Tuesday, June 2, 2015

CUI NPRM – Marking CUI

This is part of a series of posts on the notice of proposed rulemaking (NPRM) recently published by the National Archives and Records Administration’s (NARA) Information Security Oversight Office (ISOO) on the establishment and harmonization of controls on controlled unclassified information (CUI).

Section 2002.15 outlines the marking requirements for CUI. This is an area that is going to require significant changes in the way that the various categories and subcategories of CUI are handled, since portions of the new marking requirements will apply to both CUI Basic and CUI Specified categories and subcategories.

Banner Markings

All CUI documents will include a mandatory banner marking (across the top-center of each page of the controlled document). The first element of that banner marking will be either the word ‘Controlled’ or the abbreviation ‘CUI’. For categories and subcategories that are listed in the CUI Registry as CUI Basic (no ‘*’ marking behind the name) this may be the only element in the banner.

For CUI Specific, a slash (‘/’) will be placed after the ‘Controlled’ or ‘CUI’ marking, followed by the marking required for the category or subcategory of CUI; at some point these markings will be listed in the CUI Registry page for each type of CUI Specific information. Where multiple CUI Specific categories or subcategories are used in the document, each must be listed in the banner in alphabetical order.

This rule would allow for the limited use of ‘limited dissemination control’ (LDC) markings (e.g., NOFORN: no foreign dissemination). These markings will be placed after all of the CUI Specific markings and will be preceded by a ‘//’. Multiple LDCs will be listed in alphabetical order. A listing of the authorized LDC abbreviations will be included in the CUI Registry.

First Page Markings

The first page of any CUI document will also contain two additional markings: a CUI designation indicator and a CUI decontrolling indicator. The first is mandatory on all CUI documents. The second will be used where feasible.

The designation indicator will typically be the words ‘Controlled by:’ followed by the agency (at a minimum) and the office of the entity designating the material as CUI. For CFATS documents (for example) this would typically be something like ‘Controlled by: Infrastructure Security Compliance Division, NPPD, DHS’. The agency in this case would be DHS.

The decontrolling indicator will be used where feasible (a term that is left undefined). It will be in the format ‘Decontrol on:’ followed by either a date (YYYYMMDD) or an event. The event must be a specific event that is “foreseeable and verifiable by any authorized holder”. Including a point of contact listing for verifying the event is acceptable.

Portion Markings

As long as the banner markings for the document apply to all of the contents of the document, portion or paragraph markings are not required. They are, however, recommended. Where there is a mixture of CUI categories or subcategories in a document, or where uncontrolled information is included, portion markings are required to distinguish the difference in status.

The format for portion markings will be generally the same as for banner markings except that they will be enclosed in parentheses; for example: (CUI) for CUI Basic or (CUI/CI-CVI//NOFORN) for CUI Specific. Note in the last example that a ‘-’ is used to separate the category (Critical Infrastructure) from the subcategory (Chemical Terrorism Vulnerability Information); interestingly this convention is not used in the banner markings. Uncontrolled information will be marked with ‘(U)’.
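The banner and portion marking rules described above, as an added Python sketch that composes and validates marking strings (this is not code from the NPRM or from ISOO). The function names are hypothetical, and the use of a single ‘/’ between multiple category or LDC entries is an assumption, since the post does not say how multiple entries are separated.

```python
HEADS = ("CUI", "Controlled")  # the two first elements the post names
SEP = "/"  # ASSUMPTION: separator between entries of one group

def build_marking(specified=(), ldcs=(), portion=False, head="CUI"):
    """Compose a banner (or portion) marking, sorting each group A-Z."""
    if head not in HEADS:
        raise ValueError(f"first element must be one of {HEADS}")
    text = SEP.join([head, *sorted(specified, key=str.upper)])
    if ldcs:
        text += "//" + SEP.join(sorted(ldcs, key=str.upper))
    return f"({text})" if portion else text

def parse_marking(text):
    """Validate a marking string; return its parts or raise ValueError."""
    s = text.strip()
    portion = s.startswith("(") and s.endswith(")")
    if portion:
        s = s[1:-1]
        if s == "U":  # uncontrolled portion
            return {"portion": True, "controlled": False, "specified": [], "ldcs": []}
    groups = s.split("//")
    if len(groups) > 2:
        raise ValueError("more than one '//' separator")
    head, *specified = groups[0].split(SEP)
    if head not in HEADS:
        raise ValueError(f"first element {head!r} is not 'CUI' or 'Controlled'")
    ldcs = groups[1].split(SEP) if len(groups) == 2 else []
    for label, items in (("category", specified), ("LDC", ldcs)):
        if "" in items:
            raise ValueError(f"empty {label} marking")
        if items != sorted(items, key=str.upper):
            raise ValueError(f"{label} markings are not in alphabetical order")
    return {"portion": portion, "controlled": True, "specified": specified, "ldcs": ldcs}

if __name__ == "__main__":
    # Constructed inputs; only CI-CVI and NOFORN come from the post.
    for sample in ["CUI", "(CUI/CI-CVI//NOFORN)", "(U)", "CUI/ZZ-B/AA-A", "SECRET"]:
        try:
            print(sample, "->", parse_marking(sample))
        except ValueError as err:
            print(sample, "-> rejected:", err)
```

A check like this could run in a document template or export pipeline so that a banner with out-of-order or missing elements is caught before the document is distributed.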

There are also rules for the use of CUI markings in classified documents that I won’t go into in this post.

