DATE: October 19, 2017
SUBJECT: Controlled Unclassified Information (CUI) Policy
- PURPOSE. This Directive establishes Treasury policy and a framework for Controlled Unclassified Information (CUI). It also assigns responsibilities for managing CUI within the Department. CUI is unclassified information that law, regulation, or government-wide policy subjects to safeguarding and dissemination controls.
- SCOPE. This directive applies to all bureaus, offices, and organizations in the Department of the Treasury, including the offices of inspectors general within the Department. The provisions of this directive shall not be construed to interfere with or impede the authorities or independence of the Department’s inspectors general.
- Executive Order 13556 Controlled Unclassified Information establishes an open and uniform program to standardize the way the executive branch handles information that requires protection and is not classified. A public registry lists information covered by laws, regulations, or government-wide policies that can be marked and handled as CUI. The CUI program also incorporates government-wide protocols for protecting and sharing sensitive information.
- CUI is information the government creates or possesses that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. CUI does not include classified information or information from a non-executive branch entity. CUI can be in any form.
- POLICY. This Directive establishes Treasury’s CUI program and also authorizes the release of Treasury Directive Publication (TD P) 80-08, Controlled Unclassified Information (CUI) Guide, as policy for the handling, marking, protecting, destroying, and decontrol of CUI in accordance with 32 CFR 2002.
- The Deputy Assistant Secretary for Privacy, Transparency, and Records is Treasury’s Senior Agency Official (SAO) for CUI and has overarching responsibility for the CUI Program within Treasury.
- The CUI Program Manager reports to the SAO and is responsible for coordinating Treasury’s CUI program.
- The Chief Information Officer is responsible for safeguarding CUI in Treasury IT systems and compliance with federal IT requirements.
- All employees, officials, detailees, interns and contractors, and IT users—everyone who comes in contact with CUI—is responsible for protecting and properly securing CUI and for following the CUI Guide, which contains other specific roles and responsibilities.
- TRAINING. Regulations require that anyone who has access to CUI receive training at least every two years. New employees, officials, detailees, interns, and contractors shall receive initial awareness training within 60 days of employment. TD P 80-08 delineates the specifics of mandatory training.
- IMPLEMENTATION. See TD P 80-08.
- MISUSE. There are penalties for failure to protect CUI, unauthorized disclosure of CUI (intentional or unintentional), and general misuse of CUI. Existing Treasury policies apply. Refer to TD P 80-08 for details.
- Treasury CUI Guide (TD P 80-08)
- Treasury Security Manual (TD P 15-71).
- NARA’s CUI webpage - archives.gov/cui.
- OFFICE OF PRIMARY INTEREST. Office of the Assistant Secretary for Management, Office of the Deputy Assistant Secretary for Privacy, Transparency, and Records.
Kody H. Kinsley
Assistant Secretary for