Cui Documents Must Be Reviewed According To Which Procedures

playboxdownload

Mar 14, 2026 · 10 min read

    CUI Documents Must Be Reviewed According to Which Procedures

    Controlled Unclassified Information (CUI) encompasses a broad range of sensitive data that, while not classified, requires safeguarding under federal law and agency-specific policies. Because mishandling CUI can lead to unauthorized disclosure, loss of public trust, and potential legal penalties, organizations must follow a disciplined set of procedures when reviewing any document that may contain CUI. The following sections outline the essential steps, responsibilities, and best‑practice guidelines that govern the review of CUI documents, ensuring compliance with the National Archives and Records Administration (NARA) CUI Program, NIST SP 800‑171, and relevant agency directives.


    1. Understanding the Scope of CUI

    Before a document can be reviewed, reviewers must first determine whether it falls within the CUI framework. CUI is divided into two categories:

    • CUI Basic – Information that requires protection but does not have a specific handling protocol outlined in a law, regulation, or government‑wide policy.
    • CUI Specified – Information that has a specific safeguarding or dissemination control prescribed by statute, regulation, or government‑wide policy (e.g., export‑controlled data, privacy information, critical infrastructure details).

    Reviewers consult the CUI Registry (maintained by NARA) to verify the appropriate CUI category, marking requirements, and any applicable dissemination controls. If a document is not listed in the registry but appears to meet the definition of CUI, the organization’s CUI Senior Agency Official (SAO) must make a determination.


    2. Legal and Regulatory Foundations

    The review process is anchored in several key documents:

    Source – Primary Requirement for CUI Review
    • Executive Order 13556 (2010) – Establishes the CUI program and mandates uniform marking and handling.
    • NARA CUI Directive (ISOO‑CUI‑2020‑01) – Provides the CUI Registry, marking standards, and training requirements.
    • NIST SP 800‑171 Rev. 2 – Specifies security requirements for protecting CUI in non‑federal systems.
    • DoD Instruction 5200.48 (Controlled Unclassified Information) – Details DoD‑specific labeling, storage, and transmission procedures.
    • Agency‑Specific CUI Policies – May add additional controls (e.g., HIPAA for health‑related CUI, FERPA for education records).

    Reviewers must be familiar with the hierarchy: Executive Order → NARA CUI Directive → NIST SP 800‑171 → Agency‑specific guidance. Any conflict is resolved by deferring to the higher‑authority source.


    3. Step‑by‑Step Review Procedure

    A systematic review ensures that every CUI document is correctly identified, marked, stored, and transmitted. The procedure can be broken down into six sequential phases.

    3.1. Initial Identification and Screening

    1. Receive the document – Log receipt in a document control system (paper or electronic).
    2. Perform a preliminary scan – Look for indicators such as “FOR OFFICIAL USE ONLY,” “PRIVACY ACT,” “EXPORT CONTROLLED,” or agency‑specific markings.
    3. Consult the CUI Registry – Match any identified indicators to a CUI category and note the required markings and dissemination controls.
    4. Document the determination – Record the decision (CUI Basic, CUI Specified, or non‑CUI) in the review worksheet, including the registry reference and rationale.

    3.2. Marking and Labeling

    If the document is deemed CUI:

    • Apply the standard CUI marking at the top and bottom of each page:
      CUI // [Category] // [Dissemination Control]
      Example: CUI // PRIVACY // NOFORN.
    • For electronic files, embed the marking in the header/footer and include it in the file metadata (e.g., document properties, PDF/XMP).
    • Ensure that the marking is legible, durable (for paper), and not obscured by staples, bindings, or redactions.

    3.3. Handling and Storage Review

    Reviewers verify that the document’s handling environment meets the prescribed controls:

    Control – What to Check
    • Physical Security – Locked cabinets, access logs, visitor escorts for hard copies.
    • System Security – Encryption at rest (AES‑256), role‑based access control, audit logging for electronic copies.
    • Environmental Controls – Protection from fire, water, and electromagnetic interference where required.
    • Backup Procedures – Encrypted backups stored in accordance with the same CUI controls.

    Any deficiencies must be flagged for remediation before the document is cleared for further use.

    3.4. Transmission and Dissemination Check

    Before sharing a CUI document, reviewers confirm:

    • Authorized Recipients – Verify that the recipient has a legitimate need‑to‑know and is listed in the organization’s CUI access list.
    • Dissemination Controls – Ensure that markings such as NOFORN, FEDONLY, or PROPIN are respected (e.g., no transmission to foreign nationals if NOFORN applies).
    • Transmission Method – Use approved channels: encrypted email (S/MIME or PGP), secure file transfer protocol (SFTP), or government‑approved collaboration platforms.
    • Tracking – Maintain a transmission log that records date, time, sender, recipient, and method.
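    The preliminary scan (3.1), the banner marking (3.2) and the dissemination check (3.4) as an added Python example; this is not code from the original article. The indicator‑to‑category lookup and the recipient attribute names are constructed assumptions for illustration; the authoritative mapping is the NARA CUI Registry, and the marker strings follow the article’s own examples.

```python
import re

# Constructed lookup for the preliminary scan: legacy indicator text -> (CUI category,
# default dissemination control). Assumed sample values only; the authoritative mapping
# is the NARA CUI Registry. None means "no registry match: escalate to the SAO".
INDICATOR_MAP = {
    "PRIVACY ACT": ("PRIVACY", "NOFORN"),
    "EXPORT CONTROLLED": ("EXPORT", "NOFORN"),
    "FOR OFFICIAL USE ONLY": None,
}

# Banner form from phase 3.2: CUI // [Category] // [Dissemination Control]
BANNER_RE = re.compile(r"^CUI\s*//\s*([A-Z][A-Z0-9-]*)\s*//\s*([A-Z][A-Z0-9-]*)$")


def screen(text):
    """Phase 3.1: return the indicators present in the document text (case-insensitive)."""
    upper = text.upper()
    return [ind for ind in INDICATOR_MAP if ind in upper]


def build_banner(category, control):
    """Phase 3.2: the marking line applied to the top and bottom of each page."""
    return f"CUI // {category} // {control}"


def parse_banner(line):
    """Validate a marking line and return (category, control); raise if malformed."""
    m = BANNER_RE.match(line.strip())
    if not m:
        raise ValueError(f"malformed CUI banner: {line!r}")
    return m.group(1), m.group(2)


def dissemination_check(banner, recipient):
    """Phase 3.4: apply the banner's control to recipient attributes. `recipient` is a
    constructed dict with keys need_to_know, foreign_national, federal_employee."""
    _, control = parse_banner(banner)
    if not recipient.get("need_to_know"):
        return False, "recipient lacks a documented need-to-know"
    if control == "NOFORN" and recipient.get("foreign_national"):
        return False, "NOFORN: no release to foreign nationals"
    if control == "FEDONLY" and not recipient.get("federal_employee"):
        return False, "FEDONLY: release limited to federal employees"
    return True, "release permitted"
```

    A result of `False` from `dissemination_check` means the transmission is blocked and the reason is recorded in the review worksheet; the check only enforces the controls named in the article and is not a substitute for the registry lookup.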

    3.5. Disposal and Destruction Verification

    When a CUI document reaches the end of its lifecycle, reviewers must ensure proper disposal:

    • Paper – Cross‑cut shredding to a particle size of ≤5 mm, or incineration in an approved facility.
    • Electronic Media – Cryptographic erasure (e.g., NIST SP 800‑88 Clear) or physical destruction (shredding, degaussing) of storage media.
    • Certification – Obtain a disposal certificate from the responsible party and retain it for the retention period specified in the agency’s records schedule.

    3.6. Audit and Continuous Improvement

    After the review cycle, conduct an internal audit:

    • Sample Audits – Randomly select a percentage of reviewed documents to verify marking accuracy, storage compliance, and transmission logs.
    • Metrics – Track error rates (mis‑marked, mishandled, improperly disposed) and trend them over time.
    • Feedback Loop – Use audit findings to update training materials, revise SOPs, and improve the review checklist.

    4. Roles and Responsibilities

    Role – Primary Duties in CUI Document Review
    • Document Originator – Determines initial CUI status, applies provisional markings, and submits the document for formal review.
    • CUI Reviewer (Designated) – Executes the six‑step review procedure, completes the review worksheet, signs off on compliance, and forwards any ambiguities to the Senior Agency Official (SAO) for resolution.
    • Senior Agency Official (SAO) – Provides final authority on CUI classification when the reviewer encounters uncertain or conflicting guidance, ensures that escalation decisions are documented, and oversees adherence to the organization’s CUI program.
    • Information Security Officer (ISO) – Validates that technical safeguards (encryption, access controls, transmission methods) align with NIST SP 800‑171 and agency‑specific policies, and advises on remediation of identified deficiencies.
    • Records Manager – Confirms that retention schedules apply correctly, verifies that disposal actions are recorded in the records management system, and ensures that disposal certificates are retained for the required period.
    • IT/Systems Administrator – Implements and maintains approved storage repositories, backup solutions, and transmission channels; monitors logs for unauthorized access or anomalous activity.
    • Supervisor/Manager – Ensures that personnel under their direction have completed required CUI training, allocates time for review activities, and tracks completion of remediation actions flagged during reviews.
    • Internal Auditor – Conducts periodic sample audits of reviewed documents, analyzes error trends, and reports findings to the CUI program office to drive continuous improvement.

    5. Training and Awareness

    A robust CUI review program depends on well‑informed staff. Training should be tiered:

    1. Foundational Training – Mandatory for all employees who may encounter CUI. Covers definitions, marking conventions, basic handling rules, and the importance of safeguarding.
    2. Role‑Specific Training – Tailored modules for reviewers, originators, IT personnel, and records managers that dive deeper into the six‑step procedure, technical controls, and escalation pathways.
    3. Refresher & Updates – Annual refresher courses plus ad‑hoc updates whenever NIST, DoD, or agency guidance changes.
    4. Competency Assessment – Short quizzes or practical exercises after each training session; a passing score (e.g., ≥ 80 %) is required before an individual is authorized to perform CUI reviews.

    Training records must be retained in accordance with the agency’s records schedule and made available for audit upon request.


    6. Documentation and Recordkeeping

    Consistent documentation provides traceability and supports accountability:

    • Review Worksheet – A standardized form that captures each of the six steps, reviewer comments, disposition (approved, needs remediation, rejected), and electronic signature.
    • Transmission Log – Automated or manual log recording date/time, sender, recipient, method, and any transmission‑related anomalies.
    • Disposal Certificate – Issued by the responsible party (e.g., records manager or contracted disposal vendor) and includes document identifier, disposal method, date, and witness signatures.
    • Remediation Tracker – A spreadsheet or ticketing system that logs deficiencies identified during review, assigned owners, due dates, and closure verification.
    • Audit Reports – Summaries of sample audits, error rates, trend analysis, and corrective‑action plans.

    All records shall be stored in a controlled environment that meets the same CUI protections applied to the source documents (e.g., encrypted file share with role‑based access).


    7. References

    • National Institute of Standards and Technology (NIST). Special Publication 800‑17

    8. Enforcement and Accountability

    A robust CUI review program requires clear consequences for non-compliance. Establish a formal process for enforcing the review requirements:

    1. Escalation Pathways: Define clear escalation procedures for deficiencies identified during review. This should include:
      • Immediate Remediation: Requiring the originator to correct errors and resubmit the document promptly.
      • Escalation to Supervisor/Manager: For unresolved issues or persistent non-compliance, involving the employee's direct supervisor or a designated compliance officer.
      • Escalation to Security/Compliance Office: For serious or systemic failures, involving the agency's CUI Program Office or designated security authority.
    2. Performance Management: Integrate CUI review responsibilities and compliance into performance evaluations for relevant roles (reviewers, originators, supervisors). Document instances of non-compliance and follow agency disciplinary procedures, which may include:
      • Verbal/Written Warnings
      • Mandatory Retraining
      • Suspension of Review Responsibilities
      • Termination of Employment (for severe or repeated violations)
    3. Monitoring and Auditing: Continuously monitor the effectiveness of the review process through:
      • Sample Audits: Regularly auditing completed reviews to verify adherence to procedures and identify emerging trends or weaknesses.
      • Compliance Metrics: Tracking key performance indicators (KPIs) such as review completion rates, error rates, time-to-review, and remediation turnaround times.
      • Internal Investigations: Conducting investigations into specific incidents of suspected CUI mishandling or review failures.
    4. Continuous Improvement: Use audit findings, monitoring data, and feedback from enforcement actions to drive program enhancements. Regularly update procedures, training, and controls based on lessons learned and evolving threats.

    9. Continuous Improvement and Adaptation

    The CUI landscape, including threats, technologies, and regulatory requirements, is dynamic. A successful program must be agile:

    1. Regular Program Reviews: Conduct periodic (e.g., annually) comprehensive reviews of the entire CUI review program to assess effectiveness, identify gaps, and recommend improvements.
    2. Feedback Loops: Establish mechanisms for reviewers, originators, and other stakeholders to provide feedback on the review process itself (e.g., ease of use, clarity of instructions, adequacy of training).
    3. Adaptation to Change: Proactively update procedures, training materials, and technical controls in response to:
      • Changes in NIST, DoD, or agency CUI guidance.
      • New threats or vulnerabilities identified in CUI systems.
      • Technological advancements impacting CUI handling.
    4. Benchmarking: Compare program performance against industry best practices or other agencies with similar CUI responsibilities.

    Conclusion

    Implementing a comprehensive CUI review program is not a one-time project but an ongoing commitment requiring a multi-faceted approach. It hinges on clear roles and responsibilities, rigorous training and competency assessment, meticulous documentation and recordkeeping, robust enforcement mechanisms, and a relentless focus on continuous improvement. By establishing standardized procedures, ensuring personnel are adequately trained and held accountable, maintaining thorough records, and proactively adapting to change, organizations can significantly enhance their ability to protect Controlled Unclassified Information, mitigate risks, and maintain compliance with stringent regulatory and policy requirements. Success depends on the sustained, coordinated effort of every individual involved in the CUI lifecycle.
