One of the biggest burdens on any government agency or contractor is dealing with controlled unclassified information, or CUI. This information requires oversight, security, access control, and record-keeping – all part of the general “control” of that information – and keeping track of it all can be a huge task.
One way in which this task is made easier is through the process of decontrol. What is decontrol, how is it handled, what makes information eligible for decontrol, and how can you decontrol it? Let’s discuss.
What is Decontrol?
Decontrol is the official process whereby a specific piece of information is removed from the list of information that must be controlled. Sometimes, this occurs because of a change in laws, a change in the nature of the information, or a change in the nature of the agency. All of this is outlined in government documentation via the Code of Federal Regulations.
The idea behind decontrol is to prune the list of information that is considered CUI so that the burden of securing that information is relieved. Just because information is decontrolled does not mean you stop handling it; it is just that the burden of security is somewhat alleviated.
The relevant reference documentation is 32 CFR 2002.18, which you can read here if you want to follow along.
The first line of this document is an important guideline for agencies and information originators:
“Agencies should decontrol as soon as practicable any CUI designated by their agency that no longer requires safeguarding or dissemination controls, unless doing so conflicts with the governing law, regulation, or Government-wide policy.”
In other words, it’s generally considered best practice to decontrol information whenever possible to keep the CUI registry as minimized as possible. There will always be an immense amount of CUI extant within the government and contractor spheres, but the less that needs to be controlled, the easier it is for a contractor to handle it.
Who Can Decontrol CUI?
There are generally three entities that can decontrol any given piece of CUI.
The first is the information’s originator. If the entity, agency, or authority that created the information determines that it no longer requires control as CUI, they can decontrol that information.
The second is the original classification authority or OCA. This is the authority that classifies groups of information according to classification guides; if this authority determines that certain kinds of information are no longer of concern and can be decontrolled, a decontrol order can be issued.
The third is the designated offices for decontrolling CUI. These offices depend on the kind of information being controlled and where that information originates.
A government contractor is generally not the originator of the information and so is not in a position to decontrol it. This is because, generally speaking, the laws that specify the kinds of information that need to be controlled supersede any given contractor’s control over that information.
What Does Decontrolling CUI Mean?
Decontrolling CUI means that the requirement to control the information according to CUI control rules is removed. Any information your service provider or contractor has that is decontrolled will need to be edited to remove the CUI markings.
Note that decontrolling does NOT mean that the information must be discarded or destroyed. It also does NOT mean that the information should be immediately released to the public. It simply means that the information does not need to be as strictly controlled as it was before.
Decontrolling CUI is also not a defense. If an agency or contractor is identified as having an unauthorized disclosure, it cannot attempt to decontrol the information in response to avoid the repercussions of an unauthorized disclosure. Even if the information likely should be decontrolled, until such time as it is actually decontrolled, it needs to be handled as controlled.
What Makes Information Eligible for Decontrol?
There are four specific conditions that can allow an agency to decontrol a piece of CUI, absent another regulation or conflict of interest that requires it to remain controlled.
1. When laws, regulations, or Government-wide policies no longer require its control as CUI and the authorized holder has the appropriate authority under the authorizing law, regulation, or Government-wide policy.
The list of what is considered CUI is long and significant, but occasionally, certain pieces of information can be removed from the list for various reasons. When the government removes a kind of information from the list of CUI categories, all such information can be decontrolled.
2. When the designating agency decides to release it to the public by making an affirmative, proactive disclosure.
Sometimes, a government agency creates information that is considered CUI, but it reaches a point where there’s more benefit to disclosing the information than there is in continuing to control it. In these cases, whether it’s for the public good or as a response to public pressure, the information can be decontrolled.
3. When the agency discloses it in accordance with an applicable information access statute, such as the FOIA, or the Privacy Act (when legally permissible), if the agency incorporates such disclosures into its public release processes.
The Freedom of Information Act allows the public to make an official request for the disclosure of specific information from the government. CUI can be protected against disclosure under the FOIA, but the CUI marking is not by itself a basis for withholding it. Furthermore, information being delivered in response to a FOIA request does not automatically decontrol the information.
4. When a predetermined event or date occurs, as described in section 2002.20(g), unless law, regulation, or Government-wide policy requires coordination first.
32 CFR 2002.20(g) allows the originating agency to designate information as CUI until a specific date or event, whereupon it automatically decontrols, assuming no conflict of interest or other reason why the information might need to remain controlled.
Additionally, the designating agency can decontrol CUI in conjunction with a declassification order or other executive order to declassify or decontrol the information.
Finally, the Archivist of the United States can decontrol information when that information is transferred to the National Archives to facilitate public access. This is pursuant to 44 USC 2108 and 36 CFR 1235, 1250, and 1256. Again, this is as long as there are no other agreements or restrictions requiring ongoing control of the information.
How is Decontrolling CUI Handled?
When CUI is decontrolled, the process is relatively simple. The authority in control of the information will make their determination as to whether or not the information is eligible for decontrol. The requirements for this can vary depending on the kind of information it is, where it originated, and what it entails.
Prior to decontrolling information, a prepublication review needs to be conducted according to DODI 5230.09 and DODI 5230.29. This process is outlined as part of the Department of Defense information control protocols and is required as part of the review of information prior to its decontrol.
If the information is deemed eligible for decontrol, the CUI registry at the National Archives will be notified. Assuming there is no objection or extant conflict of interest, the information can be removed from the CUI registry and decontrolled. From there, any known holders of the information will be notified that the information has been decontrolled.
If you’re a service provider or contractor that handles CUI, you can expect to periodically receive notice that some information you handle has been decontrolled.
When this happens, your copies of the information will need to be altered to strike or remove the markings that designate them as controlled unclassified information. You must do this promptly; delaying can cause conflicts if the information needs to be accessed and you’re handling it as if it’s still controlled.
As mentioned above, you do not then disclose this information, nor are you required to destroy it. You simply no longer need to handle it with the same care as CUI and can use it more freely or with less stringent oversight than you previously would have.
This is not a license to release or disclose the information, nor is it freedom to become lax in your security posture. It’s simply a change in the designation of certain information.
Sometimes, the information you receive as CUI will have additional information attached about when that CUI will be decontrolled along a specific timeline. When this timeline elapses, the information may be decontrolled, but it’s not up to you to decontrol it; you wait for notification that the information has been decontrolled. There are frequently extenuating circumstances or other reasons why the information may not be decontrolled according to the original timeline.
CUI Decontrol Frequently Asked Questions
CUI decontrol is a common but nuanced process that needs to be well understood to avoid making costly mistakes.
Is there a difference between decontrolling and declassifying information?
Yes. Decontrolling information applies to controlled unclassified information, or CUI. Information that is not controlled cannot be decontrolled. Information that is classified can be declassified and potentially designated CUI rather than classified information. If information is declassified, it can also be decontrolled as necessary. The processes are separate but similar in intent.
Is information automatically decontrolled when it is revealed to the public?
Often, yes, but it depends on how the information is revealed. A leak, whistleblower, or compromise of a system resulting in the release of controlled unclassified information does not result in that information being decontrolled. Further review may later result in the removal of that information from the CUI registry or the general decontrol of the information, but often, this is not the case.
Which takes precedence: the originator of the information or the CUI registry?
Generally, the CUI registry will take precedence. If the government, in general, determines that information relating to, for example, a limited and valuable resource within a national park is controlled, the National Park Service cannot decontrol that information without further approval from the government.
If the information is not broadly protected as one of the categories of controlled information in the CUI registry, and the originator of the information determines that it no longer needs to be controlled, they can decontrol the information.
In any instance where there are two or more authoritative entities controlling a given piece of information, they must all be in agreement that the information can be decontrolled in order for it to be decontrolled properly.
If your service provider handles CUI that is later decontrolled, do you need to destroy it?
No. Decontrolling information does not require you to destroy that information. If another reason indicates that you should destroy the information, then you can, but it is not a requirement of the decontrol process.
Can CUI be decontrolled automatically?
Sometimes. In some instances, when information is created, the originator of the information might recognize that it is important to control that information in the immediate short term, but not in the long term. For example, maybe it’s likely only relevant for a year, or it’s only important to a limited governmental action that will be both disclosed and completed by a given timeline. CUI related to that may be decontrolled when that event or timeline is up.
How can you manage CUI and decontrolled CUI within your systems?
Managing CUI means ensuring that your service provider or business maintains an appropriate security posture, generally according to CMMC rules, FedRAMP certification, or another security framework relevant to your business and the governmental relationships you seek.
At Ignyte, we help many businesses in varying industries achieve their security and information control goals. The Ignyte Platform assists with achieving compliance, our role as a 3PAO helps with auditing and passing the process, and our informational resources, such as blog posts like this one, assist with answering any questions you may have along the way.
If you’re interested in seeing what we can do for you, please feel free to reach out and discuss your needs and our potential role with you, or book a demo of the Ignyte Platform today. We look forward to working with you to achieve your security goals.
Max Aulakh is a distinguished Data Security and Compliance leader, recognized for implementing DoD-tested security strategies and compliance measures that protect mission-critical IT operations. His expertise was shaped in the United States Air Force, where he was responsible for the InfoSec and ComSec of network hardware, software, and IT infrastructure across global classified and unclassified networks. He also developed strategic relationships with military units in Turkey, Afghanistan, and Iraq. After his tenure with the USAF, Max played a pivotal role in driving Information Assurance (IA) programs for the U.S. Department of Defense (DoD). As a Senior Consultant for a leading defense contracting firm, he led a team that ensured data centers met Air Force Level Security audits for regulatory requirements like HIPAA, SOX, and FISMA. Currently, as the CEO of Ignyte Assurance Platform, he is at the forefront of cyber assurance and regulatory compliance innovation, catering to defense, healthcare, and manufacturing sectors. Max is also an esteemed speaker, having presented at several conferences on topics including cybersecurity GRC, medical device security, and cybersecurity perspectives in vendor management. You can follow him on LinkedIn here.