Cui Documents Must Be Reviewed According To Which Procedures
lindadresner
Mar 13, 2026 · 7 min read
CUI Documents Must Be Reviewed According to Which Procedures: A Comprehensive Guide to Compliance
Controlled Unclassified Information (CUI) represents a critical category of government and contractor data that, while not classified, requires stringent protection due to its sensitive nature. Proper handling of CUI is not optional; it is a legal and contractual mandate. The cornerstone of this protection is a rigorous, documented review process. CUI documents must be reviewed according to specific, standardized procedures to ensure they are correctly identified, marked, stored, transmitted, and disposed of in full compliance with federal regulations. Failure to adhere to these procedures can result in severe penalties, including loss of contracts, financial fines, and reputational damage. This guide provides a detailed, step-by-step breakdown of the mandatory review procedures for any organization handling CUI.
Understanding the Foundation: What is CUI and Why Review Procedures Matter
Before diving into the "how," it is essential to understand the "what" and "why." CUI is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies. It is not classified under Executive Order 13526 but is still sensitive. Examples include sensitive but unclassified (SBU) information, proprietary business data, personally identifiable information (PII), and critical infrastructure data.
The need for a formal review procedure stems from the CUI Program, established by Executive Order 13556 and implemented by the National Archives and Records Administration (NARA). This program replaced a patchwork of agency-specific markings (like "SBU" or "FOR OFFICIAL USE ONLY") with a single, unified government-wide standard. The purpose is to eliminate confusion and ensure all handlers understand their obligations. Therefore, every document that might contain CUI must undergo a systematic review to determine its status and apply the correct controls. This review is not a one-time event but an ongoing process integrated into an organization's information lifecycle management.
The Legal and Regulatory Framework Governing CUI Review
The procedures for reviewing CUI documents are not arbitrary; they are codified in a hierarchy of binding documents. Organizations must align their internal procedures with these external mandates:
- The CUI Registry (32 CFR Part 2002): This is the definitive, NARA-maintained list of all CUI categories and subcategories. Any review must start here. The Registry defines what information is CUI, the applicable legal authority, and the specific safeguarding requirements. A reviewer must be able to cross-reference document content against the Registry's categories (e.g., CUI//PRIV, CUI//PROPIN).
- NIST Special Publication 800-171: This publication, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations, is the primary cybersecurity and handling standard for contractors and grantees. Its 14 families of security requirements (Access Control, Awareness and Training, Audit and Accountability, etc.) directly dictate how CUI must be protected after it is identified. The review procedure must assess whether the proposed handling environment (a file folder, an IT system, a shared drive) meets these requirements.
- DFARS Clause 252.204-7012 / NIST SP 800-171 Compliance: For Department of Defense (DoD) contractors, this clause mandates compliance with NIST SP 800-171. It requires not only the implementation of security controls but also the prompt reporting of cybersecurity incidents affecting CUI. A review procedure must include a step to verify that incident reporting pathways are understood and documented.
- Agency-Specific Supplements: Some agencies, like the Department of Energy (DOE) or NASA, have supplements to NIST SP 800-171 with additional, more stringent requirements. Any review for work under these agencies must incorporate these supplemental controls.
Step-by-Step: The Mandatory CUI Document Review Procedure
A compliant review process is methodical and auditable. It should be formalized in a standard operating procedure (SOP) and followed for every batch of documents, whether incoming, outgoing, or internally generated.
Step 1: Identification and Categorization
The first and most crucial step is to determine if the document contains CUI. The reviewer must:
- Examine the Source: Is the document created by the federal government? Does it originate from a contract, grant, or agreement that specifies CUI requirements?
- Analyze Content: Scrutinize the document for information types listed in the CUI Registry. Look for PII (Social Security Numbers, full dates of birth), proprietary technical data, export-controlled information, critical infrastructure details, or law enforcement sensitive data.
- Consult the Contract/Sponsoring Agency: The contract or award document will often specify which CUI categories are applicable to the work. This is the primary guide.
- Document the Determination: For every document or file set, record the decision: "CUI - Yes/No." If "Yes," specify the exact CUI category(ies) from the Registry (e.g., CUI//PRIV//PII). This log is a critical compliance artifact.
Step 2: Marking and Labeling
Once CUI is identified, it must be visibly marked according to NARA's marking standards.
- Physical Documents: The marking "CUI" must appear on the cover or first page, and on each subsequent page if the document is distributed. The specific category (e.g., "CUI//PRIV") and any applicable dissemination controls (e.g., "CUI//REL TO USA, AUS, CAN") must follow. The authorizing official's name and date may also be required.
- Electronic Files: Marking must be applied to the file name (e.g., ProjectAlpha_Specs_CUI-PROPIN.pdf) and within the document itself (header/footer). For emails, the subject line and body must include the CUI marking. Metadata tagging should also be used where possible.
- Containers: Any folder, box, or electronic directory holding CUI must also be marked with the CUI banner and category.
Step 3: Access Authorization and Need-to-Know Verification
Review is not just about labeling; it's about controlling access.
- The procedure must verify that every individual with potential access to the document has:
- A favorable security clearance (if required by the
Step 4: Secure Storage and Transmission Protocols
All CUI, once identified and marked, must be stored and transmitted using systems that meet the required safeguarding standards.
- Physical Storage: Documents must be kept in locked containers (e.g., safes, secured cabinets) within facilities that have appropriate physical security controls. Access logs for storage areas may be required.
- Electronic Storage: Files must reside on systems that are FIPS 140-2 validated for encryption (at rest and in transit), with access controlled by unique user authentication (e.g., Common Access Cards, multi-factor authentication). Network segmentation from non-CUI systems is a best practice.
- Transmission: CUI may only be sent via approved encrypted channels (e.g., SFTP, encrypted email with AES-256, secure file transfer services). Transmission logs must record sender, recipient, date/time, and document identifier. Prohibited methods include standard unencrypted email, public cloud storage links, or physical mail without proper packaging and tracking.
Step 5: Decontrolling and Disposition
The lifecycle of a CUI document does not end with storage; its eventual decontrolling or destruction must be formally managed.
- Decontrolling (Downgrading): If a document no longer meets CUI criteria (e.g., information becomes publicly available, contract requirements change), an authorized official must issue a written determination. The document's markings must be struck through or removed, and the system metadata updated. The original decontrolling authorization must be retained in the audit log.
- Disposition (Destruction): When retention periods expire or upon contract close-out, CUI must be destroyed in a manner that renders it unrecoverable. Physical documents require shredding (cross-cut) or incineration. Electronic media requires degaussing, physical destruction, or overwriting to NIST 800-88 standards. A certificate of destruction, signed by the authorized official, is a required artifact.
Step 6: Audit Trail and Continuous Monitoring
The entire process must generate a verifiable, immutable record for internal and external auditors.
- Logging: Systems must log all access events (view, copy, modify, destroy), including user ID, timestamp, and action taken.
- Review: Logs must be periodically reviewed (e.g., quarterly) by the CUI Program Manager or security team to detect anomalous or unauthorized access.
- Documentation: The complete audit trail for a document batch—from initial identification log, through marking and access approvals, to final disposition—must be compiled and retained for the life of the CUI plus the agency’s record retention schedule.
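As an added example (not code from the original article), the following Python helper shows what a Step 6 periodic log review can look like when it is driven by the other artifacts the procedure produces: the Step 1 determination log, the Step 3 access approvals and the Step 5 destruction certificates. The document ids, user names, log lines and the business-hours heuristic are all constructed assumptions for illustration.

```python
import re
from datetime import datetime

# Constructed sample artifacts (not from the article): Step 1 determination log,
# Step 3 access approvals, Step 5 destruction certificates, Step 6 access log.
DETERMINATIONS = {"DOC-001": "CUI//PROPIN", "DOC-002": "CUI//PRIV//PII", "DOC-003": None}
APPROVALS = {"asmith": {"CUI//PROPIN", "CUI//PRIV//PII"}, "bjones": {"CUI//PROPIN"}}
DESTRUCTION_CERTS = {"DOC-001"}  # document ids with a signed certificate on file
ACCESS_LOG = """\
2026-03-02T09:15:00Z asmith view DOC-001
2026-03-02T09:20:11Z bjones view DOC-002
2026-03-02T10:02:45Z cdoe copy DOC-001
2026-03-03T02:14:09Z asmith modify DOC-002
2026-03-04T11:30:00Z bjones destroy DOC-001
2026-03-04T11:35:00Z asmith destroy DOC-002
2026-03-04T11:40:00Z asmith view DOC-003
"""
# Each record carries the fields the article requires: timestamp, user ID, action, document identifier.
LINE = re.compile(r"^(\S+) (\S+) (view|copy|modify|destroy) (\S+)$")
BUSINESS_HOURS = range(7, 19)  # assumed 07:00-18:59 UTC; a local anomaly heuristic, not a rule from the article

def parse_log(text):
    """Yield (timestamp, user, action, doc) tuples; reject malformed records loudly."""
    for raw in text.splitlines():
        m = LINE.match(raw)
        if not m:
            raise ValueError(f"malformed audit record: {raw!r}")
        ts, user, action, doc = m.groups()
        yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, doc

def review_access_log(text, determinations=DETERMINATIONS, approvals=APPROVALS,
                      certs=DESTRUCTION_CERTS):
    """Return a list of (timestamp, user, doc, finding) for the CUI Program Manager to work."""
    findings = []
    for ts, user, action, doc in parse_log(text):
        if doc not in determinations:
            findings.append((ts, user, doc, "no determination record"))
            continue
        category = determinations[doc]
        if category is None:  # determined "CUI - No": nothing to enforce
            continue
        if category not in approvals.get(user, set()):  # need-to-know not on file
            findings.append((ts, user, doc, f"unauthorized access to {category}"))
        if ts.hour not in BUSINESS_HOURS:
            findings.append((ts, user, doc, "access outside business hours"))
        if action == "destroy" and doc not in certs:  # Step 5 artifact missing
            findings.append((ts, user, doc, "destruction without certificate"))
    return findings

if __name__ == "__main__":
    for ts, user, doc, finding in review_access_log(ACCESS_LOG):
        print(f"{ts:%Y-%m-%d %H:%M} {user:8} {doc}  {finding}")
```

Running it against the constructed log produces four findings: one unapproved category access, one access by a user with no approval record, one off-hours modification and one destruction with no certificate on file.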
Conclusion
Implementing this mandatory, step-by-step review procedure transforms CUI compliance from a theoretical requirement into an operational discipline. By methodically addressing identification, marking, access, storage, transmission, and disposition within a single, auditable workflow, organizations create a defensible posture that satisfies NARA's intent, the specific contract clauses such as DFARS 252.204-7012, and the standards those clauses invoke, such as NIST SP 800-171. The true measure of success is not merely the completion of these steps, but the consistent generation of the audit artifacts they produce. These records (the determination logs, marking certifications, access approvals, and destruction certificates) are the tangible proof of due diligence. Ultimately, a rigorously applied review procedure is the cornerstone of protecting sensitive government information, thereby safeguarding national security interests, preserving proprietary value, and maintaining the trust essential for continued federal partnership.