Step 1: Define CUI (Controlled Unclassified Information)
CUI is information thatrequires safeguarding or dissemination controlspursuant to and consistent with applicable law, regulations, and government-wide policies, butis not classifiedunder Executive Order 13526 or the Atomic Energy Act.
✅Step 2: Authority over CUI — NARA’s Role
NARA – National Archives and Records Administration, specifically theInformation Security Oversight Office (ISOO), is thegovernment-wide executive agentresponsible for implementing the CUI program.
Source:
32 CFR Part 2002 – Controlled Unclassified Information (CUI)
Executive Order 13556 – Controlled Unclassified Information
CUI Registry – https://www.archives.gov/cui
NARA:
Maintains theCUI Registry,
Issuesmarking and handling guidance,
DefinesCUI categoriesand their authority under law or regulation,
Trains and informs Federal agencies and contractors on CUI policy.
❌Why the Other Options Are Incorrect
B. NIST
✘NIST (National Institute of Standards and Technology) developstechnical standards(e.g., SP 800-171), but it doesnot define or mark CUI. It helps secure CUI once it’s identified.
C. CMMC-AB (now Cyber AB)
✘The Cyber AB is theCMMC ecosystem’s accreditation body, not a government agency, and hasno authority over CUI classification or marking.
D. Department of Homeland Security (DHS)
✘While DHS mayhandle and protect CUI internally, it is not the executive agent for the CUI program.
NARAis theofficial U.S. government authorityresponsible for defining, categorizing, and marking CUI via theCUI Registryand associated policies underExecutive Order 13556.
