32 C.F.R. § 2002.14
(a) General safeguarding policy.
(b) CUI safeguarding standards. Authorized holders must safeguard CUI using one of the following types of standards:
(2) CUI Specified.
(c) Protecting CUI under the control of an authorized holder. Authorized holders must take reasonable precautions to guard against unauthorized disclosure of CUI. They must include the following measures among the reasonable precautions:
(d) Protecting CUI when shipping or mailing. When sending CUI, authorized holders:
(e) Reproducing CUI. Authorized holders:
(f) Destroying CUI.
(1) Authorized holders may destroy CUI when:
(2) When destroying CUI, including in electronic form, agencies must do so in a manner that makes it unreadable, indecipherable, and irrecoverable. Agencies must use any destruction method specifically required by law, regulation, or Government-wide policy for that CUI. If the authority does not specify a destruction method, agencies must use one of the following methods:
(h) Information systems that process, store, or transmit CUI are of two different types: