What is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) is a category of information in the United States federal government that requires protection under laws, regulations, or government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.

CUI replaces the previous system of "Sensitive But Unclassified" (SBU) information, which was a designation used for decades but without a clear or consistent set of rules for how to handle such information. The CUI program standardizes the way the federal government handles non-classified information that requires protection, such as personal privacy information, proprietary business information, critical infrastructure information, and law enforcement investigation information, to name a few.

Here are key aspects of CUI:

  • Categorization: CUI is categorized into various groups and subcategories to reflect the nature of the information and the need for access and dissemination controls.
  • Marking: Documents or materials that contain CUI must be properly marked to alert handlers to the presence of CUI.
  • Handling: There are specific requirements and guidelines for handling CUI, including storage, transmission, and destruction.
  • Training: Agencies are required to train their employees on handling CUI properly.
  • Compliance: Contractors and other non-federal entities who handle CUI must comply with federal standards for protecting CUI, often outlined in the National Institute of Standards and Technology (NIST) publications, such as NIST SP 800-171.

The CUI program is managed by the National Archives and Records Administration (NARA), and it affects a wide range of stakeholders across the federal government, as well as state and local entities, private sector organizations, and academic institutions that work with the federal government.