NASA Procedural Requirements

NPR 2810.7 Effective Date: October 22, 2021 Expiration Date: October 22, 2026

Subject: Controlled Unclassified Information

Responsible Office: Office of the Chief Information Officer

Appendix A Definitions

Agreements and arrangements are any vehicle that sets up specific CUI handling requirements for Contractors and other information-sharing partners when the arrangement with the other party involves CUI. Agreements and arrangements include, but are not limited to contracts, grants, licenses, certificates, memoranda of agreement/arrangement or understanding, and information sharing agreements or arrangements. When disseminating or sharing CUI with non-executive branch entities, agencies should enter into agreements or arrangements when feasible.

Authorized holder is an individual, agency, organization, or group of users that is permitted to designate or handle CUI, in accordance with 32 CFR pt. 2002, and approved NASA CUI policy and guidelines. Generally, this is all trained NASA employees and contractors.

Controlled is an alternative banner marking used by some departments and agencies to indicate that the presence of CUI information in the document. “Controlled” is equivalent to the banner marking “CUI.”

Note: NASA will not use this banner marking.

Controlled Environment is any area or space an authorized holder deems to have adequate physical or procedural controls (e.g., barriers or managed access controls) to protect CUI from unauthorized access or disclosure.

Controls are safeguarding or dissemination controls that a law, regulation, or Government-wide policy requires or permits agencies to use when handling CUI. The authority may specify controls it requires or permits the agency to apply, or the authority may generally require or permit agencies to control the information (in which case the agency applies controls from the E.O., 32 CFR pt. 2002, and the CUI Registry).

CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or Government-wide policy requires or permits an agency to handle with safeguarding or dissemination controls.

CUI Basic is the subset of CUI for which the authorizing law, regulation, or Government-wide policy does not set out specific handling or dissemination controls. Agencies handle CUI Basic according to the uniform set of controls set forth in 32 CFR pt. 2002 and the CUI Registry. CUI Basic differs from CUI Specified (see definition for CUI Specified in this section), and CUI Basic controls apply whenever CUI Specified controls do not cover the involved CUI.

CUI Executive Agent is The National Archives and Records Administration (NARA) who has delegated those responsibilities to the Director of their Information Security Oversight Office (ISOO).

CUI Registry is the online repository for all information, guidance, policy, and requirements on handling CUI, including everything issued by the CUI Executive Agent other than the CUI regulations in 32 CFR pt. 2002. Among other information, the CUI Registry identifies all approved CUI categories, provides general descriptions for each, identifies the basis for controls, establishes markings, and includes guidance on handling procedures.

CUI Specified is the subset of CUI in which the authorizing law, regulation, or Government-wide policy contains specific handling controls that requires or permits agencies to use procedures and protections that exceed those for CUI Basic. The CUI Registry indicates which laws, regulations, and Government-wide policies include such specific requirements. CUI Specified controls may be more stringent than, or may simply differ from, those required by CUI Basic; the distinction is that the underlying authority spells out specific controls for CUI Specified information and does not for CUI Basic information. CUI Basic controls apply to those aspects of CUI Specified where the authorizing laws, regulations, and Government-wide policies do not provide specific guidance.

Decontrolling occurs when an authorized holder, consistent with the CUI regulations and the CUI Registry, removes safeguarding or dissemination controls from CUI that no longer requires such controls. Decontrol may occur automatically or through agency action. See 32 CFR § 2002.18.

Designating CUI occurs when an authorized holder, consistent with 32 CFR pt. 2002 and the CUI Registry, determines that a specific item of information falls into a CUI category.

Designator is an individual, agency, organization, or group of users that is permitted to designate or handle CUI, in accordance with 32 CFR pt. 2002, and approved NASA CUI policy and guidelines. Generally, this is all trained NASA employees and contractors.

Dissemination occurs when authorized holders provide access, transmit, or transfer CUI to other authorized holders through any means, whether internal or external to an agency.

Handling is any use of CUI, including but not limited to marking, safeguarding, transporting, disseminating, re-using, and disposing of the information.

Lawful Government Purpose is any activity, mission, function, operation, or endeavor that the U.S. Government authorizes or recognizes as within the scope of its legal authorities or the legal authorities of non-executive branch entities (such as state and local law enforcement).

Legacy material is unclassified information that an agency marked as restricted from access or dissemination in some way, or otherwise controlled, prior to the CUI Program.

Limited Dissemination Control is any CUI Executive Agent-approved control that agencies may use to limit or specify CUI dissemination.

Misuse of CUI occurs when someone uses CUI in a manner not in accordance with the policy contained in these guidelines, the CUI regulations, E.O. 13556, 32 CFR pt. 2002, the CUI Registry, agency CUI policy, or the laws, regulations, and Government-wide policies that govern the affected information. This may include intentional violations or unintentional errors in safeguarding or disseminating CUI. This may also include designating or marking information as CUI when it does not qualify as CUI.

Uncontrolled Unclassified Information or UUI is information that neither the E.O. 13556 nor the authorities governing classified information cover as protected. Although this information is not controlled or classified, agencies will still handle it in accordance with Federal Information Security Modernization Act (FISMA) requirements.

Underlying Authority is any law, regulation, or Government-wide policy that prescribes a type of CUI Specified.

DISTRIBUTION:
NODIS

This document does not bind the public, except as authorized by law or as incorporated into a contract. This document is uncontrolled when printed. Check the NASA Online Directives Information System (NODIS) Library to verify that this is the correct version before use: https://nodis3.gsfc.nasa.gov.