Berkleley Lab

Information Technology

You are here: Home / IT Policy / Policy / Controlled Unclassified Information (CUI) / CUI FAQ

CUI FAQ

What do I do if I need to receive, send, store or access files marked CUI?

The first step is to request a CUI-enabled account. You can do that by completing the request form using this link.

You can also use that link to request access to an existing CUI shared drive, or to create a new CUI shared drive to store CUI you have received. But for all instances, you are required to have a CUI-enabled account.

What does it mean to have a CUI-enabled Gmail? 

Having a CUI-enabled Gmail account allows you to receive and store CUI. This enablement includes making you a member of the “CUI-Enabled” Google Group, which applies specific configuration settings to your account. Additionally, it disables “Less secure apps,” thereby enforcing MFA by deactivating legacy password authentication.

While some requirements are not technically enforced, it is mandatory to adhere to certain policies. You must disable auto-forwarding, meaning you cannot automatically forward emails to other accounts like @berkeley.edu or @gmail.com. Furthermore, delegation must be disabled, allowing delegated access only from other CUI-enabled accounts, with the exception of calendar delegation. Upon enabling your account for CUI, you are required to complete the SEC 471- CUI Briefing training.

Where can I access the CUI Onboarding Slide Deck?

You can access the CUI Onboarding Slide Deck here.

How do I send CUI?

If you want to send CUI to another Berkeley Lab employee, you should do so via the share settings on the CUI Shared Drive.

If you are sending CUI to someone outside of Berkeley Lab, please contact itpolicy@lbl.gov for additional guidance.

What do I do if my research requires computation with CUI data?

If you have computational needs that are greater than email or Google Drive please reach out to itpolicy@lbl.gov

What about marking files CUI?

Lab employees must not mark information as CUI until marking guidance is published through the IT Policy Group. As part of the three-year implementation schedule, we are building out our approach and guidance on marking files CUI. Due to existing policies and guidance that disallowed CUI, we do not anticipate significant marking needs going forward. We have identified pockets of CUI, such as Emergency Management documents related to Critical Infrastructure, Controlled Technical Information with military or space application, and General Privacy for research that contains PII. There may be additional pockets of CUI at the Lab which will be identified with the Information Protection Program rollout.

What about files previously marked OUO?

Legacy OUO, which are documents previously marked as OUO, do not have to be marked or treated as CUI unless they were modified after May 15, 2022.

Where can I access the complete list of CUI Categories?

https://www.archives.gov/cui/registry/category-list

Is Federal-owned information treated differently to Contractor-owned and CRADA/SPP-governed information? 

Yes, the requirements of 471.7 and 800.171 only apply to Federal-owned CUI. Any information owned by the Contractor (like Berkeley Lab) or governed through a CRADA or Strategic Partnership Program (SPP) with Non-Federal sponsor protected information will be controlled at the level commensurate with the risk determined at a local level. All that to say, the Lab will determine the appropriate controls for the information type if it is not Federal-owned information.

Is EAR99 Export Controlled Information considered CUI?

This is part of an ongoing and evolving conversation on accurately marking information as CUI. We are currently not requiring Lab employees to mark EAR99 research as CUI. But please remember that if a Federal Agency sends us Federal-owned information marked CUI, we must protect it at the level of CUI.

Contractors working for a Federal Agency related to a project I’m involved with are marking files as CUI. Do I have to protect those files at the level of CUI?

Given the sensitive nature of this type of research, especially as it concerns Military or Defense related research projects, you must protect this information at the level of CUI.

Help / Feedback

If you have questions or comments about this page, please contact IT Policy at itpolicy@lbl.gov.

Was this page useful?

Send
like not like
Back to Top