An official website of the United States government
Here's how you know
Official websites use .mil
A
.mil
website belongs to an official U.S. Department of Defense organization in the United States.
Secure .mil websites use HTTPS
A
lock (
lock
)
or
https://
means you’ve safely connected to the .mil website. Share sensitive information only on official, secure websites.
Skip to main content (Press Enter).
Toggle navigation
DoD CUI Program
DoD CUI Program
Search
Search DODCUI:
Search
Search DODCUI:
Search
Home
Policy
Training
About Us
About Us
Contact
Contact Us
OSD Components
Under Secretary of Defense for Research and Engineering (USD(R&E))
Under Secretary of Defense for Policy (USD(P))
Under Secretary of Defense for Comptroller/Chief Financial Officer (USD(C)/CFO)
Inspector General of the Department of Defense (DoD(IG))
Office of the General Council of the Department of Defense (DoD(OGC))
Director, Cost Assessment and Program Evaluation (CAPE)
Director, Operational Test and Evaluation (O&TE)
Office of Net Assessment (ONA)
Joint Staff
Combatant Commands
United States Africa Command (USAFRICOM)
United States Central Command (USCENTCOM)
United States Cyber Command (USCYBERCOM)
United States Northern Command (USNORTHCOM)
United States Indo-Pacific Command (USINDOPACOM)
United States South Command (USSOUTHCOM)
United States Special Operations Command (USSOCOM)
United States Strategic Command (USSTRATCOM)
United States Transportation Command (USTRANSCOM)
Military Departments
US Army
US Navy
US Air Force
Defense Agencies
Defense Advanced Research Projects Agency (DARPA)
Defense Contract Audit Agency (DCAA)
Defense Contract Management Agency (DCMA)
Defense Finance and Accounting Services (DFAS)
Defense Health Agency (DHA)
Defense Information Systems Agency (DISA)
Defense Intelligence Agency (DIA)
Defense Logistics Agency (DLA)
Defense Counterintelligence and Security Agency (DCSA)
Defense Threat Reduction Agency (DTRA)
National Geospatial-Intelligence Agency (NGA)
National Reconnaissance Office (NRO)
National Security Agency/ Central Security Service (NSA/CSS)
Pentagon Force Protection Agency (PFPA)
DoD Field Activities
Defense Media Activity (DMA)
Defense Technical Information Center (DTIC)
Department of Defense Test Resource Management Center (TRMC)
Washington Headquarters Services (WHS)
CMMC
Cybersecurity Maturity Model Certification
What's New
Frequently Asked Questions
CUI Registry Change Log
CUI Registry New
Home
Frequently Asked Questions
Is my CAC CUI because it contains the DoD ID number (EDIPI)?
No. While the DoD ID number is personally identifiable information (PII), it does not meet the criteria for CUI unless it is included in a grouping of information that contains the individual’s name or other unique identifier combined with one or more of the following:
Truncated SSN (such as last four digits)
Date of birth (month, day, and year)
Citizenship or immigration status
Ethnic or religious affiliation
Sexual orientation
Criminal history
Medical information
System authentication information such as mother's maiden name, account passwords, or personal identification numbers
I have a document that contains PII. Do I have to mark it as CUI?
Not necessarily. It depends on what PII is on the document. Examples of PII include social security number, passport number, driver’s license number, taxpayer identification number, patient identification number, financial account or credit card number, personal address and phone number, biometric records. The document becomes CUI when individual pieces of PII are combined which can then be used collaboratively to identify a specific individual.
When do I need to put a Privacy Act Statement (PAS) on a document?
When a Federal agency requests that you provide personal information (name, date of birth, social security number, etc) for a system of records, regardless of the method used to collect the information (i.e., forms, personal or telephonic interview, etc), a Privacy Act Statement (PAS) is required. If the information requested will not be included in a system of records, a PAS is not required.
We were told to put a distribution statement on a document, but there is no CUI in the document. Can a document have a distribution statement and not be CUI?
The application of a distribution statement does not automatically mean the document is CUI.
Do not confuse the two issues. Pursuant to DoDI 5230.24, “Distribution Statements on DoD Technical Information,” distribution statements are applied to technical documents, regardless of whether the document is classified, unclassified, or CUI. Certain CUI categories require a distribution statement because of the technical nature of the information. Not every document containing CUI requires a distribution statement.
Can we share CUI with Congress?
Yes. It is DoD policy to provide Congress with all the information it needs to conduct effective oversight. Any Member of Congress and their personal or professional staff are authorized to receive and share CUI from DoD.
Can I share CUI with foreign allies and partners?
Yes, you may share CUI with our foreign allies and partners unless sharing with that country is specifically restricted. However, DoD Components and sub-Components still have the latitude to restrict sharing in accordance with their specific policies.
Are all legacy marked FOUO documents now CUI?
No. It is not an automatic one-to-one swap. Some information previously marked as FOUO will qualify as CUI. FOUO information must be assessed against the CUI Registry to determine if it is now CUI.
Information previously marked as FOUO does not need to be re-marked as long it remains under DoD control or is accessed online and downloaded for use within the DoD.
However, if the same information is put in a new document or is shared outside the Department, it needs to be assessed to see if it meets the criteria for CUI and marked appropriately.
Not every Executive branch agency has implemented CUI, so you may still receive documents marked as FOUO. Documents with other markings should be handled in accordance with guidance from those agencies.
Can I take CUI home with me?
Yes, personnel can take CUI home. CUI materials hand-carried out of the office or approved telework location must have a CUI cover sheet (Standard Form 901) on top of the documents, with all materials placed in an opaque envelope, without CUI markings or indications on the outermost layer. In personal residences, secure CUI documents in desks, file cabinets, bookcases, or similarly-secured areas when not actively in use. Disconnect devices such as Alexa when discussing CUI.