If you’ve worked around federal data (or plan to), you’ve probably heard the term Controlled Unclassified Information, or CUI.
It refers to information that isn’t classified, but still sensitive enough not to be shared freely. Examples are operational plans, export control data, or personally identifiable information.
In this post, we’ll answer the key question: Which DoD instruction implements the DoD CUI program?
What Implements the DoD CUI Program?
That would be DoD Instruction 5200.48, officially titled “Controlled Unclassified Information (CUI),” which was issued on March 6, 2020.
Again, CUI is any information that’s sensitive but not classified. And just so there’s no confusion, you can’t release CUI to the public without going through a formal review, as required by other DoD policies and manuals.
In short, DoDI 5200.48 is a formal guide on how to handle CUI. It explains who’s responsible for what and sets clear rules for how CUI should be identified, marked, shared, protected, stored, decontrolled, and destroyed.
Before this, different parts of the DoD used a patchwork of labels like “For Official Use Only (FOUO)” or “Sensitive But Unclassified (SBU).”
To establish a unified, government-wide approach to managing CUI, DoDI 5200.48 was created.
Who the Instruction Applies To
This instruction applies to just about everyone in the Department of Defense, including:
- The Office of the Secretary of Defense (OSD)
- All branches of the military (Army, Navy, Air Force, Marines, Space Force)
- The Joint Chiefs of Staff and Joint Staff
- Combatant Commands
- The DoD Inspector General (OIG DoD)
- Defense Agencies and Field Activities
- Any other organizational units that are part of the DoD
In addition, it covers any contracts, agreements, or arrangements where someone needs access to CUI.
That includes grants, licenses, MOUs, and information-sharing deals, even when they’re outside traditional DoD structures. These must follow the rules laid out in federal regulations and acquisition policies.
What CUI Is Not For
You can’t use the CUI label just to:
- Hide illegal activity or mistakes
- Avoid embarrassment
- Block fair competition
- Restrict access to info that doesn’t legally need protection (unless specifically approved by the CUI Executive Agent)
What’s in DoDI 5200.48?
Here’s what you’ll find inside the instruction, boiled down to the essentials:
- Designation and Marking: Information must be correctly marked with CUI designations, per the National Archives and Records Administration (NARA) CUI Registry.
- Training: All DoD personnel with access to CUI must complete education and training.
- Safeguarding: CUI must be stored, transmitted, and destroyed using specific procedures that prevent unauthorized access or dissemination.
- Dissemination, Decontrolling, and Destruction: When data no longer needs safeguarding, the instruction explains how to remove CUI markings and handle it accordingly.
You can view the full documentation of DoDI 5200.48 here.
Final Thoughts
DoDI 5200.48 is part of a broader federal initiative to improve how unclassified but sensitive information is managed.
So, next time someone asks what DoD instruction implements the DoD CUI program, you’ll know exactly where to point them.