates CUI metadata tagging standards into DoD information technology content
management tools to support discovery, access, auditing, safeguarding, and records management
decisions regarding CUI (including monitoring CUI data for visibility, accessibility, trust,
interoperability, and comprehension).

c. Provides policy and standards recommendations to the USD(I&S) on updates for the
sharing, marking, safeguarding, storage, dissemination, decontrol, destruction, and records

DoDI 5200.48, March 6, 2020

management of DoD CUI residing on both DoD and non-DoD IS in accordance with DoDI

d. Oversees Defense Industrial Base Cybersecurity Activities, using the DoD Cyber Crime
Center as the single DoD focal point for receiving and disseminating all cyber incident reports
impacting unclassified networks of defense contractors.

e. Coordinates with the USD(I&S), USD(A&S), USD(R&E), and DoD Component heads to
develop uniform security requirements for industry partners’ IS and network security controls
adequate for the type of CUI identified in the contract in accordance with Part 2002 of Title 32,
CFR, Section 252.204-7012 of the DFARS, and NIST SP 800-171.

f. Coordinates with the Director, DCSA to implement uniform security requirements when
IS or network security controls for unclassified and classified information are included in DoD
classified contracts of NISP contractors falling under DCSA security oversight.

g. Coordinates with the USD(I&S) to:

(1) Implement information security policy standards for markings to display, CUI for
DoD classified and unclassified systems and networks.

(2) Integrate training on safeguarding and handling CUI into updates to initial and annual
cybersecurity awareness training.

h. Notifies the CUI EA in coordination with the USD(I&S) of CUI waivers impacting IS or
networks in accordance with Title 32 of the CFR.

i. Oversees and ensures DoD Component- and National Archives-approved disposition

authorities for CUI are implemented for DoD records and information.

j. Oversees and ensures the Director, DoD Cyber Crime Center:

(1) Manages and updates, as necessary and in coordination with DoD CIO, the policies
in Section 236.4 of Title 32, CFR and Section 252.204-7012 of the DFARS.

(2) Maintains the website at https://dibnet.dod.mil to receive contractor mandatory

incident reports in accordance with Paragraph 3.9.d(1).


OSD and DoD Component heads:

a. Identify, program, and commit the necessary resources to implement CUI Program
requirements as part of their overall information security programs.

b. Designate in writing (with copy to the USD(I&S)):

DoDI 5200.48, March 6, 2020

(1) A DoD Component senior agency official (CSAO) at the Senior Executive Service
level or equivalent to implement their CUI Program and perform the duties in Paragraph 3.5.

(2) A DoD Component program manager (CPM) to manage their CUI Program.

c. Ensure their subordinate organizations comply with DoD CUI Program requirements.

d. Ensure their personnel receive initial and annual refresher CUI education and training, and
maintain documentation of this training for audit purposes.

e. Report DoD Component training completion data to the USD(I&S) annually or as


f. Provide an annual report to the USD(I&S) on CUI implementation status in accordance

with Title 32, CFR, Part 2002.

g. Determine if any CUI documents or materials constitute permanently valuable records of

the government, which require maintenance and disposal in accordance with DoDI 5015.02.

h. As the requiring activity, oversee CUI requirements for contractor implementation in

partnership with the Defense Contract Management Agency, based on Defense Contract
Management Agency responsibilities, or DCSA for cleared contractors in accordance with the
NISP, as appropriate.

i. Ensure DoD Component- and National Archives-approved disposition authorities are

implemented for DoD records and information regardless of classification.

j. Manage their CUI programs in accordance with guidelines prescribed in this DoD


In addition to the responsibilities in Paragraph 2.10., the Secretaries of the Military Departments
oversee the implementation of their CUI programs.


In addition to the responsibilities in Paragraph 2.10., the Chairman of the Joint Chiefs of Staff
oversees the implementation of the CUI programs in the Joint Staff organizations and Combatant

DoDI 5200.48, March 6, 2020



The CUI EA at NARA, through the Information Security and Oversight Office (ISOO),
published and released Part 2002 of Title 32, CFR, which provides implementing requirements
for E.O. 13556.

a. Part 2002 of Title 32, CFR established a CUI EA office under NARA’s ISOO for
implementing and overseeing the CUI Program.

b. Designed as a response to the information sharing challenges from inconsistent definitions

and marking requirements applied to CUI, Part 2002 of Title 32 CFR standardized the definition
of CUI and codified the identification, sharing, safeguarding, marking, storage, distribution,
transmission, decontrol, destruction, training, monitoring, and reporting requirements across the
Executive branch of government.

c. In accordance with Part 2002 of Title 32, CFR, CUI requires safeguarding or
dissemination controls identified in a law, regulation, or government-wide policy for information
that does not meet the requirements for classification in accordance with E.O. 13526.

d. Unlike classified information, an individual or organization generally does not need to

demonstrate a need-to-know to access CUI, unless required by a law, regulation, or government-
wide policy, but must have a lawful governmental purpose for such access. One example of a
requirement for need-to-know established by law, regulation, or government-wide policy is
Section 223.6 of Title 32, CFR, which requires a person to have a need-to-know to be granted
access to DoD Unclassified Nuclear Information (UCNI).


This legacy information guidance applies to information contained across DoD in, among other
documents, security classification guides (SCGs), various policies, and other legacy materials
falling under the Science and Technology Information Program (DoDI 3200.12), in either
electronic or hardcopy format. The CUI Program does not require the redacting or re-marking of
documents bearing legacy markings. However, any new document created with information
derived from legacy material must be marked as CUI if the information qualifies as CUI.

a. DoD legacy material will not be required to be re-marked or redacted while it remains
under DoD control or is accessed online and downloaded for use within the DoD. However, any
such document or new derivative document must be marked as CUI if the information qualifies
as CUI and the document is being shared outside DoD. DoD legacy marked information stored
on a DoD access-controlled website or database does not need to be remarked as CUI, even if
other agencies and contractors are granted access to such websites or databases.

b. DoD legacy information does not automatically become CUI. It must be reviewed by the
owner of the information to determine if it meets the CUI requirements. If it is determined the

DoDI 5200.48, March 6, 2020

specific legacy information meets the CUI requirements, it will be marked in accordance with
this issuance and corresponding manual.

c. For federal systems, IS storing information identified as CUI must meet the minimum
network security standard in Part 2002 of Title 32, CFR. For nonfederal systems, IS must meet
the standards in the NIST SP 800-171, when established by contract.

d. When DoD legacy information is incorporated into, or cited in, another document or
material, it must be reviewed for CUI and marked in accordance with this issuance.


The DoD CUI Information Security Program will promote, to the maximum extent possible,
information sharing, facilitate informed resource use, and simplify its management and
implementation while maintaining required safeguarding and handling measures.

a. In accordance with DoDI 5230.09 and the August 14, 2014 Deputy Secretary of Defense

(1) The DoD originator or authorized CUI holder must ensure a prepublication and
security policy review is conducted, pursuant to the standard DoD Component process, before
CUI is approved for public release, which includes publication to a publicly accessible website.

(2) Decontrolling and releasing CUI records will be executed by the originator of the
information, the original classification authority (OCA) if identified in a security classification
guide, or designated offices for decontrolling CUI pursuant to the procedures for the review and
release of information under the FOIA in accordance with the November 19, 2018 ISOO Notice.
There are no specific timelines to decontrol CUI unless specifically required in a law, regulation,
or government-wide policy. Decontrol will occur when the CUI no longer requires safeguarding
and will follow DoD records management procedures.

b. OCAs will determine if aggregated CUI under their control should be classified in
accordance with Volume 1 of DoDM 5200.01 and will confirm the relevant SCGs address the

c. DoD information systems processing, storing, or transmitting CUI will be categorized at

the “moderate” confidentiality impact level and follow the guidance in DoDIs 8500.01 and
8510.01. Non-DoD information systems processing, storing, or transmitting CUI will provide
adequate security, and the appropriate requirements must be incorporated into all contracts,
grants, and other legal agreements with non-DoD entities in accordance with DoDI 8582.01. See
Section 5 of this issuance for more information on CUI and its application to industry.

d. The DoD CUI Registry provides an official list of the Indexes and Categories used to
identify the various types of DoD CUI. The DoD CUI Registry mirrors the National CUI
Registry, but provides additional information on the relationships to DoD by aligning each Index
and Category to DoD issuances.

DoDI 5200.48, March 6, 2020

(1) The official DoD CUI Registry of categories can be accessed on Intelink at

(2) The site will be updated as changes to the DoD CUI Registry are made based on
official notification from the CUI EA through the CUI Registry Working Group; changes to law,
regulation, or government-wide policy; or notification that the information no longer meets the
requirements for CUI.


This paragraph covers the essential marking requirements for initial phased implementation of
the DoD CUI Program.

a. At minimum, CUI markings for unclassified DoD documents will include the acronym
“CUI” in the banner and footer of the document.

b. If portion markings are selected, then all document subjects and titles, as well as individual
sections, parts, paragraphs, or similar portions of a CUI document known to contain CUI, will be
portion marked with “(CUI).” Use of the unclassified marking “(U)” as a portion marking for
unclassified information within CUI documents or materials is required.

(1) There is no requirement to add the “U,” signifying unclassified, to the banner and
footer as was required with the old FOUO marking (i.e., U//FOUO).

(2) Banners, footers, and portion marking will only be marked “Unclassified” or “(U)”
for unclassified information in accordance with the June 4, 2019 ISOO letter. If the document
also contains CUI, it will be marked in accordance with Paragraph 3.4.a. and additional
forthcoming guidance.

c. CUI markings in classified documents will appear in paragraphs or subparagraphs known

to contain only CUI and must be portion marked with “(CUI).” “CUI” will not appear in the
banner or footer.

(1) There will be an acknowledgement added to the warning box on the first page of
multi-page documents to alert readers to the presence of CUI in a classified DoD document, as
shown in Figure 1.

DoDI 5200.48, March 6, 2020

Figure 1. CUI Warning Box for Classified Material

This content is classified at the [insert highest classification level of the source
data] level and may contain elements of controlled unclassified information
(CUI), unclassified, or information classified at a lower level than the overall
classification displayed. This content shall not be used as a source of derivative
classification; refer instead to [cite specific reference, where possible, or state
“the applicable classification guide(s)”]. It must be reviewed for both
Classified National Security Information (CNSI) and CUI in accordance with
DoDI 5230.09 prior to public release. [Add a point of contact when needed.]

(2) Volume 2 of DoDM 5200.01 requires DoD intelligence producers to follow DNI
formats for intelligence production under the authority of the DNI. When DoD CUI is
incorporated into a Digital Access Policy under the authority of the DNI, the information and the
document will follow the Digital Access Policy standards established by the DNI.

d. The dissemination marking “not releasable to foreign nationals (NOFORN or NF)” is an

intelligence control marking used to identify intelligence information an originator has
determined meets the criteria of Intelligence Community Directive 710 and Intelligence
Community Policy Guidance 403.1, which provides guidance for further dissemination control
markings. It must be applied to controlled unclassified intelligence information that is properly
characterized as CUI with appropriate CUI markings. CUI identified with this marking will not
be provided, in any form, to foreign governments (including coalition partners), international
organizations, foreign nationals, or other non-U.S. persons without the originator’s approval in
accordance with E.O.s 13526 and 13556. If originator approval is required for further
dissemination, the originator will mark the requirement on the information in accordance with
Section 4.1(i)(1) of E.O. 13526.

(1) The application of the control marking “not releasable to foreign nationals”
(NOFORN or NF) will only be applied, when warranted, to unclassified intelligence information
properly categorized as CUI and reviewed by a Foreign Disclosure Officer to ensure there are no
international agreements in place to prohibit its use and prohibiting sharing.

(2) The control marking NOFORN or NF will be applied to Naval Nuclear Propulsion
Information (NNPI), Unclassified Controlled Nuclear Information (UCNI), National Disclosure
Policy (NDP-1), and cover and cover support information. When warranted, it can be applied to
unclassified information properly categorized as CUI having a licensing or export control
requirement. Before marking a document or material as NOFORN or NF, it will be reviewed by
the Foreign Disclosure Officer to ensure there are no agreements in place to prohibit its use and

(3) The application of “Releasable to” (“REL TO”) can only be applied, when warranted
and consistent with relevant law, regulation, or government-wide policy or DoD policy, to
information properly categorized as CUI with an export control or licensing requirement with a
foreign disclosure agreement in place.

DoDI 5200.48, March 6, 2020

(a) Export-controlled CUI transfers to foreign persons must be in accordance with

the Arms Export Control Act, International Traffic in Arms Regulations, Export Control Reform
Act, Export Administration Regulations, and DoDI 2040.02. In accordance with DoDDs
5230.11 and 5230.20, a positive foreign disclosure decision must be made before CUI is released
to a foreign entity.

(b) DoD operational CUI (not related to intelligence) may be marked as REL TO.

e. All classified documents, including legacy documents will be reviewed for CUI and
properly marked upon changes in the document’s classification level, particularly if the
documents are to be completely declassified.

f. The first page or cover of any document or material containing CUI, including a
document with commingled classified information, will include a CUI designation indicator, as
shown in Figure 2. This CUI designation indicator is similar to the classification-marking block
used for CNSI documents and materials. Documents and materials containing CUI will require a
generic “CUI” marking at the top and bottom of each page.

(1) In accordance with Part 2002 of Title 32, CFR, the CUI designation indicator must
contain, at minimum, the name of the DoD Component determining that the information is CUI.
If letterhead or another standard indicator of origination is used, this line may be omitted.

(2) The second line must identify the office making the determination.

(3) The third line must identify all types of CUI contained in the document.

(4) The fourth line must contain the distribution statement or the dissemination controls
applicable to the document.

(5) The fifth line must contain the phone number or office mailbox for the originating
DoD Component or authorized CUI holder.

Figure 2. CUI Designation Indicator for All Documents and Material

Controlled by: [Name of DoD Component] (Only if not on letterhead)

Controlled by: [Name of Office]
CUI Category: (List category or categories of CUI)
Distribution/Dissemination Control:
POC: [Phone or email address]

g. During DoD’s initial phased implementation of the CUI Program, there is no required
distinction that must be made between Basic and Specified CUI. All DoD information will be
protected in accordance with the requirements under the Basic level of safeguards and
dissemination unless specifically identified otherwise in a law, regulation, or government-wide
policy. Forthcoming guidance will address the distinction between the two levels of CUI,
including a list of which categories are Basic or Specified, what makes the category one or the
other, and the unique requirements, to include markings, for each.

DoDI 5200.48, March 6, 2020


Each DoD Component head must appoint, in writing, a CSAO for the Information Security
Program, who will:

a. Appoint, in writing, an official to serve as the CPM for CUI in accordance with ISSO
Notice 2019-02. To manage the DoD Component’s overall execution of the CUI program, the
CPM will:

(1) Coordinate directly with the USD(I&S) Information Security Directorate on CUI

(2) Manage and oversee CUI implementation for the DoD Component.

(3) Inform the CSAO of concerns identified by subordinate elements.

(4) Report misuse, mishandling, or UD of CUI to the Unauthorized Disclosure Program

Management Office. In addition, notify the appropriate Military Department Counterintelligence
Organization of all incidents.

(5) Submit the annual CUI Implementation Status Report to the DDI(CL&S) to evaluate
the effectiveness, compliance, and efficiency of the DoD Component’s implementation of CUI,
in accordance with Paragraph 3.6.c.

(6) Resolve CUI challenges in accordance with E.O. 13556 and Part 2002 of Title 32,
CFR. Refer all unresolved challenges to the DDI(CL&S).

b. Serve as the primary point of contact for official correspondence, accountability reporting,
and other matters of record between the DoD Component and the USD(I&S).


DoD CUI is clustered into organizational indexes (e.g., defense, privacy, proprietary) with
associated categories, and is categorized by the DoD according to the specific law, regulation, or
government-wide policy requiring control. Unclassified information associated with a law,
regulation, or government-wide policy and identified as needing safeguarding is considered CUI.
It requires access control, handling, marking, dissemination controls, and other protective
measures for safeguarding.

a. The authorized holder of a document or material is responsible for determining, at the

time of creation, whether information in a document or material falls into a CUI category. If so,
the authorized holder is responsible for applying CUI markings and dissemination instructions

b. In accordance with this issuance, every individual at every level, including DoD civilian
and military personnel as well as contractors providing support to the DoD pursuant to

DoDI 5200.48, March 6, 2020

contractual requirements, will comply with the requirements in Paragraph 3.6.f of this issuance
for initial and annual refresher CUI training.

c. Each OSD and DoD Component will annually submit the CUI Implementation Status
Report to the USD(I&S) for inclusion in the DoD CUI Program report to the CUI EA. A copy of
the report will be made available on Intelink at
The CUI Implementation Status Report will at least include:

(1) Implementation activities.

(2) Training statistics.

(3) Incident management.

(4) Implementation and sustainment costs.

(5) Self-inspection activities.

d. DoD and OSD Components will submit an initial report on the implementation status of
their CUI Programs. Once established, DoD Component heads will conduct inspections of their
programs, and the DoD Implementation Status Report will transition to an annual self-inspection

e. Some documents and materials containing CUI may constitute permanently valuable
government records and will be maintained and disposed of in accordance with the NARA-
approved record disposition schedules applicable to each DoD Component in accordance with
DoDI 5015.02. When other materials containing CUI no longer require safeguarding, they will
be decontrolled and either retained, if a permanent record, or destroyed in accordance with
Section 4 and ISOO Notice 2019-03.

f. Other Executive Branch Agencies in the U.S. Government have identified organizational
indexes and CUI categories related to a law, regulation, or government-wide policy. Some CUI
indexes and categories are unique to specific organizations. The Official CUI Registry is on the
NARA Website at https://www.archives.gov/cui. It identifies other CUI categories not specific
to the Defense Index, but that may apply or relate to the Executive Branch. Since various DoD
Components interact and share inter-dependencies with other departments, agencies, and
activities in the Executive Branch, it is important to know and understand these indexes and
categories, along with their associated markings, in order to recognize other agencies’ CUI and
handle the information accordingly. Of note, the CUI indexes and categories listed in the CUI
Registry and DoD CUI Registry identify the safeguarding and dissemination requirements as
identified by the related law, regulation, or government-wide policy. Moreover, the CUI
Registry is agile and subject to change based on changes in law, regulation, or government-wide

g. In accordance with ISOO Notice 2016-01, CUI training standards must, at minimum:

(1) Identify individual responsibilities for protecting CUI.

DoDI 5200.48, March 6, 2020

(2) Identify the organizational index with CUI categories routinely handled by DoD

(3) Describe the CUI Registry, including purpose, structure, and location

(4) Describe the differences between CUI Basic and CUI Specified.

(5) Identify the offices or organizations with DoD CUI Program oversight

(6) Address CUI marking requirements as described in this issuance.

(7) Address the required physical safeguards and CUI protection methods as described in
this issuance.

(8) Address the destruction requirements and methods as described in this issuance.

(9) Address the incident reporting procedures as described in this issuance.

(10) Address methods for properly disseminating CUI within the DoD and with external
entities inside and outside of the Executive Branch.

(11) Address the methods for properly decontrolling CUI as described in this issuance.


This section specifies initial requirements for implementing, marking, and managing the CUI
program. Table 1 contains a sample list of the categories found in the DoD CUI Registry and
Defense Index. A complete list of CUI Indexes and Categories can be found on Intelink at
Some significant points about DoD CUI include:

a. CUI does not include information lawfully and publicly available without restrictions.

b. CUI requires safeguarding measures identified by the CUI EA in Part 2002.14 of Title 32,
CFR and, as necessary, in the law, regulation, or government-wide policy with which it is
associated. DoD CUI may be disseminated to DoD personnel to conduct official DoD and U.S.
Government business in accordance with a law, regulation, or government-wide policy.

(1) No individual may have access to CUI information unless it is determined he or she
has an authorized, lawful government purpose.

(2) The person with authorized possession, knowledge, or control of CUI will determine
whether an individual has an authorized, lawful government purpose to access designated CUI.

(3) CUI information may be disseminated within the DoD Components and between
DoD Component officials and DoD contractors, consultants, and grantees to conduct official

DoDI 5200.48, March 6, 2020

business for the DoD, provided dissemination is consistent with controls imposed by a
distribution statement or limited dissemination controls (LDC).

(4) CUI designated information may be disseminated to a foreign recipient in order to

conduct official business for the DoD, provided the dissemination has been approved by a
disclosure authority in accordance with Paragraph 3.4.c. and the CUI is appropriately marked as
releasable to the intended foreign recipient.

c. CTI compiled or aggregated may become classified. Such classified CTI is subject to the
requirements of the National Industrial Security Program, which has different requirements than
Section 252.204-7012 of the DFARS for unclassified CTI.

(1) CTI is to be marked with one of the Distribution Statements B through F, in

accordance with DoDI 5230.24.

(2) Pursuant to section 252.204-7012 of the DFARS, scientific, technical, and

engineering information beyond basic research(known as pre-applied research and development
aligning with the Science, Technology, and Engineering Information Program policies, with
military or space application subject to controls on the access, use, reproduction, modification,
performance, transmission, display, release, disclosure, or dissemination) shall be treated as CUI.
This type of information or data can become classified by compilation or aggregation and is
subject to the National Disclosure Policy (NDP-1). Examples include preliminary research and
engineering data, engineering drawings, and associated specifications, lists, standards, process
sheets, manuals, technical reports, technical orders, studies and analyses on topics requested by
DoD Components, catalog-item identifications, data sets, and computer software with executable
or source code.

d. As DoD programs transition through the acquisition life cycle, the CUI category or
treatment of information may change. In accordance with Title 32, CFR, if the safeguarding
requirements for a CUI category or the original law, regulation, or government-wide policy
changes, there will be a cascading effect requiring changes for the particular category. These
changes will be implemented as soon as possible.

(1) For example, in the acquisition area, a program will begin in the basic research and
development phase. Once this program milestone is achieved, the project could transition to the
applied research and development or to the production phase.

(2) At this point, the original CUI must be reviewed for any necessary adjustments,
including potential changes to the CUI designation, category, subcategory or type, or controls.

e. CUI will be identified in SCGs to ensure such information receives appropriate protection.
If the SCG is canceled, a memorandum or other guidance document may be issued to identify
CUI instead.

f. DoD is required to provide documents and records requested by members of the public,
unless those records are exempt from disclosure in accordance with the procedures established
by Part 286 of Title 32, CFR and DoDD 5400.07.

DoDI 5200.48, March 6, 2020

g. Other CUI category information may qualify for withholding from public release based on
a specific FOIA exemption for the type of information in question. Determining whether
information meets the requirements for CUI shall be done separately and prior to identifying any
potential FOIA exemptions.

h. CUI requiring distribution statements in accordance with DODI 5230.24 or the LDC
identified in the related law, regulation, or government-wide policy, but does not qualify as
classified information in accordance with E.O. 13526 or Chapter 14 of Title 42, U.S.C, (also
known and referred to in this issuance as the “Atomic Energy Act of 1954”), will be
implemented in accordance with this issuance.

i. Table 1 is an example of the format for the list of all DoD CUI Registry Categories aligned
to the CUI National Registry published on Intelink at

j. Table 1 provides a sample of the cross-walk of the National CUI registry to the DoD
issuance(s) related to the category. The items in Table 1 identify the two unique types of data
used by the Department of Energy, the DoD, and the DoD Components. Both types satisfy the
CUI requirements and are subject to safeguarding and limited distribution control, and are
exempt from mandatory public disclosure in accordance with Exemption 3 of the FOIA.

DoDI 5200.48, March 6, 2020

Table 1. DoD CUI Registry Category Examples

Additional Information (How Miscellaneous
Category Proposed Defense Description Authority DoD Guidance
Used, Examples, etc.) Information
NNPI Related to the safety of reactors and associated Data and information related to Section 2013 Chief of Naval Sanctions: Section
naval nuclear propulsion plants, and control of the safety of reactors and of Title 42, Operations 2168 and 2168(b)
radiation and radioactivity associated with naval associated naval nuclear U.S.C.; Instruction of Title 42, U.S.C.
nuclear propulsion activities, including prescribing propulsion plants, the control of Section 2511 N9210.3, and
and enforcing standards and regulations for these radiation and radioactivity of Title 50, CG-RN-1, The DoD NNPI
areas as they affect the environment and the safety associated with Defense naval U.S.C. Revision 3. is unique as it is
and health of workers, operators, and the general nuclear propulsion activities exempt from
public. This subcategory of Defense CUI relates containing prescriptive and mandatory
to the protection of information concerning nuclear enforcement standards and public disclosure
reactors, materials, or security and concerns the regulations for these areas as under
safeguarding of nuclear reactors, materials, or they affect the environment and Exemption 3 of
security. Refer to Office of the Chief of Naval the safety and health of the FOIA.
Operations Instruction N9210.3, and CG-RN-1, workers, operators, and the
Revision 3, Department of Energy-DoD general public.
Classification Guide for the Naval Nuclear
Propulsion Program for guidance on determining
information as Unclassified Defense-NNPI.
Unclassified Relating to Department of Defense special nuclear This type of Defense CUI may Section 128(a) DoDD 5210.83; The DoD UCNI
Controlled material (SNM), equipment, and facilities, as be designated UCNI by the of Title 10, DoDI 5210.83; is unique as it is
Nuclear defined by Part 223 of Title 32, CFR. This type of Heads of the DoD Components U.S.C.; exempt from
Information Defense CUI is unclassified information about and individuals delegated Part 223 of mandatory
- Defense SNM security measures, DoD SNM equipment, authority in accordance with Title 32, CFR public disclosure
DoD SNM facilities, or nuclear weapons in DoD DoDD 5210.83. Some specific under
custody. Information is designated DoD examples include: Security Exemption 3 of
unclassified controlled nuclear information plans, procedures, and the FOIA.
(UCNI) in accordance with DoDI 5210.83 only equipment used for the physical
when it is determined its UD could reasonably be safeguarding of DoD SNM.
expected to have a significant adverse effect on the
health and safety of the public or the common
defense and security by significantly increasing the
likelihood of the illegal production of nuclear
weapons or the theft, diversion, or sabotage of
DoD SNM, DoD SNM equipment, DoD SNM
facilities, or nuclear weapons in DoD custody.

DoDI 5200.48, March 6, 2020

k. Restricted data or formerly restricted data are classified and shall not be commingled with
CUI in an unclassified document. For restricted data or formerly restricted data, follow the
marking requirements in accordance with Volume 2 of DoDM 5200.01; Part 1045 of Title 10,
CFR; and the Atomic Energy Act of 1954.

l. For DoD Geospatial intelligence information and data, the DoD will not apply the
Geodetic Product Information (GPI) designation. Instead, the DoD will continue to use the
designation for “Limited Distribution” with the marking of “LIMDIS.” For all other DoD
geospatial information and data, such as installation geospatial information and services (IGI&S)
as defined by DoDI 8130.01, use the GPI category or other appropriate CUI category
designations defined by this issuance. The DoD will use the GPI designation for all of the non-
Geospatial intelligence information and data. Approved LDCs for the DoD are located on
Intelink at

m. The request for a waiver for a particular CUI Program requirement will be handled in
accordance with Volume 1 of DoDM 5200.01 for CNSI.

n. DoD Component heads shall produce annual self-inspection reports and general program
status updates to fulfill ISOO monitoring and reporting requirements.

3.8. OCA.

DoD OCAs will determine if CUI under their control, when compiled, is classified. If so, the
applicable SCGs must address the compilation. Any time an OCA discovers that compiled or
aggregated information is not properly classified on websites, folders, or documents, the OCA

a. Notify the organization using the compiled information to remove or protect the

b. Conduct a damage assessment.

c. Determine if the information still requires classified protection in its compiled form. If
not, the OCA must document the revised aggregation or compilation determination by updating
SCGs and providing the guide to all users in accordance with DoDM 5200.45.

d. If the information is determined not to be classified, it must be reviewed to identify if the

information is CUI.

e. Since OCAs are the owners of the information under their authority, they are authorized to
identify and mark such information as CUI.


DoDI 5200.48, March 6, 2020

a. The release or disclosure to foreign governments, international organizations, coalitions,

or allied personnel of CUI not controlled as NOFORN will be in accordance with a law,
regulation, or government-wide policy. Access to such CUI during official foreign national
visits and assignments to DoD Components and cleared contractor facilities, when applied by
contract, will be in accordance with DoDD 5230.20.

b. CUI not controlled as NOFORN may be released or disclosed to non-U.S. citizens

employed by the DoD if:

(1) Access to such information is within the scope of their assigned duties.

(2) Access to such information would help accomplish a lawful and authorized DoD
mission or purpose and would not be detrimental to the interests of the DoD or the U.S.

(3) There are no contract restrictions prohibiting access to such information.

(4) Access to such information is in accordance with DoDIs 8500.01 and 5200.02 and
export control regulations, as applicable.

c. The DoD Components’ CSAOs and CPMs will establish procedures to ensure prompt and
appropriate management action is taken in cases of CUI misuse, including UD of CUI, improper
CUI designation and marking, violation of this issuance, and incidents potentially placing CUI at
risk of UD. Such actions will focus on correcting or eliminating the conditions contributing to
the incident.

d. For UD of CUI, no formal security inquiry or investigation is required unless disciplinary

action will be taken against the individual(s) responsible. In such cases, a preliminary inquiry is
appropriate. UD of certain CUI, such as export controlled-technical data, may also result in
potential civil and criminal sanctions against responsible persons based on the procedures
codified in the relevant law, regulation, or government-wide policy. The DoD Component
originating the CUI will be informed of any UD.

e. Reporting or accounting for UD of CUI shall be done in accordance with Paragraph

3.5.a(4), and the appropriate Military Department Counterintelligence Organization shall be
notified of all incidents.


In accordance with DoDIs 8500.01 and 8510.01, security controls for systems and networks are
set to the level required by the safeguarding requirements for the data or information being
processed, as identified in Federal Information Processing Standards 199 and 200. For DoD
CUI, the minimum security level will be moderate confidentiality in accordance with Part 2002
of Title 32, CFR and NIST SP 800-171.

a. The USD(I&S) will notify and coordinate with the CUI EA regarding waiver requests
involving CUI requirements prior to granting any such requests, including waiver requests

DoDI 5200.48, March 6, 2020

related to IS. The USD(I&S) must coordinate and collaborate with the DoD CIO to ensure the
agency requesting the waiver has plans to appropriately safeguard and control CUI. The request
for a waiver for a CUI Program requirement shall be done in accordance with Volume 1 of
DoDM 5200.01 for CNSI, as modified in the forthcoming manual supporting this instruction.

b. DoD personnel will not use unofficial or personal (e.g., .net; .com) e-mail accounts,
messaging systems, or other non-DoD information systems, except approved or authorized
government contractor systems, to conduct official business involving CUI. This is necessary to
ensure proper accountability for Federal records and to facilitate data spill remediation in
accordance with Public Law 113-187 and the January 16, 2018 Deputy Secretary of Defense

c. DoD information systems processing, storing, or transmitting CUI will be categorized at

the moderate impact level, and follow the guidance in DoDIs 8500.01 and 8510.01. Non-DoD
information systems processing, storing, or transmitting CUI will provide adequate security, and
the appropriate requirements must be incorporated into all contacts, grants, and other legal
agreements with non-DoD entities in accordance with DoDI 8582.01. The NIST SP 800-171
governs and protects CUI on non-Federal IS when applied by contract.

d. For systems, networks, and programs operating on the various domains, a splash screen
warning and notice of consent, as shown in Figure 3, must be employed to alert users of CUI
within the program. This ensures proper safeguarding and dissemination controls are
implemented in accordance with Part 2002 of Title 32, CFR and this issuance.

DoDI 5200.48, March 6, 2020

Figure 3. Notice and Consent

"You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only. By using this IS (which includes any device
attached to this IS), you consent to the following conditions:

-The USG routinely intercepts and monitors communications on this IS for purposes
including, but not limited to, penetration testing, COMSEC monitoring, network
operations and defense, personnel misconduct (PM), law enforcement (LE), and
counterintelligence (CI) investigations.

-At any time, the USG may inspect and seize data stored on this IS.

-Communications using, or data stored on, this IS are not private, are subject to
routine monitoring, interception, and search, and may be disclosed or used for any
USG-authorized purpose.

-This IS includes security measures (e.g., authentication and access controls) to

protect USG interests--not for your personal benefit or privacy.

-Notwithstanding the above, using this IS does not constitute consent to PM, LE or
CI investigative searching or monitoring of the content of privileged
communications, or work product, related to personal representation or services by
attorneys, psychotherapists, or clergy, and their assistants. Such communications
and work product are private and confidential. See User Agreement for details."

e. Organizations will modify or install classification marking tools on UNCLASSIFIED,

SECRET, and TOP SECRET network systems to account for CUI information and readily
permit inclusion of CUI markings and designator indicators as required by Part 2002 of Title 32,

DoDI 5200.48, March 6, 2020




Part 2002 of Title 32, CFR requires dissemination statements to be placed on classified and
unclassified documents or other materials when CUI necessitates access restrictions, including
those required by law, regulation, or government-wide policy. These statements facilitate
control, secondary sharing, decontrol, and release without the need to repeatedly obtain approval
or authorization from the controlling DoD office.

a. Dissemination controls identify the audience deemed to have a lawful government

purpose to use the CUI and specify the rationale for applying the controls by specific codes in
accordance with DoDI 5230.24 and this issuance.

b. Agencies must promptly decontrol CUI properly determined by the CUI owner to no
longer require safeguarding or dissemination controls, unless doing so conflicts with the related
law, regulation, or government-wide policy in accordance with DoDI 5230.09.

c. Decontrolling CUI through the public release process relieves authorized holders from
requirements for handling information in accordance with the CUI Program. A prepublication
review must be conducted in accordance with DoDI 5230.09 before public release may be

d. In accordance with Part 2002.20 of Title 32, CFR, if the authorized holder of the CUI
publicly releases the CUI in accordance with the designating agency’s authorized procedures,
this constitutes the decontrol of the document.

e. To ensure CUI protection, the following measures will be implemented:

(1) During working hours, steps will be taken to minimize the risk of access by
unauthorized personnel, such as not reading, discussing, or leaving CUI information unattended
where unauthorized personnel are present. After working hours, CUI information will be stored
in unlocked containers, desks, or cabinets if the government or government-contract building
provides security for continuous monitoring of access. If building security is not provided, the
information will be stored in locked desks, file cabinets, bookcases, locked rooms, or similarly
secured areas. The concept of a controlled environment means there is sufficient internal
security measures in place to prevent or detect unauthorized access to CUI. For DoD, an open
storage environment meets these requirements.

(2) CUI information and material may be transmitted via first class mail, parcel post, or,
bulk shipments. When practical, CUI information may be transmitted electronically (e.g., data,
website, or e-mail), via approved secure communications systems or systems utilizing other
protective measures such as Public Key Infrastructure or transport layer security (e.g., https).
Avoid wireless telephone transmission of CUI when other options are available. CUI
transmission via facsimile machine is permitted; however, the sender is responsible for


DoDI 5200.48, March 6, 2020

determining whether appropriate protection will be available at the receiving location before
transmission (e.g., facsimile machine attended by a person authorized to receive CUI; facsimile
machine located in a controlled government environment).


a. In accordance with this issuance, CUI access should be encouraged and permitted to the
extent the access or dissemination:

(1) Complies with the law, regulation, or government-wide policy identifying the
information as CUI.

(2) Furthers a lawful government purpose.

(3) Is not restricted by an authorized LDC established by the CUI EA.

(4) Is not otherwise prohibited by any other law, regulation, or government-wide policy.

b. Agencies may place limits on disseminating CUI for a lawful government purpose only
using the dissemination controls listed in Table 2 or methods authorized by a specific law,
regulation, or government-wide policy.

c. When handling other Executive Branch CUI, DoD personnel will follow their governance
criteria for when the application of dissemination controls and its markings are allowed, and by
whom, while ensuring the policy is in accordance with Part 2002 of Title 32, CFR.

d. LDCs or distribution statements cannot unnecessarily restrict CUI access.

e. Since DoD Components need to retain certain agency-specific CUI within their
organizations, DoD Components may use the limited dissemination controls to limit access to
those on an accompanying dissemination list, as shown in Table 2. For example, raw data,
information, or products must be processed and analyzed before determining if further
dissemination is required or permitted. The Limited Dissemination Control List control will be
used to address this need. The LDC list is found on Intelink at


a. Legacy CUI technical documents and materials requiring export control have used
distribution statements in accordance with DoDI 5230.24 in order to address the shared
responsibility between the DoD and its contractors to safeguard this information. This was done
for legacy CUI creation, transmission, receipt, storage, distribution, decontrol, and approved
disposition authorities, including destruction.

b. As of the effective date of this issuance, DoD personnel will use LDCs for new CUI
documents and materials except export controlled technical information, which must be marked


DoDI 5200.48, March 6, 2020

with an export control warning in accordance with DoDI 5230.24, DoDD 5230.25, and Part 250
of Title 32, CFR. The wording of the distribution statements may not be modified to specify
additional distribution, such as distribution to foreign governments. However, where other
markings are authorized and used in accordance with associated law, regulation, or government-
wide policy (e.g., North Atlantic Treaty Organization markings, REL TO), those markings may
be used to further inform distribution decisions. Therefore, “REL TO” is authorized for use with
foreign nationals once the information distribution is properly coordinated with the foreign
disclosure office.

Table 2. Dissemination Control and Distribution Statement Markings

NONE – Publicly Releasable AFTER Review DISTRO A
No Foreign Dissemination (NOFORN / NF)
Federal Employees Only (FED ONLY) DISTRO B
Federal Employees and Contractors Only DISTRO C
No Dissemination to Contractors (NOCON)
Dissemination List Controlled (DL ONLY) DISTRO F
Authorized for Release to Certain Foreign
Nationals Only (REL TO USA, LIST )
Display Only (DISPLAY ONLY)
Dissemination List – (Include Separate List for DISTRO E
Government Only)*
Dissemination List – (Include Separate List for DISTRO D
Government and Contractors Only)*
U.S. Government Agencies and private
individuals or enterprises eligible to obtain
export controlled technical data in accordance
with DoDD 5230.25. DISTRO X was cancelled
and superseded by DISTRO C.
*The dissemination list limits access to the specified individuals, groups, or agencies and must
accompany the document

c. CUI export controlled technical information or other scientific, technical, and engineering
information will still use distribution statements. Export controlled information must also be
marked with an export control warning as directed in DoDI 5230.24, DoDD 5230.25, and Part
250 of Title 32, CFR.


Guidance for decontrolling CUI records, documents, and materials is provided in this issuance,
or the CUI Registry for information categories not directly related to DoD CUI.


DoDI 5200.48, March 6, 2020

a. CUI documents and materials will be formally reviewed in accordance with DoDI
5230.09 before being decontrolled or released to the public.

b. The originator or other competent authority (e.g., initial FOIA denial and appellate
authorities) will terminate the CUI status of specific information when the information no longer
requires protection from public disclosure. When the CUI status of information is terminated in
this manner, all known holders will be notified by email or other means. Upon notification,
holders will remove the CUI markings. Holders will not need to retrieve records on file solely
for this purpose. Information with a terminated CUI status will not be publicly released without
review and approval in accordance with DoDIs 5230.09, 5230.29, and 5400.04.


Guidance for destroying CUI documents and materials is provided in this issuance, the CUI
Registry, and ISOO Notice 2019-03. CUI documents and materials will be formally reviewed in
accordance with Paragraphs 4.5.a. and 4.5.b. before approved disposition authorities are applied,
including destruction. Media containing CUI must include decontrolling indicators.

a. Record and non-record copies of CUI documents will be disposed of in accordance with
Chapter 33 of Title 44, U.S.C. and the DoD Components’ records management directives. When
destroying CUI, including in electronic form, agencies must do so in a manner making it
unreadable, indecipherable, and irrecoverable. If the law, regulation, or government-wide policy
specifies a method of destruction, agencies must use the method prescribed.

b. Record and non-record CUI documents may be destroyed by means approved for
destroying classified information or by any other means making it unreadable, indecipherable,
and unrecoverable the original information such as those identified in NIST SP 800-88 and in
accordance with Section 2002.14 of Title 32, CFR.


DoDI 5200.48, March 6, 2020



There is a shared responsibility between the DoD and industry, when established by contract,
grants, or other legal agreements or arrangements, in the identification, creation, sharing,
marking, safeguarding, storage, dissemination, decontrol, disposition, destruction, and records
management of CUI documents and materials. It is essential to identify and apply the general
dissemination principles and guidance as prescribed by the CUI EA in accordance with Part 2002
of Title 32, CFR. Contracts containing CUI shared from DoD or generated, managed, or
transmitted by the contractor via their information systems, will be in accordance with this
issuance, which will be incorporated into each DoD contract.

a. The NIST SP 800-171 identifies the baseline CUI system security requirements for
industry established by Part 2002 of Title 32, CFR. Additionally, Section 252.204-7012 of the
DFARS specifies a waiver process for defense contractors in accordance with NIST SP 800-171
for contractor IT or networks.

b. CUI with the potential to impact national security (e.g., information related to critical
programs and technology information) may require enhanced protection. These enhanced
measures would address both physical and logical procedures. Enhanced protection methods for
systems hosting CUI include:

(1) Access control (e.g., restricting both physical and logical access to the systems).

(2) Audit and accountability (e.g., review and monitor system usage).

(3) Configuration management (e.g., restrict system connection to only approved


(4) Identification and authentication (e.g., control issuance of end-user certificates).

(5) Incident response (e.g., ensure corrective measures are implemented in a timely
manner and validate effectiveness).

(6) System and communication protection (e.g., application of encryption for data at rest
and restriction of connections to uncertified, unsecured, non-organizational systems). DoD
Components may implement stricter CUI encryption requirements based on a law, regulation, or
government-wide policy (DHA PI 8140, requires workforce encrypt emailed PHI).

(7) System and information integrity (e.g., provide network detection tools throughout
the system to identify attempted intrusions).

c. Non-DoD IS processing, storing, or transmitting CUI will be safeguarded in accordance

with contractual requirements identified for the particular CUI contained in the contract, DoDI
8582.01 and Section 252.204-7012 of the DFARS or their subsequent revisions.


DoDI 5200.48, March 6, 2020

d. When established by contract, contractors, sub-contractors, and consultants must comply

with safeguarding requirements identified in the contract for all types of CUI.

e. The program office or requiring activity must identify DoD CUI at the time of contract
award and, if necessary, provide guidance on information aggregation or compilation. The
program office or requiring activity must review recurring or renewed contracts for CUI to
comply with this issuance.


Safeguarding requirements and incident response measures for misuse or UD of CUI must be
implemented across the DoD. Senior leaders, contracting officers, commanders, and supervisors
at all levels must consider and take appropriate administrative, legal, or other corrective or
disciplinary action to address CUI misuse or UD commensurate with the appropriate law,
regulation, or government-wide policy.


This paragraph highlights requirements for DoD contractors.

a. Whenever DoD provides information to contractors, it must identify whether any of the
information is CUI via the contracting vehicle, in whole or part, and mark such documents,
material, or media in accordance with this issuance.

b. Whenever the DoD provides CUI to, or CUI is generated by, non-DoD entities, protective
measures and dissemination controls, including those directed by relevant law, regulation, or
government-wide policy, will be articulated in the contract, grant, or other legal agreement, as

c. DoD contracts must require contractors to monitor CUI for aggregation and compilation
based on the potential to generate classified information pursuant to security classification
guidance addressing the accumulation of unclassified data or information. DoD contracts shall
require contractors to report the potential classification of aggregated or compiled CUI to a DoD

d. DoD personnel and contractors, pursuant to mandatory DoD contract provisions, will
submit unclassified DoD information for review and approval for release in accordance with the
standard DoD Component processes and DoDI 5230.09.

e. All CUI records must follow the approved mandatory disposition authorities whenever the
DoD provides CUI to, or CUI is generated by, non-DoD entities in accordance with Section
1220-1236 of Title 36, CFR, Section 3301a of Title 44, U.S.C., and this issuance.


DoDI 5200.48, March 6, 2020




CFR Code of Federal Regulations

CMO Chief Management Officer of the Department of Defense
CNSI classified national security information
CPM Component program manager
CSAO Component senior agency official
CTI controlled technical information
CUI controlled unclassified information

DDI(CL&S) Director For Defense Intelligence (Counterintelligence, Law

Enforcement, And Security)
DCSA Defense Counterintelligence and Security Agency
DFARS Defense Federal Acquisition Regulation Supplement
DNI Director of National Intelligence
DoD CIO Department of Defense Chief Information Officer
DoDD DoD directive
DoDI DoD instruction
DoDM DoD manual

EA Executive Agent
E.O. Executive order

FOIA Freedom of Information Act

GPI Geodetic Product Information

ISOO Information Security Oversight Office

IS information systems

LDC limited dissemination controls

NARA National Archives and Records Administration

NISP National Industrial Security Program
NIST SP National Institute of Standards and Technology Special Publication
NNPI Naval Nuclear Propulsion Information
NOFORN or NF not releasable to foreign nationals

OCA original classification authority

OIG DoD Office of the Inspector General of the Department of Defense

PFPA Pentagon Force Protection Agency

DoDI 5200.48, March 6, 2020


REL TO releasable to

SCG security classification guide

SNM special nuclear material

U Unclassified information
UCNI unclassified controlled nuclear information
UD unauthorized disclosure
U.S.C. United States Code
USD(A&S) Under Secretary of Defense for Acquisition and Sustainment
USD(I&S) Under Secretary of Defense for Intelligence and Security
USD(R&E) Under Secretary of Defense for Research and Engineering


Unless otherwise noted, these terms and their definitions are for the purpose of this issuance.
Referenced definitions related to CUI in Section 2002.4 of Title 32, CFR can be found at


access The ability or opportunity to acquire, examine, or retrieve CUI.

agency Defined in Section 2002.4 of 32 CFR

aggregation The creation of classified information from the accumulation of

unclassified data or information from several areas within a

agreements and Defined in Section 2002.4 of Title 32 CFR


authorized CUI Defined in Section 2002.4 of Title 32 CFR


classified Defined in Section 2002.4 of Title 32 CFR


compilation The creation of classified information resulting from the

accumulation of unclassified data or information from several

DoDI 5200.48, March 6, 2020


contract Defined in Section 252.204- 2008 and 7012 of the FARS/DFARS.

controlled Defined in Section 2002.4 of Title 32 CFR


controls Defined in Section 2002.4 of Title 32 CFR

CNSI Defined in E.O. 13526.

CPM Defined in Section 2002.4 of Title 32 CFR

CSAO An official designated, in writing, by a DoD Component head who is

responsible to the agency head for implementing the CUI Program.
Also known as CUI SAO as defined in Section 2002.4 of Title 32

CTI Defined in the DFARS 204.7301.

CUI Defined in Section 2002.4 of Title 32 CFR

CUI Basic Defined in Section 2002.4 of Title 32 CFR (DoD is not using this
structure in its initial implementation phase.)

CUI category Defined in Section 2002.4 of Title 32 CFR

CUI EA Defined in Section 2002.4 of Title 32 CFR

CUI Indexes An organizational grouping of CUI categories as defined by the CUI

EA. The term was created by the CUI EA to replace the notion of a
sub-category which implies a hierarchy structure or importance.

CUI misuse Use of CUI in a manner not in accordance with the policy contained
in E.O. 13556; Part 2002 of Title 32, CFR; the CUI Registry; agency
CUI policy; or the applicable LRGWP governing the information.

CUI Program Defined in Section 2002.4 of Title 32 CFR

CUI Registry Defined in Section 2002.4 of Title 32 CFR

CUI Specified Defined in Section 2002.4 of Title 32 CFR (DoD is not using this
structure in its initial implementation phase.)

decontrol Defined in Section 2002.18 of Title 32, CFR.

DoDI 5200.48, March 6, 2020


Defense Industrial Defined in the DoD Dictionary of Military and Associated Terms.

disseminating Defined in Section 2002.4 of Title 32 CFR

document Defined in Section 2002.4 of Title 32 CFR

DoD personnel Defined in DoDI 5230.09.

foreign entity Defined in Section 2002.4 of Title 32 CFR

formerly restricted Defined in Section 1045 of Title 10, CFR.


handling Defined in Section 2002.4 of Title 32 CFR

lawful government Defined in Section 2002.4 of Title 32 CFR


LDC Defined in Section 2002.4 of Title 32 CFR

legacy material Defined in Section 2002.4 of Title 32 CFR

Limited Distribution A legacy CUI category used by the National Geospatial-Intelligence

Agency to identify a select group of sensitive, unclassified imagery
or geospatial information and data created or distributed by National
Geospatial Intelligence Agency or information, data, and products
derived from such information (marked as LIMDIS and now referred
to a GPI by CUI EA).

logical access Electronic access controls authenticated through outside certificates

accepted by the DoD to limit access to data files and systems only by
vetted individuals.

misuse Defined in Section 2002.4 of Title 32 CFR

NNPI Information concerning the design, arrangement, development,

testing, operation, administration, training, maintenance, and repair
of the propulsion plants of naval nuclear powered ships and
prototypes, including the associated nuclear support facilities.

non-Executive Defined in Section 2002.4 of Title 32 CFR

Branch entity

DoDI 5200.48, March 6, 2020


personally Defined in Office of Management and Budget Circular No. A-130.


physical access All DoD and non-DoD personnel entering or exiting DoD facilities or
installations that authenticated a physical access control system

portion Defined in Section 2002.4 of Title 32 CFR

protection Defined in Section 2002.4 of Title 32 CFR

public release Defined in Section 2002.4 of Title 32 CFR

records Defined in Section 2002.4 of Title 32 CFR

restricted data Defined in Part 1045 of Title 10, CFR.

re-use Defined in Section 2002.4 of Title 32 CFR

safeguarding Prescribed measures and controls that protect classified information

and CUI.

Senior Agency An official appointed by the Secretary of Defense to be responsible

Official for direction, administration, and oversight of the DoD’s Information
Security Program, including classification, declassification, CUI,
safeguarding, and security education and training programs, and for
the efficient and effective implementation of the guidance in this

SCG Security classification guidance issued by an OCA identifying the

elements of information regarding a specific subject requiring
classification, and establishes the level and duration of classification
for each element.

self-inspection Defined in Section 2002.4 of Title 32 CFR

UD Defined in Section 2002.4 of Title 32 CFR

unclassified Information not requiring control, but requiring review before public

DoDI 5200.48, March 6, 2020


