431.7 - Controlled Unclassified Information

 

U.S. GEOLOGICAL SURVEY DIRECTIVE

SURVEY MANUAL CHAPTER – ADMINISTRATION SERIES

 

Issuance Number: 431.7

Subject: Controlled Unclassified Information

Issuance Date: 5/21/2021

Expiration Date: 5 years from issue or as law or higher-level guidance becomes available

Responsible Office: Office of the Associate Chief Information Officer

Instruction: This is a new Survey Manual (SM) chapter and does not supersede an existing policy.

Approving Official: /s/ Katherine M. McCulloch, Associate Director for Administration

 

1.    Purpose and Scope.  This SM chapter establishes the U.S. Geological Survey (USGS) controlled unclassified information (CUI) program and assigns responsibilities for program management and operations to ensure adequate protection of sensitive but unclassified information.

2.    Authority.  

A.  32 CFR 2002, Controlled Unclassified Information

B.  Executive Order 13556, November 4, 2010, Controlled Unclassified Information

C.  Executive Order 13526, December 29, 2009, Classified National Security Information

D.  National Institute of Standards and Technology (NIST) Special Publication (SP) 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST SP 800-171

3.    References.  

A.  CUI Marking Handbook

B.  CUI Registry

C.  NIST SP 800-88, Guidelines for Media Sanitization

D.  SM 431.6, Records Disposition

E.  SM 440.3, National Security Information

4.    Policy.  This SM chapter establishes the USGS CUI Program for the identification, handling, marking, protecting, sharing, dispositioning, and decontrolling of CUI.

A.  Identifying Controlled Unclassified Information.  CUI is unclassified information that requires protection as identified in a law, regulation, or Government-wide policy.  The CUI Registry provides the categories and subcategories of information that will be marked and handled as CUI.  The CUI Registry also provides dissemination controls, if applicable.

B.  Marking.  All information containing CUI, regardless of format or media, and systems must have authorized markings that are listed in the CUI Registry and comply with the instructions for marking contained in the Handbook for Marking Documents.  These markings are intended to ensure creators and recipients know the sensitivity of the information contained in the document, media, or system (e.g., subject line of an email sent or received).  Additionally, there are two categories when marking CUI – CUI Specified and CUI Basic (see the CUI Registry).  The authorized holder of a document or material is responsible for determining, at the time of creation, whether information in a document or material falls into a CUI category.  If so, the authorized holder is responsible for applying CUI markings and dissemination instructions accordingly.

C.  Controlled Access and Safeguarding.  When not under the direct control of an authorized holder, CUI must be protected with at least one physical or electronic barrier.  In the electronic environment, barriers should exist that ensure only those with a lawful Government purpose have access to controlled information.  This can be accomplished by controlling access to cloud storage, shared drives, file folders, and intranet sites that meet Federal security requirements.  Controlled access for physical records must:

(1)  Be capable of showing evidence of tampering or alteration;

(2)  Have physical barriers including locking doors, overhead bins, drawers, or file cabinets;

(3)  Have key control procedures or electronic access devices to limit or control access to areas where CUI is stored, handled, or processed; and

(4)  Not be in common or public areas.

D.  Commingling CUI with Classified Information.  When CUI is included in a document that contains any type of classified information, that document is referred to as “commingled.”  Commingled documents are subject to CUI and Classified Security restrictions (refer to SM 440.3).

E.  Dissemination.  Access to and dissemination of CUI are permitted for lawful Government purposes to authorized users unless otherwise prohibited by law, regulations, Government-wide policies, or USGS policy.  Dissemination via electronic means should be through Government networks and approved electronic information communication technology and tools.

F.  Disposition.  Record and nonrecord copies of CUI documents are disposed of in accordance with the USGS retention schedule (refer to SM 431.6).  Additionally, CUI, including CUI in electronic form, must be destroyed in a manner that makes it unreadable, indecipherable, and irrecoverable.  If the law, regulation, or Government-wide policy specifies a method of destruction, then that method must be followed (refer to NIST SP 800-88).

G.  Misuse.  Misuse occurs when CUI is not used or protected in a manner consistent with each authority required by the statute, regulation, or Government-wide policy.  Misuse may include intentional violations, unauthorized disclosure, or errors in safeguarding or disseminating CUI to include designating or marking information as CUI when it does not qualify as CUI.  Misuse of CUI may result in sanctions such as administrative or disciplinary action, up to and including removal from Federal service.

H.  Reporting.  All misuse or suspected misuse of CUI must be reported to the USGS’s CUI Coordinator by sending an email to: gs_cui@usgs.gov.

5.    Definitions.  

A.  Authorized Holder.  An individual, agency, organization, or group of users that is permitted to designate or handle CUI.

B.  Controlled Unclassified Information.  Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.  CUI does not include classified information or information a non-Executive Branch entity possesses or maintains in its own systems that did not come from, or was not created or possessed by or for, an Executive Branch agency or an entity acting for an agency.

C.  Controlled Environment.  Any area or space with adequate physical or procedural controls to protect CUI from unauthorized access or disclosure.

D.  CUI Basic.  Information for which an authorizing law, regulation, or Government-wide policy does not have specific handling or dissemination controls.

E.  CUI Executive Agent (CUI EA).  Issues guidance to Executive Branch departments and agencies that handle unclassified information that requires safeguarding or dissemination controls, pursuant to and consistent with applicable law, regulations, and Government-wide policies.

F.  CUI Specified.  Information for which an authorizing law, regulation, or Government-wide policy contains specific handling controls that it requires or permits agencies to use.  The CUI Registry provides the applicable laws, regulations, and Government-wide policies and specific requirements that apply to each category and subcategory.

G.  CUI Registry.  Online repository for all information, guidance, policy, and requirements on handling CUI, including everything issued by the National Archives and Records Administration (NARA).  Among other information, the CUI Registry identifies all approved CUI categories and subcategories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures.

H.  Sanctions.  Some CUI authorities provide for a legal or financial penalty for misuse.  Each CUI authority links to the statute, regulation, or Government-wide policy that includes sanctions such as administrative or disciplinary action, up to and including removal from Federal service for CUI misuse, if applicable.

6.    Responsibilities.  Below are the responsibilities for the CUI-specific roles established to implement the USGS’s CUI program.

A.  Associate Chief Information Officer (ACIO) or designee is responsible for implementation of the CUI Program and is the primary point of contact for official correspondence, accountability reporting, and other matters of record between the Bureau and the CUI Executive Agent.

B.  Associate Directors, Regional Directors, and Office Chiefs are responsible for ensuring that USGS CUI requirements are carried out within their respective areas of responsibility.

C.  Science Center Directors are responsible for the following:

(1)  Ensuring staff identify, mark, control access, and disposition CUI in accordance with applicable requirements; and

(2)  Ensuring a CUI review for any new information systems and modifications to legacy systems.

D.  USGS Records Officer is responsible for oversight of the CUI Program, including the development of policies, procedures, and training, and evaluating compliance with these requirements.

E.  USGS Contracting Officer Representatives/Program and Project Managers are responsible for:

(1)  Incorporating policy requirements and responsibilities into applicable statements of work;

(2)  Monitoring their awards to ensure compliance; and

(3)  Reviewing contracting documentation throughout the contract life cycle.

F.  Supervisors are responsible for ensuring ongoing protection and safekeeping of CUI even after their personnel leave employment.

G.  Information Technology Security Officers and System Managers are responsible for:

(1)  Incorporating appropriate security and control measures into IT systems that contain CUI; and

(2)  Coordinating with the USGS CUI Coordinator on IT system security and system reviews.

H.  USGS CUI Coordinator is responsible for the following:

(1)  Developing and implementing policy and procedures to ensure adequate and proper documentation of USGS activities and appropriate CUI requirements;

(2)  Coordinating implementation of CUI activities with the Department of the Interior CUI Program;

(3)  Developing and implementing records management training for USGS personnel based on roles and responsibilities; and

(4)  Coordinating requirements and soliciting feedback annually or as needed from the designated USGS Records Liaisons and routinely evaluating compliance.

I.  Records Liaisons are responsible for routinely evaluating compliance with their organization or office, and coordinating any questions, issues, and training needs with the CUI Coordinator.

J.  Employees are responsible for the following:

(1)  Annually reviewing CUI Categories impacting information created or received and reporting instances to the CUI Coordinator;

(2)  Marking CUI created with the appropriate markings;

(3)  Securing CUI created and received in accordance with applicable laws and regulations;

(4)  Reporting any CUI mishandling to the CUI Coordinator; and

(5)  Applying controlled disposition in approved methods to prevent unauthorized access to CUI.