Controlled Unclassified Information (CUI) is a new information security program utilized by the executive branch. The CUI program is intended to standardize the way the executive branch handles unclassified information that, although unclassified, is still sensitive and merits special controls to prevent unauthorized access. It introduces a new framework for the entire executive branch to designate, mark, safeguard, and disseminate unclassified information that laws, regulations, or government-wide policies require or allow agencies to protect using safeguarding or dissemination controls.
The CUI program was established pursuant to Executive Order 13556, "Controlled Unclassified Information." The National Archives and Records Administration (NARA) has issued government-wide implementing regulations for executive branch agencies to implement the CUI program at 32 CFR Part 2002. The CUI Executive Agent (CUI EA) at NARA also issues guidance to executive branch departments and agencies that handle such information. NARA maintains a list of information categories that qualify as CUI at the CUI Registry.
The CUI program will be implemented at the NRC through the NRC CUI Senior Agency Official (SAO). The NRC SAO is responsible for ensuring the agency has sufficient policies and guidance in place for NRC staff and contractors that handle CUI. The CUI program will eventually replace the NRC's current Sensitive Unclassified Information and Non-Safeguards Information (SUNSI) program. SUNSI is an internal NRC program for the handling of sensitive information such as proprietary and confidential financial information, security-related information, personal privacy information, and information relating to investigations or allegations. Safeguards Information (SGI) will also be included within the scope of the NRC's CUI program, though all SGI controls codified in NRC regulations will remain in effect.
On November 12, 2021, the NRC's CUI Policy Statement was published in the Federal Register. On December 3, 2021, Management Directive 12.6, "NRC Controlled Unclassified Information (CUI) Program" (formerly titled "NRC Sensitive Unclassified Information Security Program") was published to describe the agency CUI program. It is important to note that implementation of the NRC's CUI program is not immediately effective upon the issuance of the updated MD 12.6.
The NRC currently expects to fully transition to CUI by the end of 2022. Until then, both the NRC's SUNSI program and the SGI program will remain in place.
As the NRC transitions through the various stages of CUI implementation, the NRC CUI SAO will communicate pertinent information, including a CUI implementation timeline, to the NRC staff, contractors, and external stakeholders.
Page Last Reviewed/Updated Tuesday, December 07, 2021