D D I 5200.48 C U I (CUI) : O Nstruction Ontrolled Nclassified Nformation
D D I 5200.48 C U I (CUI) : O Nstruction Ontrolled Nclassified Nformation
48
CONTROLLED UNCLASSIFIED INFORMATION (CUI)
Originating Component: Office of the Under Secretary of Defense for Intelligence and Security
Releasability: Cleared for public release. Available on the Directives Division Website
at https://www.esd.whs.mil/DD/.
Approved by: Joseph D. Kernan, Under Secretary of Defense for Intelligence and
Security (USD(I&S))
Purpose: In accordance with the authority in DoD Directive (DoDD) 5143.01 and the December 22,
2010 Deputy Secretary of Defense Memorandum, this issuance:
• Establishes policy, assigns responsibilities, and prescribes procedures for CUI throughout the DoD
in accordance with Executive Order (E.O.) 13556; Part 2002 of Title 32, Code of Federal Regulations
(CFR); and Defense Federal Acquisition Regulation Supplement (DFARS) Sections 252.204-7008 and
252.204-7012.
• Establishes the official DoD CUI Registry.
DoDI 5200.48, March 6, 2020
TABLE OF CONTENTS
SECTION 1: GENERAL ISSUANCE INFORMATION .............................................................................. 4
1.1. Applicability. .................................................................................................................... 4
1.2. Policy. ............................................................................................................................... 4
SECTION 2: RESPONSIBILITIES ......................................................................................................... 6
2.1. USD(I&S) ......................................................................................................................... 6
2.2. Director for Defense Intelligence (Counterintelligence, Law Enforcement, and Security
(DDI(CL&S)). ..................................................................................................................... 6
2.3. Director, Defense Counterintelligence and Security Agency (DSCA). ............................ 7
2.4. Chief Management Officer of the Department of Defense (CMO). ................................. 8
2.5. PFPA. ................................................................................................................................ 8
2.6. Under Secretary of Defense for Policy. ............................................................................ 8
2.7. USD(A&S). ....................................................................................................................... 8
2.8. USD(R&E). ....................................................................................................................... 9
2.9. DoD CIO. .......................................................................................................................... 9
2.10. OSD and DoD Component Heads. ............................................................................... 10
2.11. Secretaries of the Military Departments. ...................................................................... 11
2.12. Chairman of the Joint Chiefs of Staff. .......................................................................... 11
SECTION 3: PROGRAMMATICS ....................................................................................................... 12
3.1. Background. .................................................................................................................... 12
3.2. Legacy Information Requirements. ................................................................................ 12
3.3. Handling Requirements. ................................................................................................. 13
3.4. Marking Requirements.................................................................................................... 14
3.5. General DoD CUI Administrative Requirements. .......................................................... 17
3.6. General DoD CUI Procedures. ....................................................................................... 17
3.7. General DoD CUI Requirements. ................................................................................... 19
3.8. OCA. ............................................................................................................................... 23
3.9. General Release and Disclosure Requirements. ............................................................. 23
3.10. General System and Network CUI Requirements. ....................................................... 24
SECTION 4: DISSEMINATION, DECONTROLLING, AND DESTRUCTION OF CUI ................................ 27
4.1. General. ........................................................................................................................... 27
4.2. Dissemination Requirements for DoD CUI. ................................................................... 28
4.3. Legacy Distribution Statements. ..................................................................................... 28
4.4. Decontrolling. ................................................................................................................. 29
4.5. Destruction. ..................................................................................................................... 30
SECTION 5: APPLICATION OF DOD INDUSTRY ............................................................................... 31
5.1. General. ........................................................................................................................... 31
5.2. Misuse or UD of CUI. ..................................................................................................... 32
5.3. Requirements for DoD Contractors. ............................................................................... 32
GLOSSARY ..................................................................................................................................... 33
G.1. Acronyms. ...................................................................................................................... 33
G.2. Definitions. ..................................................................................................................... 34
REFERENCES .................................................................................................................................. 38
TABLE OF CONTENTS 2
DoDI 5200.48, March 6, 2020
TABLES
Table 1. DoD CUI Registry Category Examples ......................................................................... 22
Table 2. Dissemination Control and Distribution Statement Markings ....................................... 29
FIGURES
Figure 1. CUI Warning Box for Classified Material ................................................................... 15
Figure 2. CUI Designation Indicator for All Documents and Material ....................................... 16
Figure 3. Notice and Consent....................................................................................................... 26
TABLE OF CONTENTS 3
DoDI 5200.48, March 6, 2020
1.1. APPLICABILITY.
a. Office of the Secretary of Defense (OSD), the Military Departments, the Office of the
Chairman of the Joint Chiefs of Staff and the Joint Staff, the Combatant Commands, the Office
of the Inspector General of the Department of Defense (OIG DoD), the Defense Agencies, the
DoD Field Activities, and all other organizational entities within the DoD (referred to
collectively in this issuance as the “DoD Components”).
1.2. POLICY.
a. As part of the phased DoD CUI Program implementation process endorsed by the CUI
Executive Agent (EA) pursuant to Information Security Oversight Office (ISOO) Memorandum
dated August 21, 2019, the designation, handling, and decontrolling of CUI (including CUI
identification, sharing, marking, safeguarding, storage, dissemination, destruction, and records
management) will be conducted in accordance with this issuance and Sections 252.204-7008 and
252.204-7012 of the DFARS when applied by a contract to non-DoD systems.
b. All DoD CUI must be controlled until authorized for public release in accordance with
DoD Instructions (DoDIs) 5230.09, 5230.29, and 5400.04, or DoD Manual (DoDM) 5400.07.
Official DoD information that is not classified or controlled as CUI will also be reviewed prior to
public release in accordance with DoDIs 5230.09 or5230.29.
(4) Control information not requiring protection under a law, regulation, or government-
wide policy, unless approved by the CUI EA at the National Archives and Records
Administration (NARA), through the Under Secretary of Defense for Intelligence and Security
(USD(I&S)).
d. In accordance with the DoD phased CUI Program implementation, all documents
containing CUI must carry CUI markings in accordance with this issuance.
e. Although DoD Components are not required to use the terms “Basic” or “Specified” to
characterize CUI at this time, DoD Components will apply:
(2) Terms and specific marking requirements will be promulgated by the USD(I&S) in
future guidance.
f. Nothing in this issuance alters or supersedes the existing authorities of the Director of
National Intelligence (DNI) regarding CUI.
g. Nothing in this issuance will infringe on the OIG DoD’s statutory independence and
authority, as articulated in the Inspector General Act of 1978 in the Title 5, United States Code
(U.S.C.) Appendix. In the event of any conflict between this instruction and the OIG DoD’s
statutory independence and authority, the Inspector General Act of 1978 in the Title 5, U.S.C.
Appendix takes precedence.
SECTION 2: RESPONSIBILITIES
2.1. USD(I&S)
The USD(I&S):
a. As the DoD Senior Agency Official for Security, establishes policy and oversees the DoD
Information Security Program.
b. In coordination with the requesting DoD Component, submits changes to CUI categories
on behalf of DoD Components to the CUI EA at NARA.
c. Provides reports to the CUI EA on the DoD CUI Program status, as described in
Paragraph 3.6.c., in accordance with Part 2002 of Title 32, CFR.
e. Coordinates with the Department of Defense Chief Information Officer (DoD CIO) on
CUI waiver requests for DoD information systems (IS) and networks.
The DDI(CL&S):
b. Reviews and signs all reports and other correspondence related to the DoD CUI Program.
c. Coordinates with the Secretaries of the Military Departments, Under Secretary of Defense
for Research and Engineering (USD(R&E)), Under Secretary of Defense for Acquisition and
Sustainment (USD(A&S)), and the DoD Component heads to:
(2) Review and provide guidance on DoD Component implementation policy and CUI-
related matters.
d. Assists the USD(I&S) with overseeing the CUI policy and program execution via the
Defense Security Enterprise Executive Committee in accordance with DoDD 5200.43.
SECTION 2: RESPONSIBILITIES 6
DoDI 5200.48, March 6, 2020
e. In coordination with the DoD CIO, USD(A&S), and USD(R&E), provides guidance on
implementing uniform standards to display TOP SECRET, SECRET, CONFIDENTIAL, and
UNCLASSIFIED for CNSI and CUI controls and banners for DoD systems and networks.
Under the authority, direction, and control of the USD(I&S) and in addition to the
responsibilities in Paragraph 2.10., the Director, DCSA:
a. Administers the DoD CUI Program for contractually established CUI requirements for
contractors in classified contracts in accordance with the May 17, 2018 Under Secretary of
Defense for Intelligence Memorandum.
c. Establishes and maintains a process to notify the DoD CIO, USD(R&E), and USD(A&S)
of threats related to CUI for further dissemination to DoD Components and contractors in
accordance with the Section 252.204-7012 of the DFARS.
d. Provides, in coordination with the USD(I&S), security education, training, and awareness
on the required topics identified in Section 2002.30 of Title 32, CFR, including protection and
management of CUI, to DoD personnel and contractors through the Center for Development of
Security Excellence (CDSE).
e. Provides security assistance and guidance to the DoD Components on the protection of
CUI when DoD Components establish CUI requirements in DoD classified contracts for NISP
contractors falling under DCSA security oversight.
f. Serves as the DoD-lead to report UDs of CUI, except for the reporting of cyber incidents
in accordance with Section 252.204-7012 of the DFARS, associated with contractually
established CUI system requirements in DoD classified contracts for NISP contractors falling
under DCSA security oversight.
g. Coordinates with the DoD CIO to implement uniform security requirements when the IS
or network security controls for unclassified and classified information are included in DoD
classified contracts for NISP contractors falling under DCSA security oversight.
SECTION 2: RESPONSIBILITIES 7
DoDI 5200.48, March 6, 2020
a. Serves as the subject matter expert on CUI containing personally identifiable information
and its release in accordance with Subsection 552 of Chapter 5 of Title 5, United States Code
(U.S.C.), also known as and referred to in this issuance as the “Freedom of Information Act
(FOIA),” implemented through DoDD 5400.07 and DoDI 5400.11, and Subsection 552a of
Chapter 5 of Title 5, U.S.C., also known and referred to in the issuance as the “Privacy Act of
1974.”
2.5. PFPA.
Under the authority, direction, and control of the CMO, through the Director for Administration
and Organizational Policy, and in addition to the responsibilities in Paragraph 2.10., the Director,
PFPA:
b. Provides information on OSD CUI Program status and other formally requested assistance
to the USD(I&S) to support the CUI Program.
c. Conducts CUI staff assistance visits to OSD in the National Capital Region.
In addition to the responsibilities in Paragraph 2.10., the Under Secretary of Defense for Policy:
a. Establishes policy and procedures for disclosing DoD CUI to foreign governments, the
North Atlantic Treaty Organization, and international organizations based on formally signed
agreements and arrangements between the parties.
2.7. USD(A&S).
In addition to the responsibilities in Paragraph 2.10., pursuant to Section 133b of Title 10,
U.S.C., and in coordination with the USD(I&S), DoD CIO, and USD(R&E), the USD(A&S):
SECTION 2: RESPONSIBILITIES 8
DoDI 5200.48, March 6, 2020
2.8. USD(R&E).
In addition to the responsibilities in Paragraph 2.10., pursuant to Section 133a of Title 10,
U.S.C., and in coordination with USD(I&S), the USD(R&E):
a. Establishes DoD CUI processes, policies, and procedures for grants and cooperative
research and development arrangements, agreements, and contracts involving controlled
technical information (CTI).
c. Oversees and ensures DoD CUI guidelines and requirements for sharing, marking,
safeguarding, storage, dissemination, decontrol, destruction, and records management of all
research, development, test, and evaluation information are properly executed for all DoD owned
records.
(1) Contracts, arrangements, and agreements for research, development, testing, and
evaluation identify CUI at the time of award.
a. Oversees CUI metadata tagging standards, consistent with federal data tagging approaches
in accordance with the National Strategy for Information Sharing and Safeguarding, to
implement the marking requirements in Paragraph 3.4.c. and in accordance with DoDI 8320.07.
b. Integrates CUI metadata tagging standards into DoD information technology content
management tools to support discovery, access, auditing, safeguarding, and records management
decisions regarding CUI (including monitoring CUI data for visibility, accessibility, trust,
interoperability, and comprehension).
c. Provides policy and standards recommendations to the USD(I&S) on updates for the
sharing, marking, safeguarding, storage, dissemination, decontrol, destruction, and records
SECTION 2: RESPONSIBILITIES 9
DoDI 5200.48, March 6, 2020
management of DoD CUI residing on both DoD and non-DoD IS in accordance with DoDI
8582.01.
d. Oversees Defense Industrial Base Cybersecurity Activities, using the DoD Cyber Crime
Center as the single DoD focal point for receiving and disseminating all cyber incident reports
impacting unclassified networks of defense contractors.
e. Coordinates with the USD(I&S), USD(A&S), USD(R&E), and DoD Component heads to
develop uniform security requirements for industry partners’ IS and network security controls
adequate for the type of CUI identified in the contract in accordance with Part 2002 of Title 32,
CFR, Section 252.204-7012 of the DFARS, and NIST SP 800-171.
f. Coordinates with the Director, DCSA to implement uniform security requirements when
IS or network security controls for unclassified and classified information are included in DoD
classified contracts of NISP contractors falling under DCSA security oversight.
(1) Implement information security policy standards for markings to display, CUI for
DoD classified and unclassified systems and networks.
(2) Integrate training on safeguarding and handling CUI into updates to initial and annual
cybersecurity awareness training.
h. Notifies the CUI EA in coordination with the USD(I&S) of CUI waivers impacting IS or
networks in accordance with Title 32 of the CFR.
(1) Manages and updates, as necessary and in coordination with DoD CIO, the policies
in Section 236.4 of Title 32, CFR and Section 252.204-7012 of the DFARS.
a. Identify, program, and commit the necessary resources to implement CUI Program
requirements as part of their overall information security programs.
SECTION 2: RESPONSIBILITIES 10
DoDI 5200.48, March 6, 2020
(1) A DoD Component senior agency official (CSAO) at the Senior Executive Service
level or equivalent to implement their CUI Program and perform the duties in Paragraph 3.5.
(2) A DoD Component program manager (CPM) to manage their CUI Program.
c. Ensure their subordinate organizations comply with DoD CUI Program requirements.
d. Ensure their personnel receive initial and annual refresher CUI education and training, and
maintain documentation of this training for audit purposes.
j. Manage their CUI programs in accordance with guidelines prescribed in this DoD
issuance.
In addition to the responsibilities in Paragraph 2.10., the Secretaries of the Military Departments
oversee the implementation of their CUI programs.
In addition to the responsibilities in Paragraph 2.10., the Chairman of the Joint Chiefs of Staff
oversees the implementation of the CUI programs in the Joint Staff organizations and Combatant
Commands.
SECTION 2: RESPONSIBILITIES 11
DoDI 5200.48, March 6, 2020
SECTION 3: PROGRAMMATICS
3.1. BACKGROUND.
The CUI EA at NARA, through the Information Security and Oversight Office (ISOO),
published and released Part 2002 of Title 32, CFR, which provides implementing requirements
for E.O. 13556.
a. Part 2002 of Title 32, CFR established a CUI EA office under NARA’s ISOO for
implementing and overseeing the CUI Program.
c. In accordance with Part 2002 of Title 32, CFR, CUI requires safeguarding or
dissemination controls identified in a law, regulation, or government-wide policy for information
that does not meet the requirements for classification in accordance with E.O. 13526.
This legacy information guidance applies to information contained across DoD in, among other
documents, security classification guides (SCGs), various policies, and other legacy materials
falling under the Science and Technology Information Program (DoDI 3200.12), in either
electronic or hardcopy format. The CUI Program does not require the redacting or re-marking of
documents bearing legacy markings. However, any new document created with information
derived from legacy material must be marked as CUI if the information qualifies as CUI.
a. DoD legacy material will not be required to be re-marked or redacted while it remains
under DoD control or is accessed online and downloaded for use within the DoD. However, any
such document or new derivative document must be marked as CUI if the information qualifies
as CUI and the document is being shared outside DoD. DoD legacy marked information stored
on a DoD access-controlled website or database does not need to be remarked as CUI, even if
other agencies and contractors are granted access to such websites or databases.
b. DoD legacy information does not automatically become CUI. It must be reviewed by the
owner of the information to determine if it meets the CUI requirements. If it is determined the
SECTION 3: PROGRAMMATICS 12
DoDI 5200.48, March 6, 2020
specific legacy information meets the CUI requirements, it will be marked in accordance with
this issuance and corresponding manual.
c. For federal systems, IS storing information identified as CUI must meet the minimum
network security standard in Part 2002 of Title 32, CFR. For nonfederal systems, IS must meet
the standards in the NIST SP 800-171, when established by contract.
d. When DoD legacy information is incorporated into, or cited in, another document or
material, it must be reviewed for CUI and marked in accordance with this issuance.
The DoD CUI Information Security Program will promote, to the maximum extent possible,
information sharing, facilitate informed resource use, and simplify its management and
implementation while maintaining required safeguarding and handling measures.
a. In accordance with DoDI 5230.09 and the August 14, 2014 Deputy Secretary of Defense
Memorandum:
(1) The DoD originator or authorized CUI holder must ensure a prepublication and
security policy review is conducted, pursuant to the standard DoD Component process, before
CUI is approved for public release, which includes publication to a publicly accessible website.
(2) Decontrolling and releasing CUI records will be executed by the originator of the
information, the original classification authority (OCA) if identified in a security classification
guide, or designated offices for decontrolling CUI pursuant to the procedures for the review and
release of information under the FOIA in accordance with the November 19, 2018 ISOO Notice.
There are no specific timelines to decontrol CUI unless specifically required in a law, regulation,
or government-wide policy. Decontrol will occur when the CUI no longer requires safeguarding
and will follow DoD records management procedures.
b. OCAs will determine if aggregated CUI under their control should be classified in
accordance with Volume 1 of DoDM 5200.01 and will confirm the relevant SCGs address the
compilation.
d. The DoD CUI Registry provides an official list of the Indexes and Categories used to
identify the various types of DoD CUI. The DoD CUI Registry mirrors the National CUI
Registry, but provides additional information on the relationships to DoD by aligning each Index
and Category to DoD issuances.
SECTION 3: PROGRAMMATICS 13
DoDI 5200.48, March 6, 2020
(1) The official DoD CUI Registry of categories can be accessed on Intelink at
https://intelshare.intelink.gov/sites/ousdi/hcis/sec/icdirect/information/CUI/Forms/AllItems.aspx.
(2) The site will be updated as changes to the DoD CUI Registry are made based on
official notification from the CUI EA through the CUI Registry Working Group; changes to law,
regulation, or government-wide policy; or notification that the information no longer meets the
requirements for CUI.
This paragraph covers the essential marking requirements for initial phased implementation of
the DoD CUI Program.
a. At minimum, CUI markings for unclassified DoD documents will include the acronym
“CUI” in the banner and footer of the document.
b. If portion markings are selected, then all document subjects and titles, as well as individual
sections, parts, paragraphs, or similar portions of a CUI document known to contain CUI, will be
portion marked with “(CUI).” Use of the unclassified marking “(U)” as a portion marking for
unclassified information within CUI documents or materials is required.
(1) There is no requirement to add the “U,” signifying unclassified, to the banner and
footer as was required with the old FOUO marking (i.e., U//FOUO).
(2) Banners, footers, and portion marking will only be marked “Unclassified” or “(U)”
for unclassified information in accordance with the June 4, 2019 ISOO letter. If the document
also contains CUI, it will be marked in accordance with Paragraph 3.4.a. and additional
forthcoming guidance.
(1) There will be an acknowledgement added to the warning box on the first page of
multi-page documents to alert readers to the presence of CUI in a classified DoD document, as
shown in Figure 1.
SECTION 3: PROGRAMMATICS 14
DoDI 5200.48, March 6, 2020
This content is classified at the [insert highest classification level of the source
data] level and may contain elements of controlled unclassified information
(CUI), unclassified, or information classified at a lower level than the overall
classification displayed. This content shall not be used as a source of derivative
classification; refer instead to [cite specific reference, where possible, or state
“the applicable classification guide(s)”]. It must be reviewed for both
Classified National Security Information (CNSI) and CUI in accordance with
DoDI 5230.09 prior to public release. [Add a point of contact when needed.]
(2) Volume 2 of DoDM 5200.01 requires DoD intelligence producers to follow DNI
formats for intelligence production under the authority of the DNI. When DoD CUI is
incorporated into a Digital Access Policy under the authority of the DNI, the information and the
document will follow the Digital Access Policy standards established by the DNI.
(1) The application of the control marking “not releasable to foreign nationals”
(NOFORN or NF) will only be applied, when warranted, to unclassified intelligence information
properly categorized as CUI and reviewed by a Foreign Disclosure Officer to ensure there are no
international agreements in place to prohibit its use and prohibiting sharing.
(2) The control marking NOFORN or NF will be applied to Naval Nuclear Propulsion
Information (NNPI), Unclassified Controlled Nuclear Information (UCNI), National Disclosure
Policy (NDP-1), and cover and cover support information. When warranted, it can be applied to
unclassified information properly categorized as CUI having a licensing or export control
requirement. Before marking a document or material as NOFORN or NF, it will be reviewed by
the Foreign Disclosure Officer to ensure there are no agreements in place to prohibit its use and
sharing.
(3) The application of “Releasable to” (“REL TO”) can only be applied, when warranted
and consistent with relevant law, regulation, or government-wide policy or DoD policy, to
information properly categorized as CUI with an export control or licensing requirement with a
foreign disclosure agreement in place.
SECTION 3: PROGRAMMATICS 15
DoDI 5200.48, March 6, 2020
(b) DoD operational CUI (not related to intelligence) may be marked as REL TO.
e. All classified documents, including legacy documents will be reviewed for CUI and
properly marked upon changes in the document’s classification level, particularly if the
documents are to be completely declassified.
f. The first page or cover of any document or material containing CUI, including a
document with commingled classified information, will include a CUI designation indicator, as
shown in Figure 2. This CUI designation indicator is similar to the classification-marking block
used for CNSI documents and materials. Documents and materials containing CUI will require a
generic “CUI” marking at the top and bottom of each page.
(1) In accordance with Part 2002 of Title 32, CFR, the CUI designation indicator must
contain, at minimum, the name of the DoD Component determining that the information is CUI.
If letterhead or another standard indicator of origination is used, this line may be omitted.
(2) The second line must identify the office making the determination.
(3) The third line must identify all types of CUI contained in the document.
(4) The fourth line must contain the distribution statement or the dissemination controls
applicable to the document.
(5) The fifth line must contain the phone number or office mailbox for the originating
DoD Component or authorized CUI holder.
g. During DoD’s initial phased implementation of the CUI Program, there is no required
distinction that must be made between Basic and Specified CUI. All DoD information will be
protected in accordance with the requirements under the Basic level of safeguards and
dissemination unless specifically identified otherwise in a law, regulation, or government-wide
policy. Forthcoming guidance will address the distinction between the two levels of CUI,
including a list of which categories are Basic or Specified, what makes the category one or the
other, and the unique requirements, to include markings, for each.
SECTION 3: PROGRAMMATICS 16
DoDI 5200.48, March 6, 2020
Each DoD Component head must appoint, in writing, a CSAO for the Information Security
Program, who will:
a. Appoint, in writing, an official to serve as the CPM for CUI in accordance with ISSO
Notice 2019-02. To manage the DoD Component’s overall execution of the CUI program, the
CPM will:
(1) Coordinate directly with the USD(I&S) Information Security Directorate on CUI
matters.
(2) Manage and oversee CUI implementation for the DoD Component.
(5) Submit the annual CUI Implementation Status Report to the DDI(CL&S) to evaluate
the effectiveness, compliance, and efficiency of the DoD Component’s implementation of CUI,
in accordance with Paragraph 3.6.c.
(6) Resolve CUI challenges in accordance with E.O. 13556 and Part 2002 of Title 32,
CFR. Refer all unresolved challenges to the DDI(CL&S).
b. Serve as the primary point of contact for official correspondence, accountability reporting,
and other matters of record between the DoD Component and the USD(I&S).
DoD CUI is clustered into organizational indexes (e.g., defense, privacy, proprietary) with
associated categories, and is categorized by the DoD according to the specific law, regulation, or
government-wide policy requiring control. Unclassified information associated with a law,
regulation, or government-wide policy and identified as needing safeguarding is considered CUI.
It requires access control, handling, marking, dissemination controls, and other protective
measures for safeguarding.
b. In accordance with this issuance, every individual at every level, including DoD civilian
and military personnel as well as contractors providing support to the DoD pursuant to
SECTION 3: PROGRAMMATICS 17
DoDI 5200.48, March 6, 2020
contractual requirements, will comply with the requirements in Paragraph 3.6.f of this issuance
for initial and annual refresher CUI training.
c. Each OSD and DoD Component will annually submit the CUI Implementation Status
Report to the USD(I&S) for inclusion in the DoD CUI Program report to the CUI EA. A copy of
the report will be made available on Intelink at
https://intelshare.intelink.gov/sites/ousdi/hcis/sec/icdirect/information/CUI/Forms/AllItems.aspx.
The CUI Implementation Status Report will at least include:
d. DoD and OSD Components will submit an initial report on the implementation status of
their CUI Programs. Once established, DoD Component heads will conduct inspections of their
programs, and the DoD Implementation Status Report will transition to an annual self-inspection
report.
e. Some documents and materials containing CUI may constitute permanently valuable
government records and will be maintained and disposed of in accordance with the NARA-
approved record disposition schedules applicable to each DoD Component in accordance with
DoDI 5015.02. When other materials containing CUI no longer require safeguarding, they will
be decontrolled and either retained, if a permanent record, or destroyed in accordance with
Section 4 and ISOO Notice 2019-03.
f. Other Executive Branch Agencies in the U.S. Government have identified organizational
indexes and CUI categories related to a law, regulation, or government-wide policy. Some CUI
indexes and categories are unique to specific organizations. The Official CUI Registry is on the
NARA Website at https://www.archives.gov/cui. It identifies other CUI categories not specific
to the Defense Index, but that may apply or relate to the Executive Branch. Since various DoD
Components interact and share inter-dependencies with other departments, agencies, and
activities in the Executive Branch, it is important to know and understand these indexes and
categories, along with their associated markings, in order to recognize other agencies’ CUI and
handle the information accordingly. Of note, the CUI indexes and categories listed in the CUI
Registry and DoD CUI Registry identify the safeguarding and dissemination requirements as
identified by the related law, regulation, or government-wide policy. Moreover, the CUI
Registry is agile and subject to change based on changes in law, regulation, or government-wide
policy.
g. In accordance with ISOO Notice 2016-01, CUI training standards must, at minimum:
SECTION 3: PROGRAMMATICS 18
DoDI 5200.48, March 6, 2020
(2) Identify the organizational index with CUI categories routinely handled by DoD
personnel.
(3) Describe the CUI Registry, including purpose, structure, and location
(http://www.archives.gov/cui).
(4) Describe the differences between CUI Basic and CUI Specified.
(5) Identify the offices or organizations with DoD CUI Program oversight
responsibilities.
(7) Address the required physical safeguards and CUI protection methods as described in
this issuance.
(8) Address the destruction requirements and methods as described in this issuance.
(10) Address methods for properly disseminating CUI within the DoD and with external
entities inside and outside of the Executive Branch.
(11) Address the methods for properly decontrolling CUI as described in this issuance.
This section specifies initial requirements for implementing, marking, and managing the CUI
program. Table 1 contains a sample list of the categories found in the DoD CUI Registry and
Defense Index. A complete list of CUI Indexes and Categories can be found on Intelink at
https://intelshare.intelink.gov/sites/ousdi/hcis/sec/icdirect/information/CUI/Forms/AllItems.aspx.
Some significant points about DoD CUI include:
a. CUI does not include information lawfully and publicly available without restrictions.
b. CUI requires safeguarding measures identified by the CUI EA in Part 2002.14 of Title 32,
CFR and, as necessary, in the law, regulation, or government-wide policy with which it is
associated. DoD CUI may be disseminated to DoD personnel to conduct official DoD and U.S.
Government business in accordance with a law, regulation, or government-wide policy.
(1) No individual may have access to CUI information unless it is determined he or she
has an authorized, lawful government purpose.
(2) The person with authorized possession, knowledge, or control of CUI will determine
whether an individual has an authorized, lawful government purpose to access designated CUI.
(3) CUI information may be disseminated within the DoD Components and between
DoD Component officials and DoD contractors, consultants, and grantees to conduct official
SECTION 3: PROGRAMMATICS 19
DoDI 5200.48, March 6, 2020
business for the DoD, provided dissemination is consistent with controls imposed by a
distribution statement or limited dissemination controls (LDC).
c. CTI compiled or aggregated may become classified. Such classified CTI is subject to the
requirements of the National Industrial Security Program, which has different requirements than
Section 252.204-7012 of the DFARS for unclassified CTI.
d. As DoD programs transition through the acquisition life cycle, the CUI category or
treatment of information may change. In accordance with Title 32, CFR, if the safeguarding
requirements for a CUI category or the original law, regulation, or government-wide policy
changes, there will be a cascading effect requiring changes for the particular category. These
changes will be implemented as soon as possible.
(1) For example, in the acquisition area, a program will begin in the basic research and
development phase. Once this program milestone is achieved, the project could transition to the
applied research and development or to the production phase.
(2) At this point, the original CUI must be reviewed for any necessary adjustments,
including potential changes to the CUI designation, category, subcategory or type, or controls.
e. CUI will be identified in SCGs to ensure such information receives appropriate protection.
If the SCG is canceled, a memorandum or other guidance document may be issued to identify
CUI instead.
f. DoD is required to provide documents and records requested by members of the public,
unless those records are exempt from disclosure in accordance with the procedures established
by Part 286 of Title 32, CFR and DoDD 5400.07.
SECTION 3: PROGRAMMATICS 20
DoDI 5200.48, March 6, 2020
g. Other CUI category information may qualify for withholding from public release based on
a specific FOIA exemption for the type of information in question. Determining whether
information meets the requirements for CUI shall be done separately and prior to identifying any
potential FOIA exemptions.
h. CUI requiring distribution statements in accordance with DODI 5230.24 or the LDC
identified in the related law, regulation, or government-wide policy, but does not qualify as
classified information in accordance with E.O. 13526 or Chapter 14 of Title 42, U.S.C, (also
known and referred to in this issuance as the “Atomic Energy Act of 1954”), will be
implemented in accordance with this issuance.
i. Table 1 is an example of the format for the list of all DoD CUI Registry Categories aligned
to the CUI National Registry published on Intelink at
https://intelshare.intelink.gov/sites/ousdi/hcis/sec/icdirect/information/CUI/Forms/AllItems.aspx.
j. Table 1 provides a sample of the cross-walk of the National CUI registry to the DoD
issuance(s) related to the category. The items in Table 1 identify the two unique types of data
used by the Department of Energy, the DoD, and the DoD Components. Both types satisfy the
CUI requirements and are subject to safeguarding and limited distribution control, and are
exempt from mandatory public disclosure in accordance with Exemption 3 of the FOIA.
SECTION 3: PROGRAMMATICS 21
DoDI 5200.48, March 6, 2020
SECTION 3: PROGRAMMATICS 22
DoDI 5200.48, March 6, 2020
k. Restricted data or formerly restricted data are classified and shall not be commingled with
CUI in an unclassified document. For restricted data or formerly restricted data, follow the
marking requirements in accordance with Volume 2 of DoDM 5200.01; Part 1045 of Title 10,
CFR; and the Atomic Energy Act of 1954.
l. For DoD Geospatial intelligence information and data, the DoD will not apply the
Geodetic Product Information (GPI) designation. Instead, the DoD will continue to use the
designation for “Limited Distribution” with the marking of “LIMDIS.” For all other DoD
geospatial information and data, such as installation geospatial information and services (IGI&S)
as defined by DoDI 8130.01, use the GPI category or other appropriate CUI category
designations defined by this issuance. The DoD will use the GPI designation for all of the non-
Geospatial intelligence information and data. Approved LDCs for the DoD are located on
Intelink at
https://intelshare.intelink.gov/sites/ousdi/hcis/sec/icdirect/information/CUI/Forms/AllItems.aspx.
m. The request for a waiver for a particular CUI Program requirement will be handled in
accordance with Volume 1 of DoDM 5200.01 for CNSI.
n. DoD Component heads shall produce annual self-inspection reports and general program
status updates to fulfill ISOO monitoring and reporting requirements.
3.8. OCA.
DoD OCAs will determine if CUI under their control, when compiled, is classified. If so, the
applicable SCGs must address the compilation. Any time an OCA discovers that compiled or
aggregated information is not properly classified on websites, folders, or documents, the OCA
will:
a. Notify the organization using the compiled information to remove or protect the
information.
c. Determine if the information still requires classified protection in its compiled form. If
not, the OCA must document the revised aggregation or compilation determination by updating
SCGs and providing the guide to all users in accordance with DoDM 5200.45.
e. Since OCAs are the owners of the information under their authority, they are authorized to
identify and mark such information as CUI.
SECTION 3: PROGRAMMATICS 23
DoDI 5200.48, March 6, 2020
(1) Access to such information is within the scope of their assigned duties.
(2) Access to such information would help accomplish a lawful and authorized DoD
mission or purpose and would not be detrimental to the interests of the DoD or the U.S.
Government.
(4) Access to such information is in accordance with DoDIs 8500.01 and 5200.02 and
export control regulations, as applicable.
c. The DoD Components’ CSAOs and CPMs will establish procedures to ensure prompt and
appropriate management action is taken in cases of CUI misuse, including UD of CUI, improper
CUI designation and marking, violation of this issuance, and incidents potentially placing CUI at
risk of UD. Such actions will focus on correcting or eliminating the conditions contributing to
the incident.
In accordance with DoDIs 8500.01 and 8510.01, security controls for systems and networks are
set to the level required by the safeguarding requirements for the data or information being
processed, as identified in Federal Information Processing Standards 199 and 200. For DoD
CUI, the minimum security level will be moderate confidentiality in accordance with Part 2002
of Title 32, CFR and NIST SP 800-171.
a. The USD(I&S) will notify and coordinate with the CUI EA regarding waiver requests
involving CUI requirements prior to granting any such requests, including waiver requests
SECTION 3: PROGRAMMATICS 24
DoDI 5200.48, March 6, 2020
related to IS. The USD(I&S) must coordinate and collaborate with the DoD CIO to ensure the
agency requesting the waiver has plans to appropriately safeguard and control CUI. The request
for a waiver for a CUI Program requirement shall be done in accordance with Volume 1 of
DoDM 5200.01 for CNSI, as modified in the forthcoming manual supporting this instruction.
b. DoD personnel will not use unofficial or personal (e.g., .net; .com) e-mail accounts,
messaging systems, or other non-DoD information systems, except approved or authorized
government contractor systems, to conduct official business involving CUI. This is necessary to
ensure proper accountability for Federal records and to facilitate data spill remediation in
accordance with Public Law 113-187 and the January 16, 2018 Deputy Secretary of Defense
memorandum.
d. For systems, networks, and programs operating on the various domains, a splash screen
warning and notice of consent, as shown in Figure 3, must be employed to alert users of CUI
within the program. This ensures proper safeguarding and dissemination controls are
implemented in accordance with Part 2002 of Title 32, CFR and this issuance.
SECTION 3: PROGRAMMATICS 25
DoDI 5200.48, March 6, 2020
"You are accessing a U.S. Government (USG) Information System (IS) that is
provided for USG-authorized use only. By using this IS (which includes any device
attached to this IS), you consent to the following conditions:
-The USG routinely intercepts and monitors communications on this IS for purposes
including, but not limited to, penetration testing, COMSEC monitoring, network
operations and defense, personnel misconduct (PM), law enforcement (LE), and
counterintelligence (CI) investigations.
-At any time, the USG may inspect and seize data stored on this IS.
-Communications using, or data stored on, this IS are not private, are subject to
routine monitoring, interception, and search, and may be disclosed or used for any
USG-authorized purpose.
-Notwithstanding the above, using this IS does not constitute consent to PM, LE or
CI investigative searching or monitoring of the content of privileged
communications, or work product, related to personal representation or services by
attorneys, psychotherapists, or clergy, and their assistants. Such communications
and work product are private and confidential. See User Agreement for details."
SECTION 3: PROGRAMMATICS 26
DoDI 5200.48, March 6, 2020
4.1. GENERAL.
Part 2002 of Title 32, CFR requires dissemination statements to be placed on classified and
unclassified documents or other materials when CUI necessitates access restrictions, including
those required by law, regulation, or government-wide policy. These statements facilitate
control, secondary sharing, decontrol, and release without the need to repeatedly obtain approval
or authorization from the controlling DoD office.
b. Agencies must promptly decontrol CUI properly determined by the CUI owner to no
longer require safeguarding or dissemination controls, unless doing so conflicts with the related
law, regulation, or government-wide policy in accordance with DoDI 5230.09.
c. Decontrolling CUI through the public release process relieves authorized holders from
requirements for handling information in accordance with the CUI Program. A prepublication
review must be conducted in accordance with DoDI 5230.09 before public release may be
authorized.
d. In accordance with Part 2002.20 of Title 32, CFR, if the authorized holder of the CUI
publicly releases the CUI in accordance with the designating agency’s authorized procedures,
this constitutes the decontrol of the document.
(1) During working hours, steps will be taken to minimize the risk of access by
unauthorized personnel, such as not reading, discussing, or leaving CUI information unattended
where unauthorized personnel are present. After working hours, CUI information will be stored
in unlocked containers, desks, or cabinets if the government or government-contract building
provides security for continuous monitoring of access. If building security is not provided, the
information will be stored in locked desks, file cabinets, bookcases, locked rooms, or similarly
secured areas. The concept of a controlled environment means there is sufficient internal
security measures in place to prevent or detect unauthorized access to CUI. For DoD, an open
storage environment meets these requirements.
(2) CUI information and material may be transmitted via first class mail, parcel post, or,
bulk shipments. When practical, CUI information may be transmitted electronically (e.g., data,
website, or e-mail), via approved secure communications systems or systems utilizing other
protective measures such as Public Key Infrastructure or transport layer security (e.g., https).
Avoid wireless telephone transmission of CUI when other options are available. CUI
transmission via facsimile machine is permitted; however, the sender is responsible for
determining whether appropriate protection will be available at the receiving location before
transmission (e.g., facsimile machine attended by a person authorized to receive CUI; facsimile
machine located in a controlled government environment).
a. In accordance with this issuance, CUI access should be encouraged and permitted to the
extent the access or dissemination:
(1) Complies with the law, regulation, or government-wide policy identifying the
information as CUI.
(4) Is not otherwise prohibited by any other law, regulation, or government-wide policy.
b. Agencies may place limits on disseminating CUI for a lawful government purpose only
using the dissemination controls listed in Table 2 or methods authorized by a specific law,
regulation, or government-wide policy.
c. When handling other Executive Branch CUI, DoD personnel will follow their governance
criteria for when the application of dissemination controls and its markings are allowed, and by
whom, while ensuring the policy is in accordance with Part 2002 of Title 32, CFR.
e. Since DoD Components need to retain certain agency-specific CUI within their
organizations, DoD Components may use the limited dissemination controls to limit access to
those on an accompanying dissemination list, as shown in Table 2. For example, raw data,
information, or products must be processed and analyzed before determining if further
dissemination is required or permitted. The Limited Dissemination Control List control will be
used to address this need. The LDC list is found on Intelink at
https://intelshare.intelink.gov/sites/ousdi/hcis/sec/icdirect/information/CUI/Forms/AllItems.aspx.
a. Legacy CUI technical documents and materials requiring export control have used
distribution statements in accordance with DoDI 5230.24 in order to address the shared
responsibility between the DoD and its contractors to safeguard this information. This was done
for legacy CUI creation, transmission, receipt, storage, distribution, decontrol, and approved
disposition authorities, including destruction.
b. As of the effective date of this issuance, DoD personnel will use LDCs for new CUI
documents and materials except export controlled technical information, which must be marked
with an export control warning in accordance with DoDI 5230.24, DoDD 5230.25, and Part 250
of Title 32, CFR. The wording of the distribution statements may not be modified to specify
additional distribution, such as distribution to foreign governments. However, where other
markings are authorized and used in accordance with associated law, regulation, or government-
wide policy (e.g., North Atlantic Treaty Organization markings, REL TO), those markings may
be used to further inform distribution decisions. Therefore, “REL TO” is authorized for use with
foreign nationals once the information distribution is properly coordinated with the foreign
disclosure office.
c. CUI export controlled technical information or other scientific, technical, and engineering
information will still use distribution statements. Export controlled information must also be
marked with an export control warning as directed in DoDI 5230.24, DoDD 5230.25, and Part
250 of Title 32, CFR.
4.4. DECONTROLLING.
Guidance for decontrolling CUI records, documents, and materials is provided in this issuance,
or the CUI Registry for information categories not directly related to DoD CUI.
a. CUI documents and materials will be formally reviewed in accordance with DoDI
5230.09 before being decontrolled or released to the public.
b. The originator or other competent authority (e.g., initial FOIA denial and appellate
authorities) will terminate the CUI status of specific information when the information no longer
requires protection from public disclosure. When the CUI status of information is terminated in
this manner, all known holders will be notified by email or other means. Upon notification,
holders will remove the CUI markings. Holders will not need to retrieve records on file solely
for this purpose. Information with a terminated CUI status will not be publicly released without
review and approval in accordance with DoDIs 5230.09, 5230.29, and 5400.04.
4.5. DESTRUCTION.
Guidance for destroying CUI documents and materials is provided in this issuance, the CUI
Registry, and ISOO Notice 2019-03. CUI documents and materials will be formally reviewed in
accordance with Paragraphs 4.5.a. and 4.5.b. before approved disposition authorities are applied,
including destruction. Media containing CUI must include decontrolling indicators.
a. Record and non-record copies of CUI documents will be disposed of in accordance with
Chapter 33 of Title 44, U.S.C. and the DoD Components’ records management directives. When
destroying CUI, including in electronic form, agencies must do so in a manner making it
unreadable, indecipherable, and irrecoverable. If the law, regulation, or government-wide policy
specifies a method of destruction, agencies must use the method prescribed.
b. Record and non-record CUI documents may be destroyed by means approved for
destroying classified information or by any other means making it unreadable, indecipherable,
and unrecoverable the original information such as those identified in NIST SP 800-88 and in
accordance with Section 2002.14 of Title 32, CFR.
5.1. GENERAL.
There is a shared responsibility between the DoD and industry, when established by contract,
grants, or other legal agreements or arrangements, in the identification, creation, sharing,
marking, safeguarding, storage, dissemination, decontrol, disposition, destruction, and records
management of CUI documents and materials. It is essential to identify and apply the general
dissemination principles and guidance as prescribed by the CUI EA in accordance with Part 2002
of Title 32, CFR. Contracts containing CUI shared from DoD or generated, managed, or
transmitted by the contractor via their information systems, will be in accordance with this
issuance, which will be incorporated into each DoD contract.
a. The NIST SP 800-171 identifies the baseline CUI system security requirements for
industry established by Part 2002 of Title 32, CFR. Additionally, Section 252.204-7012 of the
DFARS specifies a waiver process for defense contractors in accordance with NIST SP 800-171
for contractor IT or networks.
b. CUI with the potential to impact national security (e.g., information related to critical
programs and technology information) may require enhanced protection. These enhanced
measures would address both physical and logical procedures. Enhanced protection methods for
systems hosting CUI include:
(1) Access control (e.g., restricting both physical and logical access to the systems).
(2) Audit and accountability (e.g., review and monitor system usage).
(5) Incident response (e.g., ensure corrective measures are implemented in a timely
manner and validate effectiveness).
(6) System and communication protection (e.g., application of encryption for data at rest
and restriction of connections to uncertified, unsecured, non-organizational systems). DoD
Components may implement stricter CUI encryption requirements based on a law, regulation, or
government-wide policy (DHA PI 8140, requires workforce encrypt emailed PHI).
(7) System and information integrity (e.g., provide network detection tools throughout
the system to identify attempted intrusions).
e. The program office or requiring activity must identify DoD CUI at the time of contract
award and, if necessary, provide guidance on information aggregation or compilation. The
program office or requiring activity must review recurring or renewed contracts for CUI to
comply with this issuance.
Safeguarding requirements and incident response measures for misuse or UD of CUI must be
implemented across the DoD. Senior leaders, contracting officers, commanders, and supervisors
at all levels must consider and take appropriate administrative, legal, or other corrective or
disciplinary action to address CUI misuse or UD commensurate with the appropriate law,
regulation, or government-wide policy.
a. Whenever DoD provides information to contractors, it must identify whether any of the
information is CUI via the contracting vehicle, in whole or part, and mark such documents,
material, or media in accordance with this issuance.
b. Whenever the DoD provides CUI to, or CUI is generated by, non-DoD entities, protective
measures and dissemination controls, including those directed by relevant law, regulation, or
government-wide policy, will be articulated in the contract, grant, or other legal agreement, as
appropriate.
c. DoD contracts must require contractors to monitor CUI for aggregation and compilation
based on the potential to generate classified information pursuant to security classification
guidance addressing the accumulation of unclassified data or information. DoD contracts shall
require contractors to report the potential classification of aggregated or compiled CUI to a DoD
representative.
d. DoD personnel and contractors, pursuant to mandatory DoD contract provisions, will
submit unclassified DoD information for review and approval for release in accordance with the
standard DoD Component processes and DoDI 5230.09.
e. All CUI records must follow the approved mandatory disposition authorities whenever the
DoD provides CUI to, or CUI is generated by, non-DoD entities in accordance with Section
1220-1236 of Title 36, CFR, Section 3301a of Title 44, U.S.C., and this issuance.
GLOSSARY
G.1. ACRONYMS.
ACRONYM MEANING
EA Executive Agent
E.O. Executive order
GLOSSARY 33
DoDI 5200.48, March 6, 2020
ACRONYM MEANING
REL TO releasable to
U Unclassified information
UCNI unclassified controlled nuclear information
UD unauthorized disclosure
U.S.C. United States Code
USD(A&S) Under Secretary of Defense for Acquisition and Sustainment
USD(I&S) Under Secretary of Defense for Intelligence and Security
USD(R&E) Under Secretary of Defense for Research and Engineering
G.2. DEFINITIONS.
Unless otherwise noted, these terms and their definitions are for the purpose of this issuance.
Referenced definitions related to CUI in Section 2002.4 of Title 32, CFR can be found at
https://intelshare.intelink.gov/sites/ousdi/hcis/sec/icdirect/information/CUI/Forms/AllItems.aspx.
TERM DEFINITION
GLOSSARY 34
DoDI 5200.48, March 6, 2020
TERM DEFINITION
CUI Basic Defined in Section 2002.4 of Title 32 CFR (DoD is not using this
structure in its initial implementation phase.)
CUI misuse Use of CUI in a manner not in accordance with the policy contained
in E.O. 13556; Part 2002 of Title 32, CFR; the CUI Registry; agency
CUI policy; or the applicable LRGWP governing the information.
CUI Specified Defined in Section 2002.4 of Title 32 CFR (DoD is not using this
structure in its initial implementation phase.)
GLOSSARY 35
DoDI 5200.48, March 6, 2020
TERM DEFINITION
Defense Industrial Defined in the DoD Dictionary of Military and Associated Terms.
Base
GLOSSARY 36
DoDI 5200.48, March 6, 2020
TERM DEFINITION
physical access All DoD and non-DoD personnel entering or exiting DoD facilities or
installations that authenticated a physical access control system
(PACS).
unclassified Information not requiring control, but requiring review before public
release.
GLOSSARY 37
DoDI 5200.48, March 6, 2020
REFERENCES
REFERENCES 38
DoDI 5200.48, March 6, 2020
DoD Instruction 8510.01, “Risk Management Framework (RMF) for DoD Information
Technology (IT),” March 12, 2014, as amended
DoD Manual 5200.01, Volume 1, “DoD Information Security Program: Overview,
Classification, And Declassification,” February 24, 2012, as amended
DoD Manual 5200.01, Volume 2, “DoD Information Security Program: Marking of
Information,” February 24, 2012, as amended
DoD Manual 5200.45, “Instruction for Developing Security Classification Guides,” April 02,
2013, as amended
DoD Manual 5400.07, “DoD Freedom of Information Act (FOIA) Program,” January 25, 2017
Executive Order 13526, “Classified National Security Information,” December 29, 2009
Executive Order 13556, “Controlled Unclassified Information,” November 04, 2010
Federal Information Processing Standards Publication 199, “Standards for Security
Categorization of Federal Information and Information Systems,” February 2004
Federal Information Processing Standards Publication 200, “Minimum Security Requirements
for Federal Information and Information Systems,” March 2006
Information Security Oversight Office, “CUI Notice 2016-01: Implementation Guidance for the
Controlled Unclassified Information Program,” September 14, 2016
Information Security Oversight Office, “CUI Notice: Decontrolling Controlled Unclassified
Information (CUI ) in Response to a Freedom of Information Act (FOIA) Request,”
November 19, 2018
Information Security Oversight Office, “CUI Notice 2019-01: Controlled Unclassified
Information (CUI) Coversheets and Labels,” February 22, 2019
Information Security Oversight Office, “CUI Notice 2019-02: CUI Program Manage Position
Description Template,” May 13, 2019
Information Security Oversight Office, “CUI Notice 2019-03: Destroying Controlled
Unclassified Information (CUI),” July 15, 2019
Information Security Oversight Office Response Letter to Under Secretary of Defense for
Intelligence and Security, August 21, 2019
Information Security Oversight Office Response Letter to Under Secretary of Defense for
Intelligence, Subject: “Unclassified versus Uncontrolled Unclassified Information”, June 4,
2019
Intelligence Community Directive 710, “Classification Management and Control Markings
System,” June 21, 2013
Intelligence Community Policy Guidance 403.1, “Criteria for Foreign Disclosure and release of
Classified National Intelligence,” June 21, 2013
National Institute of Standards and Technology Special Publication 800-171, “Protecting
Controlled Unclassified Information in Nonfederal Information Systems and Organizations,”
January 14, 2016, as amended
National Institute of Standards and Technology Special Publication 800-88, Revision 1,
“Guidelines for Media Sanitization,” February 5, 2015
National Strategy for Information Sharing and Safeguarding, December 19, 2012
REFERENCES 39
DoDI 5200.48, March 6, 2020
Office of the Chairman of the Joint Chiefs of Staff, “DoD Dictionary of Military and Associated
Terms,” current edition
Office of the Chief of Naval Operations Instruction N9210.3, “Safeguarding of Naval Nuclear
Propulsion Information (NNPI),” June 7, 2010
Office of Management and Budget Circular No. A-130, “Managing Information as a Strategic
Resource,” July 28, 2016
OPNAVINST N9210.3, “Safeguarding of Naval Nuclear Propulsion Information (NNPI)”, June
07, 2010
Under Secretary of Defense for Intelligence Memorandum, “Controlled Unclassified Information
Implementation and Oversight for the Defense Industrial Base,” May 17, 2018
United States Code, Title 5
United States Code, Title 10
United States Code, Title 42, Chapter 14 (also known as the “Atomic Energy Act of 1954”)
United States Code, Title 44
REFERENCES 40