But it’s not classified,
Ever Heard of Unclassified Controllable Information (UCI) ?
There are over 100 ways of characterizing Sensitive but Unclassified (SBU) information, and even more opinions on how it should be protected, marked and disseminated.
We all have experience with handling information that is SBU/FOUO/PII and any number of the other 100 characterizations of sensitive information that are out there. We know that having experience handling FOUO for one customer rarely prepares you to handle it for another. Everyone has their own rules on how they want their information to be protected, even if the markings are the same.
The Information Security Oversight Office (ISOO) is working to change that.
You have probably already heard the term, “Controlled Unclassified Information” or “CUI”. These are the terms that will be used to describe all information that is unclassified, but sensitive enough that it still needs extra protection.
Information that is currently being marked SBU, FOUO, PII, LEO, etc. will be pulled in under the CUI program. This program hopes to establish a common understanding of CUI control, promote information sharing, reinforce existing legislation and regulations, and clarify the difference between CUI and FOIA exemptions.
By providing one stop for guidance on protecting and handling CUI, ISOO’s program will provide a foundation similar to what we have in the NISPOM for classified information.
When we are all playing by the same rules, we can be confident that we continue to do our best to protect sensitive information.