An official website of the United States government
Here's how you know
A .mil website belongs to an official U.S. Department of Defense organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .mil website. Share sensitive information only on official, secure websites.

News | June 1, 2023

Press Release: Audit of the DoD’s Implementation and Oversight of the Controlled Unclassified Information (CUI) Program

Inspector General Robert P. Storch announced today that the Department of Defense Office of Inspector General (DoD OIG) released a report on the “Audit of the DoD’s Implementation and Oversight of the Controlled Unclassified Information (CUI) Program,” which highlights concerns regarding the implementation of the DoD CUI Program. 

The report released today identified that DoD Components did not effectively oversee the implementation of DoD CUI Program requirements to ensure that CUI documents and e-mails contained the required markings and that all personnel completed the appropriate CUI training.   

IG Storch stated:  “The DoD’s transition from the use of markings, such as For Official Use Only (FOUO), to the use of CUI is a significant change that requires continued emphasis and oversight from DoD leadership to ensure that DoD personnel properly and consistently mark documents and e-mails that contain CUI and complete CUI training.  The continued use of improper or inconsistent CUI markings can increase the risk of the unauthorized disclosure of CUI or unnecessarily restrict the dissemination of information and create obstacles to authorized information sharing with our Congressional leaders and the American public.”

While the audit report focuses on the effectiveness of DoD’s implementation of its CUI Program, the report also provides insights into issues with the use of limited dissemination controls (LDCs) on documents that contain CUI.  For example, the National Archives and Records Administration (NARA) and DoD CUI Registries state that the Federal employees only (FED ONLY) and Federal contractors only (FEDCON) LDCs authorize the sharing of CUI only with employees of the Executive Branch, which, by definition, excludes Congress.  That exclusion contradicts a statement made by a NARA official, who stated that LDCs were not intended to prevent Congress from receiving documents marked CUI or impede Congressional oversight.   

To address these issues, the OIG recommended, among recommendations related to training and implementation of program controls, that the Under Secretary of Defense for Intelligence and Security coordinate with NARA to clarify the intent of the FED ONLY and FEDCON LDCs and when they should apply.