Sensitive but unclassified category simplified

The Bush administration has released new standards for how agencies should label sensitive but unclassified (SBU) information to simplify the more than 100 different markings or handling instructions that officials now attach to that data.

The number of categorizations for SBU data has worried lawmakers and government auditors who say that the agency-specific different labels and instructions were confusing and impeded sharing terrorism-related data. Advocates of open government advocates have expressed concern about how labeling unclassified data affects accessibility.

The new “Controlled Unclassified Information” (CUI) framework replaces the sensitive but unclassified (SBU) categorization and establishes three CUI categories, Under those categories, agencies that are part of the federal information sharing environment or the information sharing council should label unclassified data that is considered sensitive.

The framework sets out the three categories for the data.

  • Controlled with standard dissemination. This is information that requires standard safeguarding measures, dissemination is allowed to extent it is believed to further a lawful or official purpose.

  • Controlled with specified dissemination. This is information that requires safeguarding to reduce the risks of inadvertent disclosure and for when allowed contains additional dissemination instructions.

  • Controlled enhanced with specified dissemination. This information requires more stringent safeguards because unauthorized disclosure could produce significant harm and for when allowed contains additional dissemination instructions.

President Bush issued a memo in 2005 that called for the standardization of SBU data across the government and the Office of the Director of National Intelligence’s Program Manager for the Information Sharing Environment has been working to standardize SBU data.

On May 9, Bush issued a memo that said any additional markings can be prescribed only by the National Archives and Records Administration (NARA) , which will be the “executive agent” in charge of implementing the framework. The memorandum also stated that the new standards would not affect Freedom of Information Act requests and that CUI standard was not meant to classify or declassify any new or additional terrorism- related information.

Patrice McDermott, director of, said that the standard was a welcome first step, but that the real test will be how the new standards are implemented.

“I think the devil is going to be in the details and how this is implemented by NARA,” she said.

About the Author

Ben Bain is a reporter for Federal Computer Week.


  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected