CUI Directive: Destroy Paper to 1mmx5mm Particle Size
The new ISOO CUI directive, which affects all Executive branch agencies, has clear requirements for information end-of-life, mandating that all CUI information be destroyed to NIST 800-88 specifications. The specification for paper is a 1mmx5mm final particle size, which is the same particle size as required by the NSA for classified and top secret information. All of SEM’s high security shredders meet this mandate.
All unclassified information throughout the Executive branch that requires any safeguarding or dissemination control is characterized as Controlled Unclassified Information (CUI) and includes nearly all government agencies. Further, unclassified data such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU), Personally Identifiable Information (PII), as well as information relating to critical infrastructure, defense, export control, financial, immigration, intelligence, international agreements, law enforcement, legal, natural and cultural resources, NATO, nuclear, patent, privacy, procurement and acquisition, proprietary business information, provisional, statistical, tax, and transportation all fall under this requirement.
Executive Order 13556 “Controlled Unclassified Information” (the Order) establishes a program for managing CUI across the executive branch and designates the National Archives and Records Administration (NARA) as Executive Agent to implement the Order and oversee agency actions to ensure compliance. The Archivist of the United States delegated these responsibilities to the Information Security Oversight Office (ISOO).
32 CFR Part 2002 “Controlled Unclassified Information” was issued by ISOO to establish policy for agencies on designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI, self-inspection and oversight requirements, and other facets of the program. The rule affects federal executive branch agencies that handle CUI and all organizations that handle, possess, use, share, or receive CUI — or which operate, use, or have access to federal information and information systems on behalf of an agency. Agencies therefore may not implement safeguarding or dissemination controls for any unclassified information other than those controls consistent with the CUI Program. Prior to the CUI Program, agencies often employed ad hoc, agency-specific policies, procedures, and markings to handle this information. This patchwork approach caused agencies to mark and handle information inconsistently.
The ISOO CUI directive, which affects all Executive branch agencies, has very clear requirements for information end-of-life, mandating that all CUI information be destroyed to NIST 800-88 specifications. For paper, the NIST 800-88 destruction specification is a 1mmx5mm final particle size, which is the same particle size as required by the NSA for classified and top secret information. Therefore, all CUI paper MUST be destroyed using a high security shredder that produces a final particle size of 1mmx5mm or less, such as those listed on the NSA/CSS 02-01 EPL for classified paper destruction. All of SEM’s high security shredders meet this mandate.