Free Resources:

  • Template: CUI NDA - used similarly to SF312 but for CUI. Have employees sign this after they complete your CUI training.

  • Template: CUI PM job req. - use this to hire a CUI program manager!

  • CUI poster

Policies and Regulations:

Controlling unclassified information is a government-wide initiative directed by Executive Order 13556 that impacts more than 100 departments and agencies within the executive branch. Federal departments and agencies are required to develop CUI programs. The Information Security Oversight Office (ISOO), under the National Archives and Records Administration (NARA), issued 32 CFR Part 2002 for the executive branch, and DOD further issued requirements for CUI implementation in DODI 5200.48.

  • 2010 Executive Order 13556 “The beginning of CUI”

    • Established the program for managing unclassified information in the Executive branch. It created a common definition and protocols for marking documents to remove inefficiency and confusion.

  • 2016 CFR - Part 2002 of Title 32 “Implementing Regulation”

    • Establishes how CUI should be handled, safeguarded, and disseminated within federal agencies and by contractors.

  • 2020 NIST SP 800-171 (100 pages) “Computer Security Instructions”

    • Assigned by ISOO CUI Notice 2020-04. All organizations that work with a federal agency must follow the NIST SP 800-171 requirements in order to be considered for government contracts. 

  • 2020 DOD INSTRUCTION 5200.48 “Instructions”

    • Implements E.O. 13556 and 32 CFR Part 2002 and establishes policies for the handling, designating, and decontrolling of CUI within the Department of Defense (DoD). The instruction was issued in March 2020 and implements the Federal CUI mandate, which was established by Executive Order 13556. 

  • 2024 DFARS 252.204-7012 “Instructions”

    • The DFARS 252.204-7012 clause (aka DFARS 7012) was created in response to increases in cyberthreats aimed at our Defense Industrial Base (DIB).