How to Identify Authorized Recipients of Controlled Unclassified Information

In the defense industrial base, Controlled Unclassified Information (CUI) flows up and down the supply chain. It moves from the development and delivery of products and services to the Department of Defense (DoD).

But who should or shouldn’t have access to CUI? To answer this, we must look at the laws and regulations that govern access to CUI. There are specific controls that protect unauthorized disclosure.

According to 32 CFR 2002.16, authorized holders must meet four conditions to permit access to or dissemination of CUI:

1. Follow laws, regulations, or Government-wide policies that established the CUI category or subcategory
2. Furthers a lawful Government purpose
3. Isn’t restricted by an authorized limited dissemination control established by the CUI EA
4. Is not otherwise prohibited by law

It’s also necessary to understand the process for decontrolling and public release of CUI, as well as incidents that are worth reporting.

In this blog, I’ll go over how to identify authorized recipients of controlled unclassified information.

Access to CUI (Lawful Government Purpose)

The first thing to note is the standard for sharing CUI. This standard is the "Lawful Government Purpose”. 32 CFR 2002.4 (bb) defines this as…

Okay, maybe that confused you even more. Since this definition is complex, let's simplify it.

The first part of the definition identifies a reason to share the information. It may be any activity, mission, function, operation, or endeavor. To simplify this subject, we'll replace it with the all-encompassing word “undertaking”.  

The second part of the definition identifies the authority. This can either be the US Government or non-executive branch entities, such as state and local law enforcement.  To simplify these authorities, we'll call them “the Government”.

The verbs that join these sections are authorize or recognize. Let’s simplify this to “affirm”.  

When we restate this in simple terms, we get “any undertaking that the Government affirms as within the scope of its legal authorities.”

Now that this is a little easier to understand, what does it mean for sharing CUI?

Only share CUI when...

• There’s a common undertaking (between agencies, under a contract or an agreement)
• The contents will help achieve the shared goals

Do not share CUI if it harms or obstructs a common undertaking.

Information Sharing Agreements

All recipients need to know how to handle CUI when sharing with an authorized non-executive branch entity.

When feasible, agencies should enter into a formal agreement that includes or states the following...

• Handle CUI per Executive Order 13556, 32 CFR 2002, and the CUI Registry
• Misuse of CUI is subject to penalties established by laws, regulations, or Government-wide policies
• Requirements to report any non-compliance to the disseminating agency

If an agency can’t enter into a formal information sharing agreement, the agency must communicate to the recipient that...

• the Government encourages CUI handling per these authorities
• such protections should accompany the CUI if the entity further distributes it.

Agreements with foreign entities must also encourage the protection of CUI. Arrangements may include safeguarding or dissemination controls. If that’s the case, then the agency must use approved markings on CUI received from or sent to foreign entities. If the disseminating agency isn’t the designating agency, then it must notify the designating agency.

Sharing US Government information with foreign entities is only permissible if...

• The entity has the authorization to receive the information
• The sharer has the authorization to pass the information
• The sharing complies with US laws and regulations
• The sharing benefits the US Government

Limited Dissemination Controls

The CUI Executive Agent (EA) approves limited dissemination controls (LDCs) and publishes them in the CUI Registry.  These place even more limits on sharing CUI.

Only the designating agency and authorized holders may apply LDCs. Others must request permission from the designating agency.

Designating entities may combine approved LDCs listed in the CUI Registry. You can find the complete list of LDCs here.

Distribution Statements

DoDI 5230.24 authorizes distribution statements for use with controlled technical information. And it also authorizes statements for use with other scientific, technical, and engineering data.

These statements sometimes coincide with LDCs. Let’s look more in-depth at these...

Distribution Statement A:

• Approved for public release
• Distribution unlimited
• Applies in the absence of LDC

Distribution Statement B:

• Distribution authorized to US Government agencies only
• Aligns to FED ONLY LDC

Distribution Statement C:

• Distribution authorized to US Government agencies and their contractors
• Aligns to the FEDCON LDC

Distribution Statement D:

• Distribution authorized to listed Department of Defense and US DoD contractors only
• Includes separate lists for authorized Government Agencies and Contractors

Distribution Statement E:

• Distribution authorized to listed DoD Components only
• Includes a list of authorized DoD Components

Distribution Statement F:

• Further dissemination only as directed by the controlling DoD Office or higher DoD authority
• Aligns to the DL ONLY LDC

Distribution Statement X:

• US Government agencies and private individuals or enterprises eligible to obtain export-controlled technical data under DoDD 5230.25
• Distribution Statement C now supersedes Distribution Statement X

Export Controlled Information

Some CUI is export-controlled information which may need further protection. DoD officials must pay attention to export control regulations and access restrictions on each type of CUI. This ensures compliance with export requirements, especially when non-US citizens visit their organizations.

If a document contains export-controlled technical data, it receives an export control warning. It then gets assigned Distribution Statement B, C, D, E, or F. These need an “Export Controlled” specification as the reason for the limitation.

Release to non-US Citizens

As if things weren’t complicated enough, there are more guidelines to follow when releasing CUI to non-US citizens.

Non-US citizens employed by the DoD may receive CUI if...

• Access is within the scope of their assigned duties
• Access would further the execution of a DoD undertaking
• Access is not detrimental to DoD interests or the US Government
• There are no contract restrictions prohibiting access
• It complies with DoDD 8500.01E, DoD 5200.2-R, and export control regulations.

Non-US citizens must execute a nondisclosure agreement approved by appropriate DoD Component authorities.

Decontrolling

In some cases, agencies can decontrol CUI that their agency designated. They may do this if it no longer requires safeguarding or dissemination controls.

The designating agency can decontrol CUI in response to a request by...

• an authorized holder
• a declassification action by Executive Order

Agencies may decontrol CUI through an affirmative decision to release it to the public, or based on one of the following...

• When laws, regulations, or Government-wide policies no longer need its control as CUI
• When the agency discloses it under a relevant data access statute, such as the FOIA, or the Privacy Act (when legally permissible)
• When a predetermined event or date occurs as described in §2002.20(g), unless a law, regulation, or Government-wide policy requires coordination first

The Archivist of the United States can decontrol records transferred to the National Archives. It does this to facilitate public access and can do so without a specific agreement with the designating agency.

Authorized holders don’t have to mark that CUI is no longer controlled unless they’re re-using it. Decontrolling CUI relieves authorized holders from handling requirements. But it doesn’t constitute authorization for public release. Any public release must follow applicable laws and agency policies on the public release of information.

Public Release of Declassified Documents

To ensure protection before the release of data, all CUI documents must go through a public release review.

DoDI 5230.29 explains how to submit records to the Defense Office of Prepublication and Security Review. A government representative of the submitting office must sign DD Form 1910.  This approves publicly releasing the materials.

Release or disclosure of CUI to foreign governments or international organizations must adhere to DoDD 5230.20. Appropriate authorities must approve data before release or before granting an export license under ITAR or EAR.

Reporting CUI Incidents

No individual or system is perfect, so unfortunately incidents may occur. If an incident occurs involving CUI, it must get reported immediately.

Agencies need ways for employees to report these incidents. This could be through hotlines, email addresses, or points of contact.

These CUI incidents may include...

• Improper storage of CUI
• Actual or suspected mishandling of CUI
• Unauthorized individuals gaining physical or electronic access to CUI
• Unauthorized release of CUI, either to public-facing websites or to unauthorized individuals
• Suspicious behavior from the workforce (insider threats)
  • General disregard for security procedures
  • Seeking access to information outside the extent of current responsibilities
  • Attempting to enter or access sensitive areas

Conclusion

To reiterate the purpose of this blog, there are laws and regulations to consider before granting access to CUI. By now, you know the key considerations for sharing this sensitive information.

Recipients must have a lawful government purpose. Distributing the information must further the goals of the government.

Recipients must acknowledge their responsibility in handling CUI through an information sharing agreement. Are there any limited dissemination controls or distribution statements that could prohibit access?

If the recipient isn’t a US citizen, then you must also consider export controls that need government authorization.

Each of these is necessary to consider since anyone entrusted to handle CUI also has the responsibility to protect it.

‍