Controlled Unclassified Information, almost universally referred to as CUI, is the formal designation for information that the federal government creates or possesses, or that an entity creates or possesses on behalf of the federal government, that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies. The category was established by Executive Order 13556 in November 2010 and is codified in federal regulation at 32 CFR Part 2002. CUI is the standard the executive branch applies to sensitive unclassified information across all federal civilian and defense agencies.

The program affects far more than the Department of Defense. Federal civilian agencies including the Department of Health and Human Services, the Department of Energy, the Department of Justice, and the Internal Revenue Service all generate and handle CUI. Information sharing partners including state and local governments, research universities, and private sector contractors also encounter CUI when working with federal agencies. The CUI category replaces more than 100 different agency-specific markings that previously existed for sensitive unclassified information, including For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Limited Official Use (LOU).

Where the CUI Program Came From

Before 2010, federal agencies used a fragmented patchwork of markings and handling regimes for sensitive unclassified information. Different agencies labeled similar information with incompatible markings, applied different protection requirements, and used inconsistent dissemination controls. A document marked For Official Use Only at one agency might be the equivalent of Limited Official Use at another and Sensitive But Unclassified at a third. The result was confusion for federal employees, contractors, and information sharing partners, and a meaningful gap between the protection assumed by the originating agency and the protection actually applied by recipients.

President Obama issued Executive Order 13556, "Controlled Unclassified Information," on November 4, 2010, to standardize the executive branch approach. The Order directed federal agencies to consolidate the existing markings into a single program with uniform definitions, marking standards, and protection requirements. The National Archives and Records Administration, through its Information Security Oversight Office, was designated the executive agent for the program.

The implementing regulation, 32 CFR Part 2002, was published in 2016 and took effect on November 14, 2016. The regulation establishes the policy framework, the categories of information that qualify as CUI, the marking standards, the safeguarding requirements for federal agencies, and the framework for non-federal organizations that receive CUI under federal agreements. Federal agencies were given a phased implementation timeline, and the program is now in active use across the executive branch.

How CUI Is Categorized: The CUI Registry

Not all sensitive unclassified information qualifies as CUI. Information may only be designated CUI if it falls within a category listed in the CUI Registry maintained by the National Archives and Records Administration. The Registry is publicly accessible at archives.gov and lists every approved CUI category along with the underlying law, regulation, or government-wide policy that authorizes the protection.

The Registry organizes categories into approximately twenty broad organizational groupings. Each grouping contains specific categories that map to particular laws or policies. Common groupings include the following.

Organizational Grouping: Examples of Information Covered

Critical Infrastructure: Information about facilities, networks, or assets that are vital to public health, economic security, or national security.

Defense: Controlled technical information, naval nuclear propulsion information, unclassified controlled nuclear information, and other categories specific to defense work.

Export Control: Information subject to the International Traffic in Arms Regulations or the Export Administration Regulations.

Financial: Bank secrecy information, financial supervision records, and other categories tied to federal financial regulation.

Intelligence: Intelligence-related information that does not meet the threshold for classification but requires protection under applicable authorities.

Law Enforcement: Investigation records, criminal history information, and other law enforcement sensitive material.

Privacy: Personally identifiable information, health information protected under HIPAA, and other privacy-protected data when held by the federal government.

Procurement and Acquisition: Source selection information, contractor bid or proposal information, and other procurement sensitive material.

Tax: Federal taxpayer information protected under Internal Revenue Code Section 6103 and related authorities.

The Registry distinguishes between Basic and Specified CUI. Basic CUI is the default category for information that requires standard CUI protections without additional handling requirements imposed by the underlying authority. Specified CUI is information protected by laws or policies that impose specific handling requirements above the standard CUI baseline, such as additional dissemination controls, encryption standards, or storage requirements. Each Specified category in the Registry identifies the additional requirements that apply.

How CUI Is Marked

CUI is marked on the documents, files, and other materials that contain it. The marking communicates to recipients that the information requires CUI handling and identifies the relevant category and any additional requirements. The CUI marking standard is established in 32 CFR Part 2002 and detailed in the CUI Marking Handbook published by the National Archives. The basic marking elements include the following.

Banner Marking

Every page of a CUI document carries a banner marking at the top that begins with the designation CUI followed by category designators if applicable. The banner is the primary indicator that the information must be handled as CUI. Banner markings appear on every page of multi-page documents and on the front cover of bound materials.

Category Designators

For Basic CUI, the banner marking may be simply CUI; category designators are optional for Basic CUI unless the designating agency requires them. For Specified CUI, the banner must include category designators, each prefixed with SP-, that identify the specific category. Examples include CUI//SP-EXPT for Specified CUI in the Export Control category, or CUI//SP-PRVCY for Specified CUI in the Privacy category. The control marking and the category designators are separated by a double forward slash. When a document carries more than one category, the designators are separated by a single forward slash, with Specified designators listed before Basic ones, for example CUI//SP-CTI/PRVCY.

Limited Dissemination Controls

Limited dissemination controls communicate restrictions on how widely the information may be shared. Common controls include NOFORN, which prohibits dissemination to non-United States persons; FED ONLY, which restricts dissemination to federal employees; and FEDCON, which extends FED ONLY to contractors performing under federal agreements. Limited dissemination controls appear in the banner marking after the category designators, separated from them by a second double forward slash (for example, CUI//SP-CTI//NOFORN), and multiple controls are separated by a single forward slash. A document with no category designators places the control directly after the control marking, as in CUI//NOFORN.

Designation Indicator Block

The designation indicator block identifies the originating agency, the office of primary responsibility for the information, the date the information was designated as CUI, and contact information for questions about the designation. The block appears once per document, typically on the first page.
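The banner syntax above is regular enough to validate mechanically, which matters when a DLP rule, mail gateway, or document-management system has to decide whether a file is CUI, whether it is Specified, and which dissemination controls apply. The following parser is an added example written for this page; it is not code from the page or from NARA. It implements the structure described above (control marking, optional category segment, optional LDC segment, Specified markers before Basic ones). The KNOWN_CATEGORIES and KNOWN_LDCS sets are illustrative subsets chosen for the example, not the complete CUI Registry, and the REL TO handling assumes the "REL TO USA, GBR" trigraph form.

```python
"""Parser and structural validator for CUI banner markings.

Added example, not code from the page or from NARA. Implements the syntax
    CUI//<category markers>//<limited dissemination controls>
where category markers are separated by a single slash, Specified markers
carry the SP- prefix and precede Basic markers, and LDCs follow a second
double slash. Marker sets below are illustrative subsets (an assumption of
this example), not the full CUI Registry.
"""
from dataclasses import dataclass, field
import re

# Limited dissemination control markings (subset; REL TO is handled separately).
KNOWN_LDCS = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY", "DISPLAY ONLY"}
# Category markers (illustrative subset of the Registry).
KNOWN_CATEGORIES = {"CTI", "EXPT", "PRVCY", "PROPIN", "SSEL"}
# Comma-separated country trigraphs, e.g. "USA, GBR".
_TRIGRAPHS = re.compile(r"^[A-Z]{3}(, [A-Z]{3})*$")


@dataclass
class Banner:
    specified: list = field(default_factory=list)  # markers that carried SP-
    basic: list = field(default_factory=list)      # markers without SP-
    ldcs: list = field(default_factory=list)
    errors: list = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.errors

    @property
    def kind(self) -> str:
        return "Specified" if self.specified else "Basic"


def _is_ldc(token: str) -> bool:
    """True for a known LDC or a well-formed REL TO list that starts with USA."""
    if token in KNOWN_LDCS:
        return True
    if token.startswith("REL TO "):
        countries = token[len("REL TO "):]
        return countries.startswith("USA") and bool(_TRIGRAPHS.match(countries))
    return False


def parse_banner(text: str) -> Banner:
    """Split a banner on '//' and classify each segment; errors are collected, not raised."""
    b = Banner()
    segments = [s.strip() for s in text.strip().split("//")]
    if segments[0] != "CUI":
        b.errors.append("banner must begin with the CUI control marking")
        return b
    rest = segments[1:]
    if len(rest) > 2:
        b.errors.append("at most one category segment and one LDC segment allowed")
        return b
    if any(seg == "" for seg in rest):
        b.errors.append("empty segment after //")
        return b

    cat_seg = ldc_seg = None
    if len(rest) == 2:
        cat_seg, ldc_seg = rest
    elif len(rest) == 1:
        # A lone segment is the LDC segment only if every token is an LDC (CUI//NOFORN).
        tokens = [t.strip() for t in rest[0].split("/")]
        if all(_is_ldc(t) for t in tokens):
            ldc_seg = rest[0]
        else:
            cat_seg = rest[0]

    if cat_seg is not None:
        seen_basic = False
        for tok in (t.strip() for t in cat_seg.split("/")):
            if _is_ldc(tok):
                b.errors.append(f"{tok} is a dissemination control and belongs after a second //")
                continue
            is_specified = tok.startswith("SP-")
            marker = tok[3:] if is_specified else tok
            if marker not in KNOWN_CATEGORIES:
                b.errors.append(f"unknown category marker {marker}")
            if is_specified:
                if seen_basic:
                    b.errors.append("Specified markers must precede Basic markers")
                b.specified.append(marker)
            else:
                seen_basic = True
                b.basic.append(marker)

    if ldc_seg is not None:
        for tok in (t.strip() for t in ldc_seg.split("/")):
            if _is_ldc(tok):
                b.ldcs.append(tok)
            else:
                b.errors.append(f"unknown limited dissemination control {tok}")
    return b


if __name__ == "__main__":
    for sample in ("CUI//SP-CTI//NOFORN", "CUI//PRVCY/SP-EXPT", "FOUO"):
        result = parse_banner(sample)
        print(sample, "->", result.kind, "valid" if result.valid else result.errors)
```

Because the parser records every problem instead of stopping at the first one, a gateway can log the full list of defects on a mis-marked document (a legacy FOUO banner, an LDC placed in the category segment, Basic before Specified) while still extracting whatever markers were present to decide how to route it.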

A Note on Unmarked CUI

The absence of CUI markings on a document does not necessarily mean the document is not CUI. Federal agencies are responsible for marking CUI when it is created or first received, but markings are sometimes omitted in error, particularly during the transition from legacy markings such as For Official Use Only. Recipients who suspect an unmarked document contains CUI are responsible for protecting it accordingly and clarifying the designation with the originating agency.

CUI Compared to Federal Contract Information and Classified Information

The federal government distinguishes among several tiers of information sensitivity. The three most relevant for contractors performing federal work are Federal Contract Information, CUI, and classified information. The categories are not interchangeable and are governed by different authorities with different protection standards.

FCI
  What it is: Federal Contract Information not intended for public release, generated under or in support of a federal contract.
  Protection standard: FAR 52.204-21 (15 basic safeguarding requirements).
  Who handles: Contractors performing federal work.

CUI
  What it is: Sensitive unclassified information requiring safeguarding under federal law, regulation, or policy.
  Protection standard: NIST SP 800-171 (110 security requirements) for non-federal organizations.
  Who handles: Federal agencies, contractors, subcontractors, information sharing partners.

Classified
  What it is: Information determined under Executive Order 13526 to require protection for national security reasons, designated Confidential, Secret, or Top Secret.
  Protection standard: NIST SP 800-53 high baseline plus additional clearance and facility requirements.
  Who handles: Cleared personnel only, in accredited facilities.

The protection requirements escalate substantially across the three tiers. FCI represents the lowest tier, with fifteen basic safeguarding requirements that most organizations with reasonable cybersecurity hygiene already substantially meet. CUI represents the middle tier, with one hundred ten security requirements that require deliberate implementation. Classified information represents the highest tier, requiring personnel with active security clearances, accredited facilities, and substantially elevated technical controls.

CUI and classified information are mutually exclusive: CUI is not classified, classified information is not CUI, and the markings are different. FCI and CUI are not exclusive in the same way. CUI delivered under a federal contract usually also meets the FCI definition, and in that case the more demanding CUI requirements govern. Confusion among the tiers is one of the most common errors organizations make when first encountering federal information protection requirements.

Who Handles CUI

CUI is handled by federal agencies that originate or process it, and by non-federal organizations that receive it through contracts, grants, or information sharing agreements. The non-federal organizations that handle CUI fall into several recognizable categories.

Defense contractors and subcontractors handle CUI under contracts that include the Department of Defense Federal Acquisition Regulation Supplement clause DFARS 252.204-7012, "Safeguarding Covered Defense Information and Cyber Incident Reporting." This clause requires contractors to implement the protections established by NIST SP 800-171 and to report cyber incidents involving covered defense information within 72 hours. The clause flows down to subcontractors at all tiers when those subcontractors will receive or generate covered defense information.

Federal civilian agency contractors handle CUI under contracts that include analogous clauses. The Federal Acquisition Regulation includes FAR 52.204-21 for FCI and is being supplemented with additional CUI-specific clauses through ongoing rulemaking. Different agencies have implemented different interim approaches, but the protection standard for non-federal organizations is converging on NIST SP 800-171 across the executive branch.

Research universities handle CUI under federal grants and cooperative agreements involving controlled research, particularly in defense, energy, and intelligence-adjacent fields. Universities that receive controlled technical information must protect it under NIST SP 800-171 in the same manner as defense contractors.

State, local, tribal, and territorial governments handle CUI under information sharing agreements with federal agencies. Common examples include critical infrastructure information shared by the Cybersecurity and Infrastructure Security Agency, law enforcement sensitive information shared by federal investigative agencies, and emergency management information shared by the Federal Emergency Management Agency.

How CUI Must Be Protected

Federal agencies protect CUI under 32 CFR Part 2002 and agency-specific implementation guidance. The protection requirements for non-federal organizations are different and depend on the organization's relationship with the federal agency.

Non-federal organizations that handle CUI under contracts with federal agencies typically must implement the security requirements established in NIST Special Publication 800-171, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." NIST SP 800-171 Revision 2 establishes 110 security requirements organized across 14 control families: access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity. NIST published Revision 3 in May 2024, but DFARS 252.204-7012 and the CMMC rule continue to reference Revision 2, so the 110-requirement count is the one that governs Department of Defense work.

The 110 security requirements are documented by the contractor in a System Security Plan, which describes the organization's information system, the implementation of each security requirement, and any controls that are not fully implemented. Controls that are not fully implemented are tracked in a companion Plan of Action and Milestones with target completion dates. The relationship between the System Security Plan and the Plan of Action and Milestones is examined in detail at our CMMC SSP Template reference.

The Relationship Between CUI and CMMC

The Cybersecurity Maturity Model Certification, known as CMMC, is the Department of Defense framework for verifying that defense contractors implement the protections required for CUI on non-federal information systems. CMMC was created to address a recognized limitation in the prior compliance regime: under DFARS 252.204-7012, contractors self-attested to compliance with NIST SP 800-171, and since November 2020 have submitted self-assessment scores to the Supplier Performance Risk System under DFARS 252.204-7019 and 7020, but no third party verified that the self-attestations were accurate. Department of Defense reviews and Department of Justice False Claims Act enforcement actions repeatedly identified gaps between contractor self-attestations and operational reality.

The CMMC framework addresses this gap by requiring independent assessment of NIST SP 800-171 compliance for most contractors that handle CUI on Department of Defense contracts. The assessment is conducted by a CMMC Third Party Assessment Organization (C3PAO) authorized by The Cyber AB, the official accreditation body for the CMMC ecosystem. Contractors that complete a successful CMMC Level 2 certification assessment receive a certification that lasts three years before requiring re-assessment, with an annual affirmation of continued compliance in between. Some solicitations instead specify a Level 2 self-assessment, which covers the same 110 requirements but is attested by the contractor rather than a C3PAO.

The relationship between CUI and CMMC is direct. CMMC Level 2 corresponds to the 110 security requirements of NIST SP 800-171. Contractors that handle CUI on Department of Defense contracts must achieve CMMC Level 2, with the phase-in proceeding through 2028 under the CMMC Final Rule codified at 32 CFR Part 170. A smaller set of contracts involving higher-risk CUI will require Level 3, which adds selected requirements from NIST SP 800-172 and is assessed by the Department of Defense itself. Contractors that handle only FCI but no CUI need only achieve CMMC Level 1, which corresponds to the fifteen basic safeguarding requirements of FAR 52.204-21. The triggering question for which level applies is whether the contractor handles CUI.

Common Misconceptions About CUI

The CUI program is sufficiently complex that several misconceptions are common among organizations encountering it for the first time. Recognizing these misconceptions helps avoid compliance errors that surface during contract execution or assessment.

CUI Is the Same as Classified

CUI is not classified. CUI is sensitive unclassified information. The two categories are governed by different authorities, marked with different standards, and protected with different requirements. Conflating them produces errors in both directions: applying classified handling requirements to CUI is wasteful, and applying CUI handling requirements to classified information is a serious security violation.

Only Defense Contractors Handle CUI

The CUI program applies across the entire executive branch, not just the Department of Defense. Federal civilian agencies generate and handle CUI in categories ranging from law enforcement sensitive information to taxpayer information to procurement source selection material. Contractors performing work for civilian agencies regularly encounter CUI even when their work has no defense connection.

Unmarked Documents Are Not CUI

The absence of markings does not establish that information is not CUI. Federal agencies are responsible for marking CUI when it is created or first received, but markings are occasionally omitted in error. Organizations that receive documents which appear to contain information meeting CUI criteria should treat the information as CUI pending clarification with the originating agency.

For Official Use Only Is Still a Valid Marking

For Official Use Only, abbreviated FOUO, was retired as a marking when the CUI program was implemented. Documents originally marked FOUO that remain in active use should be reviewed and remarked as CUI under the appropriate category, or determined not to require CUI protection. Some legacy FOUO documents continue to circulate, but new documents should not be marked FOUO.

All CUI Requires the Same Level of Protection

Basic CUI receives standard protections under NIST SP 800-171 for non-federal organizations. Specified CUI is governed by underlying laws or policies that may impose additional requirements above the NIST SP 800-171 baseline. Organizations handling Specified CUI must identify the additional requirements that apply to each category they handle and implement them accordingly.

How to Tell If Your Organization Handles CUI

Organizations new to federal contracting often need to determine whether they handle CUI. Several practical indicators help answer the question.

The first indicator is the presence of DFARS 252.204-7012 in any current or recent Department of Defense contract. The clause is included in nearly all Department of Defense solicitations and contracts other than those solely for commercial off-the-shelf items, so its presence alone does not prove that CUI flows under the contract. It does mean the contractor has agreed to protect covered defense information and report cyber incidents if such information is received or generated, and it flows down to subcontractors at all tiers whose work involves covered defense information. A contractor holding the clause should confirm with the contracting officer whether the contract actually involves CUI rather than assume either answer.

The second indicator is the receipt of documents bearing CUI markings, which is direct evidence that CUI has been received. Documents marked with legacy designations such as For Official Use Only that have not been formally remarked are a strong signal rather than proof: some legacy FOUO material qualifies as CUI under a Registry category and some does not, so the designation should be confirmed with the originating agency.

The third indicator is the nature of the work performed. Defense engineering and manufacturing work typically involves controlled technical information, which is a CUI category. Federal information technology work involving sensitive systems frequently generates or processes CUI. Research conducted under federal grants in defense, energy, or intelligence-adjacent fields commonly involves CUI.

The fourth indicator is the contracting officer's representation. When in doubt, the contractor may ask the contracting officer to confirm whether the contract involves CUI and, if so, which categories. This communication should be in writing for the contractor's records.

Organizations that conclude they handle CUI face decisions about how to implement the required protections. Some organizations have mature security programs already aligned to NIST SP 800-171 and need only modest gap remediation. Others have programs aligned to other frameworks such as ISO 27001 or the NIST Cybersecurity Framework and need to map their existing controls to the NIST SP 800-171 requirements. Others have minimal existing infrastructure and face a multi-quarter implementation effort. The conversation about which path fits is the starting point for any organization's CUI compliance program.

Questions People Ask About CUI

What is CUI?

CUI is Controlled Unclassified Information. It is information the federal government creates or possesses, or that an entity creates or possesses on behalf of the federal government, that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies. The CUI program was established by Executive Order 13556 in November 2010 and is codified at 32 CFR Part 2002. The National Archives and Records Administration, through its Information Security Oversight Office, serves as the executive agent for the program.

What does CUI stand for?

CUI stands for Controlled Unclassified Information. It is the formal designation for sensitive information that does not meet the threshold for classification but still requires safeguarding or dissemination controls under federal law, regulation, or government-wide policy. The CUI category replaced more than 100 different agency-specific markings that previously existed for sensitive unclassified information.

What is the difference between CUI and classified information?

Classified information is information determined under Executive Order 13526 to require protection against unauthorized disclosure for reasons of national security, designated at the Confidential, Secret, or Top Secret level. Classified information must be handled by personnel holding appropriate security clearances and stored in accredited facilities. CUI is information that requires safeguarding under federal law or policy but does not meet the threshold for classification. CUI does not require a security clearance to access, can be processed on properly configured non-federal information systems, and is not subject to the physical security requirements that apply to classified materials.

What is the difference between CUI and FCI?

Federal Contract Information (FCI) is information not intended for public release that is provided by or generated for the government under a contract. FCI is protected under FAR 52.204-21, which establishes 15 basic safeguarding requirements. CUI is a broader category established by Executive Order 13556 and codified at 32 CFR Part 2002. CUI requires more extensive protections than FCI when handled by non-federal organizations, including the 110 security requirements established by NIST SP 800-171. CUI represents the higher protection tier.

Who decides what information is CUI?

The federal agency that originates the information determines whether it qualifies as CUI under one of the categories listed in the CUI Registry maintained by the National Archives and Records Administration. The originating agency identifies the law, regulation, or government-wide policy that authorizes the CUI designation, applies the appropriate marking, and communicates the designation to recipients including contractors. Once an agency designates information as CUI, all subsequent recipients including contractors and subcontractors must protect the information according to the applicable category requirements.

How is CUI marked?

CUI is marked with a banner marking at the top of each page that begins with the designation CUI followed by category designators if applicable. The marking appears on every page of a document and on the cover. Additional marking elements may include limited dissemination controls such as NOFORN or FED ONLY, and a designation indicator block identifying the originating agency, the office of primary responsibility, and contact information. Specified CUI categories may require additional marking elements as defined by the underlying law or policy.

What are the requirements for protecting CUI?

Federal agencies protect CUI under 32 CFR Part 2002 and agency-specific implementation guidance. Non-federal organizations that handle CUI under contracts with federal agencies must implement the 110 security requirements established by NIST SP 800-171, organized across 14 control families covering access control, awareness and training, audit and accountability, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.

Does my company handle CUI?

An organization handles CUI if it receives, processes, stores, or transmits information that has been designated as CUI by a federal agency. The most common indicators are the presence of the DFARS 252.204-7012 clause in a contract, the receipt of documents bearing CUI markings, contract requirements involving controlled technical information, technical data subject to export controls, or personally identifiable information originated by a federal agency. Organizations uncertain whether they handle CUI should review contracts for relevant clauses, examine markings on received documents, and consult the contracting officer or qualified legal counsel.

What is the relationship between CUI and CMMC?

The Cybersecurity Maturity Model Certification (CMMC) is the Department of Defense framework for verifying that defense contractors implement the protections required for CUI on non-federal information systems. CMMC Level 2 corresponds to the 110 security requirements of NIST SP 800-171 and requires third-party assessment by an authorized C3PAO. CMMC was established to address the limitations of self-attestation under DFARS 252.204-7012 by requiring independent verification of compliance for contractors that handle CUI in support of Department of Defense contracts.

If You Discovered You Handle CUI

Schedule a Discovery Call

A 30-minute conversation about your contracts, the CUI you handle, and the path to NIST SP 800-171 compliance. Appropriate for defense contractors and federal civilian contractors evaluating their CUI handling obligations. No obligation and no preparation required.

Authoritative Sources

The Official CUI Registry

The complete list of approved CUI categories with the underlying law, regulation, or government-wide policy that authorizes each designation. Maintained by the National Archives and Records Administration as the official record of the program.

Related

The CMMC Decision, Second Edition

The complete guide for defense contractor executives navigating CMMC Level 2 and the CUI protection requirements that drive it. Covers the regulatory framework, the implementation pathway, and the strategic decisions contractors face.
