You're sitting at your desk, staring at a document stamped with CONTROLLED or CUI. It's been three years since the project ended. The data feels stale. You want to send it to a vendor or maybe just archive it without the headache of double-locking cabinets and encrypted servers. But here's the kicker: you can't just decide it’s "safe" and hit send.
The question of who can decontrol controlled unclassified information isn't just bureaucratic red tape—it's a legal minefield. Honestly, most contractors and even some federal employees mess this up because they confuse "possession" with "authority." Just because you’re holding the paper doesn't mean you can strip the markings.
The Short Answer (and the Reality Check)
Basically, the power to decontrol CUI rests with the designating agency. If you didn't create the "rules" for that specific piece of info, you probably can't decontrol it.
According to 32 CFR Part 2002, the primary authority lies with the agency that originally designated the information as CUI. However, this authority often flows through specific roles.
- The Information Originator: This is the office or person who first created the document. They know why it was protected and when that reason expires.
- Original Classification Authorities (OCA): While usually associated with Top Secret stuff, OCAs often have the final word on decontrolling unclassified info that was once part of a larger classified program.
- Designated Decontrol Offices: Some agencies, especially within the DoD, have specific "Release" offices or Security Managers tasked with this exact job.
How Decontrol Actually Happens
It’s not always a guy with a red pen striking through lines. Sometimes it’s automatic. Imagine a contract that says "this technical spec is CUI until the product is publicly unveiled on January 20, 2026."
On January 21, that info is decontrolled. Period.
The Automatic Trigger
If a document has a "decontrol indicator" (like a specific date or event) in the footer or the designation line, the authorized holder can treat it as decontrolled once that date hits. You don't need to call the Pentagon to ask for permission if the document already told you when it expires.
The Affirmative Decision
This is the manual way. An agency decides the information is no longer sensitive. Maybe a law changed. Maybe the "Law Enforcement Sensitive" tag no longer applies because the trial is over and the records are public. In this case, the designating agency makes a proactive disclosure.
The FOIA Loophole
Sorta. If someone files a Freedom of Information Act (FOIA) request and the agency determines the info must be released, that release effectively decontrols it. But don't get ahead of yourself—a FOIA release for one person doesn't always mean the markings come off for everyone unless it's a "proactive disclosure."
What Most People Get Wrong
People think "Decontrolled" means "Public."
It doesn't.
This is the biggest trap. If a piece of info is decontrolled, it just means you don't have to follow the specific CUI safeguarding rules (like the NIST 800-171 controls or the fancy coversheets). It does not mean you can post it on X (formerly Twitter). It might still be proprietary, subject to export controls (ITAR/EAR), or covered by a non-disclosure agreement.
Decontrol is about the CUI Program, not necessarily the Publicity.
The Archivist's Special Power
There is one "hidden" person who can decontrol info: The Archivist of the United States.
When records are old enough to be sent to the National Archives (NARA), the Archivist has the authority to decontrol them to make sure the public can actually see history. If you're a history buff looking at 40-year-old unclassified memos, you're seeing the Archivist's decontrol power in action.
Rules for the "Authorized Holder"
If you are a contractor, you are an Authorized Holder. You have the info, but you are a steward, not the owner.
If you think something should be decontrolled, you have to request it. You can't just do it. You contact the Contracting Officer (CO) or the agency's CUI Point of Contact.
32 CFR 2002.18(h) explicitly says: "Authorized holders may request that the designating agency decontrol certain CUI." It’s a formal process. You send the request, they review it against the CUI Registry, and they give you a thumbs up or down.
💡 You might also like: Why the Dollar to the Euro Rate is More Than Just a Number on Your Screen
Actionable Steps for Handling Decontrol
Don't guess. If you're looking at a stack of CUI and wondering if you can move it to a lower-security folder, follow this checklist.
- Check the "Decontrol On" Line: Look at the first page. If there is a date that has already passed, you are clear to decontrol.
- Verify the Source: Identify the "Controlled by" line. This tells you which agency you need to talk to.
- Perform a Marking Strike-Through: When info is decontrolled, you don't just throw it in the trash. You are supposed to "strike through" or remove the markings if you are going to reuse the info in a new, non-CUI document.
- Confirm the "Public Release" Status: Before you put it on a public website, check with your Public Affairs Office or the Contracting Officer. Decontrolled $
eq$ Public. - Document the Change: Keep a record of why you treated the info as decontrolled. If an auditor asks why a CUI-marked file is sitting on an open server, you need to point to the specific date or the email from the CO.
The stakes are high. In the defense world, mishandling this can lead to "False Claims Act" trouble or losing your "Contractor of Choice" status. It’s always better to keep the controls on a little too long than to take them off a second too early.
Next Steps for Your Team
To keep your organization compliant, you should immediately audit your current CUI inventory for expired decontrol dates. Check the designation indicators on any project files older than two years; you might be able to significantly reduce your storage overhead by officially decontrolling stale data that has met its "event-based" expiration. If the decontrol date is missing, initiate a formal request to your designating agency's point of contact to clarify the lifespan of that information.