ISOO (Information Security Oversight Office)
The Information Security Oversight Office (ISOO) is a component of the National Archives and Records Administration (NARA) that serves as the executive agent for the federal Controlled Unclassified Information (CUI) program. ISOO establishes the government-wide policies that define how CUI is designated, safeguarded, disseminated, marked, decontrolled, and disposed of — policies that directly shape the compliance requirements defense contractors encounter through DFARS and CMMC.
What Is ISOO?
ISOO operates within the National Archives and Records Administration (NARA) with delegated authority to administer the CUI program across the entire federal government. Originally focused on classified information oversight, ISOO’s role expanded significantly with Executive Order 13556, which established the CUI program to standardize how the government handles sensitive but unclassified information. ISOO is responsible for developing and issuing CUI policies, maintaining the CUI Registry (the authoritative list of CUI categories and subcategories), overseeing agency implementation of CUI requirements, and resolving disputes about CUI designation.
The CUI Registry
One of ISOO’s most important contributions is the CUI Registry, which catalogs every authorized CUI category and subcategory along with the specific laws, regulations, or government-wide policies that authorize the designation. For defense contractors, the Registry is the authoritative reference for understanding which types of information qualify as CUI and what handling requirements apply. Categories relevant to the DIB include Controlled Technical Information (CTI), Export Controlled information, and Critical Infrastructure information.
ISOO and 32 CFR Part 2002
ISOO issued 32 CFR Part 2002 (Controlled Unclassified Information), the foundational regulation for the CUI program. This rule establishes the requirements for designating, safeguarding, disseminating, marking, decontrolling, and disposing of CUI. It also defines the relationship between the CUI program and agency-specific requirements like DFARS 252.204-7012, which references NIST SP 800-171 as the standard for protecting CUI in nonfederal systems.
Why ISOO Matters for Defense Contractors
While defense contractors interact primarily with DFARS and CMMC requirements, those requirements trace back to the CUI program administered by ISOO. Understanding ISOO’s role helps contractors interpret CUI marking requirements, determine which CUI categories apply to their contracts, stay current with CUI program updates that may affect compliance obligations, and properly handle CUI throughout its lifecycle including decontrol and disposal procedures.