Who Can Control CUI
Controlled Unclassified Information (CUI) can only be controlled by organizations and individuals that are officially designated as authorized holders under U.S. federal CUI rules. These authorized holders are the ones who decide how it is marked, safeguarded, shared, and eventually “decontrolled.”
What CUI Is (Quick context)
- CUI is sensitive but unclassified information that federal law, regulation, or government‑wide policy says must have safeguarding or dissemination controls.
- It is created or held by the U.S. Government or by non‑federal entities (like contractors) on behalf of the Government.
Who Can Control CUI Day to Day
In practice, “control” of CUI means deciding who may access it, how it is protected, and how it is shared or destroyed.
Key players:
- Designating / Originating agencies
  - Federal executive branch agencies decide what is CUI and apply the initial CUI markings and categories.
  - They issue policies, guidance, and sometimes security classification or CUI guides that others must follow.
- Authorized holders in agencies
  - Employees within those agencies who are authorized to handle CUI must limit access to only other authorized individuals and ensure proper storage, transmission, and destruction.
  - They are responsible for day‑to‑day control: locking it up, using secure systems, and checking that recipients are allowed to receive it.
- Contractors and defense companies (DIB)
  - When CUI is shared with a contractor (for example, under a DoD contract), that company becomes responsible for protecting it under DFARS, NIST SP 800‑171, and CMMC requirements.
  - Contractors must preserve all CUI markings, apply them to derivative documents, and implement required cybersecurity and physical controls.
High‑Level Oversight and Policy Control
- CUI Executive Agent (National Archives / ISOO)
  - Executive Order 13556 made the National Archives and Records Administration (NARA) the Executive Agent for the CUI program, carried out by the Information Security Oversight Office (ISOO).
  - ISOO issues government‑wide rules (32 CFR Part 2002) that define how agencies designate, mark, safeguard, disseminate, decontrol, and dispose of CUI.
- Department‑level CUI programs (e.g., DoD, GSA, DOI)
  - Departments such as DoD, GSA, and Interior have their own CUI policies and guides that translate the government‑wide rules into internal procedures.
  - Component heads must ensure training, oversight, and inspections so their personnel control CUI correctly.
Who Can Decontrol (Stop Controlling) CUI
“Decontrol” means formally removing CUI markings and controls when the information no longer requires that protection.
- Authorized holders / designating agencies
  - Only authorized holders, consistent with the CUI Registry and agency policy, may decontrol CUI.
  - Decontrol can occur automatically (for example, when law or policy no longer requires controls) or by an explicit action from the designating agency or its designated office.
- Examples of decontrol triggers
  - Law, regulation, or policy changes so that controls are no longer required.
  - The designating agency publicly releases the information, such as through an approved FOIA release.
  - An authorized holder follows agency procedures to release the information in a way that the agency considers public.
Access vs. Control (Important distinction)
- Access: Many different people and organizations can be given access to CUI if they have a lawful government purpose and meet any specific restrictions.
- Control: Only those recognized as authorized holders under the relevant agency and government‑wide rules can decide how it is marked, limited, protected, shared, and eventually decontrolled.
In short, when asking “who can control CUI,” the answer is:
- The originating / designating federal agency,
- The authorized holders within that agency, and
- Any contractors or partner organizations that receive CUI and are bound by federal and contractual CUI requirements, all operating under the framework set by NARA/ISOO and agency‑specific CUI policies.