News | Feb. 23, 2021

DLA Intelligence publishes new controlled unclassified information policy

By Christine Born

Say goodbye to For Official Use Only. A Defense Logistics Agency policy published Jan. 28 by DLA Intelligence provides new guidance on labeling unclassified information that’s sensitive but doesn’t require classification.

In March 2020, the Defense Department released DOD Instruction 5200.48 directing the use of “Controlled Unclassified Information” on documents, emails and other products previously labeled by various designations including “For Official Use Only,” “Sensitive But Unclassified,” “Limited Official Use” and “Law Enforcement Sensitive.”

“At least 17 DOD and other federal agencies have over time adopted various identification, marking and safeguarding schemes to control access and dissemination of unclassified information that’s sensitive but doesn’t require classification. This inconsistency led to misunderstanding regarding what protection standards should be applied to those products,” said DLA Information Security Program Manager Matthew Baker.

The new DLA policy, DLAI 5200.48, outlines how employees should apply the new markings as well as standards like encrypting emails containing CUI. It also helps employees identify information that requires protection and provides instructions on applying appropriate safeguards to prevent unauthorized disclosure.

New mandatory training on CUI was launched Feb. 2 through the Learning Management System.

“It is important to take the CUI training because this is a new approach to identifying and protecting information, and employees need to understand how to do so. They have a responsibility to follow the guidance of the CUI program,” Baker said.

Baker said some of the changes include a requirement to include the following CUI designation indicator on the first page of all documents, unclassified or classified, that contain CUI:

Controlled by: [Name of DoD Component] (Only if not on letterhead)

Controlled by: [Name of Office]

CUI Category: [List category or categories of CUI]

Distribution/Dissemination Control: [Who is authorized to receive the information]

POC: [Phone or email address]

“The new policy streamlines how sensitive, unclassified information is protected and eliminates confusion on how to protect data that is often an adversary’s path of least resistance,” said DLA Intelligence Director Stephanie Samergedes. “When employees fail to protect sensitive information, they risk consequences for negligence and become unwitting insider threats.”

A DOD CUI registry also identifies CUI information.

Employees should direct CUI questions to their local DI office. A CUI resource page is available on eWorkplace.