Stack of Law Books


What is CUI?

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies as specified in Executive Order 13556 and Rule 32 CFR Part2002. National Archives and Records Administration (NARA) was appointed by the President to be the Executive Agent of the CUI Program.

FERC developed a policy to promote compliance for the protection of sensitive information mandates. The policy lays out procedures for labeling and handling sensitive information. There are eight CUI categories that FERC implemented from NARA’s guidelines. What does this mean to outside entities? You will see labels on the top of documents like CUI//PRIV or CUI//CEII instead of labels like FOUO or SBU. You could also find documents will be password protected and require a password to open.

How to Protect CUI?

FERC may employ one of two options to protect CUI:

  • Password protecting files or folders using WinZip: There are several versions of zip tools available to use to open, so you will need to Google the instructions for the version you are currently using.

  • Password protecting the actual file with Microsoft or Adobe products.



Critical Energy/Electric Infrastructure Information

Critical Energy Infrastructure Info: Engineering, vulnerability, or detailed design information about proposed or existing critical infrastructure that: a) Relates details about the production, generation, transportation, transmission, or distribution of energy; b) could be useful to a person in planning an attack on critical infrastructure; c) is exempt from mandatory disclosure under the FOIA, and d) does not simply give the general location of the critical infrastructure. See 18 C.F.R. § 388.113.
• Critical Electric Infrastructure Info: Refers to CEII that is designated as critical electric infrastructure information by the Commission or the Secretary of the Department of Energy pursuant to section 215A(d) of the Federal Power Act. Such term includes information that qualifies as critical energy infrastructure information under the Commission's regulations. Critical Electric Infrastructure Information is exempt from mandatory disclosure under the Freedom of Information Act,5 U.S.C. 552(b)(3) and shall not be made available by any Federal, State, political subdivision or tribal authority pursuant to any Federal, State, political subdivision or tribal law requiring public disclosure of information or records pursuant to section 215A(d)(1)(A) and (B) of the Federal Power Act. See 18 C.F.R. § 388.113.

Information Systems Vulnerability Information

Related to information that if not protected, could result in adverse effects to information systems. Information system means a discreet set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.


Law Enforcement: Related to techniques and procedures for law enforcement operations, investigations, prosecutions, or enforcement actions.
• Investigation: Related to information obtained during the course of a law enforcement investigation.


Refers to personal information, or, in some cases, "personally identifiable information," as defined in OMB Circular A-130 and OMB M-17-12, or "means of identification" as defined in 18 U.S.C. § 1028(d)(7).


1) Denotes information that section 388.112 of the Commission's regulations, 18 C.F.R. § 388.112, recognizes as privileged. 2) The term ‘privileged’ includes any work-product privilege, attorney-client privilege, governmental privilege, or other privilege recognized under Federal, State, or foreign law.

Procurement Sensitive

Material and information relating to, or associated with, the acquisition and procurement of goods and services, including but not limited to, cost or pricing data, contract information, indirect costs, and direct labor rates.

Source Selection Sensitive

Per FAR 2.101: any of the following [sic] information that is prepared for use by an agency for the purpose of evaluating a bid or proposal to enter into an agency procurement contract, if that information has not been previously made available to the public or disclosed publicly.

Sensitive Security Information

As defined in 49 C.F.R. Part 15.5, Sensitive Security Information is information obtained or developed in the conduct of security activities, including research and development, the disclosure of which DOT has determined would constitute an unwarranted invasion of privacy, reveal trade secrets or privileged or confidential information, or be detrimental to transportation safety. As defined in 49 C.F.R. Part 1520.5, Sensitive Security Information is information obtained or developed in the conduct of security activities, including research and development, the disclosure of which DHS/TSA has determined would, among other things, be detrimental to the security of transportation.


This page was last updated on August 24, 2020