Sensitive but unclassified category simplified

The Bush administration has released new standards for how agencies should label sensitive but unclassified (SBU) information to simplify the more than 100 different markings or handling instructions that officials now attach to that data.

The number of categorizations for SBU data has worried lawmakers and government auditors who say that the agency-specific different labels and instructions were confusing and impeded sharing terrorism-related data. Advocates of open government advocates have expressed concern about how labeling unclassified data affects accessibility.

The new “Controlled Unclassified Information” (CUI) framework replaces the sensitive but unclassified (SBU) categorization and establishes three CUI categories, Under those categories, agencies that are part of the federal information sharing environment or the information sharing council should label unclassified data that is considered sensitive.

The framework sets out the three categories for the data.

  • Controlled with standard dissemination. This is information that requires standard safeguarding measures, dissemination is allowed to extent it is believed to further a lawful or official purpose.

  • Controlled with specified dissemination. This is information that requires safeguarding to reduce the risks of inadvertent disclosure and for when allowed contains additional dissemination instructions.

  • Controlled enhanced with specified dissemination. This information requires more stringent safeguards because unauthorized disclosure could produce significant harm and for when allowed contains additional dissemination instructions.

President Bush issued a memo in 2005 that called for the standardization of SBU data across the government and the Office of the Director of National Intelligence’s Program Manager for the Information Sharing Environment has been working to standardize SBU data.

On May 9, Bush issued a memo that said any additional markings can be prescribed only by the National Archives and Records Administration (NARA) , which will be the “executive agent” in charge of implementing the framework. The memorandum also stated that the new standards would not affect Freedom of Information Act requests and that CUI standard was not meant to classify or declassify any new or additional terrorism- related information.

Patrice McDermott, director of, said that the standard was a welcome first step, but that the real test will be how the new standards are implemented.

“I think the devil is going to be in the details and how this is implemented by NARA,” she said.

About the Author

Ben Bain is a reporter for Federal Computer Week.


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.