The CUI Life Cycle

The CUI Life Cycle shows the path that sensitive unclassified information takes as it goes from creation through destruction or public release.  Each step in the CUI journey has clearly defined requirements to ensure proper safeguarding.

CUI Lifecycle

Create

CUI is defined in Section 2002.4 of Title 32 CFR as "information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls." CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency.

Identify & Designate

The authorized holder of a document or material is responsible for determining, at the time of creation, whether information in a document or material falls into a CUI category. If so, the authorized holder is responsible for applying CUI markings and dissemination instructions accordingly.  

Mark/ Label

At minimum, CUI markings for unclassified DoD documents will include the acronym “CUI” in the banner and footer of the document. If portion markings are selected, then all document subjects and titles, as well as individual sections, parts, paragraphs, or similar portions of a CUI document known to contain CUI, will be portion marked with “(CUI).” Use of the unclassified marking “(U)” as a portion marking for unclassified information within CUI documents or materials is required.

Store

Information systems that house CUI must be NIST 800-171 compliant.  Authorized holders must take reasonable precautions to guard against unauthorized disclosure of CUI.  To physically store CUI, establish controlled environments in which to protect CUI from unauthorized access or disclosure and make use of those controlled environments.  Keep CUI under the authorized holder's direct control or protect it with at least one physical barrier, and reasonably ensure that the authorized holder or the physical barrier protects the CUI from unauthorized access or observation when outside a controlled environment

Disseminate

CUI information may be disseminated within the DoD Components and between DoD Component officials and DoD contractors, consultants, and grantees to conduct official business for the DoD, provided dissemination is consistent with controls imposed by a distribution statement or limited dissemination controls (LDC). Unlike with classified material, an individual or organization generally does not need to demonstrate a need-to-know to access CUI, unless required by a law, regulation, or government-wide policy, but must have a lawful governmental purpose for such access. DoD CUI may be disseminated to DoD personnel to conduct official DoD and U.S. Government business in accordance with a law, regulation, or government-wide policy. No individual may have access to CUI information unless it is determined he or she has an authorized, lawful government purpose. The person with authorized possession, knowledge, or control of CUI will determine whether an individual has an authorized, lawful government purpose to access designated CUI.

Disseminate After CUI Removal

Removing CUI from documents eliminates the handling and safeguarding requirements that are inherent with CUI.  Documents should go through at least two levels of review to ensure that ALL CUI is removed/redacted from the documents before they are disseminated as unclassified information which requires no additional safeguarding. 

Disseminate with CUI Intact

CUI access should be encouraged and permitted to the extent the access or dissemination:

  1. Complies with the law, regulation, or government-wide policy identifying the information as CUI.
  2. Furthers a lawful government purpose.
  3. Is not restricted by an authorized LDC established by the CUI EA.
  4. Is not otherwise prohibited by any other law, regulation, or government-wide policy.

Destroy

There are two forms of media: hard copy and electronic (soft) media.  Hard and soft copies of CUI should be completely destroyed, meaning they are rendered unreadable, indecipherable, and irrecoverable. There are three ways to dispose of electronic media: 

  1. Clearing: Protects against non-invasive data recovery techniques by clearing data through standard Read and Write commands on device. Examples include rewriting or resetting the storage device.
  2. Purging: Applies physical or logical techniques that render CUI recovery infeasible using state-of-the-art laboratory techniques.
  3. Destroying: Like purging, state-of-the-art laboratory techniques are used to make the data impossible to retrieve. However, the media is then completely destroyed so that it cannot be used for storage again.

Decontrol 

Agencies must promptly decontrol CUI properly determined by the CUI owner to no longer require safeguarding or dissemination controls, unless doing so conflicts with the related law, regulation, or government-wide policy in accordance with DoDI 5230.09.

CUI documents and materials will be formally reviewed in accordance with DoDI 5230.09 before being decontrolled or released to the public. Decontrolling CUI through the public release process relieves authorized holders from requirements for handling information in accordance with the CUI Program. A pre-publication review must be conducted in accordance with DoDI 5230.09 before public release may be authorized.

The CUI Life Cycle is copyrighted by CMMC Consulting LLC and SideChannelSec, LLC and may not be duplicated or reproduced without written consent.

0