Step 1: Define CUI (Controlled Unclassified Information)CUI is information thatrequires safeguarding or dissemination controlspursuant to and consistent with applicable law, regulations, and government-wide policies, butis not classifiedunder Executive Order 13526 or the Atomic Energy Act.
✅Step 2: Authority over CUI — NARA’s RoleNARA – National Archives and Records Administration, specifically theInformation Security Oversight Office (ISOO), is thegovernment-wide executive agentresponsible for implementing the CUI program.
Source:
32 CFR Part 2002 – Controlled Unclassified Information (CUI)
Executive Order 13556 – Controlled Unclassified Information
CUI Registry – https://www.archives.gov/cui
NARA:
Maintains theCUI Registry,
Issuesmarking and handling guidance,
DefinesCUI categoriesand their authority under law or regulation,
Trains and informs Federal agencies and contractors on CUI policy.
B. NIST✘ NIST (National Institute of Standards and Technology) developstechnical standards(e.g., SP 800-171), but it doesnot define or mark CUI. It helps secure CUI once it’s identified.
C. CMMC-AB (now Cyber AB)✘ The Cyber AB is theCMMC ecosystem’s accreditation body, not a government agency, and hasno authority over CUI classification or marking.
D. Department of Homeland Security (DHS)✘ While DHS mayhandle and protect CUI internally, it is not the executive agent for the CUI program.
❌Why the Other Options Are Incorrect
NARAis theofficial U.S. government authorityresponsible for defining, categorizing, and marking CUI via theCUI Registryand associated policies underExecutive Order 13556.
