Controlled Unclassified Information
CUI Navigation Menu
Controlled Unclassified Information
These pages require SLAC Authentication:
What is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) is information the government, or those on behalf of the government, create or possess that a law, regulation, or government-wide policy (LRGWP) specifies that the information is to be protected.
In simpler terms:
Controlled Unclassified Information (CUI) is essentially sensitive government information created by or for the US government, that needs to be protected, even though the information is not considered classified. SLAC is a Department of Energy (DOE) contractor and produces and handles CUI regularly.
CUI is not secret but still requires special handling to prevent unauthorized access, which could pose serious risks to SLAC or the DOE, including reputational damage, financial loss, intellectual property theft, or espionage.
Who can access CUI?
CUI can be shared with authorized users who has a Lawful Government Purpose (LGP). When sharing CUI, it is important to consider whether the contents of the CUI will help achieve the goals of a common project or operation. CUI owners can place Limited Dissemination Controls on CUI to limit and control who can access the information.
Lawful Government Purpose (LGP) Definition
Lawful Government Purpose, as defined by the CUI Registry, is any activity, mission, function, operation, or endeavor that the U.S. Government authorizes or recognizes within the scope of its legal authorities or the legal authorities of non-executive branch entities (such as state and local law enforcement). An employee's LGP may be defined by DOE policy, position descriptions, or contractual requirements.
How do I know if it is CUI?
If you create information on behalf of the government that falls in a law, regulation, or government-wide policy (LRGWP) and is in a category that is applicable and gives the DOE authority to use it, the information is CUI.
Some examples of CUI are:
The examples listed are considered CUI when the information is shared outside of SLAC.
- Financial data and accounting records
- Unclassified controlled technical specifications
- Technical designs and blueprints
- Export control information
- Procurement and acquisition information
- Sensitive business information
- Patent applications and related intellectual property
- Emergency Management
- Information Systems Vulnerability Information
- Collective Bargaining
- Information related to critical infrastructure
Common CUI FAQs
If you receive CUI, you must:
- Ensure that only authorized individuals have access to CUI
- Ensure CUI is not exposed to unauthorized parties
- Retain all CUI markings
- Only store CUI on approved secure systems (e.g., separate SharePoint site only for CUI)
- Take the full CUI Training course (CUI100: Overview of Controlled Unclassified Information)
If you share or send CUI, you must:
- Retain all CUI markings
- Ensure that you are only sharing CUI with authorized individuals
- Follow any limited dissemination markings that are used to limit who can access the CUI
- Encrypt CUI data that moves outside your perimeter that includes both files and emails that contain CUI
If you create CUI, you must:
- Clearly mark CUI to distinguish it from other information
- Only allow access to authorized individuals with a lawful government purpose (LWP)
- Ensure CUI is not exposed to unauthorized persons
- Retain all CUI markings
- Use strong encryption standards for storing and transmitting CUI to protect it from unauthorized access
- Use secure methods to transmit CUI electronically and physically
- Take the full CUI Training course (CUI100: Overview of Controlled Unclassified Information)
