How do we handle classified or CUI records held by a cloud provider or contractor when the contract is ending?
When a contract or cloud agreement ends, the controlling agency remains accountable for any classified or controlled unclassified information (CUI) the provider held on its behalf. A contractor or cloud vendor is a custodian, not the owner of the records. The closeout therefore has to confirm that every protected record is accounted for, returned or properly destroyed, and that nothing sensitive lingers in the provider’s environment.
Confirm Ownership and Scope First
Federal records do not belong to the contractor. Begin by identifying which holdings are agency records, their classification or CUI markings, and the retention obligations that attach to them. Records still under retention must be transferred back to the agency or to an authorized successor; they cannot simply be deleted because a contract lapsed. Marking and handling rules for CUI continue to apply throughout the transition.
Return, Transfer, or Destroy Under Authority
For each category of protected information, the contract and your records schedule should drive one of three outcomes:
- Return or transfer records the agency must keep, in a usable and properly labeled format.
- Destroy material that has met retention, using methods approved for that classification level.
- Sanitize the underlying storage, backups, and replicas so no recoverable copy remains in the provider’s systems.
Classified information and CUI must be handled according to the safeguarding and destruction standards set for their level, and the agency should document each action.
Verify and Document the Handoff
Obtain written certification from the provider that all copies, including backups, snapshots, and cached data across regions, have been returned or destroyed. Reconcile that certification against an inventory so there are no gaps. Address access as well: revoke credentials, keys, and any standing data-sharing connections.
Declassification, if it applies, is a separate determination made by the agency under its own authority. A contract ending does not declassify anything; protected records keep their classification until the originating authority changes it.
Key Takeaways
- The agency, not the vendor, owns the obligation to protect and account for the records.
- Build return, destruction, and sanitization terms into the contract before it ends, not after.
- Document and certify every disposition, then verify against an inventory.
For broader context on declassification authority and review, see /topics/declassification/.
Sources & further reading
Authoritative government and non-profit references.
- Controlled Unclassified Information (CUI) — National Archives (NARA)
- Information Security Oversight Office (ISOO) — National Archives (NARA)
How to cite this page
APA
RM University Editorial. (2026). How do we handle classified or CUI records held by a cloud provider or contractor when the contract is ending?. Records Management University. https://www.recordsmgmt.org/questions/how-to-handle-classified-records-held-by-a-vendor-when-the-contract-ends/
MLA
RM University Editorial. "How do we handle classified or CUI records held by a cloud provider or contractor when the contract is ending?." Records Management University, 16 June 2026, www.recordsmgmt.org/questions/how-to-handle-classified-records-held-by-a-vendor-when-the-contract-ends/.
Related questions
- Can a hospital or research university hold classified records, and how do FCL and HIPAA rules interact?
- Can a law firm representing a government client retain classified discovery, and who declassifies it after the case?
- Can a multinational company use ISO 15489 as a single recordkeeping standard across all of its countries?
- Can a private citizen request that a specific classified record be declassified?
- Can AI and machine learning reliably assist with declassification review of classified records?