We regularly hear from contractors that they are confused about how to handle information marked as For Official Use Only (“FOUO”), Sensitive but Unclassified (“SbU”), or other “legacy” markings under the new Controlled Unclassified Information (“CUI”) program. Another common question is how to handle information that isn’t marked as CUI but which the contractor THINKS might actually be CUI.

In some cases, these contractors are being told by consultants and others that they should add CUI markings to the information. Thankfully, the contractors’ “Spidey-Sense” tells them that this might not be right. We agree with them – that’s not the right approach. At least, not without authorization from an authorized government representative (sorry for using “authorized” twice there, but it’s important!).

In short, as we’ve discussed in previous posts, marking information as CUI is an inherently governmental function, and government contractors are not authorized to mark any information as CUI without some kind of delegated authority from the government.

There appears to be some confusion in the broader government contractor/service provider/consultant community over these topics. Some argue that “authorized holders” can mark legacy information, as well as newer “suspected CUI” (i.e., information the contractor things is CUI but isn’t marked) as CUI. They even point to different statutes as the basis for their arguments. Unfortunately, their reading of the statutes is inconsistent with the plain language in other portions of the statutes, and they are actually advising contractors to do something that is against the law. At the end of the day, while a contractor’s liability may be relatively low, it’s still not the right direction in which to point contractors.

Read on if you want to learn more!

Hierarchy of the CUI Program

To help clear up some of the confusion, it is important to first understand the hierarchical nature of the different executive orders, regulations, and instructions/memos involved. The CUI program traces its origins back to Executive Order 13556.  As part of that Executive Order, former President Obama directed the National Archives and Records Administration (“NARA”) to create the CUI program.  NARA eventually published the CUI program as 32 Code of Federal Regulations (“CFR”) §2002.  This is a series of regulations that apply to the federal government agencies and, by extension, to contractors and others handling CUI.  DoD’s efforts, including any DoD memos, CMMC, and DFARS 252.204-7012, -7019, and -7020, all are based on 32 CFR §2002 and supplement what’s in the CFR. DoD’s efforts cannot contradict what’s in the CFR, but they can act to add additional clarity/context for DoD’s CUI program.

Starting from the Beginning

So, when determining how to handle CUI, and especially legacy/unmarked information, you should always start by looking to 32 CFR §2002. NARA specifically addressed legacy and unmarked information in 32 CFR §§2002.50 and .52.

If you take a moment to read those sections, you’ll note a few important quotes, including: 

“Authorized holders of CUI who, in good faith, believe that its designation as CUI is improper or incorrect, or who believe they have received unmarked CUI, should notify the disseminating agency of this belief.” (emphasis added).

32 CFR §2002.50(a)

NARA later refers to this as a “challenge”. They then go on to say:

“Until the challenge is resolved, authorized holders should continue to safeguard and disseminate the challenged CUI at the control level indicated in the markings.”  (emphasis added).

32 CFR §2002.50(d)

This means that the contractor must continue to treat the challenged information (whether legacy information or suspected CUI) as NON-CUI until they hear back from the agency. Note that 32 CFR §2002 doesn’t say the contractor should mark the challenged information as CUI. In fact, they say just the opposite. Thus, the contractor does not have authorization to mark it as CUI.

NARA even takes this one step further a little later in 32 CFR §2002. If the contractor doesn’t agree with the agency’s response to the challenge, the contractor can initiate a dispute in accordance with §2002.52. That section states, in part:

“Until the dispute is resolved, authorized holders should continue to safeguard and disseminate any disputed CUI at the control level indicated in the markings, or as directed by the CUI EA if the information is unmarked.” (emphasis added).

32 CFR §2002.52(f)

As with the “challenge” process above, this means that contractors should continue to treat the legacy and suspected CUI as non-CUI until either the dispute is resolved or the ISOO (the NARA component that oversees the CUI program, also referred to as the CUI EA or Executive Agent) tells them otherwise. So, it’s pretty clear that 32 CFR §2002 does not delegate to the contractor any authority to mark legacy information or suspected CUI as CUI.

Legacy Information Under DoD’s CUI Program

DoD Instruction 5200.48 (“DoDI 5200.48“) is an instruction from the Office of the Under Secretary of Defense for Intelligence and Security to all DoD components.  It lays out DoD’s approach to implementing the CUI program defined in 32 CFR §2002.  

DoDI 5200.48 Section 3.2 includes instructions on how to treat “legacy” information, including FOUO. DoDI 5200.48 Section 3.2.b. clearly states:

“DoD legacy information does not automatically become CUI.  It must be reviewed by the owner of the information to determine if it meets the CUI requirements.  If it is determined the specific legacy information meets the CUI requirements, it will be marked in accordance with this issuance and corresponding manual.” (emphasis added).

DoDI 5200.48 Section 3.2.b

So, DoDI 5200.48 makes it very clear that only the owner of the information is authorized to determine if information meets the CUI requirements. Contractors are not the owners of most CUI information (there may be some limited exceptions, but they are not likely to occur often for most contractors). Thus, contractors are not authorized to mark legacy information as CUI. If a contractor has information marked as FOUO and they suspect that it might be CUI, the contractor is expected to ask the information owner if the information is CUI.  Until the owner of the information makes a determination, it is not CUI.

Unmarked Suspected CUI Under DoD’s CUI Program

32 CFR §2002 includes language that gives agencies latitude to determine how to handle the “challenges” described above, including how to handle suspected CUI. Since DoDI 5200.48 does not have an explicit provision that describes how DoD will handle challenges, 32 CFR §2002 makes it clear that its rules apply. As noted above, 32 CFR §2002 does not grant contractors authorization to mark suspected CUI as CUI on their own. They must ask the information owner to make a determination and await the information owner’s decision.

Summary

Nothing in 32 CFR §2002 or DoDI 5200.48 grants contractors the authority to mark legacy information or suspected CUI as CUI. The contractors must ask the information owner for guidance on how to handle the information.

A Few Additional Notes

  1. When the contractor created or received legacy information (e.g., FOUO), their contract included provisions that told them how they are obligated to treat that information. Nothing in the foregoing analysis changes ANY of those obligations. The contractor must continue to treat the legacy information as per the contract under which it was created or received.  All that the above analysis says is that legacy information does not automatically become CUI, and that contractors do not have the authority to mark it as CUI on their own.
  2. Let’s also go one step deeper. There is a difference between a contractor’s legal obligations and practice. As noted above, legacy information must be protected as per the contract under which it was created/received. If a contractor thinks that legacy information constitutes CUI, they can’t mark it as such. But that doesn’t mean they can’t protect it anyway. Nobody will ding the contractor for doing the equivalent of putting a $100 bill into a safety deposit box.  That is, the contractor can always choose to “over protect” the information based on the legacy markings (or lack of markings). But the contractor shouldn’t expect the government to pay any additional costs they incur for the “extra” protection that the government hasn’t authorized/required.  
  3. Since contractors aren’t authorized to do so, they must not add CUI markings to unmarked or legacy information, even if they disseminate that information to a subcontractor.  Contractors can, however, put subcontractors on notice that the contractor is challenging the government’s analysis of the information and that the subcontractor might also want to treat it as though it was CUI just in case the challenge is successful.