Policies and Regulations:

Controlling unclassified information is a government-wide initiative directed by Executive Order 13556 that impacts more than 100 departments and agencies within the executive branch. Federal departments and agencies are required to develop CUI programs. The Information Security Oversight Office (ISOO), under the National Archives and Records Administration (NARA), issued 32 FCR Part 2002 for the executive branch and DOD further issued requirements for CUI implementation in DODI 5200.48

2010 Executive Order 13556 “The beginning of CUI”

• Establishes the program for managing unclassified information in the Executive branch. Creates a uniformed program, common definition, and protocols for marking documents to remove inefficiency and confusion.

2016 CFR – Part 2002 of Title 32 “Implementing Regulation”

• Establishes how CUI should be handled, safeguarded, and disseminated.

2020 DOD INSTRUCTION 5200.48 “Instructions”

• Implements E.O. 13556 and 32 CFR Part 2002 and establishes policies for the handling, designating, and decontrolling of CUI within the Department of Defense (DoD). The instruction was issued in March 2020 and implements the Federal CUI mandate, which was established by Executive Order 13556.

2024 DFARS 252.204.7012 “Instructions”

• This clause (aka DFARS 7012) was created in response to increases in cyberthreats aimed at our Defense Industrial Base (DIB).

2024: NIST SP 800–171 r3 “Computer Security Instructions”

• Originally implemented via the ISOO CUI Notice 2020-04. Required for all organizations that work with Government contracts.

• Also check out the NIST Special Publication 800-171

CMMC 2.0 (Expected Final Rule in 2025)

• Coming soon… we hope!

Keep in mind, your agency/customer may have agency-specific CUI Policies!

• Agencies like DOE, DHS, and DOJ often have internal memos, manuals, or supplements to 32 CFR 2002.

• DoD is the only one with a standalone instruction (5200.48), but others may be relevant depending on your customer.