What You Need to Know About Controlled Unclassified Information (CUI): Categories, Controls, and Compliance
If your company is pursuing a government contract, you’ve likely come across the term Controlled Unclassified Information (CUI). For many organizations, especially those in industries like defense, technology, and critical infrastructure, understanding CUI is a crucial step toward meeting compliance requirements and building trust with federal agencies.
CUI can be a variety of things from personal data to defense-related technical documents, and knowing the different types of CUI and their security requirements is essential for protecting sensitive data against threats.
This guide will break down what CUI is, the types of information it includes, and the controls you need to implement to stay compliant and secure. Whether you're navigating a federal contract, ensuring your information systems meet NIST standards, or just trying to understand the different CUI requirements, this article will help you understand why CUI matters and how to handle it securely.
What is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) is government information that's sensitive, but not classified. It’s the type of data the government doesn’t want out in the open because it could pose a risk to privacy, security, or critical infrastructure if mishandled, but it’s not quite sensitive enough to be labeled “classified.” CUI still needs protection, but the rules aren’t as strict as they are for classified information.
Examples of CUI include Social Security numbers, information related to national security, or sensitive defense or warfare related information that contractors handle. If you're a business working with government agencies, they might require you to follow certain rules to keep CUI secure, like encrypting emails or limiting who can access the information.
Executive Order 13556 and the birth of the CUI Program
Before the CUI program existed, federal agencies had a lot of freedom in how they handled sensitive unclassified information. Each agency came up with its own rules, labels, and information systems. You might hear terms like “For Official Use Only” (FOUO), “Sensitive But Unclassified” (SBU), or “Law Enforcement Sensitive” (LES) — but there was no consistency across agencies.
This led to a few major problems, including confusion for government contractors, state governments, and other partners working with federal agencies, who were often left guessing which rules applied to which CUI documents. It also led to inefficiencies, as different labeling systems and protection rules made sharing information between agencies complicated and prone to error.
The need for a unified, government-wide CUI framework became clear, especially as federal agencies increasingly relied on third-party contractors and needed to better manage cybersecurity risks.
President Barack Obama signed Executive Order 13556 on November 4, 2010, officially creating the Controlled Unclassified Information Program. This Executive Order laid the groundwork for standardizing how sensitive unclassified information is identified, marked, shared, and protected across the federal government by:
- Establishing a single CUI Program: The CUI Program replaced the patchwork of agency-specific systems that previously governed sensitive unclassified information. By standardizing processes, all federal agencies now follow the same rules for identifying, handling, and protecting CUI.
- Designating NARA as the Executive Agent: The National Archives and Records Administration (NARA) was tasked with overseeing the CUI Program. NARA manages the official CUI Registry, which defines all CUI categories and subcategories while linking them to the specific laws, regulations, or policies that require their protection.
- Standardizing safeguarding and dissemination controls: The Executive Order established uniform rules for safeguarding and sharing CUI. These include clear requirements for CUI markings, storage, and transmission. This makes secure information sharing between federal agencies, contractors, and other stakeholders easier while ensuring sensitive data remains protected.
- Extending safeguards to non-federal systems: The CUI Program requires non-federal systems that process, store, or transmit CUI to implement the same protections as federal systems. Security frameworks like NIST 800-171 play a critical role in guiding contractors and service providers on how to meet these requirements.
By creating the CUI Program, Executive Order 13556 reduced the risk of mishandling sensitive government information and streamlined processes for contractors and other stakeholders. Today, the program is essential for managing cybersecurity, ensuring privacy, and protecting national security.
What qualifies as CUI? CUI categories and types
Not all sensitive information is considered CUI — it must meet specific criteria set by federal laws, regulations, or policies. CUI is organized into categories and subcategories, each with unique safeguarding requirements designed to protect it from unauthorized access or unauthorized disclosure. By understanding these categories and the criteria that define them, you can confidently identify, manage, and protect CUI.
Let’s break down what qualifies as CUI and explore its main categories and types.
The ISOO and DoD CUI Registries
The ISOO CUI Registry is a critical component of the CUI Program. It serves as the official government-wide registry for all categories and subcategories of CUI, and is managed by NARA under the oversight of the Information Security Oversight Office (ISOO).
The CUI registry is publicly available via the National Archives, making it easy for government employees, contractors, and the public to see what qualifies as CUI and the applicable safeguarding requirements.
The ISOO CUI Registry organizes CUI into the following categories:
| CUI Category | Description | Example |
|---|---|---|
| Critical Infrastructure | Information related to physical or virtual systems essential for public safety, economic security, or national security | Energy infrastructure data, transportation systems information |
| Defense | Information related to military or national defense that is not classified | Controlled Technical Information (CTI), Export-controlled data under ITAR or EAR |
| Export Control | Information controlled by export regulations, such as International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR) | Technical data requiring export licenses |
| Financial | Information about financial institutions, systems, or individuals | Bank Secrecy Act (BSA) reports, tax information |
| Immigration | Information related to immigration, naturalization, or citizenship | Visa application records, refugee status information |
| Intelligence | Unclassified information related to intelligence activities, sources, and methods | Signals intelligence analysis, non-classified intelligence reports |
| International Agreements | Information related to agreements between the U.S. and foreign governments or international organizations | Details of treaties, trade agreements, or joint military operations with allied nations |
| Law Enforcement | Information pertaining to law enforcement investigations or operations | Criminal investigation reports, witness protection data |
| Legal | Legal or litigation-related information | Attorney-client privileged materials, court-sealed documents |
| Natural and Cultural Resources | Information related to the management and use of natural and cultural resources | Environmental impact assessments, wildlife conservation data |
| North Atlantic Treaty Organization (NATO) | Information related to NATO operations, policies, or agreements | NATO operational plans, joint defense strategies, and sensitive communication protocols shared between member nations |
| Nuclear | Information about nuclear technology or materials that is sensitive but not classified | Non-classified nuclear safety protocols, radiological incident reports |
| Patent | Information about unpublished or sensitive patent applications or technologies under development | Pending patent applications, proprietary designs submitted to the government |
| Privacy | Personally Identifiable Information (PII) or data protected under privacy laws like HIPAA | Medical records, Social Security numbers |
| Procurement and Acquisition | Information pertaining to government procurement processes and acquisition strategies | Contract proposals, bid evaluations, and supplier proprietary data submitted during the acquisition process |
| Proprietary Business Information | Sensitive commercial or business information provided to the government | Trade secrets, confidential R&D data |
| Provisional | A temporary category used for sensitive information not yet fully classified under a specific CUI category | Information awaiting classification or determination under an existing CUI category |
| Statistical | Information related to statistical analysis or data collection for government purposes | Census data, economic forecasts |
| Tax | Information about federal, state, or local tax-related matters | Taxpayer identification numbers, IRS records, or sensitive financial audits |
| Transportation | Information related to transportation systems, infrastructure, or operations | Passenger data, transportation security plans |
While the ISOO CUI Registry serves as the government-wide framework for CUI, the DoD’s unique mission and requirements meant it needed its own CUI registry to address the specific and complex needs of defense operations and contractors.
The DoD CUI registry aligns with defense-specific regulations, such as the DoD CUI policy, DFARS 252.204-7012, and the Cybersecurity Maturity Model Certification (CMMC. Contractors working with the DoD rely on this registry to identify what qualifies as CUI within their contracts and understand the associated safeguarding, marking, and reporting requirements.
CUI Basic vs CUI Specified: Security requirements for different types of CUI
There are two main types of CUI: CUI Basic and CUI Specified. CUI Specified is a subset of CUI that has additional security requirements for how it must be handled.
- CUI Basic: Most CUI falls into this category. It follows the standard safeguarding and dissemination rules laid out in the CUI Program regulations. No special or unique requirements here, just the baseline protections. For example, personnel records that need safeguarding under the Privacy Act but don’t have extra restrictions.
- CUI Specified: This is CUI that comes with special safeguarding or dissemination requirements because of a federal law or regulation. These rules are over and above the standard ones for CUI Basic. An example would be export-controlled technical data governed by ITAR or EAR, which are more sensitive and require stricter export and access controls.
While all CUI must be protected, CUI Specified comes with additional requirements because it's tied to specific federal laws and regulations. These rules dictate exactly how certain types of sensitive information must be handled.
Understanding the unique requirements of these laws is critical for organizations that work with CUI Specified, as they outline not only the expectations for safeguarding it but also the potential consequences of noncompliance.
What is CUI marking?
Because there are different types of CUI, it’s crucial for agency and contractor employees to clearly understand the type of CUI they’re handling to meet the correct safeguarding requirements. That’s why CUI marking is important..
Marking CUI is a method established by the CUI Program to label or identify CUI. By following marking requirements, organizations can minimize the risk of mishandling sensitive data while staying compliant with federal safeguarding standards.
- CUI banner marking: A header or banner at the top of the document/page indicating the information is CUI. Example: CONTROLLED // CUI
- CUI Category marking (optional): Agencies may include the CUI category or subcategory in the marking to specify the type of CUI. Example: CONTROLLED // CUI // Privacy
- Portion markings (optional): Some agencies may require marking specific paragraphs or sections as containing CUI. Example: (CUI) at the beginning of a paragraph.
- Dissemination control markings: Markings that limit how the information can be shared. For example: NOFORN (Not Releasable to Foreign Nationals) or REL TO USA, FVEY (Releasable to the U.S. and Five Eyes partners)
- Decontrolling CUI marking: If CUI is no longer considered sensitive, it should include a marking to indicate that it has been decontrolled.
Security frameworks for safeguarding CUI
To protect CUI, organizations follow specific security frameworks established by the federal government. These frameworks provide guidelines for implementing the necessary technical, physical, and administrative controls to meet federal security requirements. Let’s explore the key NIST frameworks and their role in protecting CUI to clarify when they apply and how they help organizations stay secure.
NIST 800-53
NIST 800-53 is a comprehensive framework designed for federal information systems and organizations. It provides a catalog of 1,000+ security and privacy controls that organizations can implement to protect sensitive information, including CUI. This framework applies when CUI is handled within federal systems or controlled environments, such as government-owned or operated facilities.
For organizations working directly with federal agencies, NIST 800-53 serves as the gold standard for information security. While its scope is broad and its controls are highly detailed, this framework ensures that federal systems remain resilient against evolving cybersecurity threats. By adhering to NIST 800-53, organizations demonstrate their commitment to maintaining the highest level of security for CUI and other sensitive data.
NIST SP 800-171
NIST SP 800-171 was developed specifically for private sector organizations that process, store, or transmit CUI,, such as government contractors, subcontractors, and service providers. Unlike NIST 800-53, which is designed for federal systems, NIST 800-171 tailors its requirements to private organizations that need to meet federal safeguarding standards without the complexity of managing classified systems.
This framework includes 110 controls organized into 14 families, which provide clear and actionable steps for encrypting sensitive data, monitoring system activity, and managing access permissions.
Recommended reading
NIST 800-171 Compliance: How to Comply with the Latest Revision [+ Checklist]
The Cybersecurity Maturity Model Certification (CMMC)
The CMMC adapts NIST 800-171 for organizations handling CUI within the defense industrial base. Introduced by the DoD, CMMC is structured into three maturity levels. Each level corresponds to the type and sensitivity of information being handled, ensuring that contractors implement the appropriate level of security for their operations.
By requiring third-party certification, CMMC also ensures that organizations are not only implementing the necessary controls but also maintaining them over time. This framework helps the DoD mitigate supply chain risks and protect national security while providing specific guidance for contractors to enhance their cybersecurity posture.
Federal Risk and Authorization Management Program (FedRAMP)
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program designed to standardize security requirements and assessments for cloud service providers used by federal agencies. It simplifies the process of ensuring these services meet strict federal security standards for safeguarding sensitive information, including CUI.
By choosing FedRAMP-authorized cloud services, agencies and contractors can securely manage CUI in cloud environments, reduce risk, and streamline their operations while meeting federal compliance requirements.
Building a strong cybersecurity posture to protect CUI
Secureframe’s security and compliance automation platform is built to simplify federal compliance, helping government contractors navigate the complexities of protecting CUI and demonstrate a strong security posture. By combining expertise, automation, and comprehensive support, we’ve helped companies achieve compliance with key frameworks like NIST 800-53 up to 70% faster.
- Automated monitoring and evidence collection: Secureframe integrates with your existing tech stack, including government cloud variants like AWS GovCloud, to automatically collect evidence and continuously monitor your tech stack for nonconformities.
- Trusted partner network: Our Partner Network includes certified Third Party Assessment Organizations (3PAOs) and CMMC 3PAOs (C3PAOs) that can support CMMC, FISMA, FedRAMP, and other federal audits.
- Federal compliance expertise: Secureframe’s dedicated, world-class support team of former FISMA, FedRAMP, and CMMC auditors and consultants guide you through federal readiness and audits and keep the platform up-to-date on the latest changes to federal compliance requirements.
- In-platform training: Deliver in-platform, proprietary employee training that meets federal requirements including insider threat, information spillage, anti-counterfeit training, and role-based training such as secure coding.
Learn more about how we simplify compliance with CMMC 2.0, NIST 800-53, NIST 800-171, NIST CSF, TX-RAMP, FedRAMP, CJIS, and more by scheduling a demo today.
Use trust to accelerate growth
FAQs
What does CUI mean?
Controlled Unclassified Information (CUI) is an umbrella term for information that requires safeguarding or dissemination controls pursuant to applicable laws, federal regulations, and government-wide policies, but is not classified under Executive Order 13526 or the Atomic Energy Act. The National Archives and Records Administration (NARA) maintains a CUI Registry that categorizes CUI into distinct types based on the nature of the information.
What are CUI security requirements?
CUI security requirements are outlined in 32 CFR Part 2002 and NIST 800-53 and depend on whether the information is CUI Basic or CUI Specified. For non-federal systems, they are further detailed in NIST SP 800-171. Key requirements include:
- Implementing access controls to limit who can view or handle CUI.
- Encrypting CUI in transit and at rest.
- Monitoring systems for unauthorized access or activities.
- Physical safeguards like locking up physical documents.
- Ensuring secure methods of data sharing and destruction.
What are the six categories of CUI?
CUI is grouped into categories and subcategories based on the CUI Registry. While there are many subcategories, some major categories include:
- Critical Infrastructure: Information about energy systems, transportation, etc.
- Defense: Data related to military operations or controlled technical information.
- Export Control: Information governed by ITAR or EAR regulations.
- Privacy: Personally identifiable information (PII) or health data (e.g., under HIPAA).
- Law Enforcement: Information about investigations or operations.
- Financial: Sensitive financial data like tax or banking information.
These categories represent types of information that require safeguarding and dissemination controls under federal laws or regulations.
How to mark CUI in emails?
To mark CUI in emails, you must ensure recipients are aware that the email contains CUI. Here’s how:
- Subject Line: Include "[CUI]" at the start of the subject line
- Email Body: Add a CUI banner at the top of the email body
- Attachments: Clearly mark any attached documents containing CUI with appropriate CUI markings (e.g., in the document header or filename)
You can also use tools like PreVeil and Regdox for CUI marking.
Does CUI need to be encrypted when emailed?
CUI must be encrypted when emailed if it is sent outside a secure internal network. If emailing within a secure, approved system, encryption may not be required, but this depends on the organization's specific policies.
Can CUI be stored in a locked desk after working hours?
CUI can be stored in a locked desk, cabinet, or other secure container after working hours, as long as it is not accessible to unauthorized personnel.
Can CUI be stored on any password protected system?
No, CUI cannot be stored on just any password-protected system. The system must meet specific security requirements outlined in NIST SP 800-171 and be CMMC authorized for non-federal systems or FISMA or FedRAMP for federal systems, including access controls (e.g., multifactor authentication), secure encryption at rest and in transit, and regular monitoring and auditing capabilities. Storing CUI on systems that do not meet these standards violates safeguarding requirements.