Is my organization’s information CUI?
In short, no. According to the National Archives and Records Administration (NARA), Controlled Unclassified Information is defined as:
Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information (see definition above) or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. (emphasis added)
Source: NARA CUI Registry Glossary, Definition of CUI
As you can see from the definition, a threshold requirement is that information must have been created or possessed by the government, or created or possessed for or on behalf of the government. If your organization’s information is not created or possessed for or on behalf of the government, then it will not meet the definition of CUI.
In fact, as the second sentence makes clear, the CUI definition only applies to executive branch information. Let's look at that in a bit more detail. If information that meets the other requirements for CUI was created by the judicial branch, but you received it through a contract with an executive branch agency, then that information will still be CUI. By contrast, if you were to enter into an agreement with the judicial branch directly, that information will not be CUI. We also examine how this applies to a specific type of CUI, Social Security numbers, in another FAQ entry.
Our FCI/CUI Decision Tree can help you understand when information is likely to be FCI or CUI, and if you need some additional guidance, the recording of our CUI Informed Event “Demystifying Controlled Unclassified Information” may also be helpful.