So you’ve got a stack of old files. Maybe they’re marked CUI. Maybe you’re just pretty sure they are. And you’re thinking, “Great, time to shred.”
Hold on.
Why does this matter? Because “pretty sure” can get you—or your organization—into serious trouble. Controlled Unclassified Information isn’t just a label; it’s a legal and security designation. And destroying it isn’t a casual “shred day” event. It’s a process. A documented, reviewed, and verified process.
Let’s talk about what actually needs to happen before those CUI documents hit the shredder, the incinerator, or the digital wipe.
What Is CUI (Controlled Unclassified Information)?
Here’s the thing: CUI isn’t some exotic, top-secret stuff. It’s the information the U.S. government creates or possesses that requires protection, but isn’t classified. Think export controls, critical infrastructure data, law enforcement details, or proprietary business data shared with a government agency.
It’s information that, if leaked, could harm national security, economic interests, or individual privacy. But since it’s not classified, it doesn’t fall under the same rigid rules as Top Secret material. Instead, it follows the CUI Program, which standardizes how agencies and contractors handle this info.
And yeah — that's actually more nuanced than it sounds.
The key is the marking: “CUI” or a specific category like “CUI//LAW-ENF.” If it’s marked, it’s CUI. If it should be marked but isn’t, a court or auditor might still treat it as such if the content demands protection. So the safe move? Assume it needs a review before destruction.
The Two Types You’ll Actually See
Most CUI falls into two buckets:
- Basic CUI: Requires protection but no extra handling beyond the standard baseline.
- CUI with Specified Safeguarding: Needs stricter controls, like encryption or limited access.
Before you destroy anything, you need to know which type you’re holding. That’s step one.
Why It Matters / Why People Care
Why go through all this? Can’t you just shred and forget?
Legal liability. If you destroy CUI improperly—or destroy something that should have been retained—you could violate the Federal Records Act, the CUI Executive Order, or specific agency regulations. Fines, lawsuits, and loss of government contracts are real possibilities.
Security risk. If you destroy something that should have been kept (say, a document needed for an ongoing audit or investigation), you’ve just obstructed a potential review. That’s a crime.
Operational integrity. Your organization’s reputation hinges on handling sensitive data correctly. A single mistake in destruction can unravel years of trust.
In short: skipping the review isn’t just cutting a corner. It’s gambling with legal exposure and national security.
How It Works (or How to Do It)
Alright, let’s get into the actual steps. This isn’t theoretical—it’s the checklist you run through before any destruction.
1. Identify and Segregate the Documents
First, gather everything you think might be CUI. Spread it out. Don’t just grab a box and start feeding it to the shredder. Look for markings. If it’s not marked but the content feels sensitive—like a report on a government contract with technical data—flag it for review.
Segregate by category if you can. Basic CUI in one pile, Specified Safeguarding in another. This makes the next steps cleaner.
2. Verify the CUI Status
This is the heart of the review. You need to confirm:
- Is it actually CUI? Check the marking. And if unmarked, does the content fall under a CUI category? (Refer to the CUI Registry.)
- What’s the specific category? (e.g., CUI//EXPORT-CONTROL)
- Does it have a “Do Not Destroy” or “Permanent” designation? Some records, even if CUI, must be preserved permanently under the National Archives.
If you’re unsure, stop. Get a subject matter expert—legal, compliance, or the original creator—to weigh in.
3. Check the Record Retention Schedule
Every piece of CUI is also a federal record. And federal records have a lifecycle: create, maintain, dispose. That disposal authorization comes from a Record Retention Schedule approved by the National Archives and Records Administration (NARA).
You must check:
- Has the retention period expired? (e.g., “Destroy 3 years after contract completion”)
- Is there an ongoing legal hold or audit that pauses destruction?
If the retention period hasn’t run out, you legally cannot destroy it—CUI or not.
4. Apply the Correct Destruction Method
Once you’ve confirmed it’s CUI and the retention period is over, choose the destruction method based on the type:
- Physical documents: Cross-cut shredding (to at least 5/32" x 1/2" particles), incineration, or pulping.
- Electronic media: Secure wiping (DoD 5220.22-M standard), degaussing, or physical destruction.
The method must be documented. Why? Because you need to prove it was done correctly if audited.
5. Document the Destruction
This is the part everyone hates but everyone needs. You must create a Certificate of Destruction that includes:
- Description of the material destroyed
- Date of destruction
- Method of destruction
- Name of the person authorizing it
- Name of the witness (if required)
- Chain of custody if it changed hands
Most guides skip this. Don't.
Keep this certificate in your records for at least three years (or as your contract requires).
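Steps 2 through 5 can be enforced as a single gate in whatever tool tracks the inventory. The sketch below is an added example, not part of any official CUI tooling; the Record fields, the method names and the rule that every unmarked item goes to expert review are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Destruction methods the article lists for each media type (step 4).
METHODS = {
    "paper": {"cross-cut shred", "incineration", "pulping"},
    "electronic": {"secure wipe", "degauss", "physical destruction"},
}

@dataclass
class Record:                         # hypothetical inventory entry
    description: str
    marking: Optional[str]            # e.g. "CUI" or "CUI//LAW-ENF"; None if unmarked
    media: str                        # "paper" or "electronic"
    retention_ends: Optional[date]    # from the retention schedule; None if not looked up
    permanent: bool = False           # "Do Not Destroy" / "Permanent" designation
    legal_hold: bool = False          # ongoing legal hold or audit

def blockers(rec: Record, method: str, today: date) -> list:
    """Steps 2-4: return every reason destruction must not proceed yet."""
    out = []
    if rec.marking is None:
        out.append("unmarked: content needs expert review")
    elif rec.marking != "CUI" and not rec.marking.startswith("CUI//"):
        out.append("unrecognized marking: " + rec.marking)
    if rec.permanent:
        out.append("designated permanent / do not destroy")
    if rec.legal_hold:
        out.append("legal hold or audit in progress")
    if rec.retention_ends is None:
        out.append("retention schedule not checked")
    elif today < rec.retention_ends:
        out.append("retention period runs until " + rec.retention_ends.isoformat())
    if method not in METHODS.get(rec.media, set()):
        out.append("method '%s' not listed for %s media" % (method, rec.media))
    return out

def certificate(rec, method, today, authorized_by, witness=None, custody=()):
    """Step 5: build the Certificate of Destruction, refusing if any check fails."""
    problems = blockers(rec, method, today)
    if problems:
        raise ValueError("; ".join(problems))
    return {
        "description": rec.description,
        "date": today.isoformat(),
        "method": method,
        "authorized_by": authorized_by,
        "witness": witness,
        "chain_of_custody": list(custody),
    }
```

Because certificate() raises instead of returning a partial record, a destruction entry cannot exist in the log unless every review step passed on the recorded date.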
6. Train Your Team
The process fails if only one person knows it. Everyone who handles CUI—from the intern to the project manager—needs training on:
- How to identify CUI
- The review steps before destruction
- The legal consequences of skipping steps
Regular refreshers aren’t optional; they’re part of compliance.
Common Mistakes / What Most People Get Wrong
Here’s where I see even smart teams trip up:
“If it’s not marked CUI, it’s safe to shred.”
Wrong. Content trumps marking. If the document contains information that meets a CUI category (like proprietary manufacturing data for a defense article), it’s CUI—even without a stamp. The review catches this.
“We followed the contract’s destruction clause, so we’re good.”
Maybe. But that clause must align with the CUI Executive Order and NARA schedules. If your contract says “destroy after one year” but NARA says “retain permanently,” you’re still on the hook.
“We shredded it, so it’s gone. No one will know.”
Except the audit trail. If you can’t produce that certificate, it’s treated as if the destruction never happened—and the liability falls on you.
“We used a cross-cut shredder, so it’s secure.”
Not necessarily. If you’re destroying something like a hard drive or a classified data tape, shredding alone isn’t enough. You need destruction methods validated for that specific media type, or you risk data remanence.
“Once it’s destroyed, we’re done.”
Not quite. You also need to confirm that any digital remnants—like temporary files, cached copies, or backups—are addressed according to the same rules. Destruction isn’t complete until all forms of the information are rendered unrecoverable.
Conclusion
Proper destruction of Controlled Unclassified Information isn’t just an administrative task—it’s a legal and ethical obligation. Every step, from initial identification to final documentation, exists to protect national security, comply with federal law, and shield your organization from serious consequences. Skipping steps or assuming “it’s probably fine” can lead to breaches, audits, fines, or even criminal liability.
Treat the destruction process with the same rigor you apply to creation and handling. Because when it comes to CUI, what you discard can be just as critical as what you safeguard. Compliance isn’t optional—it’s the cost of working with information that matters.