Which approach is recommended when data contains both CUI and classified information regarding safeguarding and labeling?

Study for the DOD Instruction 5200.48 Controlled Unclassified Information (CUI) exam. Prepare with flashcards and multiple choice questions, each with detailed hints and explanations. Ensure success on your test day!

Multiple Choice

Which approach is recommended when data contains both CUI and classified information regarding safeguarding and labeling?

Explanation:
Handling data that includes both CUI and classified information requires a policy-driven, risk-based approach that integrates formal safeguarding controls and makes the cloud provider responsible for implementing those safeguards in line with policy. This means using a structured risk management process to determine the appropriate data handling measures, then enforcing them through concrete controls such as labeling, access restrictions, encryption, data segregation, incident response, and continuous monitoring. Requiring cloud providers to implement CUI safeguarding per policy ensures consistent protection across the mixed data and provides an auditable, accountable framework that meets DoD requirements. Limiting data to specific regions, relying on a best-effort approach, or mandating only DoD-owned infrastructure do not by themselves guarantee the necessary level of protection for both CUI and classified information.

