IMPLEMENTATION OF DODI 5200.48, CONTROLLED UNCLASSIFIED INFORMATION
Date Signed: 11/3/2020 | MARADMINS Number: 664/20
MARADMINS : 664/20

R 031916Z NOV 20
MARADMIN 664/20
MSGID/GENADMIN/CMC WASHINGTON DC PPO PS//
SUBJ/IMPLEMENTATION OF DODI 5200.48, CONTROLLED UNCLASSIFIED INFORMATION//
REF/A/DODI 5200.48//
NARR/REF A IS THE DEPARTMENT OF DEFENSE INSTRUCTION IMPLEMENTING THE CONTROLLED UNCLASSIFIED INFORMATION PROGRAM. REF B IS THE DEPARTMENT OF THE NAVY INFORMATION SECURITY POLICY. REF C IS THE MARINE CORPS ORDER REGARDING INFORMATION AND PERSONNEL SECURITY.//
POC/WILLIAM T. POTTS/CIV/ HQMC PP&O PS/-/TEL: 703-695-7162/EMAIL: WILLIAM.T.POTTS@USMC.MIL//
GENTEXT/REMARKS/1.  This MARADMIN is a supplement to previously published guidance regarding the release of Ref A.  Information was forwarded to Command Security Managers (CSM) across the Marine Corps following the release of Ref A and immediately after the completion of the DOD Virtual Security Conference held 23-24 June 2020 which discussed Controlled Unclassified Information (CUI) Implementation.
2.  Implementation of Ref A is intended to be done slowly and in a phased approached.  Phase I is to train the force.  The Center for Development of Security Excellence (CDSE), an element of the Defense Counterintelligence & Security Agency (DCSA), has developed and released the only authorized and approved DOD CUI training module.  The training module is accessed at https:(slash)(slash)www.dodcui.mil/Home/Training/.  Click on the CDSE link to access the “CDSE Current CUI” page.  This training is mandatory and a certificate is provided upon completion for verification.
3.  Background.  In response to information sharing challenges from inconsistent definitions and marking requirements applied to CUI, Part 2002 of Title 32 Code of Federal Regulation (CFR) standardized the definition of CUI and codified the identification, sharing, safeguarding, marking, storage, distribution, transmission, decontrol, destruction, training, monitoring, and reporting requirements across the Executive Branch of government.  REF A is the DOD’s implementing guidance to Part 2002 of Title 32 CFR and replaces DOD Manual 5200.01, Volume 4.  Additional CUI Program implementation guidance is provided below.
3.A.  Who can access CUI?  The overall question of who can access CUI is based on whether the individual has a “Lawful Government Purpose.”  While similar to “Need to Know” for classified information, it is not intended to be the same.  Refer to REF A for more information on “Lawful Government Purpose.”
3.B.  Investigation Requirement.  The most common question regarding access to CUI is, “is there an investigation requirement to access CUI?”  Commands should use the Office of Personnel Management (OPM) Position Description Tool when determining what background investigation is required for execution of duties outlined within a position description.  If the Tool states Tier 2 or Tier 4 (T2/T4), commands will default to a Tier 3, as the Department of the Navy (DON) does not process T2/T4 investigations.  Additionally, if the position does not require IT system access to PII or access to Classified National Security Information, a Tier 1 must be processed.
3.C.  DOD CUI Registry.  The DOD CUI Registry provides an official list of Indexes and Categories used to identify the various types of CUI.  The approved CUI Registry can be accessed on the DOD CUI Program site at https:(slash)(slash)www.dodcui.mil/.  Additionally, there are specific Defense CUI categories, but they are not the only authorized categories.  DOD is authorized to use all 19 categories and their subcategories when identifying CUI.
3.D.  CUI and For Official Use Only (FOUO) are not interchangeable terms/acronyms.  Remember, information identified as FOUO must have met one or more Freedom of Information Act (FOIA) Exemptions.  When handling legacy type information (e.g., FOUO), the material is not required to be re-marked while it remains under DOD control or is accessed online and downloaded for use within the DoD.  However, any such document or new derivative document must be marked as CUI if the information qualifies as CUI and the document is being shared outside DOD.  Individuals must use the CUI Registry to ensure all CUI is identified appropriately.
3.E.  Policies, guidance, training tools, and other toolkit items are posted on the PSI Blog page on the Security SharePoint site at https:(slash)(slash)eis.usmc.mil/ sites/hqmcppo/PS/PSS/Blog/default.aspx.  The DoD CUI Program site is another authorized location to access up-to-date policies, registry information, etc.
4.  DOD Components and Military Departments are encouraged to not use the notices, resources, or training provided by the Information Security Oversight Office (ISOO).  We encourage CSMs, or designated CUI Program Managers, to use the PSI Blog, DOD CUI Program, and CDSE websites when accessing policies, training, and program updates.
5.  Previously released guidance from the office of the Deputy Under Secretary of the Navy for Security & Intelligence (DUSN S&I) is available on their SharePoint site at https:(slash)(slash)portal.secnav.navy.mil/orgs/DUSNP/Security-Directorate/Information-Security/SitePages/Home.aspx.  Specific information is also available from the POC of this message.
6.  Release authorized by SES Randy R. Smith, Director, Plans, Policies, and Operations (Security).//