[Federal Register Volume 80, Number 89 (Friday, May 8, 2015)]
[Proposed Rules]
[Pages 26501-26511]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-10260]

NATIONAL ARCHIVES AND RECORDS ADMINISTRATION

Information Security Oversight Office

32 CFR Part 2002

[FDMS No. NARA-15-0001; NARA-2015-037]
RIN 3095-AB80

Controlled Unclassified Information

AGENCY: Information Security Oversight Office, NARA.

ACTION: Proposed rule.

SUMMARY: As the Federal Government's Executive Agent for Controlled Unclassified Information (CUI), the Information Security Oversight Office (ISOO) of the National Archives and Records Administration (NARA) implements the Federal Government-wide CUI Program. As part of that responsibility, ISOO proposes this rule to establish policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the Program.

DATES: Submit comments on or before July 7, 2015.

ADDRESSES: You may submit comments, identified by RIN 3095-AB80, by any of the following methods:

Federal eRulemaking Portal: http://www.regulations.gov. Follow the instructions for submitting comments.
Email: [email protected]. Include RIN 3095-AB80 in the subject line of the message.
Fax: 301-837-0319. Include RIN 3095-AB80 in the subject line of the fax cover sheet.
Mail (for paper, disk, or CD-ROM submissions. Include RIN 3095-AB80 on the submission): Regulations Comment Desk, Strategy Division (SP); Suite 4100; National Archives and Records Administration; 8601 Adelphi Road; College Park, MD 20740-6001.
Hand delivery or courier: Deliver comments to front desk at the address above.
Instructions: All submissions must include NARA's name and the regulatory information number for this rulemaking (RIN 3095-AB80). We may publish any comments we receive without changes, including any personal information you include.

FOR FURTHER INFORMATION CONTACT: Kimberly Keravuori, by email at [email protected], or by telephone at 301-837-3151. You may also find more information about the CUI Program, and some FAQs, on NARA's Web site at http://www.archives.gov/cui/.

SUPPLEMENTARY INFORMATION:

Background

The President is committed to making the Government more open to the American people, as outlined in his January 21, 2009, memorandum to the heads of executive branch agencies. However, the Government must still protect some unclassified information, pursuant to and consistent with applicable laws, regulations, and Government-wide policies. This information is called Controlled Unclassified Information (CUI). Prior to Executive Order 13556, Controlled Unclassified Information, 75 FR 68675 (November 4, 2010) (the Order), more than 100 different markings for such information existed across the executive branch. This ad hoc, agency-specific approach created inefficiency and confusion, led to a patchwork system that failed to adequately safeguard information requiring protection, and unnecessarily restricted information-sharing. As a result, the Order established the CUI Program to standardize the way the executive branch handles information that requires safeguarding or dissemination controls (excluding information that is classified under Executive Order 13526, Classified National Security Information, 75 FR 707 (December 29, 2009), or any predecessor or successor order; or the Atomic Energy Act of 1954 (42 U.S.C. Sec. 2011, et seq.), as amended). To develop policy and provide oversight for the CUI Program, the Order also appointed NARA as the CUI Executive Agent. NARA has delegated this authority to the Director of ISOO, a NARA component.
Regulatory Analysis

Review Under Executive Orders 12866 and 13563

Executive Order 12866, Regulatory Planning and Review, 58 FR 51735 (September 30, 1993), and Executive Order 13563, Improving Regulation and Regulation Review, 76 FR 23821 (January 18, 2011), direct agencies to assess all costs and benefits of available regulatory alternatives and, if regulation is necessary, to select regulatory approaches that maximize net benefits (including potential economic, environmental, public health and safety effects, distributive impacts, and equity). This proposed rule is ``significant'' under section 3(f) of Executive Order 12866 because it sets out a new program for Federal agencies. The Office of Management and Budget (OMB) has reviewed this regulation.

Review Under the Regulatory Flexibility Act (5 U.S.C. 601, et seq.)

This review requires an agency to prepare an initial regulatory flexibility analysis and publish it when the agency publishes the proposed rule. This requirement does not apply if the agency certifies that the rule will not, if promulgated, have a significant economic impact on a substantial number of small entities (5 U.S.C. 603). NARA certifies, after review and analysis, that this proposed rule will not have a significant adverse economic impact on small entities. However, information on the number of small entities contracting, or wishing to contract, with the executive branch that have not already implemented appropriate information systems standards for handling CUI is unreported and difficult to collect, in part because it could reflect adversely on a contractor in other ways. As a result, while NARA believes from all available information that the economic impact would be minimal, if any, we are opening this issue to public comment in addition to the content of the proposed rule, in case reviewers have additional information to the contrary that was not available to NARA.
The CUI Program provides a unified system for handling unclassified information that requires safeguarding or dissemination controls, and sets consistent, executive branch-wide standards and markings for doing so. The CUI Program has established controls pursuant to and consistent with already-existing applicable law, Federal regulations, and Government-wide policy. However, because those authorities, as well as ad hoc agency policies and practices, were often applied in different ways by different agencies, the CUI Program also establishes unambiguous policy, requirements, and consistent standards. The Order establishes that the CUI Executive Agent, designated as NARA, ``shall develop and issue such directives as are necessary'' to implement the CUI Program (Section 4b). NARA has delegated this authority to the Director of the Information Security Oversight Office (ISOO). Consistent with this tasking, and with the CUI Program's mission to establish uniform policies and practices across the Federal Government, NARA is issuing a regulation, to establish the required controls and markings Government-wide. There is no viable alternative to a rule for meeting the Order's mandate to establish consistent information security standards Government-wide. A regulation binds agencies throughout the executive branch to uniformly apply the Program's standard safeguards, markings, and disseminating and decontrol requirements. The proposed rule contains a consistent program that NARA developed in consultation with affected stakeholders, including private industry and Federal agencies. While developing this program, NARA conducted working group discussions and surveys, consolidated and streamlined current practices, and developed initial drafts that underwent both formal and informal agency comment and CUI Executive Agent comment adjudication for individual policy elements. 
NARA believes that this proposed rule will benefit industry that contracts with the Federal Government, including small businesses. In the present contractor environment, differing requirements and conflicting guidance from agencies for the same types of information give rise to confusion and inefficiencies for contractors working with more than one agency or handling information originating from different agencies. A single standard that de-conflicts requirements for contractors or potential contractors when contracting with multiple Government agencies will be simpler to execute and reduce costs. Because the regulation's uniform controls derive from already-required laws, regulations, and Government-wide policies, the standards are already ones with which businesses should be complying and the impact of the rule should be minimal or non-existent. Those entities that currently do not implement information systems security controls for CUI consistent with requirements contained in the regulation will need to make changes and implement new practices, which could therefore have an impact on such businesses. Consistent with the Order, these requirements are based on applicable Government-wide standards and guidelines issued by the National Institute of Standards and Technology (NIST), and applicable policies established by OMB (Section 6a3). These standards, which OMB and NIST established, have been in effect for some time, and were not created by this proposed rule. Rather, the proposed rule requires use of these standards in the same way throughout the executive branch, thereby reducing current complexity for agencies and contractors. The potential impact on businesses currently not in compliance with these standards arises from the possibility that some might need to take actions to bring themselves into compliance with already-existing requirements if they are not already.
From all available information, NARA believes this impact will be minimal, but reporting on non-compliance with these OMB and NIST standards is limited. If any businesses are not in compliance with these requirements, or are substantially out of compliance, the impact on those entities may be significant. NARA has taken steps, however, to alleviate the difficulty for contractors and small businesses of complying with information systems requirements, whether they already comply or will need to comply in future. Many of the security controls contained in the NIST guidelines are specific to Government systems, and thus have been difficult for contractors to implement with their own already-existing systems. This has also limited some businesses from competing for Federal contracts. Non-Federal systems are often built using different processes from the Government-specific ones outlined in the NIST guidelines, even while achieving the same standard of protection as set forth in the Federal Information Processing Standards (FIPS). NARA has therefore partnered with NIST to develop a special publication on applying the information systems security requirements in the contractor environment. Doing so should make it easier for businesses to comply with the standards using the systems they already have in place, rather than trying to use the Government-specific approaches currently described. This publication has already undergone one round of public comment as NIST SP-800-171 and is undergoing a second round of public comment until May 12, 2015; we expect to finalize it in June 2015. The CUI Executive Agent is also planning a single Federal Acquisitions Regulation (FAR) clause that will apply the requirements of the proposed rule to the contractor environment and further promote standardization to benefit a substantial number of businesses, including small entities that may be struggling to meet the current range and type of contract clauses. 
In the process of this three-part plan (rule, NIST publication, standard FAR clause), businesses will not only receive streamlined and uniform requirements for any unclassified information security needs, but will have information systems requirements tailored to contractor systems, allowing the businesses to help develop the requirements and to be in compliance with Federal uniform standards with less difficulty than currently. Businesses that currently meet all standards will have a clearer and easier time doing so in the future with virtually no negative impact, and businesses that do not currently meet standards will be able to bring themselves into compliance more easily as well, thus reducing the potential impact coming into compliance would have on them. Despite all of this, there may still be a significant impact on small businesses, related to bringing themselves into compliance with existing standards that will be applied uniformly under this rule. NARA does not have data on how many small businesses may be impacted by this rule, or to what degree, because such information on compliance with the standards involved is not tracked for small businesses. NARA therefore opens this topic for input from small businesses during the public comment period.

Review Under the Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et seq.)

This proposed rule does not contain any information collection requirements subject to the Paperwork Reduction Act.

Review Under Executive Order 13132, Federalism, 64 FR 43255 (August 4, 1999)

Review under Executive Order 13132 requires that agencies review regulations for Federalism effects on the institutional interest of states and local governments, and, if the effects are sufficiently substantial, prepare a Federal assessment to assist senior policy makers. This proposed rule will not have any direct effects on State and local governments within the meaning of the Executive Order. Therefore, no Federalism assessment is required.
List of Subjects in 32 CFR Part 2002

Administrative practice and procedure, Archives and records, Controlled unclassified information, Freedom of information, Government in the Sunshine Act, Information, Information security, National security information, Open government, Privacy.

For the reasons stated in the preamble, NARA proposes to amend 32 CFR, Chapter XX, by adding part 2002 to read as follows:

PART 2002--CONTROLLED UNCLASSIFIED INFORMATION (CUI)

Subpart A--General Information

Sec.
2002.1 Purpose and scope.
2002.2 Definitions.
2002.3 CUI Executive Agent.
2002.4 Roles and responsibilities.

Subpart B--Key Elements of the CUI Program

2002.10 The CUI Registry.
2002.11 CUI categories and subcategories.
2002.12 Safeguarding.
2002.13 Accessing and disseminating.
2002.14 Decontrolling.
2002.15 Marking.
2002.16 Waivers of CUI requirements in exigent circumstances.
2002.17 Limitations on applicability of agency CUI policies.

Subpart C--CUI Program Management

2002.20 Education and training.
2002.21 Agency self-inspection program.
2002.22 Challenges to designation of information as CUI.
2002.23 Dispute resolution.
2002.24 Misuse of CUI.
2002.25 Sanctions for misuse of CUI.
2002.26 Transfer of records.
2002.27 CUI and the Freedom of Information Act (FOIA).
2002.28 CUI and the Privacy Act.

Authority: E.O. 13556, 75 FR 68675, 3 CFR, 2010 Comp., pp. 267-270.

Subpart A--General Information

Sec. 2002.1 Purpose and scope.

(a) This part describes the executive branch's Controlled Unclassified Information (CUI) Program (the CUI Program) and establishes policy for designating, handling, and decontrolling information that qualifies as CUI.

(b) The CUI Program standardizes the way the executive branch handles sensitive information that requires protection under laws, regulations, or Government-wide policies, but that does not qualify as classified under Executive Order 13526, Classified National Security Information, December 29, 2009 (3 CFR, 2010 Comp., p. 298), or the Atomic Energy Act of 1954 (42 U.S.C. 2011, et seq.), as amended.

(c) Prior to the CUI Program, agencies often employed ad hoc, agency-specific policies, procedures, and markings to handle this information. This patchwork approach caused agencies to mark and handle information inconsistently, implement unclear or unnecessarily restrictive disseminating policies, and create obstacles to sharing information.

(d) An executive branch-wide CUI policy balances the need to safeguard CUI with the public interest in sharing information appropriately and without unnecessary burdens.

(e) This part applies to all executive branch agencies that designate or handle information that meets the standards for CUI. This part also applies, by extension, to agency practices involving non-executive branch CUI recipients, as follows:

(1) Contractors handling CUI for an agency. Executive branch agencies must include a requirement to comply with Executive Order 13556, Controlled Unclassified Information, November 4, 2010 (3 CFR, 2011 Comp., p. 267) (the Order), and this part in all contracts that require a contractor to handle CUI for the agency. The contractual requirement must be consistent with standards prescribed by the CUI Executive Agent.

(2) Other non-executive branch entities. When feasible, executive branch agencies should enter formal information-sharing agreements and include a requirement that any non-executive branch party to the agreement comply with the Order, this part, and the CUI Registry. When an agency's mission requires it to disseminate CUI without entering into an information-sharing agreement, the agency must communicate to the recipient that because of the sensitive nature of the information, the Government strongly encourages the non-executive branch entity to protect CUI consistent with the Order, this part, and the CUI Registry.
(f) This part rescinds Controlled Unclassified Information (CUI) Office Notice 2011-01: Initial Implementation Guidance for Executive Order 13556 (June 9, 2011).

(g) This part creates no right or benefit, substantive or procedural, enforceable by law or in equity by any party against the United States, its departments, agencies, or entities, its officers, employees, or agents, or any other person.

(h) Nothing in this part alters, limits, or supersedes a requirement stated in laws, regulations, or Government-wide policies. Where laws, regulations, or Government-wide policies articulate the requirements for protection of unclassified information, this part accommodates and recognizes those requirements as ``CUI Specified.'' However, where agency-specific policy or ad hoc practices articulate requirements for protection of unclassified information, the CUI Executive Agent has the authority under the Order to establish control policy. In such cases, this part would override such agency-specific or ad hoc requirements if they are in conflict.

Sec. 2002.2 Definitions.

Agency includes any ``executive agency,'' as defined in 5 U.S.C. 105; the United States Postal Service; and any other independent entity within the executive branch that designates or handles CUI.

Authorized holder is an individual, organization, or group of users that is permitted to designate or handle CUI, consistent with this part.

Classified information is information that Executive Order 13526, ``Classified National Security Information,'' December 29, 2009 (3 CFR, 2010 Comp., p. 298), or the Atomic Energy Act of 1954, as amended, requires to have classified markings and protection against unauthorized disclosure.

Controlled environment is any area or space an authorized holder deems to have adequate physical or procedural controls (e.g., barriers and managed access controls) to protect CUI from unauthorized access or disclosure.
Control level is a general term that encompasses the category or subcategory of specific CUI, along with any specific safeguarding and disseminating requirements.

Controlled Unclassified Information (CUI) is information that laws, regulations, or Government-wide policies require to have safeguarding or dissemination controls, excluding classified information (see definition of classified information, above).

CUI Basic is the default, uniform set of standards for handling all categories and subcategories of CUI. CUI Basic differs from CUI Specified in that, although laws, regulations, or Government-wide policies establish the CUI Basic information as protected, it does not specifically spell out any handling standards for that information. The CUI Basic standards therefore apply whenever CUI Specified standards do not cover the involved CUI.

CUI categories and subcategories are those types of information for which laws, regulations, or Government-wide policies require safeguarding or dissemination controls, and which the CUI Executive Agent has approved and listed in the CUI Registry.

CUI category or subcategory markings are the markings approved by the CUI Executive Agent for the categories and subcategories listed in the CUI Registry.

CUI Executive Agent is the National Archives and Records Administration (NARA), which implements the executive branch-wide CUI Program and oversees Federal agency actions to comply with the Order. NARA has delegated this authority to the Director of the Information Security Oversight Office (ISOO).

CUI Program is the executive branch-wide program to standardize CUI handling by all Federal agencies. The Program includes the rules, organization, and procedures for CUI, established by the Order, this part, and the CUI Registry.
CUI Program manager is an agency official, designated by the agency head or CUI senior agency official, to serve as the official representative to the CUI Executive Agent on the agency's day-to-day CUI Program operations, both within the agency and in interagency contexts.

CUI Registry is the online repository for all information, guidance, policy, and requirements on handling CUI, including everything issued by the CUI Executive Agent other than this part. Agencies and authorized holders must follow the requirements in the CUI Registry. Among other information, the CUI Registry identifies all approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, and sets out handling procedures.

CUI senior agency official is a senior official designated in writing by an agency head and responsible to that agency head for implementation of the CUI Program within that agency. The CUI senior agency official is the primary point of contact for official correspondence, accountability reporting, and other matters of record between the agency and the CUI Executive Agent.

CUI Specified are the sets of standards that apply to CUI categories and subcategories that have specific handling standards required or permitted by authorizing laws, regulations, or Government-wide policies. Only CUI categories and subcategories the CUI Executive Agent approves and designates in the CUI Registry as CUI Specified may use the specified standards rather than CUI Basic standards. Agencies must apply CUI Basic standards to all CUI that is not included in a CUI Specified category in the Registry, or when a CUI Specified authority is silent on any aspect of handling the involved CUI. CUI Specified standards may be more stringent than, or may simply differ from, those required by CUI Basic; the distinction is that the underlying authority spells out the standards for CUI Specified categories and does not for CUI Basic ones.
Decontrolling occurs when an agency removes safeguarding or dissemination controls from CUI that no longer requires such controls.

Designating occurs when an authorized holder determines that a CUI category or subcategory covers a specific item of information and then marks that item as CUI.

Designating agency is the executive branch agency that designates a specific item of information as CUI.

Disseminating occurs when authorized holders transmit, transfer, or provide access to CUI to other authorized holders through any means.

Document means any tangible thing, which constitutes or contains information, and means the original and any copies (whether different from the originals because of notes made on such copies or otherwise) of all writings of every kind and description over which an agency has authority, whether inscribed by hand or by mechanical, facsimile, electronic, magnetic, microfilm, photographic, or other means, as well as phonic or visual reproductions or oral statements, conversations, or events, and including, but not limited to: Correspondence, email, notes, reports, papers, files, manuals, books, pamphlets, periodicals, letters, memoranda, notations, messages, telegrams, cables, facsimiles, records, studies, working papers, accounting papers, computer disks, computer tapes, telephone logs, computer mail, computer printouts, worksheets, sent or received communications of any kind, teletype messages, agreements, diary entries, calendars and journals, printouts, drafts, tables, compilations, tabulations, recommendations, accounts, work papers, summaries, address books, other records and recordings or transcriptions of conferences, meetings, visits, interviews, discussions, or telephone conversations, charts, graphs, indexes, tapes, minutes, contracts, leases, invoices, records of purchase or sale correspondence, electronic or other transcription of taping of personal conversations or conferences, and any written, printed, typed, punched, taped, filmed, or graphic matter however produced or reproduced. Document also includes the file, folder, exhibits, and containers, and the labels on them, associated with each original or copy. Document also includes voice records, film, tapes, video tapes, email, personal computer files, electronic matter, and other data compilations from which information can be obtained, including materials used in data processing.

Handling is any use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, re-using, and disposing of the information.

Lawful Government purpose is any activity, mission, function, operation, or endeavor that the U.S. Government authorizes or recognizes within the scope of its legal authorities.

Legacy material is unclassified information that was marked or otherwise controlled prior to implementation of the CUI Program.

Limited dissemination is any type of control on disseminating CUI approved for use by the CUI Executive Agent.

Misuse of CUI occurs when someone uses CUI in a manner inconsistent with the policy contained in the Order, this part, and the CUI Registry, or any of the laws, regulations, and Government-wide policy that establish CUI categories and subcategories. This may include intentional violations or unintentional errors in safeguarding or disseminating CUI.

Non-executive branch entity is a person or organization established, operated, and controlled by individual(s) acting outside the scope of any official capacity as officers, employees, or agents of the executive branch of the Federal Government. Such entities may include elements of the legislative or judicial branches of the Federal government; State, interstate, Tribal, local, or foreign government elements; and private or international organizations, including contractors and vendors.
Portion is ordinarily a section within a document, and may include subjects, titles, graphics, tables, charts, bullet statements, sub-paragraphs, bullet points, or other sections, including those within slide presentations.

Protection includes all controls an agency applies or must apply when handling information that qualifies as CUI.

Public release occurs when an agency makes information formerly designated as CUI available to members of the public through the agency's official release processes. Disseminating CUI to non-executive branch entities as authorized does not constitute public release; nor does releasing information to an individual pursuant to the Privacy Act of 1974.

Records are agency records and Presidential papers or Presidential records (or Vice-Presidential), as those terms are defined in 44 U.S.C. 3301 and 44 U.S.C. 2201 and 2207. Records also include such items created or maintained by a Government contractor, licensee, certificate holder, or grantee that are subject to the sponsoring agency's control under the terms of the contract, license, certificate, or grant.

Re-use means incorporating, disseminating, restating, or paraphrasing CUI from its originally designated form into a newly created document.

Self-inspection is an agency's internally managed review and evaluation of its activities to implement the CUI Program.

Unauthorized disclosure occurs when individuals or entities that do not have a lawful Government purpose to access the CUI gain access to it. Unauthorized disclosure may be intentional or unintentional.

Uncontrolled unclassified information is information that neither the Order nor classified information authorities cover as protected. Although this information is not controlled or classified, agencies must still handle it consistently with Federal Information Security Modernization Act (FISMA) requirements.
Working papers are documents or materials, regardless of form, that an agency or user expects to revise prior to creating a finished product.

Sec. 2002.3 CUI Executive Agent.

(a) Section 2(c) of the Order designates NARA as the CUI Executive Agent to implement this Order and to oversee agency efforts to comply with the Order, this part, and the CUI Registry.

(b) NARA's Director of the Information Security Oversight Office (ISOO) performs the duties assigned to NARA as the CUI Executive Agent.

Sec. 2002.4 Roles and responsibilities.

(a) The CUI Executive Agent:

(1) Develops and issues policy, guidance, and other materials, as needed, to implement the Order and this part, and to establish and maintain the CUI Program.

(2) Consults with affected agencies, State, local, Tribal, and private sector partners, and representatives of the public on matters pertaining to CUI.

(3) Establishes, convenes, and chairs the CUI Advisory Council (the Council) to address matters pertaining to the CUI Program. The CUI Executive Agent consults with affected agencies to develop and document the Council's structure and procedures, and submits the details to OMB for approval.

(4) Reviews and approves agency policies implementing this part before agencies issue them to ensure their consistency with the Order, this part, and the CUI Registry.

(5) Reviews, evaluates, and oversees agencies' actions to implement the CUI Program, to ensure compliance with the Order, this part, and the CUI Registry.

(6) Establishes a management and planning framework, including associated deadlines for phased implementation, based on agency compliance plans submitted pursuant to section 5(b) of the Order, and in consultation with affected agencies and the Office of Management and Budget (OMB).

(7) Approves categories and subcategories of CUI as needed and publishes them in the CUI Registry.
(8) Prescribes standards, procedures, guidance, and instructions for oversight and agency self-inspection programs, to include performing on-site inspections.

(9) Standardizes forms and procedures to implement the CUI Program.

(10) Considers and resolves, as appropriate, disputes, complaints, and suggestions about the CUI Program from entities in or outside the Government; and

(11) Reports to the President on implementation of the Order and the requirements of this part. This includes publishing a report on the status of agency implementation at least biennially, or more frequently at the discretion of the CUI Executive Agent.

(b) Agency heads:

(1) Ensure agency senior leadership support, and make adequate resources available to implement, manage, and comply with the CUI Program as administered by the CUI Executive Agent.

(2) Designate a CUI senior agency official responsible for ensuring agency implementation, management, and oversight of the CUI Program.

(3) Approve agency policies, as required, to implement the CUI Program.

(c) CUI senior agency officials:

(1) Must be at the Senior Executive Service level or equivalent;

(2) Direct and oversee the agency's CUI Program;

(3) Designate a CUI Program manager;

(4) Ensure the agency has CUI implementing policies and plans, as needed;

(5) Implement an education and training program pursuant to Sec. 2002.20 of this part;

(6) Upon request of the CUI Executive Agent under section 5(c) of the Order, provide an update of CUI implementation efforts for subsequent reporting;

(7) Develop and implement the agency's self-inspection program;

(8) Establish a process to accept and manage challenges to CUI status, consistent with existing processes based in laws, regulations, and Government-wide policies; and

(9) Establish processes and criteria for reporting and investigating misuse of CUI.
(d) The Director of National Intelligence: After consultation with the heads of affected agencies and the Director of the Information Security Oversight Office, may issue directives to implement this part with respect to the protection of intelligence sources, methods, and activities. Such directives must be consistent with the Order, this part, and the CUI Registry.

Subpart B--Key Elements of the CUI Program

Sec. 2002.10 The CUI Registry.

(a) The CUI Executive Agent maintains the CUI Registry, which serves as the central repository for all information, guidance, policy, and requirements on handling CUI, including authorized CUI categories and subcategories, associated markings, and applicable decontrolling procedures.

(b) The CUI Registry:

(1) Is the sole authoritative repository for information on CUI except the Order and this part;

(2) Is publicly accessible;

(3) Includes citation(s) to laws, regulations, or Government-wide policies that form the basis for each category and subcategory; and

(4) Notes any sanctions or penalties for misuse of each category or subcategory of CUI that are included in applicable statutes or regulations.

Sec. 2002.11 CUI categories and subcategories.

(a) CUI categories and subcategories are the exclusive means of designating CUI throughout the executive branch. They identify unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable laws, regulations, and Government-wide policies. Agencies may not control any unclassified information outside of the CUI Program.

(b) Agencies must designate CUI only by use of a category or subcategory approved by the CUI Executive Agent and published in the CUI Registry.

Sec. 2002.12 Safeguarding.

(a) General safeguarding policy.

(1) Agencies must safeguard CUI at all times in a manner that minimizes the risk of unauthorized disclosure while allowing for access by authorized holders.
(2) Agency personnel must comply with policy in the Order, this part, and the CUI Registry, and review their agency's CUI policies for additional instructions. For categories designated as CUI Specified, employees must also follow the procedures in the underlying laws, regulations, or Government-wide policies that established the specific category or subcategory involved.

(3) Safeguarding measures that are authorized or accredited for classified information are also sufficient for safeguarding CUI.

(4) Pursuant to the Order and this part, and in consultation with affected agencies, the CUI Executive Agent issues safeguarding standards in the CUI Registry, and updates them as needed.

(b) CUI safeguarding standards. Agencies must safeguard CUI using one of two types of standards:

(1) CUI Basic. CUI Basic is the default set of standards agencies must apply to all CUI unless the CUI Registry annotates the relevant information as CUI Specified.

(2) CUI Specified.

(i) Agencies safeguard CUI using CUI Specified standards only when the involved information falls into a category or subcategory designated in the CUI Registry as CUI Specified. In such cases, agencies should apply the specified set of standards required by the underlying authorities, as indicated in the CUI Registry.

(ii) When the authorizing laws, regulations, or Government-wide policies for a specific CUI Specified category or subcategory are silent on a safeguarding or disseminating requirement, agencies must handle that requirement using the CUI Basic standards, unless this results in any treatment that is inconsistent with the CUI Specified authority. If such a conflict occurs, agencies follow the CUI Specified authority's requirements.

(c) Protecting CUI under the control of an authorized holder.

(1) Authorized holders must have access to controlled environments in which to protect CUI from unauthorized access or observation.
(2) When discussing CUI, you must reasonably ensure that unauthorized individuals cannot overhear the conversation.

(3) When outside a controlled environment, you must keep the CUI under your direct control or protect it with at least one physical barrier. You or the physical barrier must reasonably protect the CUI from unauthorized access or observation.

(4) Agencies must protect the confidentiality of CUI that is processed, stored, or transmitted on Federal information systems consistently with the security requirements and controls established in FIPS Publication 199, FIPS Publication 200, and NIST SP 800-53.

(d) Protecting CUI not under control of an authorized holder.

(1) You may use the United States Postal Service or any commercial delivery service when you need to transport or deliver CUI to another organization.

(2) We encourage you to use in-transit automated tracking and accountability tools when you send CUI.

(3) You may use interoffice or interagency mail systems to transport CUI.

(4) Mark packages that contain CUI to indicate that they are intended for the recipient only and should not be forwarded.

(5) Do not put CUI markings on the outside of an envelope or package.

(e) Reproducing CUI.

(1) You may reproduce (e.g., copy, scan, print, electronically duplicate) CUI in furtherance of a lawful Government purpose.

(2) When reproducing CUI documents on equipment such as printers, copiers, scanners, or fax machines, you must ensure that the equipment does not retain data or you must otherwise sanitize it in accordance with NIST SP 800-53.

(f) Destroying CUI.

(1) You may destroy CUI when:

(i) Your agency no longer needs the information; and

(ii) Records disposition schedules published or approved by NARA or other applicable laws, regulations, or Government-wide policies no longer require your agency to retain the records.
(2) When destroying CUI, including in electronic form, you must do so in a manner that makes it unreadable, indecipherable, and irrecoverable, using any of the following:

(i) Guidance for destruction in NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, and NIST SP 800-88, Guidelines for Media Sanitization;

(ii) Any method of destruction approved for Classified National Security Information, as delineated in 32 CFR 2001.47, Destruction, or any implementing or successor guidance; or

(iii) Any specific destruction methods required by laws, regulations, or Government-wide policies for that item.

(g) Information systems that process, store, or transmit CUI.

(1) Agencies must apply information system requirements to CUI that are consistent with already-required NIST standards and guidelines and OMB policies. The Federal Information Security Modernization Act (FISMA) of 2014, 44 U.S.C. 3541, et seq., requires all Federal agencies to apply the standards in FIPS Publication 199 and FIPS Publication 200. FIPS Publication 200 and OMB Memorandum-14-04, November 18, 2013, require all Federal agencies to also apply the appropriate security requirements and controls from NIST SP 800-53. All three sets of publications are free and available from the NIST Web site at http://www.nist.gov/publication-portal.cfm.

(2) Consistent with this already-established framework governing all Federal information systems, CUI is categorized at the moderate confidentiality impact level in accordance with FIPS Publication 199. Likewise, agencies must also apply the appropriate security requirements and controls from FIPS Publication 200 and NIST SP 800-53 consistently with any risk-based tailoring decisions.
Agencies may increase the confidentiality impact level above moderate and apply additional security requirements and controls only internally; they may not require anyone outside the agency to use a higher impact level or more stringent security requirements and controls.

Sec. 2002.13 Accessing and disseminating.

(a) General policy.

(1) Agencies should disseminate and permit access to CUI, provided such access or dissemination:

(i) Abides by the laws, regulations, or Government-wide policies that established the CUI category or subcategory;

(ii) Furthers a lawful Government purpose;

(iii) Is not restricted by an authorized limited dissemination control established by the CUI Executive Agent; and,

(iv) Is not otherwise prohibited by law.

(2) Agencies should impose controls only as necessary to abide by restrictions on access to CUI. Agencies may not impose controls that unlawfully or improperly restrict access to CUI.

(3) Prior to disseminating CUI, you must mark CUI according to marking guidance issued by the CUI Executive Agent.

(4) Non-executive branch entities may receive CUI directly from members of the executive branch or as sub-recipients from other non-executive branch entities.

(5) In order to disseminate CUI to a non-executive branch entity, you must have a reasonable expectation that the recipient will continue to control the information in accordance with the Order, this part, and the CUI Registry.

(6) When feasible, agencies should enter into a written agreement with any intended non-executive branch entity.
At a minimum, such agreements must specify that:

(i) CUI remains under the legal control of the Federal Government and its misuse is subject to penalties permitted under applicable laws, regulations, or Government-wide policies;

(ii) Non-executive branch entities must handle CUI consistently with the Order, this part, and the CUI Registry; and

(iii) The non-executive branch entity must report any non-compliance with handling requirements to the disseminating agency's CUI senior agency official. When the disseminating agency is not the designating agency, the disseminating agency must notify the designating agency.

(b) Controls on accessing and disseminating CUI--(1) CUI Basic. You should disseminate and encourage access to CUI Basic for any recipient when it meets the requirements set out in paragraph (a)(1) of this section.

(2) CUI Specified. You may disseminate and allow access to CUI Specified as permitted by the authorizing laws, regulations, or Government-wide policies that established that category or subcategory of CUI Specified.

(i) The CUI Registry annotates CUI categories and subcategories that contain Specified controls.

(ii) In the absence of specific dissemination restrictions, agencies may disseminate and allow access to the CUI as they would for CUI Basic.

(3) Limited dissemination.

(i) You may place limits on disseminating CUI only through the use of limited dissemination controls approved by the CUI Executive Agent and published in the CUI Registry.

(ii) Use of limited dissemination controls to unnecessarily restrict access to CUI is contrary to the stated goals of the CUI Program. You may therefore use these controls only when it serves a lawful Government purpose, or you are required by laws, regulations, or Government-wide policies to do so.

(iii) You may apply limited dissemination controls to any CUI that is required or permitted to have restricted access by or to certain entities.
(iv) You may combine the approved limited dissemination controls listed in the CUI Registry to accommodate necessary practices.

(c) Methods of disseminating CUI.

(1) Before disseminating CUI, you must reasonably expect that all intended recipients are authorized to receive the CUI. You may then disseminate the CUI by any method that meets the safeguarding requirements of this part and ensures receipt in a timely fashion, unless the laws, regulations, or Government-wide policies that govern that category or subcategory of CUI require otherwise.

(2) To disseminate CUI using systems or components that are subject to NIST guidelines and publications (e.g., email applications, text messaging, facsimile, or voicemail), you must do so consistently with the moderate confidentiality value set out in the FISMA-mandated FIPS Publication 199, FIPS Publication 200, and NIST SP 800-53.

Sec. 2002.14 Decontrolling.

(a) Agencies may decontrol CUI that they have designated:

(1) When laws, regulations, or Government-wide policies no longer require its control as CUI;

(2) In response to a request by an authorized holder to decontrol it, if the agency is the designating agency;

(3) When the designating agency decides to release it to the public by making an affirmative, proactive disclosure;

(4) When the agency releases it in accordance with an applicable information access statute, such as the Freedom of Information Act (FOIA);

(5) Consistent with any declassification action under Executive Order 13526 or any predecessor or successor order; or

(6) When a pre-determined event or date occurs, as described in the decontrol indicators section of this part.

(b) Decontrolling may occur automatically upon the occurrence of one of the conditions in paragraph (a) of this section, or through an affirmative decision by the designating agency.

(c) Only personnel that an agency authorizes may decontrol CUI.
(d) Decontrolling CUI relieves authorized holders from requirements to handle the information under the CUI Program, but does not constitute authorization for public release.

(e) Agencies should decontrol any CUI designated by their agency that no longer requires CUI controls as soon as practicable.

(f) You must remove or strike through with a single straight line all CUI markings when restating, paraphrasing, re-using, releasing to the public, or donating CUI to a private institution. Otherwise, you are not required to mark, review, or take other actions to indicate the CUI is no longer controlled.

(1) Agencies may establish policy that allows holders to remove or strike through only those markings on the first or cover page of the CUI.

(2) If you use the decontrolled CUI in a newly created document, you must remove all CUI markings for the decontrolled information.

(g) Once decontrolled, any public release of information that was formerly CUI must be in accordance with existing agency policies on the public release of information.

(h) You may request that the designating agency decontrol certain CUI. Agency heads or the CUI senior agency official must establish processes for handling CUI decontrol requests submitted by authorized holders.

(i) If an authorized holder publicly releases CUI in accordance with the designating agency's authorized procedures, the release constitutes decontrol of the information.

(j) Unauthorized disclosure of CUI does not constitute decontrol.

(k) You must not decontrol CUI in an attempt to conceal, circumvent, or mitigate an identified unauthorized disclosure.

(l) When laws, regulations, and Government-wide policies require specific decontrol procedures, you must follow such requirements.

(m) The Archivist of the United States may decontrol records transferred to the National Archives in accordance with Sec. 2002.26 of this part, absent a specific agreement otherwise with the originating agency.
The Archivist decontrols records to facilitate public access pursuant to 44 U.S.C. 2108 and NARA's regulations at 36 CFR parts 1235, 1250, and 1256.

Sec. 2002.15 Marking.

(a) General marking policy.

(1) CUI markings listed in the CUI Registry are the only control markings authorized to designate unclassified information requiring safeguarding or dissemination controls. You must mark CUI exclusively in accordance with this part and the CUI Registry.

(2) You must uniformly and conspicuously apply CUI markings to all CUI prior to disseminating it unless otherwise specifically permitted by the CUI Executive Agent or as provided below.

(3) The CUI Program prohibits using markings or practices not included in this part or the CUI Registry. Agencies must take active measures to discontinue use of any other markings, in accordance with guidance from the CUI Executive Agent. Agencies may not modify CUI Program markings or deviate from the method of use prescribed by the CUI Executive Agent in an effort to accommodate existing agency marking practices, except in extraordinary circumstances approved by the CUI Executive Agent.

(4) The designating agency determines that the information qualifies for CUI status and applies the appropriate CUI marking at the time of designation.

(5) You must not mark information as CUI to conceal illegality, negligence, ineptitude, or other disreputable circumstances embarrassing to any person, any agency, the Federal Government, or any partners thereof.

(6) The CUI Program does not require agencies to redact or re-mark documents that bear legacy markings. However, agencies must mark as CUI any information they derive from such documents and re-use in a new document, if the information qualifies as CUI.

(7) When marking is excessively burdensome, an agency's CUI senior agency official may approve waivers of all or some of the marking requirements for CUI designated within that agency.
However, all CUI must be marked when disseminated outside of that agency.

(i) When CUI senior agency officials grant such waivers, they must still ensure that the agency appropriately safeguards and disseminates the CUI.

(ii) The CUI senior agency official must detail in each waiver the alternate protection methods the agency must employ to ensure protection of the CUI in question.

(iii) All such waivers apply to CUI only while in possession of employees of that agency.

(8) The lack of a CUI marking on information does not exempt the information from applicable handling requirements set forth in laws, regulations, or Government-wide policies.

(b) The CUI banner marking. You must mark all CUI with a CUI banner marking, which may include up to three elements:

(1) The CUI control marking (mandatory).

(i) The CUI control marking may consist of either the word ``CONTROLLED'' or the acronym ``CUI'' (at the designator's discretion). You may not use alternative markings to identify or mark items as CUI.

(ii) If you include in the banner marking other authorized CUI markings in addition to the CUI control marking (as set out below), separate those elements from the CUI control marking by a single slash (``/'').

(2) CUI category and subcategory markings (mandatory for CUI Specified).

(i) The CUI Registry lists the category and subcategory markings, which align with the CUI's designated category or subcategory.

(ii) The CUI senior agency official may approve optional use of CUI category and subcategory markings for CUI Basic, through agency policy. The policy may also address whether to include these markings in the CUI banner marking. When the CUI senior agency official has approved CUI Basic category or subcategory markings through agency policy, you may include those markings in the CUI banner marking when multiple categories or subcategories are present.

(iii) You must use CUI category and subcategory markings for CUI Specified.
If laws, regulations, or Government-wide policies require specific marking, disseminating, informing, or warning statements, you must use those indicators as required by those authorities. However, you must not include these additional indicators in the CUI banner marking or portion markings.

(iv) Include in the CUI banner marking all CUI Specified category or subcategory markings; other category or subcategory markings that may apply are optional.

(v) List category or subcategory markings in alphabetical order, using the approved abbreviations listed in the CUI Registry, and separate multiple categories or subcategories from each other by a single slash (``/'').

(3) Limited dissemination control markings.

(i) CUI limited dissemination control markings align with limited dissemination controls established under Sec. 2002.13(b)(3) of this part.

(ii) Designating agencies must establish agency policy that includes specific criteria for when, and by whom, they will allow the use of limited dissemination controls and control markings, and ensure the policy aligns with the requirements in Sec. 2002.13(b)(3) of this part.

(iii) In accordance with its policy, the designating agency may apply limited dissemination control markings when it designates information as CUI and may approve later requests by authorized holders to apply them. Authorized holders may apply limited dissemination control markings only with the approval of the designating agency.

(iv) When including limited dissemination control markings in the CUI banner marking, use a double slash (``//'') to separate them from the previous element of the CUI banner marking (e.g. ``CUI//NOFORN'' or ``CONTROLLED/LEI//NOFORN'').

(v) List limited dissemination control markings in alphabetical order, using the approved abbreviations listed in the CUI Registry, and separate them from each other by a single slash (``/'').

(c) Using the CUI banner marking.
(1) The content of the CUI banner marking must apply to the whole document (e.g., inclusive of all CUI within the document) and must be the same on every page on which you use it.

(2) The CUI banner marking must appear, at a minimum, at the top center of each page containing CUI.

(3) For non-document formats, the container or portion of the item that is first visible must carry the banner.

(d) CUI designation indicator (mandatory).

(1) All media containing CUI must carry an indicator of who designated the CUI within it. This should include:

(i) The designator's agency (at a minimum); and

(ii) If not otherwise evident, the designating agency or office via a ``Controlled by'' line. For example, ``Controlled by: Division 5, Department of Good Works.''

(2) The designation indicator must be readily apparent to authorized holders and may appear only on the first page or cover.

(e) CUI decontrolling indicators.

(1) Where feasible, designating agencies must include a specific decontrolling date or event with all media containing CUI. This may be accomplished in any manner that makes the decontrolling schedule readily apparent to an authorized holder.

(2) When used, decontrolling indicators must use the format: ``Decontrol On:'' followed by a date or name of a specific event.

(3) If using a specific decontrolling date, list it in the format ``YYYYMMDD.''

(i) Decontrol is presumed at midnight local time on the date indicated.

(ii) Authorized holders may consider specific items of CUI as decontrolled as of the date indicated, requiring no further review by, or communication with, the designator.
(4) If using a specific event after which the CUI is considered decontrolled:

(i) The event must be foreseeable and verifiable by any authorized holder (e.g., not based on or requiring special access or knowledge);

(ii) State the event title in bullet format rather than a narrative statement; and

(iii) Include point of contact and preferred method of contact information in the decontrol indicator when using this method, to allow authorized holders to verify that a specified event has occurred.

(f) Portion marking CUI.

(1) Agencies are permitted and encouraged to portion mark all CUI, to facilitate information sharing and proper handling.

(2) You may mark CUI only with portion markings approved by the CUI Executive Agent and listed in the CUI Registry.

(3) CUI portion markings consist of the following elements:

(i) The CUI control marking, which must be the acronym ``CUI'';

(ii) CUI category/subcategory portion markings (if required); and

(iii) CUI limited dissemination control portion markings (if required).

(4) When using portion markings:

(i) You must indicate CUI portions by placing the required portion marking for each portion inside parentheses, immediately before the portion to which it applies (e.g. ``(CUI)'' or ``(CUI/LEI//NF)'').

(ii) CUI category and subcategory markings are optional for CUI Basic. Agencies should manage their use by means of agency policy.

(iii) You must portion mark both CUI and uncontrolled unclassified portions. Indicate the uncontrolled unclassified portions by using a ``(U)'' immediately preceding the portion to which it applies.

(5) In cases where portions consist of several segments, such as paragraphs, sub-paragraphs, bullets, and sub-bullets, and the control level is the same throughout, you may place a single portion marking at the beginning of the primary paragraph or bullet.
However, if the portion includes different CUI categories or subcategories, you must portion mark all segments separately to avoid improper control of any one segment.

(6) Each portion must reflect the control level of that individual portion and not any other portions. If the information contained in a sub-paragraph or sub-bullet is a different CUI category or subcategory from its parent paragraph or parent bullet, this does not make the parent paragraph or parent bullet controlled at that same level.

(g) Commingling CUI markings with classified information.

(1) When you include CUI in documents that also contain classified information, you must make the following changes to the CUI marking scheme:

(i) Portion mark all CUI to ensure that CUI portions can be distinguished from portions containing classified and uncontrolled unclassified information;

(ii) Include CUI Specified category and subcategory markings in the overall banner marking;

(iii) Include the CUI control marking (``CUI'') in the overall marking banner directly before the CUI category and subcategory markings (e.g., ``CUI/SP-PCII''). This applies only when CUI category and subcategory markings are included in the banner;

(iv) Separate category and subcategory markings from each other by a single slash (e.g. ``CUI/SP-PCII/SP-UCNI'');

(v) Include all CUI limited dissemination controls with each CUI portion and in the CUI section of the overall classified marking banner, if applicable. Separate limited dissemination markings from each other by a single slash (``/''); and

(vi) Separate the entire CUI marking string for the CUI banner marking from other parts of the overall classified marking banner by using a double slash (``//'') on either end. However, if the CUI marking string is the final portion of the overall classified marking banner, do not use an ending double slash (``//'').

(2) Commingling restricted data (RD) and formerly restricted data (FRD) with CUI.
(i) To the extent possible, avoid commingling RD or FRD with CUI in the same document. When it is not practicable to avoid such commingling, follow the marking requirements in the Order, this part, and the CUI Registry, as well as the marking requirements in 10 CFR part 1045, Nuclear Classification and Declassification.

(ii) The decontrolling provisions of the Order do not apply to portions marked as containing RD or FRD.

(iii) Add ``Not Applicable (or N/A) to RD/FRD portions'' to the ``Decontrol On'' line for commingled documents.

(iv) Follow the requirements of 10 CFR part 1045 when extracting an RD or FRD portion for use in a new document.

(v) Follow the requirements of the Order, this part, and the CUI Registry if extracting a CUI portion for use in a new document.

(vi) The lack of declassification instructions for RD or FRD portions does not eliminate the requirement to process commingled documents for declassification in accordance with the Atomic Energy Act, or 10 CFR part 1045.

(h) Transmittal document marking requirements.

(1) When a transmittal document accompanies CUI, the transmittal document must include a CUI marking on its face (``CONTROLLED'' or ``CUI''), indicating that CUI is attached or enclosed.

(2) The transmittal document must also include conspicuously on its face the following or similar instructions, as appropriate:

(i) ``Upon Removal of Enclosure, This Document is Uncontrolled Unclassified Information''; or

(ii) ``Upon Removal of Enclosure, This Document is (Control Level).''

(i) Working papers. Mark working papers containing CUI as required for any CUI contained within them and handle them in accordance with this part and the CUI Registry.

(j) Using supplemental administrative markings with CUI.

(1) Agency heads may authorize the use of supplemental administrative markings (e.g. ``Pre-decisional,'' ``Deliberative,'' ``Draft'') for use with CUI.
(2) Agency heads may not authorize the use of supplemental administrative markings to establish safeguarding requirements or disseminating restrictions, or to designate the information as CUI.

(3) To be eligible for use with CUI, agencies must detail use and requirements for supplemental administrative markings in agency policy that is available to anyone who may come into possession of CUI carrying these markings.

(4) Do not incorporate or include supplemental administrative markings in the CUI markings.

(5) Supplemental administrative markings must not duplicate any CUI marking described in this part and the CUI Registry.

(k) Unmarked CUI. Treat unmarked information that qualifies as CUI as described in the Order, this part, and the CUI Registry.

Sec. 2002.16 Waivers of CUI requirements in exigent circumstances.

(a) In exigent circumstances, the agency head or the CUI senior agency official may waive the requirements established in this part or the CUI Registry for any CUI within the agency's possession or control, unless specifically prohibited by applicable laws, regulations, or Government-wide policies.

(b) When the circumstances requiring the waiver end, the agency must reinstitute the requirements for all CUI covered by the waiver.

Sec. 2002.17 Limitations on applicability of agency CUI policies.

(a) Agency policies pertaining to CUI do not apply to entities outside that agency unless the CUI Executive Agent approves their application and publishes them in the CUI Registry.

(b) Agencies may not include any requirements on handling CUI other than those contained in the Order, this part, or the CUI Registry when entering into contracts, treaties, or other agreements with entities outside of that agency.

Subpart C--CUI Program Management

Sec. 2002.20 Education and training.

(a) The agency head or CUI senior agency official must establish policies that address the means, methods, and frequency of agency CUI training.
(b) At a minimum, agencies must ensure that personnel who have access to CUI receive training on creating CUI, relevant CUI categories and subcategories, the CUI Registry, associated markings, and applicable safeguarding, disseminating, and decontrolling policies and procedures. Agencies must ensure that they train employees on these matters when the employees first begin working for the agency and at least once every two years thereafter, at a minimum.

(c) The CUI Executive Agent may review agency training materials to ensure consistency and compliance with the Order, this part, and the CUI Registry.

Sec. 2002.21 Agency self-inspection program.

(a) Agency heads must establish and maintain a self-inspection program to ensure compliance with the principles and requirements of the Order, this part, and the CUI Registry.

(b) The self-inspection program must include no less than annual periodic review and assessment of the agency's CUI program. The agency head or CUI senior agency official should determine frequency based on program needs and the degree of designation activity.

(c) The self-inspection program must include:

(1) Self-inspection methods, reviews, and assessments that serve to evaluate program effectiveness, measure the level of compliance, and monitor the progress of CUI implementation;

(2) Formats for documenting self-inspections and recording findings, when not prescribed by the CUI Executive Agent;

(3) Procedures by which to integrate lessons learned and best practices arising from reviews and assessments into operational policies, procedures, and training;

(4) A process for resolving deficiencies and taking corrective actions in an accountable manner; and

(5) Analysis and conclusions from the self-inspection program, documented on an annual basis and as requested by the CUI Executive Agent.

Sec. 2002.22 Challenges to designation of information as CUI.
(a) Authorized holders of CUI who, in good faith, believe that its designation as CUI is improper or incorrect should notify the designating agency of this belief.

(b) Agency CUI senior agency officials must create a process within their agency to accept and manage challenges to CUI status. At a minimum, this process must include a timely response to the challenger that:

(1) Acknowledges receipt of the challenge;

(2) States an expected timetable for response to the challenger;

(3) Provides an opportunity for the challenger to define their rationale for belief that the CUI in question is inappropriately designated;

(4) Gives contact information for the official making the agency's decision in this matter; and

(5) Ensures that challengers are not subject to retribution for bringing such challenges.

(c) Until the challenge is resolved, continue to safeguard and disseminate the challenged CUI at the control level indicated in the markings.

(d) If a challenging party disagrees with the response to their challenge, that party may use the Dispute Resolution procedures described in Sec. 2002.23 of this part.

Sec. 2002.23 Dispute resolution.

(a) All parties to a dispute arising from implementation or interpretation of the Order, this part, or the CUI Registry should make every effort to resolve the dispute expeditiously. Disputes should be resolved within a reasonable, mutually acceptable time period, taking into consideration the mission, sharing, and protection requirements of the parties concerned.

(b) If parties to a dispute cannot reach a mutually acceptable resolution, either party may refer the matter to the CUI Executive Agent.

(c) The CUI Executive Agent is the impartial arbiter of the dispute and has the authority to render a decision on the dispute after consultation with all affected parties, unless laws, regulations, or Government-wide policies otherwise specifically govern requirements for the involved category or subcategory of information.
If a party to the dispute is also a member of the Intelligence Community, the CUI Executive Agent must consult with the Office of the Director of National Intelligence beginning when the CUI Executive Agent receives the dispute for resolution.

(d) Until the dispute is resolved, continue to safeguard and disseminate any disputed CUI at the control level indicated in the markings.

(e) Per section 4(e) of the Order, parties may appeal the CUI Executive Agent's decision through the Director of OMB to the President for resolution.

Sec. 2002.24 Misuse of CUI.

(a) CUI senior agency officials establish agency processes and criteria for reporting and investigating misuse of CUI.

(b) The CUI Executive Agent reports findings on any incident involving misuse of CUI to the offending agency's CUI senior agency official or CUI Program manager for action, as appropriate.

Sec. 2002.25 Sanctions for misuse of CUI.

(a) To the extent that agency heads are otherwise authorized to take administrative action against agency personnel who misuse CUI, agency CUI policy governing misuse should reflect that authority.

(b) Where laws, regulations, or Government-wide policies governing certain categories or subcategories of CUI specifically establish sanctions, agencies must adhere to such sanctions.

Sec. 2002.26 Transferring records.

(a) When feasible, agencies must decontrol records containing CUI prior to transferring them to NARA.

(b) When an agency cannot decontrol records before transferring them to NARA, the agency must:
(1) Indicate on a Transfer Request (TR) in NARA's Electronic Records Archives (ERA), or on an SF 258 paper transfer form, that the records should continue to be controlled as CUI (subject to NARA's regulations on transfer, public availability, and access; see 36 CFR parts 1235, 1250, and 1256); and
(2) For hard copy transfer, place the appropriate CUI marking on the outside of the container to indicate that it contains information designated as CUI.
(c) If the agency does not indicate the CUI status on both the container and the TR or SF 258, NARA may assume the information was decontrolled prior to transfer, regardless of any CUI markings on the actual records.

Sec. 2002.27 CUI and the Freedom of Information Act (FOIA).

(a) The mere fact that information is designated as CUI has no bearing on determinations pursuant to any law requiring the disclosure of information or permitting disclosure as a matter of discretion.

(b) Accordingly, agencies must ensure that:
(1) They do not cite the FOIA as a CUI safeguarding or disseminating control authority for CUI; and
(2) Agency FOIA reviewers use FOIA release standards and exemptions to determine whether or not to release records in response to a FOIA request; they do not use CUI markings and designations as a dispositive factor in making a FOIA disclosure determination.

Sec. 2002.28 CUI and the Privacy Act.

The fact that records are subject to the Privacy Act of 1974 does not mean that agencies must mark them as CUI. Consult agency guidance to determine which records may be subject to the Privacy Act. However, information contained in Privacy Act systems of records may be subject to controls under other CUI categories or subcategories, and the agency may need to mark that information as CUI for that reason.

Dated: April 27, 2015.
David S. Ferriero,
Archivist of the United States.
[FR Doc. 2015-10260 Filed 5-7-15; 8:45 am]
BILLING CODE 7515-01-P
