How to Store Physical CUI During Work Hours and After Hours

One of the most practical questions in the CUI world is also one of the most common: how exactly should physical CUI be stored during the day, and what changes after hours? The answer is not simply “put everything in a safe.” The baseline rule is that CUI must be protected from unauthorized access, and the storage method depends on the environment, the time of day, and whether sufficient physical security measures are in place.

NARA’s official FAQ says CUI is not required to be stored in a GSA-approved safe. Instead, it must be stored behind a locking barrier inside a controlled environment that prevents unauthorized access. NARA also notes that organizations have flexibility in determining what qualifies as a controlled environment, while warning that some CUI Specified categories may have additional physical security requirements.

That means the real issue is not whether you bought a particular cabinet. The real issue is whether unauthorized people can access, see, or overhear the information in the environment where it is being handled. That is why storage for physical CUI is really about combining barriers, access control, and handling discipline.

During work hours: focus on preventing exposure

DoDI 5200.48 gives the clearest practical rule for daytime handling. During working hours, organizations are supposed to take steps to minimize the risk of unauthorized access, such as not reading, discussing, or leaving CUI unattended where unauthorized personnel are present. In other words, daytime storage is not just about where the paper sits. It is also about what employees are doing with it in the moment.

That is an important distinction because many organizations think about storage only when the workday ends. But a lot of exposure happens while the work is actually being performed: documents left on desks, printed pages sitting at shared printers, conversations taking place in open areas, or screens visible to people without a lawful government purpose. The DoD rule is aimed directly at that risk.

So during normal working hours, physical CUI should generally be kept under the direct control of an authorized holder or placed in a way that prevents unauthorized people from accessing or viewing it. If someone without authorization may be nearby, the expectation is that CUI cannot be left out in the open.

After hours: the storage rule changes based on building security

After working hours, DoDI 5200.48 becomes more specific. If a government or government-contractor building provides security for continuous monitoring of access, CUI may be stored in unlocked containers, desks, or cabinets. If building security is not provided, the information should be stored in locked desks, file cabinets, bookcases, locked rooms, or similarly secured areas.

That is one of the most important physical CUI rules to understand because it shows the standard is based on the overall security of the environment, not just whether an individual drawer is locked. In a continuously monitored facility, DoD allows more flexibility. In a building without that level of monitoring, the expectation tightens and the storage barrier itself needs to be locked.

DoD’s own marking job aid repeats the same principle: after working hours, CUI may be stored in unlocked desks, containers, or cabinets if the facility provides continuous monitoring of access; otherwise it must be stored in locked desks, file cabinets, bookcases, locked rooms, or similarly secured areas. That consistency matters because it gives contractors a very usable operational rule.

What “continuous monitoring” really means

The phrase “continuous monitoring of access” matters because it is what separates the two after-hours storage paths. DoDI 5200.48 explains the underlying concept by saying a controlled environment has sufficient internal security measures in place to prevent or detect unauthorized access to CUI, and adds that for DoD, an open storage environment can meet that requirement.

So the question is not just whether the building has walls and doors. The question is whether the facility has enough security around access to detect or prevent unauthorized entry after hours. If it does, unlocked storage inside that environment may be acceptable under the DoD rule. If it does not, the container or room itself needs to provide the locked barrier.

For contractors, this is where a lot of confusion starts. Many hear “locking barrier” and assume every piece of physical CUI must always be locked away no matter what. But the DoD framework is more nuanced than that. It allows flexibility where the environment itself is sufficiently controlled.

What this looks like in practice

During the workday, compliant storage often looks like this: an authorized employee is actively using the document, the workspace is not accessible to unauthorized people, and the information is not left unattended in a place where someone could view or take it. After hours in a monitored facility, the same material may remain in a desk, cabinet, or container that is not individually locked because the facility itself provides continuous access security. After hours in an unmonitored or less-controlled facility, that same material should be moved into a locked desk, locked file cabinet, locked room, or similarly secured area.

This is why physical CUI storage should be thought of as a system, not a single product decision. The right answer depends on who has access to the area, how the space is monitored, whether visitors or cleaning crews may enter, and whether employees have obvious, usable places to secure documents when they step away or go home.

Do not overlook printers, shared surfaces, and output devices

A lot of physical CUI exposure happens outside the file cabinet. NIST SP 800-171 Rev. 3 is the federal baseline for protecting CUI in nonfederal systems and organizations, and its assessment companion highlights physical protection areas including physical access, visitor controls, output devices, and alternate work sites. That matters because CUI can be exposed at printers, copiers, fax machines, and shared work areas just as easily as at storage cabinets.

In practice, that means “storage” has to include what happens to printed output the moment it leaves the machine. A stack of CUI sitting on a shared printer tray is a physical storage problem even if no one planned to leave it there for long. The same is true for documents left in conference rooms, on drafting tables, or on counters in mixed-access areas.

Alternate work sites make storage harder, not easier

NIST’s CUI framework also includes safeguarding expectations for alternate work sites, and DoD guidance makes clear that physical protection still applies outside the main facility. That is important because telework, off-site meetings, and travel create the easiest opportunities for physical mishandling.

Even when people are not in the main office, the same core rule applies: CUI has to remain protected from unauthorized access. That means physical papers are not to be left in uncontrolled environments, even if the employee considers the location temporary or low-risk.

Contractors should still check the contract

There is also an important contract point here. NARA’s FAQ says that for compliance with DoD contracts, contractors should first check the contract itself or the point of contact for the contract. That matters because while the general CUI rule allows flexibility, a contract or program office may impose more specific requirements for particular information, spaces, or operating conditions.

So the safest way to think about the rule is this: the NARA and DoD guidance give you the baseline, but the contract may narrow the acceptable options.

The practical takeaway

If you want a simple way to think about physical CUI storage, use this:

During work hours, keep CUI under the active control of authorized individuals and do not leave it where unauthorized people can access, view, or overhear conversations involving CUI. After hours, decide storage based on whether the facility provides continuous monitoring of access. If it does, unlocked desks, cabinets, or containers may be acceptable under the DoD rule. If it does not, use locked desks, file cabinets, bookcases, locked rooms, or similarly secured areas.

That is the practical storage standard most organizations should be building around.

 

Share information about your brand with your customers. Describe a product, make announcements, or welcome customers to your store.