
What Is CUI? Controlled Unclassified Information Explained for Defense Contractors
Emily Bonnie
Senior Content Marketing Manager
Rob Gutierrez
Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP
If your company is pursuing a U.S. government contract, you’ve likely come across the term Controlled Unclassified Information (CUI). For many organizations, especially those in industries like defense, technology, and critical infrastructure, understanding CUI is not just helpful; it's foundational to your compliance strategy.
For defense contractors in particular, one determination shapes nearly every downstream requirement: whether you handle CUI. That single answer drives whether you need 15 controls or 110, whether CMMC Level 2 applies, whether DFARS 252.204-7012 is triggered, and whether a third-party C3PAO assessment is required.
This guide breaks down what CUI is, how it differs from other types of government information, what categories it includes, and what security controls are required to protect it.
What is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) is government information that's sensitive, but not classified. It requires safeguarding or dissemination controls pursuant to federal law, regulation, or government-wide policy.
Per 32 CFR Part 2002, CUI is defined as: “Information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.”
In practical terms, CUI is information that is not Secret or Top Secret, but also not publicly releasable. It sits in the middle. It requires defined handling procedures, but not the infrastructure required for classified information.
Examples of CUI may include:
- Controlled Technical Information (CTI)
- Export-controlled technical data governed by ITAR or EAR
- Engineering drawings for defense components
- Test data from military prototypes
- Vulnerability scan results
- Personnel records containing Social Security numbers
- Sensitive procurement documents
If you are a contractor handling this type of information, you are required to protect it in accordance with federal safeguarding standards.
CUI vs FCI: Why the difference matters
One of the most important distinctions for contractors is the difference between CUI and Federal Contract Information (FCI).
FCI is information provided by or generated for the government under a contract that is not intended for public release. It is sensitive, but it does not meet the threshold for CUI.
Examples of FCI may include:
- Contract modification letters
- Meeting schedules with a government program manager
- Internal project timelines for a federal contract
CUI, on the other hand, includes sensitive technical, operational, or regulated information that requires specific safeguarding controls under federal law or regulation.
Why does this distinction matter?
Because CUI determines your CMMC level.
- If you handle only FCI, CMMC Level 1 (15 practices) may apply.
- If you handle CUI, CMMC Level 2 (110 NIST SP 800-171 controls) applies.
That difference significantly impacts compliance scope, cost, and assessment requirements.
Executive Order 13556 and the birth of the CUI Program
Before the CUI Program existed, federal agencies used inconsistent labeling systems such as “For Official Use Only” (FOUO), “Sensitive But Unclassified” (SBU), and “Law Enforcement Sensitive” (LES). There was no standardized approach across agencies.
This lack of uniformity created confusion for contractors and inefficiencies in interagency information sharing.
On November 4, 2010, President Barack Obama signed Executive Order 13556, officially establishing the Controlled Unclassified Information Program. The Order:
- Established a single, government-wide CUI Program
- Designated the National Archives and Records Administration (NARA) as the Executive Agent
- Standardized safeguarding and dissemination controls
- Extended protection requirements to non-federal systems handling CUI
Today, the CUI Program provides a unified framework that contractors must follow when handling sensitive unclassified government information.

What qualifies as CUI? CUI categories and types
Not all sensitive information is CUI. For information to qualify, it must be associated with a specific law, regulation, or government-wide policy that requires safeguarding.
The Information Security Oversight Office (ISOO), under NARA, maintains the official CUI Registry. The registry organizes CUI into categories and subcategories, each tied to specific legal authorities.
Let’s break down what qualifies as CUI and explore its main categories and types.
The ISOO and DoD CUI Registries
The ISOO CUI Registry is a critical component of the CUI Program. It serves as the official government-wide registry for all categories and subcategories of CUI, and is managed by NARA under the oversight of the Information Security Oversight Office (ISOO).
The CUI registry is publicly available via the National Archives, making it easy for government employees, contractors, and the public to see what qualifies as CUI and the applicable safeguarding requirements.
The ISOO CUI Registry organizes CUI into the following categories:
| CUI Category | Description | Example |
|---|---|---|
| Critical Infrastructure | Information related to physical or virtual systems essential for public safety, economic security, or national security | Energy infrastructure data, transportation systems information |
| Defense | Information related to military or national defense that is not classified | Controlled Technical Information (CTI), Export-controlled data under ITAR or EAR |
| Export Control | Information controlled by export regulations, such as International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR) | Technical data requiring export licenses |
| Financial | Information about financial institutions, systems, or individuals | Bank Secrecy Act (BSA) reports, tax information |
| Immigration | Information related to immigration, naturalization, or citizenship | Visa application records, refugee status information |
| Intelligence | Unclassified information related to intelligence activities, sources, and methods | Signals intelligence analysis, non-classified intelligence reports |
| International Agreements | Information related to agreements between the U.S. and foreign governments or international organizations | Details of treaties, trade agreements, or joint military operations with allied nations |
| Law Enforcement | Information pertaining to law enforcement investigations or operations | Criminal investigation reports, witness protection data |
| Legal | Legal or litigation-related information | Attorney-client privileged materials, court-sealed documents |
| Natural and Cultural Resources | Information related to the management and use of natural and cultural resources | Environmental impact assessments, wildlife conservation data |
| North Atlantic Treaty Organization (NATO) | Information related to NATO operations, policies, or agreements | NATO operational plans, joint defense strategies, and sensitive communication protocols shared between member nations |
| Nuclear | Information about nuclear technology or materials that is sensitive but not classified | Non-classified nuclear safety protocols, radiological incident reports |
| Patent | Information about unpublished or sensitive patent applications or technologies under development | Pending patent applications, proprietary designs submitted to the government |
| Privacy | Personally Identifiable Information (PII) or data protected under privacy laws like HIPAA | Medical records, Social Security numbers |
| Procurement and Acquisition | Information pertaining to government procurement processes and acquisition strategies | Contract proposals, bid evaluations, and supplier proprietary data submitted during the acquisition process |
| Proprietary Business Information | Sensitive commercial or business information provided to the government | Trade secrets, confidential R&D data |
| Provisional | A temporary category used for sensitive information not yet fully classified under a specific CUI category | Information awaiting classification or determination under an existing CUI category |
| Statistical | Information related to statistical analysis or data collection for government purposes | Census data, economic forecasts |
| Tax | Information about federal, state, or local tax-related matters | Taxpayer identification numbers, IRS records, or sensitive financial audits |
| Transportation | Information related to transportation systems, infrastructure, or operations | Passenger data, transportation security plans |
While the ISOO registry serves as the government-wide framework, the Department of Defense maintains its own CUI registry aligned with DFARS 252.204-7012, CMMC, and DoD-specific policy.
CUI Basic vs CUI Specified: Security requirements for different types of CUI
There are two main types of CUI: CUI Basic and CUI Specified. CUI Specified is a subset of CUI that has additional security requirements for how it must be handled.
- CUI Basic: Most CUI falls into this category. It follows the standard safeguarding and dissemination rules laid out in the CUI Program regulations. No special or unique requirements here, just the baseline protections. For example, personnel records that need safeguarding under the Privacy Act but don’t have extra restrictions.
- CUI Specified: This is CUI that comes with special safeguarding or dissemination requirements because of a federal law or regulation. These rules are over and above the standard ones for CUI Basic. An example would be export-controlled technical data governed by ITAR or EAR, which are more sensitive and require stricter export and access controls.
While all CUI must be protected, CUI Specified comes with additional requirements because it's tied to specific federal laws and regulations. These rules dictate exactly how certain types of sensitive information must be handled.
Understanding the unique requirements of these laws is critical for organizations that work with CUI Specified, as they outline not only the expectations for safeguarding it but also the potential consequences of noncompliance.
Are SSPs and POA&Ms considered CUI?
A common question is whether documents like System Security Plans (SSPs) and Plans of Action and Milestones (POA&Ms) count as CUI. In most cases, the answer is no.
For information to be considered CUI, it must be created or held as part of performing a government contract. Most of the time, SSPs and POA&Ms don’t meet that criterion. These documents are typically developed for internal business purposes, such as preparing for an audit, assessing security posture, or meeting internal risk management goals. Since they aren’t produced or maintained as part of fulfilling a federal contract, they generally don’t fall under the definition of CUI.
That said, the fact that SSPs and POA&Ms aren’t usually CUI doesn’t mean they don’t need protection, or that they can never be CUI. These documents often contain detailed information about an organization’s security systems, vulnerabilities, and remediation strategies. Depending on what the information is, how it relates to the government and/or national security, and how sensitive it is, it can be considered CUI. If that information fell into the wrong hands, it could create serious security risks or give competitors an advantage.
Organizations should take steps to safeguard SSPs and POA&Ms by using security measures like encryption, strict access controls, and secure storage.
What is derivative CUI?
If you create new documents that incorporate or reference CUI source material, those derivative materials typically inherit the CUI designation.
For example:
- Engineering analyses based on CUI drawings
- Technical reports summarizing CUI test data
- Internal memos that reproduce CUI content
If the original information is CUI, derivatives are generally treated as CUI unless formally decontrolled.
What is CUI marking?
Because there are different types of CUI, it’s crucial for agency and contractor employees to clearly understand the type of CUI they’re handling to meet the correct safeguarding requirements. That’s why CUI marking is important.
Marking CUI is a method established by the CUI Program to label or identify CUI. By following marking requirements, organizations can minimize the risk of mishandling sensitive data while staying compliant with federal safeguarding standards.
- CUI banner marking: A header or banner at the top of the document/page indicating the information is CUI. Example: CONTROLLED // CUI
- CUI Category marking (optional): Agencies may include the CUI category or subcategory in the marking to specify the type of CUI. Example: CONTROLLED // CUI // Privacy
- Portion markings (optional): Some agencies may require marking specific paragraphs or sections as containing CUI. Example: (CUI) at the beginning of a paragraph.
- Dissemination control markings: Markings that limit how the information can be shared. For example: NOFORN (Not Releasable to Foreign Nationals) or REL TO USA, FVEY (Releasable to the U.S. and Five Eyes partners)
- Decontrolling CUI marking: If CUI is no longer considered sensitive, it should include a marking to indicate that it has been decontrolled.
Security frameworks for safeguarding CUI
To protect CUI, organizations follow specific security frameworks established by the federal government. These frameworks provide guidelines for implementing the necessary technical, physical, and administrative controls to meet federal security requirements. Let’s explore the key NIST frameworks and their role in protecting CUI to clarify when they apply and how they help organizations stay secure.
NIST 800-53
NIST 800-53 is a comprehensive framework designed for federal information systems and organizations. It provides a catalog of 1,000+ security and privacy controls that organizations can implement to protect sensitive information, including CUI. This framework applies when CUI is handled within federal systems or controlled environments, such as government-owned or operated facilities.
For organizations working directly with federal agencies, NIST 800-53 serves as the gold standard for information security. While its scope is broad and its controls are highly detailed, this framework ensures that federal systems remain resilient against evolving cybersecurity threats. By adhering to NIST 800-53, organizations demonstrate their commitment to maintaining the highest level of security for CUI and other sensitive data.
NIST SP 800-171
NIST Special Publication 800-171 was developed specifically for private sector organizations that process, store, or transmit CUI, such as government contractors, subcontractors, and service providers. Unlike NIST 800-53, which is designed for federal systems, NIST 800-171 tailors its requirements to private organizations that need to meet federal safeguarding standards without the complexity of managing classified systems.
This framework includes 110 controls organized into 14 families, which provide clear and actionable steps for encrypting sensitive data, monitoring system activity, and managing access permissions.
The Cybersecurity Maturity Model Certification (CMMC)
CMMC adapts NIST 800-171 for organizations handling CUI within the defense industrial base. Introduced by the DoD, CMMC is structured into three maturity levels. Each level corresponds to the type and sensitivity of information being handled, ensuring that contractors implement the appropriate level of security for their operations.
By requiring third-party certification, CMMC also ensures that organizations are not only implementing the necessary controls but also maintaining them over time. This framework helps the DoD mitigate supply chain risks and protect national security while providing specific guidance for contractors to enhance their cybersecurity posture.
Federal Risk and Authorization Management Program (FedRAMP)
The Federal Risk and Authorization Management Program (FedRAMP) is a government-wide program designed to standardize security requirements and assessments for cloud service providers used by federal agencies. It simplifies the process of ensuring these services meet strict federal security standards for safeguarding sensitive information, including CUI.
By choosing FedRAMP-authorized cloud services, agencies and contractors can securely manage CUI in cloud environments, reduce risk, and streamline their operations while meeting federal compliance requirements.

How to identify CUI in your organization
Identifying CUI accurately is the foundation of your compliance strategy.
Step 1: Review your contracts
Look for DFARS 252.204-7012 and other clauses referencing CUI. Contracts should indicate whether CUI is involved and may reference DD Form 254.
Step 2: Map data flows
Determine where CUI enters your organization, where it is stored, who accesses it, and how it is transmitted.
Step 3: Identify derivative CUI
Assess whether internally generated documents inherit CUI designation from source material.
Step 4: Define your CUI boundary
Document the systems, devices, networks, and personnel that process, store, or transmit CUI. This boundary determines the scope of your NIST 800-171 implementation and CMMC assessment.
A well-defined boundary reduces compliance complexity and supports defensible scoping during third-party assessments.
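Steps 2 through 4 above, together with the derivative CUI rule from the earlier section, can be turned into a repeatable check. The following is an added example, not part of the original article or of Secureframe's product: it models a data-flow inventory as a small graph and walks it so that anything that receives CUI over a flow, or that incorporates CUI content, lands inside the boundary until it is formally decontrolled. All asset names, flows and the `Asset` fields are constructed for the example.

```python
"""Added example: derive the CUI boundary from a data-flow inventory.

Assets seeded from the contract review (Step 1) are walked along flows (Step 2)
and derivative relationships (Step 3) to produce the boundary (Step 4).
All asset names and flows below are constructed sample data.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass
class Asset:
    name: str
    receives_cui_directly: bool = False   # seeded from the contract review (Step 1)
    derived_from: list[str] = field(default_factory=list)  # assets whose CUI content this one reproduces
    decontrolled: bool = False            # formally decontrolled by the designating authority


def derive_boundary(assets: dict[str, Asset], flows: list[tuple[str, str]]) -> set[str]:
    """Return the names of every asset that processes, stores or transmits CUI.

    The designation propagates along two kinds of edge:
      - a flow (src, dst): dst stores or transmits whatever src sends it
      - derived_from: the asset summarises or reproduces CUI content (derivative CUI)
    A decontrolled asset is no longer CUI and stops propagation.
    """
    successors: dict[str, set[str]] = {name: set() for name in assets}
    for src, dst in flows:
        successors[src].add(dst)
    for asset in assets.values():
        for source in asset.derived_from:
            successors[source].add(asset.name)

    boundary: set[str] = set()
    queue = deque(name for name, a in assets.items() if a.receives_cui_directly)
    while queue:
        name = queue.popleft()
        if name in boundary or assets[name].decontrolled:
            continue
        boundary.add(name)
        queue.extend(successors[name])
    return boundary


def out_of_scope(assets: dict[str, Asset], flows: list[tuple[str, str]]) -> set[str]:
    """Assets that never touch CUI and therefore sit outside the assessment scope."""
    return set(assets) - derive_boundary(assets, flows)


# Constructed sample inventory: a government SFTP drop feeds engineering systems,
# a test report is derived from CAD work, and a decontrolled summary is published.
SAMPLE_ASSETS = {
    a.name: a
    for a in [
        Asset("gov-sftp-drop", receives_cui_directly=True),
        Asset("eng-fileserver"),
        Asset("cad-workstation-01"),
        Asset("prototype-test-report", derived_from=["cad-workstation-01"]),
        Asset("email-gateway"),
        Asset("public-summary", derived_from=["prototype-test-report"], decontrolled=True),
        Asset("public-website"),
        Asset("hr-system"),
    ]
}
SAMPLE_FLOWS = [
    ("gov-sftp-drop", "eng-fileserver"),
    ("eng-fileserver", "cad-workstation-01"),
    ("prototype-test-report", "email-gateway"),
    ("public-summary", "public-website"),
]

if __name__ == "__main__":
    print("in scope:    ", sorted(derive_boundary(SAMPLE_ASSETS, SAMPLE_FLOWS)))
    print("out of scope:", sorted(out_of_scope(SAMPLE_ASSETS, SAMPLE_FLOWS)))
```

The walk treats decontrol as the only way out of the boundary, which matches the rule that derivatives stay CUI "unless formally decontrolled"; an inventory that lists a flow from an in-scope system to a shared service (an email gateway, a backup target) pulls that service into scope, which is exactly the kind of surprise a boundary exercise is meant to surface before a C3PAO does.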
Building a strong cybersecurity posture to protect CUI
Understanding what CUI is and where it lives is the starting point. Protecting it consistently is what federal frameworks measure.
Secureframe Defense helps contractors map their CUI boundary, scope applicable CMMC requirements, automate evidence collection, and accelerate C3PAO assessment readiness.
With Secureframe Defense, organizations can provision compliant cloud environments aligned with CMMC requirements, define their in-scope CUI systems, and generate documentation such as SSPs and POA&Ms directly from their live environment.
Whether you're identifying CUI for the first time or preparing for a CMMC Level 2 assessment, Secureframe Defense simplifies every step of the process.
Learn more about how Secureframe Defense supports CUI protection and federal compliance by scheduling a demo today.
FAQs
What does CUI mean?
Controlled Unclassified Information (CUI) is an umbrella term for information that requires safeguarding or dissemination controls pursuant to applicable laws, federal regulations, and government-wide policies, but is not classified under Executive Order 13526 or the Atomic Energy Act. The National Archives and Records Administration (NARA) maintains a CUI Registry that categorizes CUI into distinct types based on the nature of the information.
What are CUI security requirements?
CUI security requirements are outlined in 32 CFR Part 2002 and NIST 800-53 and depend on whether the information is CUI Basic or CUI Specified. For non-federal systems, they are further detailed in NIST SP 800-171. Key requirements include:
- Implementing access controls to limit who can view or handle CUI.
- Encrypting CUI in transit and at rest.
- Monitoring systems for unauthorized access or activities.
- Physical safeguards like locking up physical documents.
- Ensuring secure methods of data sharing and destruction.
What are the six categories of CUI?
CUI is grouped into categories and subcategories based on the CUI Registry. While there are many subcategories, some major categories include:
- Critical Infrastructure: Information about energy systems, transportation, etc.
- Defense: Data related to military operations or controlled technical information.
- Export Control: Information governed by ITAR or EAR regulations.
- Privacy: Personally identifiable information (PII) or health data (e.g., under HIPAA).
- Law Enforcement: Information about investigations or operations.
- Financial: Sensitive financial data like tax or banking information.
These categories represent types of information that require safeguarding and dissemination controls under federal laws or regulations.
How to mark CUI in emails?
To mark CUI in emails, you must ensure recipients are aware that the email contains CUI. Here’s how:
- Subject Line: Include "[CUI]" at the start of the subject line
- Email Body: Add a CUI banner at the top of the email body
- Attachments: Clearly mark any attached documents containing CUI with appropriate CUI markings (e.g., in the document header or filename)
You can also use tools like PreVeil and Regdox for CUI marking.
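The banner markings described in the "What is CUI marking?" section and the email checklist above can both be checked mechanically before a message leaves the organization. The following is an added example, not code from the article or from any of the tools it names. It follows the banner form the article shows (segments separated by `//`, e.g. `CONTROLLED // CUI // Privacy // NOFORN`); treating `NOFORN` and `REL TO ...` as dissemination controls, everything else after `CUI` as a category, and checking attachment markings by filename only are assumptions of this example, and the agency's marking guidance governs the exact syntax in practice. The sample messages are constructed.

```python
"""Added example: parse CUI banner markings and check an outbound email for them."""
from dataclasses import dataclass, field

# Assumption: dissemination control segments begin with one of these prefixes.
DISSEMINATION_PREFIXES = ("NOFORN", "REL TO")


@dataclass
class BannerMarking:
    categories: list[str] = field(default_factory=list)     # e.g. "Privacy", "Defense"
    dissemination: list[str] = field(default_factory=list)  # e.g. "NOFORN", "REL TO USA, FVEY"


def parse_banner(line: str) -> BannerMarking:
    """Parse 'CONTROLLED // CUI [// category]* [// control]*'; raise on anything else."""
    segments = [s.strip() for s in line.strip().split("//")]
    if len(segments) < 2 or segments[0].upper() != "CONTROLLED" or segments[1].upper() != "CUI":
        raise ValueError(f"not a CUI banner: {line!r}")
    marking = BannerMarking()
    for seg in segments[2:]:
        if not seg:
            raise ValueError(f"empty segment in banner: {line!r}")
        if seg.upper().startswith(DISSEMINATION_PREFIXES):
            marking.dissemination.append(seg.upper())
        else:
            marking.categories.append(seg)
    return marking


@dataclass
class Email:
    subject: str
    body: str
    attachments: list[str] = field(default_factory=list)  # attachment filenames


def check_email_marking(msg: Email) -> list[str]:
    """Return findings for an email known to carry CUI; an empty list means it is marked
    as the checklist describes (subject tag, body banner, marked attachments)."""
    findings: list[str] = []
    if not msg.subject.startswith("[CUI]"):
        findings.append("subject line does not start with [CUI]")
    first_line = msg.body.lstrip().splitlines()[0] if msg.body.strip() else ""
    try:
        parse_banner(first_line)
    except ValueError:
        findings.append("body does not begin with a CUI banner")
    for name in msg.attachments:
        # Assumption: a marked attachment carries "CUI" in its filename.
        if "CUI" not in name.upper():
            findings.append(f"attachment {name!r} carries no CUI marker in its filename")
    return findings


# Constructed sample messages.
MARKED_EMAIL = Email(
    subject="[CUI] Prototype test summary",
    body="CONTROLLED // CUI // Defense // NOFORN\n\nSummary attached.",
    attachments=["CUI_prototype_test_report.pdf"],
)
UNMARKED_EMAIL = Email(
    subject="Prototype test summary",
    body="Hi team, summary attached.",
    attachments=["prototype_test_report.pdf"],
)

if __name__ == "__main__":
    print(parse_banner("CONTROLLED // CUI // Privacy // REL TO USA, FVEY"))
    print("marked:  ", check_email_marking(MARKED_EMAIL) or "no findings")
    print("unmarked:", check_email_marking(UNMARKED_EMAIL))
```

A check like this belongs at the boundary (a mail flow rule or DLP policy that blocks or quarantines on findings) rather than as advice to the sender; the parser is strict on purpose, because a banner that fails to parse is indistinguishable from a missing one to the recipient's own handling rules.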
Does CUI need to be encrypted when emailed?
CUI must be encrypted when emailed if it is sent outside a secure internal network. If emailing within a secure, approved system, encryption may not be required, but this depends on the organization's specific policies.
Can CUI be stored in a locked desk after working hours?
CUI can be stored in a locked desk, cabinet, or other secure container after working hours, as long as it is not accessible to unauthorized personnel.
Can CUI be stored on any password protected system?
No, CUI cannot be stored on just any password-protected system. The system must meet the security requirements outlined in NIST SP 800-171 and CMMC for non-federal systems, or FISMA or FedRAMP for federal systems, including access controls (e.g., multifactor authentication), encryption at rest and in transit, and regular monitoring and auditing capabilities. Storing CUI on systems that do not meet these standards violates safeguarding requirements.

Emily Bonnie
Senior Content Marketing Manager
Emily Bonnie is a seasoned digital marketing strategist with over ten years of experience creating content that attracts, engages, and converts for leading SaaS companies. At Secureframe, she helps demystify complex governance, risk, and compliance (GRC) topics, turning technical frameworks and regulations into accessible, actionable guidance. Her work aims to empower organizations of all sizes to strengthen their security posture, streamline compliance, and build lasting trust with customers.

Rob Gutierrez
Senior Cybersecurity and Compliance Manager, CISA, CCSK, CMMC RP
Rob Gutierrez is an information security leader with nearly a decade of experience in GRC, IT audit, cybersecurity, FedRAMP, cloud, and supply chain assessments. As a former auditor and security consultant, Rob performed and managed CMMC, FedRAMP, FISMA, and other security and regulatory audits. At Secureframe, he’s helped hundreds of customers achieve compliance with federal and commercial frameworks, including NIST 800-171, NIST 800-53, FedRAMP, CMMC, SOC 2, and ISO 27001.