On September 14, 2016, the US National Archives and Records Administration (NARA) issued a final rule regarding controlled unclassified information (CUI). The final rule defines CUI as “information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.” Based on this new definition, an agency’s treatment of information as CUI may be mandatory or permissive, and would give the agency the ability to designate information as CUI provided it is not expressly prevented from doing so.

The final rule’s safeguarding standards require agencies to protect CUI “at all times in a manner that minimizes the risk of unauthorized disclosure while allowing timely access by authorized holders.” This includes a requirement that agencies ensure that CUI is protected by “non-executive branch entities,” including private contractors. The final rule formally provides for the creation and utilization of a CUI Registry to address, among other things, the uniform level of protection required for protection of each subcategory of information. 

The safeguarding standards addressed in the final rule will rely upon the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171. According to the final rule, NIST SP 800-171 “defines the requirements necessary to protect CUI Basic on non-Federal information systems” and agencies “must use NIST SP 800-171 when establishing security requirements to protect CUI’s confidentiality on non-Federal information systems[.]” The final rule confirms that contractors dealing with CUI will be required to comply with some subset of the standards outlined in NIST SP 800-171, depending upon the classification of the information maintained. A forthcoming Federal Acquisition Regulation (FAR) clause will apply CUI security controls to contractors. The rule will become effective on November 14, 2016. (81 Fed. Reg. 63,324, 09/14/16)