United States Nuclear Regulatory Commission - Protecting People and the Environment
Home > NRC Library > Controlled Unclassified Information Program (CUI)

Controlled Unclassified Information Program (CUI)

NIST CUI Resources

FIPS Publication 199, "Standards for Security Categorization of Federal Information and Information Systems"

FIPS Publication 200, "Minimum Security Requirements for Federal Information and Information Systems"

NIST Special Publication 800-53, Revision 4, "Security and Privacy Controls for Federal Information Systems and Organizations"

NIST Special Publication 800-171, "Protecting Unclassified Information in Nonfederal Information Systems and Organizations"

Related Information

Controlled Unclassified Information (CUI) is a new information security program utilized by the executive branch. The CUI program is intended to standardize the way the executive branch handles unclassified information that, although unclassified, is still sensitive and merits special controls to prevent unauthorized access. It introduces a new framework for the entire executive branch to designate, mark, safeguard, and disseminate unclassified information that laws, regulations, or government-wide policies require or allow agencies to protect using safeguarding or dissemination controls.

The CUI program was established pursuant to Executive Order 13556, "Controlled Unclassified Information." The National Archives and Records Administration (NARA) has issued government-wide implementing regulations for executive branch agencies to implement the CUI program at 32 CFR Part 2002. The CUI Executive Agent (CUI EA) at NARA also issues guidance to executive branch departments and agencies that handle such information. NARA maintains a list of information categories that qualify as CUI at the CUI Registry.

The CUI program will be implemented at the NRC through the NRC CUI Senior Agency Official (SAO). The NRC SAO is responsible for ensuring the agency has sufficient policies and guidance in place for NRC staff and contractors that handle CUI. The CUI program will eventually replace the NRC's current Sensitive Unclassified Information and Non-Safeguards Information (SUNSI) program. SUNSI is an internal NRC program for the handling of sensitive information such as proprietary and confidential financial information, security-related information, personal privacy information, and information relating to investigations or allegations. Safeguards Information (SGI) will also be included within the scope of the NRC's CUI program, though all SGI controls codified in NRC regulations will remain in effect.

The NRC currently expects to fully transition to CUI by the end of 2021. Until then, both the NRC's SUNSI program and the SGI program will remain in place.

As the NRC transitions through the various stages of CUI implementation, the NRC CUI SAO will communicate pertinent information to the NRC staff, contractors, and external stakeholders.

Page Last Reviewed/Updated Tuesday, July 09, 2019