Framework FAQ's
What is the CUI Framework?
The President’s Memorandum establishes policies and procedures governing the designation, marking, safeguarding, and dissemination of CUI terrorism-related information that originates in departments and agencies, regardless of the medium used for the display, storage, or transmittal of such information.
The CUI Framework is a critical part of a larger effort to create an Information Sharing Environment (ISE) that will facilitate the sharing of terrorism-related information. Because the CUI Framework provides for standardized handling of information, it supports the individual missions of departments and agencies and enhances the ability to share vital terrorism-related information among Federal, State, local, tribal, private sector, and foreign partners. Implementing the CUI Framework will further the ISE and help departments and agencies better manage their information.
Who is required to implement the CUI Framework?
The heads of Executive Branch Departments and Agencies in the possession of terrorism-realted information are required to ensure implementation of the CUI Framework within their their respective department or agency.
The Executive Branch cannot mandate the use of the CUI Framework to other Branches of the Federal Government or State, local, tribal, and private sector entities. However, the CUI Office believes that having a common framework with all partners will improve information sharing and encourage entities outside of the Executive Branch to adopt the CUI framework.
What information will become CUI?
To be properly designated as CUI, information must meet the requirements set forth in the President’s memorandum, specifically:
“Information shall be designated as CUI and carry an authorized CUI marking if:
- a statute requires or authorizes such a designation; or
- the head of the originating department or agency, through regulations, directives, or other specific guidance to the agency, determines that the information is CUI. Such determination should be based on mission requirements, business prudence, legal privilege, the protection of personal or commercial rights, safety, or security. Such department or agency directives, regulations, or guidance shall be provided to the EA for review.
Notwithstanding the above, information shall not be designated as CUI:
- to:
- conceal violations of law, inefficiency, or administrative error
- prevent embarrassment to the Federal Government or any Federal official, any organization, or agency
- improperly or unlawfully interfere with competition in the private sector
- prevent or delay the release of information that does not require such protection
- if it is required to be made available to the public; or
- if it has already been released to the public under proper authority.
How do the new CUI designations impact Freedom of Information Act (FOIA) requests?
The CUI Framework makes no explicit changes to the FOIA process. Current practices and procedures related to the release of information pursuant to a FOIA request will remain in effect. Marking information as CUI will inform but will not be determinative of public disclosure and release decisions.
Governance Structure FAQ's
What is the CUI Governance Structure?
The CUI governance structure is composed of a central management and oversight authority and participating departments and agencies. Within the limits of the law, State, local, tribal, and private sector representatives shall also participate in an advisory capacity.
The President has designated NARA as the CUI Executive Agent. In this role, NARA has the authority and the responsibility to oversee and manage the implementation of the CUI Framework, including developing and issuing standards for the CUI Framework, conducting a periodic review of the CUI Framework and adjusting, as required, based on input from heads of Federal departments and agencies, the CUI Council and the Legislative Branch.
NARA will receive advisory support from a CUI Council, which shall act as a subcommittee of the Information Sharing Council "ISC", created by the Intelligence Reform and Terrorism Prevention Act of 2004
(IRTPA). Representing the needs and equities of ISE participants, the CUI Council will provide advice and recommendations to the CUI Executive Agent on ISE-wide CUI policies, procedures, guidelines, and standards
Heads of Executive Branch departments and agencies will be responsible for implementing the CUI Framework standards for ISE-wide CUI policy and ensuring that their departments or agencies comply with the CUI Framework.
Detailed descriptions of the roles and responsibilities of the CUI Governance Structure are found in the President’s Memorandum.
When will the CUI Council meet?
The Program Manager for the Information Sharing Environment (PM-ISE) issued guidance establishing the CUI Council, which is a sub-committee of the Information Sharing Council, and requesting that departments and agencies designate their representative to the CUI Council. The CUI Office Director, who is the Chair of the CUI Council, will schedule the CUI Council meetings.
Implementation of the CUI Framework FAQ's
What are the next steps for implementing the CUI Framework?
The CUI Office has convened the CUI Council and will begin the development of guidance necessary for the timely, efficient, and effective implementation of the CUI Framework. One of the initial tasks will be creating an implementation plan for the CUI Framework.
When should departments and agencies start to implement?
Before departments and agencies can apply the new framework, the CUI Office, with the advice of the CUI Council, must issue detailed implementing guidance. In addition, the CUI Registry and a CUI training program must be operational to further the Framework’s implementation
Once guidance is issued, the CUI Registry established, and a CUI training program created, the head of each department and agency with possession of terrorism-related information must ensure the implementation of the CUI Framework within such department and agency.
Implementation timelines are under development. In the interim, departments and agencies should work to establish internal processes to manage implementation, including a plan to transition from their current marking regime to the new CUI Framework.
When do employees start to use CUI?
Executive Branch employees and contractors supporting Government agencies should follow their existing "Sensitive But Unclassified" (SBU) schema until otherwise directed by the department or agency head.
When will the CUI Registry be set up?
In the coming months, an implementation plan will be developed for the CUI Framework. This plan will include setting a timeline for the development of the CUI Registry. Because the CUI registry is an integral part of the CUI Framework, it is expected that the development of the CUI registry will be given a high priority in implementation planning.
How will the exceptions be handled in the CUI Registry?
The memorandum requires that all CUI originated by departments and agencies and shared within the ISE conforms to the policies and standards for the designating, marking, safeguarding, and disseminating established in accordance with this memorandum. However, infrastructure protection agreements not fully accommodated under the CUI Framework (and its associated markings, safeguarding requirements, and dissemination limitations) will be considered exceptions to this CUI Framework. The memorandum identifies four exceptions:
- 6 CFR Pt. 29 – PCII (Protected Critical Infrastructure Information)
- 49 CFR Pts. 15 (Department of Transportation) & 1520 (Department of Homeland Security/Transportation Security Administration) – SSI (Sensitive Security Information)
- 6 CFR Pt. 27 – CVI (Chemical Vulnerability Information) and
- 10 CFR Pt. 73 – SGI (Safeguards Information)
The CUI Framework will be used for such information to the maximum extent possible, but will not affect or interfere with specific regulatory requirements for marking, safeguarding, and disseminating.
The affected department or agency is authorized to select the most applicable CUI safeguarding marking for the regulation. Any additional requirements for the safeguarding beyond that specified under the CUI Framework will be appropriately registered in the CUI Registry. Any regulatory marking will follow the CUI marking, and a specified dissemination instruction will articulate any additional regulatory requirements.
How much leeway will there be in implementation?
Full implementation of the CUI Framework is required within 5 years of the release date of the President’s Memorandum, Designation and Sharing of Controlled Unclassified Information (CUI) , May 9, 2008. Guidance and an implementation plan will be developed which shall allow for the timely, efficient, and effective implementation of the CUI Framework. The heads of departments and agencies will have flexibility to determine implementation within their departments or agencies consistent with policies, guidance, and standards established by the CUI Office.
PDF files require the free Adobe Reader.
More information on Adobe Acrobat PDF files is available on our Accessibility page.
