Handling CUI

This question of U.S. ONLY and CUI comes up a lot. To be clear, although I have deep experience on the sharing of intelligence information with foreign countries, I am just another retiree. This is my take on the governing regulation as written.

First, foundationally CUI is not No Foreign (NOFORN). It is not ASSUMED to be US ONLY based on the regulation. CUI is founded in 32CFR2002 ( This is THE document that establishes CUI as a thing and is applicable to the entire federal government.

CUI is:

2002.1.(c) All unclassified information throughout the executive branch that requires any safeguarding or dissemination control is CUI. Law, regulation (to include this part), or Governmentwide policy must require or permit such controls. Agencies therefore may not implement safeguarding or dissemination controls for any unclassified information other than those controls consistent with the CUI Program.

It is information, that has not been CLASSIFIED, is Federal Information (so not your or your companies information) and information that law, regulation, or government wide policy says requires protection. The regulation does not lay out any citizenship requirement.

In the publication of this rule ( we see why. Section 2002.2 adds:

2002.2 We received comments on several definitions within this section. One comment asked if there are restrictions on who may be an “authorized holder,” and pointed to provisions where it was not clear if an authorized holder should be the actor. We clarified throughout the regulation whether authorized holders or agencies are the actors. However, the rule does not specify who may be an authorized holder and we decline to add specific criteria. There are no simple, universal rules for authorized holders such as those the comment suggests (U.S. citizens, those with clearances, etc.), and the factors applicable are too multiple and cumbersome to include in a regulation. For some types of CUI, certain laws, regulations, or Government-wide policies establish who may be an authorized holder. Authorized holders may include people outside an agency who have a lawful Government purpose to have, transport, store, use, or process CUI, but also include people within an agency who must handle, process, store, or maintain CUI in the course of their jobs. Agencies differ widely in structure and size, so do not always have the same sets of staff positions or offices; designating particular people within agencies as authorized holders would thus not be practical. Lawful purposes to have CUI outside an agency also vary greatly with the differing missions of agencies and would be equally impractical to list. Agencies must therefore have the discretion to determine who is an authorized holder within the context of that agency's structure, missions, and governing authorities, and in compliance with the CUI EA's policies on handling CUI, including the requirements in this rule.

Ok so 32CFR2002 the foundation of CUI leaves that kind of determination to the agencies and Executive Agents (EA)s. If we then look at this through the DoD lens, the DoD has issued their EA instruction on the handling of CUI in DODI 5200.48, they discuss release to Foreign Nationals:

b. CUI not controlled as NOFORN may be released or disclosed to non-U.S. citizens employed by the DoD if:

(1) Access to such information is within the scope of their assigned duties.

(2) Access to such information would help accomplish a lawful and authorized DoD mission or purpose and would not be detrimental to the interests of the DoD or the U.S. Government.

(3) There are no contract restrictions prohibiting access to such information.

(4) Access to such information is in accordance with DoDIs 8500.01 and 5200.02 and export control regulations, as applicable.

So, if it is NOT marked NOFORN, and it is not ITAR, and does not have other contract prohibitions, accessing the information by foreign nationals as a part of their assigned duties is fine.

Now there is CUI that is not releasable. CUI that is marked NOFORN is a clear example. Known Export Controlled (ITAR/EAR) for which there is not a relevant export license etc. CUI Basic is not one of these specialized categories.

Broadly in the government and intelligence space we often default to an assumption that all information is NOFORN. Deny ALL permit by EXCEPTION. In reality in law and regulation that is often not how those are really written. With CUI I often see people looking for additional “permission” so that they can “just be sure.” I understand the hesitancy but in this case you may be looking for permission that does not exist because it is already in the governing regulation.

To be clear, although I have deep experience on releasability and sharing of intelligence information with foreign countries, I am just another retiree. This is my take on the governing regulation as written.