What is the policy on using unofficial or personal email for official business involving CUI?

• A. DoD personnel will not use unofficial/personal email or non-DoD systems for official business involving CUI (with limited exceptions for approved/authorized contractor systems).
• B. DoD personnel may use unofficial/personal email for official CUI business if approved by a supervisor.
• C. Personal email and non-DoD systems are always permitted for convenience.
• D. DoD personnel must use only internal secure messaging platforms even for unclassified topics.

Answer: (A)

Handling CUI requires using DoD-approved systems to ensure protection, proper storage, and auditable access. Unofficial or personal email for official business involving CUI bypasses these safeguards, increasing the risk of data leaks, improper disclosures, and noncompliance with safeguarding and retention rules. Personal accounts may be on non-DoD servers, outside monitoring, and not compatible with the required controls, making it easy for CUI to be exposed or mishandled.

There are only limited exceptions when a contractor system has been explicitly approved or authorized to handle CUI, but even then that system must meet the applicable safeguarding standards and be specifically authorized for CUI use. In all other cases, unofficial or personal email should not be used for official CUI-related communications.

Options that imply permissiveness or routine use of personal email for CUI neglect the essential need for controlled, auditable, and secure handling of sensitive information, which is why the correct policy aligns with using DoD-approved channels for CUI.