SCHRIEVER AIR FORCE BASE, Colo. -- The Department of Defense recently adopted “Controlled Unclassified Information” as the identifier for sensitive information.
The Administrative Assistant for security to the Secretary of the Air force issued Air Force Guidance Memorandum 2020-16-01 July 23 to implement the new CUI policy.
The rebranding of CUI highlights a change in process rather than policy, said Doug Peacock, Schriever Information Protection Information Security specialist.
“What we’re trying to do is establish a starting point to acknowledge what CUI is, how to mark it and how to protect it,” Peacock said. “Sometimes people just push the FOUO button on the email because they don’t want their email to be locked out. They’d overprotect rather than properly protect and the DoD wanted to better control that. One of the biggest changes aside from the name is [the DoD will] implement an indicator box you have to put on your documents to say why something is marked CUI.”
All CUI documents will be required to have a ‘CUI’ marking at the top and bottom of the page to indicate sensitive information in the text. Peacock said those who want to be thorough can do portion markings in emails containing CUI.
Portion markings are shown when each paragraph of the email is marked and explains why the information is CUI and provides the reader with details of why it’s sensitive.
Emails will require senders to identify the person of contact, the name of the office creating the document, who it can be sent to and what category of CUI the content belongs.
“The DoD has established a 'CUI' registry you have to go to and find the law and regulation or government policy that specifically requires the information be marked as CUI,” said John Hladky, Peterson IP Information Security Program manager. “Instead of people haphazardly marking information as FOUO, people now have to go to the registry to understand why something is CUI.”
The DoD registry indicates numerous categories of CUI, which include security classification and declassification guides, agricultural and health operations, cyber security defense information and more.
The Defense Security Cooperation Agency and Center for Development of Security Excellence are working to develop a CUI training expected to be completed this month. Until the DSCA training becomes available, personnel are not required to complete any CUI training. Once the training is fielded, initial and annual training will be required.
Until the CUI button is created for the email system, DAF personnel can continue to use the FOUO or PII buttons, but need to ensure 'CUI' is added at the top and bottom of emails and the CUI designation indicator is included in the body of the email.
“[Moving to CUI] won’t be an overnight change; it’ll be a process to get people used to it,” Peacock said. “We’re working with the 50th Space Communications Squadron and the folks at the cyber security office. They’re working through their channels saying that a new change to Outlook and the [Digital Signature Enforcement Tool] is forthcoming and will change those buttons. To change that Air Force-wide is a lengthy process.”
For additional information regarding the FOUO to CUI change, contact your unit security assistant or visit https://static.e-publishing.af.mil/production/1/saf_aa/publication/afgm2020-16-01/afgm2020-16-01.pdf.
To see more categories covered by CUI, https://intelshare.intelink.gov/sites/ousdi/hcis/sec/icdirect/information/CUI/Forms/AllItems.aspx.