What is the DoD CUI Program?

The Department of Defense (DoD) Controlled Unclassified Information (CUI) program enables the DoD to provide a secure and safe storage and management of non-classified but sensitive information. The DoD CUI Program is part of the DoD’s overarching information security efforts, ensuring that DoD personnel and contractors have the appropriate access to unclassified information while protecting the confidentiality, integrity, and availability of that information.

The DoD CUI Program is part of the DoD’s compliance with Executive Order (EO) 13556, Controlled Unclassified Information. This executive order requires departments and agencies within the Federal Government to uniformly address the management of unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies. The purpose of the DoD CUI Program is to make sure that DoD personnel, contractors, and other personnel working with DoD systems have the appropriate access to unclassified information that requires protect for confidentiality, integrity, and availability.

What is the DoD Instruction for the DoD CUI Program?

The DoD Instruction 5200.48 establishes policy, assigns responsibilities and provides procedures for the DoD CUI Program. The instruction defines the controls that must be in-place and followed when handling CUI. The instruction implements DoD’s compliance with the objectives outlined in Executive Order 13556 and provides guidance on how to implement safeguards, store, and manage all non-classified information, as well as protect it with access and authentication controls.

The instruction applies to all DoD personnel, including DoD civilian and non-appropriated funds employees. This includes all members of the military, contractors, and other personnel working with or having access to DoD systems. The DoD CUI Program’s goal is to ensure the secure and safe management of the non-classified but sensitive information, allowing the personnel that needs access to have the proper access and any personnel without the proper access will not have access.

What are the Key Components of the DoD Instruction for the DoD CUI Program?

The DoD Instruction 5200.48 outlines the key components for the DoD CUI Program, which include:

• Identification & Marking of CUI: The Instruction outlines the requirements for properly identifying CUI and providing sufficient markings for CUI. This information is important for defining the security controls applicable for CUI, as well as to be able to detect and take corrective actions if appropriate.

• Safeguarding Requirements: The Instruction outlines the taskers and requirements that DoD personnel need to follow when safeguarding CUI. This includes technical requirements, physical requirements, operational requirements, and personnel requirements.

• Access Requirements: The Instruction provides guidance on how personnel can access CUI such as providing the appropriate authentication credentials. This is important because this information is used to make sure that users that have the proper access will be able to access the CUI and users without the proper permissions or credentials will not be able to access CUI.

• Incident Reporting: The Instruction outlines the requirements for CUI incident reporting, which includes providing a process for properly informing the DoD of any incidents involving CUI data. This information is important for notifying the DoD of any potential security incidents that have occurred with CUI data and to ensure proper corrective actions can be taken if necessary.

• Disposition and Destruction of CUI: The Instruction provides guidance on how CUI should be disposed of and destroyed so that it can no longer be accessed or retrieved in an unauthorized manner. This includes providing guidance on determining the appropriate manner in which CUI should be disposed based on the sensitivity of the CUI.

Conclusion

The DoD CUI Program is an important part of the DoD’s overall efforts in providing secure and safe management of non-classified information that needs additional protection for its confidentiality, integrity, and availability. The DoD Instruction 5200.48 establishes the policy, assigns the responsibilities, and provides the necessary procedures for the implementation and proper management of the DoD CUI Program. This Instruction also outlines the key components for implementing and managing the CUI Program, such as identification and marking of CUI, safeguarding requirements, access requirements, incident reporting, and disposition and destruction of CUI.