The US government has finalized a rule, published on September 14, 2016, taking significant steps toward standardizing the treatment of non-classified sensitive US government information by both executive agencies and government contractors.
Controlled unclassified information (CUI) is information held by the Federal Government that is sensitive but unclassified. It includes such broad categories as proprietary information, export-controlled information, and certain information relating to legal proceedings. Despite the recent public spotlight on government protection of sensitive data, until this rule there was no unified law governing the designation and safeguarding of CUI; instead, agencies used their own conventions.
The final rule, effective November 14, 2016, will now exclusively govern the treatment of CUI by both executive agencies and government contractors. Although the final rule applies only to federal agencies, it requires that all agency-written agreements (including contracts, grants, and licenses) with contractors that involve CUI include a provision requiring the handling of CUI in accordance with the final rule. Further information is available in our October 2016 Advisory.