Sensitive but unclassified category simplified

The Bush administration has released new standards for how agencies should label sensitive but unclassified (SBU) information to simplify the more than 100 different markings or handling instructions that officials now attach to that data.

The number of categorizations for SBU data has worried lawmakers and government auditors who say that the agency-specific different labels and instructions were confusing and impeded sharing terrorism-related data. Advocates of open government advocates have expressed concern about how labeling unclassified data affects accessibility.

The new “Controlled Unclassified Information” (CUI) framework replaces the sensitive but unclassified (SBU) categorization and establishes three CUI categories, Under those categories, agencies that are part of the federal information sharing environment or the information sharing council should label unclassified data that is considered sensitive.

The framework sets out the three categories for the data.

  • Controlled with standard dissemination. This is information that requires standard safeguarding measures, dissemination is allowed to extent it is believed to further a lawful or official purpose.

  • Controlled with specified dissemination. This is information that requires safeguarding to reduce the risks of inadvertent disclosure and for when allowed contains additional dissemination instructions.

  • Controlled enhanced with specified dissemination. This information requires more stringent safeguards because unauthorized disclosure could produce significant harm and for when allowed contains additional dissemination instructions.

President Bush issued a memo in 2005 that called for the standardization of SBU data across the government and the Office of the Director of National Intelligence’s Program Manager for the Information Sharing Environment has been working to standardize SBU data.

On May 9, Bush issued a memo that said any additional markings can be prescribed only by the National Archives and Records Administration (NARA) , which will be the “executive agent” in charge of implementing the framework. The memorandum also stated that the new standards would not affect Freedom of Information Act requests and that CUI standard was not meant to classify or declassify any new or additional terrorism- related information.

Patrice McDermott, director of, said that the standard was a welcome first step, but that the real test will be how the new standards are implemented.

“I think the devil is going to be in the details and how this is implemented by NARA,” she said.

About the Author

Ben Bain is a reporter for Federal Computer Week.


  • Image: Shutterstock

    COVID, black swans and gray rhinos

    Steven Kelman suggests we should spend more time planning for the known risks on the horizon.

  • IT Modernization
    businessman dragging old computer monitor (Ollyy/

    Pro-bono technologists look to help cash-strapped states struggling with legacy systems

    As COVID-19 exposed vulnerabilities in state and local government IT systems, the newly formed U.S. Digital Response stepped in to help.

Stay Connected