In this KB, we will define controlled unclassified information (CUI), discuss methods for erasing it, and provide step-by-step instructions for erasing CUI with BitRaser.
The Federal Trade Commission defines CUI as, "The information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified." The CUI program was developed to guarantee uniformity and consistent practices among government agencies and contractors that have access to CUI. The CUI program is governed by regulations and policies like Executive Order 13556 and 32 CFR Part 2002.
Executive Order 13556 created the CUI program and designated the National Archives and Records Administration (NARA) as the Executive Agent in charge of implementation and compliance. 32 CFR 2002, on the other hand, sets policies for dealing with CUI and it applies to all government and private organizations that have access to CUI. NARA delegated the responsibilities of the Executive Agency to the Director of the Information Security Oversight Office (ISOO), who is responsible for enacting and implementing the CUI policy.
Guidance for Destroying Controlled Unclassified Information:
According to the Defense Counterintelligence and Security Agency's (DCSA) CUI Destruction Guidance (Version July 2022), CUI policy mandates that any organization that stores, processes, or has access to CUI must dispose of it in such a manner that the information becomes unreadable, indecipherable, and irrecoverable.
CUI can be of two types, Paper-based CUI and Media-based CUI. You can refer to the CUI Destruction Guidance to learn how to destroy Paper-based CUI. In this KB we will discuss how to destroy Media-based CUI.
Media-based CUI can be stored on a variety of drives and devices like smartphones, HDDs, SSDs, laptops, PCs, Mac devices, network devices, etc. Each device must be handled in a manner that is effective for that media type. According to 32 CFR 2018 (Page 505), "Agencies must use any destruction method specifically required by law, regulation, or Government-wide policy for that CUI." It further states that if no specific method has been specified by the authorities, any of the methods below can be used:
- NIST SP 800-53 (Guidance for Destruction)
- Federal Information Systems and Organizations (Privacy Controls)
- NIST SP 800-88 (Media Sanitization Guidelines)
- 32 CFR 2001.47 (Any method approved for Classified National Security Information)
So, based on these points we can conclude that NIST Clear, Purge & Destroy methods can be used to erase CUI permanently. (Refer to Table 1)
| Media Type | Clear | Purge | Destroy |
|---|---|---|---|
| Floppy Disks, Disk Drives | Overwrite using agency-approved software | Degauss in an NSA/CSS-approved degausser | Incinerate, Shred |
| ATA Hard drives, SCSI Drives | Overwrite using agency-approved software | Secure Erase, Degauss, or Disassemble and degauss the enclosed platters | Incinerate, Shred, Pulverize, Disintegrate |
| Flash Media – USBs, Memory Cards, SSDs | Overwrite using agency-approved software | Secure data erasure | Incinerate, Shred, Pulverize, Disintegrate |
| CDs/DVDs | N/A | N/A | Remove information using an optical disc grinding device; Incinerate using a licensed facility; Use Optical disk media shredder |
Table 1: NIST Clear, Purge & Destroy According to Media Type (Source: https://www.bitraser.com/article/nist-guidelines-media-sanitization.php)
Now that we know the methods for erasing CUI, let's discuss how you can erase this information using professional data erasure software, BitRaser.
Erase CUI Using BitRaser:
There are two scenarios where you have to destroy CUI:
- The Agency no longer requires the CUI.
- NARA approves record disposition.
If the IT asset that contains CUI will be reused within the agency, you can use BitRaser File Eraser. If, on the other hand, the IT asset is obsolete and has to be replaced, you can use BitRaser Drive Eraser.
When you use File Eraser you can erase volumes, files, folders, and partitions that contain CUI, without harming the OS. Conversely, if you use Drive Eraser it will erase everything including the OS. So depending on your requirements, you can use the software that suits your needs. BitRaser supports the NIST 800-88 data wiping standard (both Clear and Purge), so you can be confident that CUI will be permanently erased beyond recovery as required by the CUI program. BitRaser is tested and approved by NIST and DHS.
Steps for Using BitRaser File Eraser for erasing CUI:
You can refer to our guide for installing BitRaser File Eraser here. Once the software is installed and ready for use you can begin the wiping process.
Step 1: Start the File Eraser application on your device. (Refer to Image 1)
Image 1: BitRaser File Eraser Corporate Home Screen
Step 2: Select the Folder that contains CUI. (Refer to Image 2)
Image 2: Select the Folder that contains CUI
Step 3: Click on 'Erase Now'. A warning dialogue box will appear; click on 'Proceed'. (Refer to Image 3)
Image 3: Click Erase Now then Click Proceed
Step 4: Your system's CUI has been permanently deleted. (Refer to Image 4)
Image 4: CUI Erasure Process Completed
You can also verify CUI erasure using BitRaser's detailed report which is generated automatically.
Similarly, you can use Drive Eraser to erase CUI from your system. To learn how to use BitRaser Drive Eraser you can read our article How to Wipe Laptop or PC.
FAQs
What is CUI?
Controlled Unclassified Information, as per the FTC, is information that requires safeguarding and proper security controls but is not classified. Some examples of CUI are PII (Personally Identifiable Information), PBI (Proprietary Business Information), CBI (Confidential Business Information), UCTI (Unclassified Controlled Technical Information), etc.
Who makes the CUI policy?
NARA (National Archives and Records Administration) delegated the responsibilities of the Executive Agency to the Director of the Information Security Oversight Office (ISOO). The Director of the Information Security Oversight Office (ISOO) is responsible for enacting and implementing the CUI policy.
When does CUI need to be destroyed?
There are two scenarios where you have to destroy CUI:
- The Agency no longer requires the CUI.
- NARA approves record disposition.
What are the methods of destruction of CUI?
CUI can be destroyed using methods specified in NIST SP 800-88 Rev 1, namely NIST Clear, Purge & Destroy.
What is the goal of destroying controlled unclassified information?
The goal of destroying CUI is to make it unreadable, indecipherable, and irrecoverable.