(a) The CUI EA:
(1) Develops and issues policy, guidance, and other materials, as needed, to implement the Order, the CUI Registry, and this part, and to establish and maintain the CUI Program;
(2) Consults with affected agencies, Government-wide policy bodies, State, local, Tribal, and private sector partners, and representatives of the public on matters pertaining to CUI as needed;
(3) Establishes, convenes, and chairs the CUI Advisory Council (the Council) to address matters pertaining to the CUI Program. The CUI EA consults with affected agencies to develop and document the Council's structure and procedures, and submits the details to OMB for approval;
(4) Reviews and approves agency policies implementing this part to ensure their consistency with the Order, this part, and the CUI Registry;
(5) Reviews, evaluates, and oversees agencies' actions to implement the CUI Program, to ensure compliance with the Order, this part, and the CUI Registry;
(6) Establishes a management and planning framework, including associated deadlines for phased implementation, based on agency compliance plans submitted pursuant to section 5(b) of the Order, and in consultation with affected agencies and OMB;
(7) Approves categories and subcategories of CUI as needed and publishes them in the CUI Registry;
(8) Maintains and updates the CUI Registry as needed;
(9) Prescribes standards, procedures, guidance, and instructions for oversight and agency self-inspection programs, to include performing on-site inspections;
(10) Standardizes forms and procedures to implement the CUI Program;
(11) Considers and resolves, as appropriate, disputes, complaints, and suggestions about the CUI Program from entities in or outside the Government; and
(12) Reports to the President on implementation of the Order and the requirements of this part. This includes publishing a report on the status of agency implementation at least biennially, or more frequently at the discretion of the CUI EA.
(b) Agency heads:
(1) Ensure agency senior leadership support, and make adequate resources available to implement, manage, and comply with the CUI Program as administered by the CUI EA;
(2) Designate a CUI senior agency official (SAO) responsible for oversight of the agency's CUI Program implementation, compliance, and management, and include the official in agency contact listings;
(3) Approve agency policies, as required, to implement the CUI Program; and
(4) Establish and maintain a self-inspection program to ensure the agency complies with the principles and requirements of the Order, this part, and the CUI Registry.
(c) The CUI SAO:
(1) Must be at the Senior Executive Service level or equivalent;
(2) Directs and oversees the agency's CUI Program;
(3) Designates a CUI Program manager;
(4) Ensures the agency has CUI implementing policies and plans, as needed;
(5) Implements an education and training program pursuant to § 2002.30;
(6) Upon request of the CUI EA under section 5(c) of the Order, provides an update of CUI implementation efforts for subsequent reporting;
(7) Submits to the CUI EA any law, regulation, or Government-wide policy not already incorporated into the CUI Registry that the agency proposes to use to designate unclassified information for safeguarding or dissemination controls;
(8) Coordinates with the CUI EA, as appropriate, any proposed law, regulation, or Government-wide policy that would establish, eliminate, or modify a category or subcategory of CUI, or change information controls applicable to CUI;
(9) Establishes processes for handling CUI decontrol requests submitted by authorized holders;
(10) Includes a description of all existing waivers in the annual report to the CUI EA, along with the rationale for each waiver and, where applicable, the alternative steps the agency is taking to ensure sufficient protection of CUI within the agency;
(11) Develops and implements the agency's self-inspection program;
(12) Establishes a mechanism by which authorized holders (both inside and outside the agency) can contact a designated agency representative for instructions when they receive unmarked or improperly marked information the agency designated as CUI;
(13) Establishes a process to accept and manage challenges to CUI status (which may include improper or absent marking);
(14) Establish processes and criteria for reporting and investigating misuse of CUI; and
(15) Follows the requirements for the CUI SAO listed in § 2002.38(e), regarding waivers for CUI.
(d) The Director of National Intelligence: After consulting with the heads of affected agencies and the Director of ISOO, may issue directives to implement this part with respect to the protection of intelligence sources, methods, and activities. Such directives must be in accordance with the Order, this part, and the CUI Registry.