
Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is a category of information in the United States federal government that requires safeguarding or dissemination controls according to applicable laws, regulations, and government-wide policies, but is not classified under Executive Order 13526 or the Atomic Energy Act. CUI replaces the patchwork of agency-specific designations like “Sensitive But Unclassified” (SBU) and “For Official Use Only” (FOUO) with a standardized system.

What Is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) is a category of information in the United States federal government that requires safeguarding or dissemination controls according to and consistent with applicable laws, regulations, and government-wide policies. Established by Executive Order 13556, the CUI program standardized how the government handles sensitive but unclassified information, replacing the inconsistent patchwork of prior designations like SBU, FOUO, and LES.

CUI Categories and the CUI Registry

CUI is organized into categories and subcategories maintained by NARA in the CUI Registry. Key aspects of CUI categorization include:

  • CUI Basic: The default type of CUI, requiring uniform handling controls as specified in 32 CFR Part 2002.
  • CUI Specified: CUI for which specific laws, regulations, or policies prescribe particular handling controls that differ from CUI Basic.

Categories relevant to defense contractors include Controlled Technical Information (CTI), Export Controlled information, Critical Infrastructure information, and Privacy-related information. Each category has specific marking, safeguarding, and dissemination requirements.

CUI Marking Requirements

Documents and materials containing CUI must be properly marked to alert handlers to the presence of controlled information. CUI markings include a CUI banner at the top of each page, category indicators identifying the specific CUI category, distribution and dissemination control statements, and the identity of the designating agency or organization. Contractors who generate CUI must apply correct markings in accordance with NARA’s marking guidance in 32 CFR Part 2002.

CUI Handling Requirements

There are specific requirements for handling CUI across its lifecycle, including storage in approved systems with appropriate access controls, transmission only through approved encrypted channels, destruction using methods that prevent reconstruction (NIST SP 800-88 guidelines), and training for all personnel who access CUI on proper handling procedures. Agencies and contractors who handle CUI must comply with federal standards for protecting this information.

CUI and CMMC Compliance

The presence of CUI in a defense contract is what triggers the requirement for CMMC Level 2 certification. Contractors handling CUI must implement all 110 security requirements in NIST SP 800-171 and undergo assessment by a C3PAO. Understanding whether your contracts involve CUI (versus only Federal Contract Information) is the critical first step in determining your CMMC compliance obligations.

CUI vs. FCI: Key Differences

Federal Contract Information (FCI) is the broader category of non-public contract information, while CUI is specifically designated information requiring safeguarding controls. FCI triggers CMMC Level 1 (17 practices, self-assessment), while CUI triggers Level 2 (110 practices, third-party assessment). This distinction directly impacts compliance costs, assessment requirements, and the scope of security controls a contractor must implement.