Organizations that work in close proximity to government entities, like the US military, come into contact with several protected forms of information. One of the most critical kinds, for national security, is controlled unclassified information (CUI). It’s imperative to understand the processes and logistics of controlling and decontrolling CUI, such as who can decontrol CUI and who has a responsibility to protect it (and how). Read on to learn what your organization may need to do.

Who Is In Charge of Decontrolling CUI?

There are three primary parties that decontrol CUI, per the Department of Defense’s (DoD) Instruction 5200.48. They are the information’s originator, the original classification authority (OCA), if the information is in a classification guide, and designated offices for decontrolling CUI.

To understand why these parties are in charge of decontrolling, and why it matters, you also need to grasp the context around CUI and why it’s so critical to the national security of the US:

  • What decontrolling CUI means
  • Why CUI needs to be protected
  • How DoD-specific CUI is protected

If your organization is seeking a DoD contract, working with a qualified compliance partner can help you protect CUI and other sensitive information and achieve preferred contractor status.

What Does it Mean to Decontrol CUI?

According to 32 CFR § 2002.4, decontrolling CUI means removing any controls designed to safeguard or limit the dissemination of CUI. This may happen automatically or through direct action by the Office of the Director of National Intelligence (ODNI) or any of its components.

Agencies are encouraged to decontrol CUI as soon as they can, absent any conflicts of interest. There are four other conditions that authorize decontrolling, according to 32 CFR § 2002.18

  • When laws or policies no longer apply or require the CUI to be controlled
  • When the OCA or designating agency makes a proactive public disclosure
  • When a Freedom of Information Act (FOIA) or Privacy Act disclosure applies
  • When a pre-determined date or event necessitates disclosure, per the law

Beyond these, the OCA or other authority may decontrol CUI in response to a request from an authorized holder or in conjunction with wider declassification (e.g., by Executive Order 13526).

When a piece of CUI is decontrolled, authorized holders are no longer required to apply safeguards to it and must remove CUI markings on any CUI that is decontrolled. However, decontrolling is not an authorization for immediate public release.

What is CUI, and Why is it Critical to Protect?

The decontrolling of CUI is a sensitive manner that is highly regulated, as detailed above. But even more sensitive is the actual controlling—or safeguarding—of CUI, which is carried out by many more stakeholders than the limited parties who can decontrol CUI. This is because CUI is defined as information created or owned by the government that is not officially classified but nonetheless could compromise national or international security if inappropriately accessed.

In fact, it is because CUI is officially unclassified that it is so critical to protect.

Official classification effectively makes information impossible to access for even the most sophisticated criminals. Without that designation, information pertaining to defense, national infrastructure, trade secrets, law enforcement, and other sectors is all potentially dangerous.

That’s why several industries’ governing regulations specify controls for CUI.

In particular, the Defense Federal Acquisition Regulation Supplement (DFARS) requires the protection of CUI for any entities that come into contact with it. That protection comprises DFARS compliance, which in turn requires the implementation of several National Institute of Standards and Technology (NIST) controls from Special Publications 800-171 and 800-172.


How Do DoD Stakeholders Safeguard CUI?

Although CUI spans multiple sectors, its most critical applications and the most stringent regulations regarding it all concern defense. The practical question to ask is not about who decontrols all CUI, but about who can decontrol DoD CUI—and who can protect it, and how.

DFARS compliance is the primary way organizations protect CUI, and it is required for every stakeholder that works with the DoD in the loosely-defined Defense Industrial Base (DIB) sector.

Leave a Comment