Executive Order 13556: The Ultimate Guide to Controlled Unclassified Information (CUI)

LEGAL DISCLAIMER: This article provides general, informational content for educational purposes only. It is not a substitute for professional legal advice from a qualified attorney. Always consult with a lawyer for guidance on your specific legal situation.

Imagine you're helping a friend move. You enter their old house and see a chaotic mess of boxes. Some are labeled “Fragile,” others say “Kitchen Stuff,” “Handle with Care,” “Heavy,” or “This Side Up.” There's no single, consistent system. You don't know if “Handle with Care” is more important than “Fragile,” or if they mean the same thing. This confusion slows everything down and increases the risk of breaking something valuable. For decades, this was the state of sensitive information within the U.S. government. Dozens of agencies used over 100 different labels like “For Official Use Only” (FOUO) or “Sensitive But Unclassified” (SBU), creating a jungle of confusing markings. This made it difficult for agencies to share critical information securely and efficiently, a problem highlighted after the 9/11 attacks. Executive Order 13556, signed by President Barack Obama in 2010, was the government's solution. It was a presidential command to clean up the mess. It swept away all the old, confusing labels and created one single, standardized system for protecting sensitive government information that is not classified (e.g., Top Secret, Secret, Confidential). This new system is called the Controlled Unclassified Information (CUI) program. For the average person, especially small business owners who work with the government, this order changed everything about how they are required to handle, mark, and protect federal data.

• Key Takeaways At-a-Glance:
  • A Standardized System: Executive Order 13556 created the Controlled Unclassified Information (CUI) program to establish a single, uniform framework for managing and protecting unclassified information that requires safeguarding. executive_order.
  • Direct Impact on You: If you or your business handle any information for or on behalf of the U.S. government—from technical drawings to personal data—Executive Order 13556 dictates the specific security rules you must follow, affecting your cybersecurity policies, employee training, and contract compliance. government_contract.
  • Action Required: Understanding the CUI program is not optional for federal contractors; it is a critical compliance issue that requires you to identify CUI, implement specific security controls (often based on standards from the national_institute_of_standards_and_technology), and train your staff accordingly.

Before 2010, the U.S. government's approach to protecting sensitive but unclassified information was, to put it mildly, a state of organized chaos. Each federal agency was a kingdom unto itself, creating its own rules and its own labels for information that wasn't secret enough to be classified but too sensitive for public release. The Department of Defense used “For Official Use Only” (FOUO). The Department of Justice used “Law Enforcement Sensitive” (LES). The State Department had its own markings. This ad-hoc system created immense problems:

• Confusion: An employee moving from one agency to another had to learn a completely new set of rules.
• Information Hoarding: Unsure of the rules, agencies were often reluctant to share information with each other, fearing they might violate a policy they didn't understand.
• Inefficiency: Time and resources were wasted trying to determine how to handle a document from another agency.

The tragic events of September 11, 2001, cast a harsh spotlight on these failures. The 9/11 Commission Report specifically identified “failures of imagination, policy, capabilities, and management” and highlighted how poor information sharing between intelligence and law enforcement agencies contributed to the inability to “connect the dots.” The report made it clear that a modern, effective government needed a unified way to both protect sensitive information and share it with those who need it. In response, on November 4, 2010, President Obama issued Executive Order 13556, “Controlled Unclassified Information.” The order was not a suggestion; it was a directive from the Commander-in-Chief to the entire executive branch. Its goal was ambitious: to create a single, government-wide program to manage this information category. It designated the national_archives_and_records_administration (NARA) to oversee this massive undertaking, acting as the Executive Agent to implement the CUI program. This set the stage for a decade-long process of untangling the old web of regulations and building a new, coherent structure from the ground up.

The Executive Order itself is the foundational document, but it's more of a blueprint than a detailed instruction manual. It lays out the broad principles and delegates authority. A key passage from Section 1 of the order states:

“The CUI Program shall standardize the way the executive branch handles unclassified information that requires protection… and shall replace the array of existing agency-specific policies and regulations.”

This single sentence captures the entire mission. To turn this mission into reality, NARA, through its information_security_oversight_office (ISOO), issued a final rule that acts as the official CUI playbook. This rule is found in the code_of_federal_regulations.

• `32_cfr_part_2002`: This is the implementing regulation for the CUI program. If EO 13556 is the constitution, 32 CFR Part 2002 is the body of laws that governs daily life. It provides the specific, detailed requirements for marking, safeguarding, disseminating, and decontrolling CUI. Anyone who works with CUI, especially government contractors, must be familiar with this regulation.

The order and the regulation work together. The EO provides the “why” and the “who,” while 32 CFR Part 2002 provides the “what” and the “how.”

Executive Order 13556 is a directive to the entire executive branch, but its implementation is not one-size-fits-all. Each agency was required to review its existing policies, eliminate old markings, and adopt the CUI framework. This is a massive, ongoing effort. The table below illustrates how different agencies, with vastly different missions, are all bound by the same CUI framework.

This table shows that while the CUI program creates a universal language, its application is tailored to the specific types of sensitive information each agency creates and protects.

Executive Order 13556 didn't just create a new label; it created an entire ecosystem of rules, roles, and responsibilities. Understanding these core components is essential for anyone who handles federal information.

At its heart, CUI is unclassified information that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. This definition is crucial. Information isn't CUI just because it feels sensitive. It must be tied to an existing legal authority. For example, the privacy_act_of_1974 protects certain personal records held by the government. Information covered by that act is a type of CUI. Think of it this way:

• Classified Information: This is the nation's most vital secret information, protected because its unauthorized disclosure could cause exceptionally grave damage to national security. It has three levels: Top Secret, Secret, and Confidential. Access requires a security_clearance.
• Public Information: This is information cleared for release to anyone, with no restrictions.
• Controlled Unclassified Information (CUI): This is the vast middle ground. It's not a national security secret, but it's sensitive enough that the government has a formal reason (a law or policy) to protect it. Examples include personal privacy data, tax information, critical infrastructure details, and proprietary business information submitted to the government.

This is one of the most important distinctions within the CUI program. It dictates *how* the information must be protected.

• CUI Basic: This is the default category. The safeguarding and handling requirements are uniform across the U.S. Government and are laid out in `32_cfr_part_2002`. Think of this as the “standard” level of protection. You must protect it, but the law or policy that makes it CUI doesn't demand any extra, special handling beyond the CUI program's baseline rules.
• CUI Specified: This category is for information that requires more stringent controls. The underlying law, regulation, or policy specifies protections that are different from or go beyond the CUI Basic baseline. For example, specific export control data or intelligence-related information might have very precise rules about who can see it and how it can be shared.

Analogy: Imagine a secure office building.

• CUI Basic is like information left on a desk inside the main office area. The building itself is secure (that's the baseline protection), but within the main floor, authorized employees can generally access it.
• CUI Specified is like information locked in a safe *within* that secure office. Not only do you need access to the building, but you also need the specific combination or key for that safe. The law provides that “extra lock.”

How do you know if information is CUI? Or if it's Basic or Specified? The answer lies in the CUI Registry. Managed by NARA, the CUI Registry is the official online repository for all information about the CUI program. It is the definitive source for:

• A complete list of all approved CUI categories (e.g., Privacy, Tax, Export Control).
• The legal authority behind each category.
• Whether a category is CUI Basic or CUI Specified.
• Any specific handling or dissemination controls required for CUI Specified categories.

Anyone who creates or handles CUI is required to consult the Registry to ensure they are applying the correct markings and protections. It is the single source of truth for the entire program.

Clear, consistent marking is the cornerstone of the CUI program. The goal is that anyone, in any agency, can look at a document and immediately understand its sensitivity. Key marking requirements include:

• Banner Marking: All documents containing CUI must have a banner at the top and bottom of each page. At a minimum, it will say “CONTROLLED”.
• CUI Designation Indicator: The banner must specify the type of CUI. For CUI Basic, it might say “CUI”. For CUI Specified, it would include the specific category, such as “CUISP-PRVCY” for privacy information. * Portion Marking: Just like with classified documents, paragraphs or sections within a document may be marked to show which specific parts contain CUI. These markings are not optional. They are a legal requirement and are critical for ensuring that information is protected correctly throughout its lifecycle. ==== The Players on the Field: Who's Who in the CUI Ecosystem ==== * National Archives and Records Administration (NARA): As the Executive Agent designated by the EO, NARA has overall policy and oversight responsibility for the CUI program government-wide. * Information Security Oversight Office (ISOO): A component of NARA, ISOO is responsible for the day-to-day implementation and oversight of the program. They manage the CUI Registry and issue guidance to agencies. * Agency CUI Senior Officials (SAOs): Each executive branch agency must designate a senior official to be responsible for directing and overseeing the CUI program within their organization. * Government Employees & Contractors: These are the people on the front lines who create, handle, and use CUI every day. They are responsible for following the rules for marking, safeguarding, and sharing information properly. ===== Part 3: Your Practical Playbook for CUI Compliance ===== If your company does business with the federal government, the CUI program is not an abstract concept—it's a set of concrete compliance obligations. Failure to comply can lead to loss of contracts, fines, or even legal action. ==== Step-by-Step: What to Do if You Handle CUI ==== === Step 1: Identify if You Handle CUI === The first and most critical step is to determine if your work involves CUI. - Review Your Contracts: Look for clauses that mention “Controlled Unclassified Information,” CUI, or specific security requirements like `dfars_252_204-7012` (for DoD contractors). - Check Document Markings: Any information you receive from the government should be properly marked if it is CUI. Look for banners like “CUI” or “CONTROLLED.” - Ask Your Government Contact: If you are unsure, you have a right and a responsibility to ask your government contracting officer or point of contact for clarification. The government is responsible for identifying and marking CUI before giving it to you. === Step 2: Understand Your CUI Category === Once you've identified that you handle CUI, visit the online CUI Registry managed by NARA. Look up the category of CUI you are handling (e.g., “Privacy,” “Procurement and Acquisition”). This will tell you if it is CUI Basic or CUI Specified and what specific handling rules apply. === Step 3: Implement Safeguarding Requirements === Protecting CUI is about controlling access. You must ensure that only authorized individuals can see or use the information. The requirements cover both physical and digital security. - For CUI Basic on non-federal systems, the default standard for cybersecurity is `nist_sp_800-171` (Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations). This standard includes 110 security controls covering areas like: * Access Control: Who can log in to your systems? * Awareness and Training: Do your employees know the rules? * Incident Response: What do you do if you have a data breach? * Physical Protection: Are your servers and laptops locked and secured? === Step 4: Train Your Employees === Your employees are your first line of defense. Anyone in your organization who might come into contact with CUI must be trained on: - How to identify CUI. - Their responsibilities for safeguarding it. - The proper procedures for marking, handling, and destroying CUI. - Who to report security incidents to. === Step 5: Master CUI Marking and Decontrol === If you create new documents containing CUI, you are responsible for marking them correctly according to the rules in the CUI Registry. Equally important is decontrolling. Information should only be protected for as long as necessary. When the law or policy no longer requires protection, CUI must be decontrolled, meaning the markings are removed. You must follow official procedures for this; you cannot simply decide to un-mark a document on your own. ==== Essential Paperwork: Key Forms and Documents ==== * `sf_901` (CUI Cover Sheet): This is a standardized cover sheet (similar to those used for classified documents) that is placed on top of hard-copy CUI documents to clearly alert handlers to the sensitivity of the contents. * Government Contract Clauses (e.g., `dfars_252_204-7012`): For Department of Defense contractors, this clause is legally binding. It requires contractors to provide “adequate security” for covered defense information (a type of CUI) and to report cyber incidents rapidly. Similar clauses exist for other agencies. * System Security Plan (SSP): Required by `nist_sp_800-171`, this document details how your organization has implemented the 110 security controls. It is a living document that must be kept up-to-date. ===== Part 4: The Impact and Legacy of EO 13556 ===== ==== The Great “Un-Marking”: Sunsetting Old Labels ==== The most visible impact of EO 13556 was the systematic elimination of over 100 legacy markings. This was a monumental task. Agencies had to conduct massive inventories of their information, re-train their entire workforces, and update countless internal policies and IT systems. The term “FOUO” (For Official Use Only), once ubiquitous in government, was officially retired and replaced by the CUI framework. While this transition caused short-term pain and confusion, its long-term goal is to create a more efficient and secure government, free from the Tower of Babel of old markings. ==== Impact on Government Contractors ==== For the private sector, particularly small and medium-sized businesses, the CUI program represented a significant new regulatory burden. Complying with the cybersecurity requirements of `nist_sp_800-171` is a complex and often expensive undertaking. It requires sophisticated IT systems, dedicated personnel, and a new level of security awareness. This has raised the bar for entry into the federal marketplace, but it also reflects the reality that the nation's sensitive information is often most vulnerable when it is in the hands of third-party contractors. ==== Impact on Information Sharing ==== Did the CUI program achieve its goal of improving information sharing? The results are mixed and a subject of ongoing debate. * On the one hand, by creating a common language, it has made it procedurally easier for an employee at the Department of Energy to understand a document from the Department of Transportation. The clear rules remove ambiguity. * On the other hand, some critics argue that the program has led to “over-marking,” where risk-averse employees label information as CUI even when it may not qualify, thus restricting access unnecessarily. Striking the right balance between protecting information and sharing it effectively remains a central challenge for the program. ===== Part 5: The Future of the CUI Program ===== ==== Today's Battlegrounds: Current Controversies and Debates ==== The CUI program is not static. It continues to evolve, and several key debates shape its future. * Inconsistent Implementation: While the rules are centralized, implementation still varies from agency to agency. Some have been more aggressive in adopting the CUI framework than others, creating friction for contractors who work with multiple agencies. * The Cost of Compliance: The financial burden of cybersecurity compliance, particularly for small businesses, is a major point of contention. The DoD's `cybersecurity_maturity_model_certification` (CMMC) program, which builds upon the CUI framework, is a direct response to this challenge, seeking to verify that contractors have actually implemented the required security controls. * Decontrol and Over-Classification: A persistent challenge is ensuring that information is decontrolled when protection is no longer needed. The tendency in any bureaucracy is to protect information by default, which can lead to the unnecessary restriction of data that could be useful to the public or other researchers. ==== On the Horizon: How Technology and Society are Changing the Law ==== The world of 2010, when EO 13556 was signed, is vastly different from today. New technologies are testing the limits of the CUI framework. * Cloud Computing: How are CUI protections applied when data is stored not on a local server, but in a distributed cloud environment, potentially with servers in different countries? Federal cloud security programs like FedRAMP are working to address this. * Artificial Intelligence (AI): There is immense potential for AI to help agencies identify and automatically mark CUI, reducing human error and workload. However, this also raises questions about the accuracy of AI algorithms and how to handle the massive volumes of data they process. * Big Data and Data Aggregation: The CUI program often focuses on discrete documents or files. But what happens when multiple pieces of unclassified, non-CUI data are aggregated to reveal a sensitive pattern? This concept of “mosaic theory” presents a complex challenge that the current CUI framework is still grappling with. Executive Order 13556 was a landmark reform that brought much-needed order to the chaos of federal information security. Its implementation is a long-term project, but its core principles—uniformity, clarity, and a direct link to legal authority—will continue to shape how the U.S. government and its partners protect sensitive information for decades to come. ===== Glossary of Related Terms ===== * `32_cfr_part_2002`: The regulation issued by NARA that provides the detailed implementation instructions for the CUI program. * `classified_information`: Information requiring protection against unauthorized disclosure for national security reasons, categorized as Top Secret, Secret, or Confidential. * CUI Basic: The default CUI category where the handling and safeguarding controls are defined by 32 CFR Part 2002. * CUI Registry: The official online repository managed by NARA that identifies all approved CUI categories and their specific handling rules. * CUI Specified: A CUI category for which the underlying law or policy requires handling controls that are more stringent than the CUI Basic baseline. * Decontrolling: The process of removing CUI markings and safeguards when the information no longer requires protection. * Dissemination: The act of sharing or transmitting CUI to an authorized recipient. * Executive Agent: An agency or official designated by the President to have primary responsibility for a particular matter, in this case, NARA for the CUI program. * `information_security_oversight_office` (ISOO): The office within NARA responsible for policy and oversight of the government-wide security classification system and the CUI program. * Marking: The process of applying official labels and indicators to information to identify it as CUI. * `national_archives_and_records_administration` (NARA): The U.S. government agency tasked with preserving and documenting government and historical records. * `nist_sp_800-171`: A publication from the National Institute of Standards and Technology that provides security requirements for protecting CUI on non-federal systems. * Safeguarding: The measures and controls taken to protect CUI from unauthorized access or disclosure. * `security_clearance`: A formal determination that an individual is eligible for access to classified national security information. * Uncontrolled Unclassified Information: Information that is not classified and does not meet the standards for CUI, and therefore requires no specific safeguarding. ===== See Also ===== * `executive_order` * `classified_information` * `government_contract` * `freedom_of_information_act_foia` * `privacy_act_of_1974` * `cybersecurity_maturity_model_certification` * `national_institute_of_standards_and_technology`