What Is CUI?


CUI stands for Controlled Unclassified Information. It's a formal government category for information that requires safeguarding or dissemination controls under a law, regulation, or government-wide policy, but that is not classified. Think of it as the space between "public record" and "classified" (Confidential, Secret, Top Secret): information the government needs to protect for legal, policy, or security reasons, but that doesn't rise to the level of national security classification.

If you work with the federal government in any capacity, you've almost certainly handled CUI. You may not have known that's what it was called.

Where CUI Came From

Before 2010, every federal agency had its own system for labeling sensitive unclassified information. FOUO (For Official Use Only), SBU (Sensitive But Unclassified), Law Enforcement Sensitive, Proprietary Business Information — over 100 different labels existed across the government, with no consistent standards.

Executive Order 13556, signed on November 4, 2010, created a single, government-wide CUI program. It made the National Archives and Records Administration (NARA) the program's executive agent and directed it to establish a registry of CUI categories and a uniform set of handling and marking requirements. NARA, through its Information Security Oversight Office (ISOO), published the implementing regulation at 32 CFR Part 2002 in 2016 and maintains the CUI Registry at archives.gov/cui.

The goal was consistency. An engineer at a defense contractor and a contracting officer at the Air Force would now work from the same definitions and the same rules.

What Counts as CUI

The CUI Registry defines everything that qualifies. It currently lists more than 100 categories, each tied to the specific law, regulation, or policy that authorizes the control, organized under larger index groupings. Every category is either CUI Basic or CUI Specified: a Specified category has handling or dissemination requirements spelled out in its underlying authority, and its banner marking carries an SP- prefix. In defense contracting, you'll most commonly encounter:

Controlled Technical Information (CTI): Technical information with military or space application, including engineering drawings, specifications, technical data packages, and test results. CTI is a Specified category, so its banner reads CUI//SP-CTI. Technical drawings you receive from the DoD should carry that marking, though, as discussed below, they do not always arrive with it.

Export Controlled: Information regulated under ITAR (International Traffic in Arms Regulations) or EAR (Export Administration Regulations). This includes information about defense articles, defense services, and dual-use items.

Privacy: Personally identifiable information (PII) subject to federal privacy laws. Medical records, personnel files, financial information about individuals.

Intelligence: Information related to intelligence activities, sources, or methods.

Legal: Information related to legal proceedings, attorney-client communications, and similar categories.

Critical Infrastructure: Information about systems and assets whose disruption would have significant consequences.

The list is specific. Something isn't CUI just because it seems sensitive; it has to match a defined category. The government agency that generated or provided the information is responsible for designating it as CUI. Contractors receive CUI; they don't create a new designation. The designation does follow the information, however: a report or drawing you produce that incorporates CUI is CUI as well, as described under marking below.

How CUI Gets to You

CUI reaches contractors through contracts. The DoD (Department of Defense) includes DFARS (Defense Federal Acquisition Regulation Supplement) clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting, in contracts where CUI is involved; the clause's term for CUI is "covered defense information". It obligates you to protect that information according to NIST SP 800-171 (National Institute of Standards and Technology Special Publication 800-171). Revision 2 of that publication, the revision DoD contracts currently reference, sets out 110 security requirements for protecting CUI in non-federal systems.

The CUI you receive should be marked. The banner, the word "CUI" (or "CONTROLLED") at the top of every page and, in most organizations, at the bottom as well, carries the category markings and any limited dissemination controls. The first page also carries a designation indicator: a "Controlled by:" block naming the designating agency and office, usually with a point of contact. Common banners:

  • CUI — basic CUI with no additional restrictions
  • CUI//SP-CTI — Specified CUI, Controlled Technical Information category
  • CUI//NOFORN — Not releasable to foreign nationals

Segments combine with a double slash, so CUI//SP-CTI//NOFORN is Controlled Technical Information that may not be released to foreign nationals. The markings tell you what rules apply and help you decide who can see the information and how it can be transmitted.
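As an added example (not code from this article, NARA, or DoD), the checker below implements the banner grammar just described. It parses a banner into Specified categories, basic categories and limited dissemination controls, reports structural mistakes (a legacy marking such as FOUO, an unknown item, dissemination controls listed before categories), and scans a multi-page document for pages without a banner, banners that disagree, or a first page without a "Controlled by:" designation indicator. The category and control tables are an assumed subset of the registry, form-feed page separation is an assumption of the example, and both sample documents are constructed.

```python
"""Parse and sanity-check CUI banner markings in document text.

Added example for this article; not NARA's, DoD's, or any vendor's code.
Grammar: control marking, then category items, then limited dissemination
controls, with "//" between segments and "/" between items in a segment.
"""
import re
from dataclasses import dataclass, field

# Assumed subset of CUI Registry category markings; the authoritative
# list is the registry at archives.gov/cui.
KNOWN_CATEGORIES = {"CTI", "EXPT", "PRVCY", "PROPIN", "ISVI"}

# Limited dissemination controls: complete tokens, plus prefixes that are
# followed by a country list (for example "REL TO USA, GBR").
LDC_TOKENS = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY"}
LDC_PREFIXES = ("REL TO ", "DISPLAY ONLY ")

# Pre-CUI agency markings. Their presence means the document was never
# re-marked, not that it is uncontrolled.
LEGACY_MARKINGS = {"FOUO", "FOR OFFICIAL USE ONLY", "SBU",
                   "SENSITIVE BUT UNCLASSIFIED", "LES",
                   "LAW ENFORCEMENT SENSITIVE"}

BANNER_LINE = re.compile(r"^(?:CUI|CONTROLLED)(?://.*)?$")
DESIGNATION_LINE = re.compile(r"^Controlled by:", re.IGNORECASE)


@dataclass
class Banner:
    specified: list = field(default_factory=list)  # SP- categories
    basic: list = field(default_factory=list)      # basic categories
    ldcs: list = field(default_factory=list)       # dissemination controls
    problems: list = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.problems


def _is_ldc(item: str) -> bool:
    return item in LDC_TOKENS or item.startswith(LDC_PREFIXES)


def parse_banner(line: str) -> Banner:
    """Split 'CUI//SP-CTI/PRVCY//NOFORN' into its parts and record
    structural problems: bad control marking, unknown item, a category
    after the dissemination controls, a basic category before a
    Specified one (Specified categories are listed first)."""
    b = Banner()
    segments = [s.strip() for s in line.strip().split("//")]
    head = segments[0].upper()
    if head in LEGACY_MARKINGS:
        b.problems.append(f"legacy marking {head!r} is not a CUI banner")
        return b
    if head not in ("CUI", "CONTROLLED"):
        b.problems.append(f"control marking must be CUI or CONTROLLED, got {head!r}")
        return b
    seen_ldc = False
    for seg in segments[1:]:
        for item in (i.strip() for i in seg.split("/")):
            if item.startswith("SP-"):
                cat = item[3:]
                if seen_ldc:
                    b.problems.append(f"category {item} listed after dissemination controls")
                if b.basic:
                    b.problems.append(f"specified category {item} must precede basic categories")
                if cat not in KNOWN_CATEGORIES:
                    b.problems.append(f"unknown category {cat!r}")
                b.specified.append(cat)
            elif item in KNOWN_CATEGORIES:
                if seen_ldc:
                    b.problems.append(f"category {item} listed after dissemination controls")
                b.basic.append(item)
            elif _is_ldc(item):
                seen_ldc = True
                b.ldcs.append(item)
            else:
                b.problems.append(f"unrecognized marking item {item!r}")
    return b


def handling_flags(b: Banner) -> dict:
    """Coarse access decisions the markings encode; the detailed rules
    come from each category's governing law or regulation."""
    return {
        "foreign_nationals_allowed": "NOFORN" not in b.ldcs,
        "contractors_allowed": not ({"NOCON", "FED ONLY"} & set(b.ldcs)),
        "specified_handling": bool(b.specified),
    }


def scan_document(text: str) -> dict:
    """Check that every page (form-feed separated, an assumption here)
    carries a banner, the banners agree, the first page has a designation
    indicator, and no legacy marking is standing in for a banner."""
    report = {"marked": False, "banner": None, "problems": []}
    banners, legacy = [], []
    for n, page in enumerate(text.split("\f"), 1):
        lines = [l.strip() for l in page.splitlines() if l.strip()]
        page_banners = [l for l in lines if BANNER_LINE.match(l)]
        legacy += [l for l in lines if l.upper() in LEGACY_MARKINGS]
        if not page_banners:
            report["problems"].append(f"page {n} has no CUI banner")
        if n == 1 and page_banners and not any(DESIGNATION_LINE.match(l) for l in lines):
            report["problems"].append("first page lacks a 'Controlled by:' designation indicator")
        banners += page_banners
    if banners:
        report["marked"] = True
        if len(set(banners)) > 1:
            report["problems"].append(f"inconsistent banners across pages: {sorted(set(banners))}")
        report["banner"] = parse_banner(banners[0])
        report["problems"] += report["banner"].problems
    elif legacy:
        report["problems"].append(
            f"legacy marking {legacy[0]!r} and no CUI banner; treat as CUI until the designating agency confirms")
    return report


# Constructed sample documents (not real program data).
SAMPLE_DOC = (
    "CUI//SP-CTI//NOFORN\n"
    "Technical Data Package, Bracket Assembly (constructed sample)\n"
    "Controlled by: Example Program Office\n"
    "CUI Category: CTI\n"
    "Distribution/Dissemination Control: NOFORN\n"
    "[drawing sheet 1]\n"
    "CUI//SP-CTI//NOFORN\n"
    "\f"
    "CUI//SP-CTI//NOFORN\n"
    "[drawing sheet 2]\n"
    "CUI//SP-CTI//NOFORN\n"
)
# The same material forwarded with its banners stripped and only a legacy
# marking left behind.
STRIPPED_DOC = (
    "FOR OFFICIAL USE ONLY\n"
    "Technical Data Package, Bracket Assembly (constructed sample)\n"
    "[drawing sheet 1]\n"
)

if __name__ == "__main__":
    for doc in (SAMPLE_DOC, STRIPPED_DOC):
        print(scan_document(doc))
```

Run against a file share, a scan like this gives you a first cut at which documents are in your NIST 800-171 boundary and which ones arrived marked badly enough that you should go back to the designating office; it cannot find CUI that carries no marking at all, which is the mistake the next section covers.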

The Common Mistake

Assuming that unmarked information isn't CUI.

Agencies are inconsistent about marking. Technical drawings arrive without banners. Email attachments containing sensitive program data go out without designation indicators. People forward CUI documents after stripping headers. The absence of a marking doesn't mean the information is uncontrolled — it may mean whoever sent it made an error.

The safer assumption: if you receive technical data, program information, or other sensitive material from a government customer under a contract that includes DFARS 252.204-7012, treat it as CUI until you confirm otherwise. If you're not sure, ask your contracting officer or the government program office that sent it; they are the ones with the authority to designate, and to tell you it isn't CUI.

Equally common: marking non-CUI information as CUI. Overmarking creates unnecessary handling burden, inflates your assessment scope (every system that touches marked CUI must meet NIST 800-171 requirements), and dilutes the meaning of the marking. If a document is truly public information or doesn't meet a CUI category definition, don't mark it.

What CUI Protection Requires

Once you've identified CUI in your environment, protection requirements kick in:

Access: Limit access to people who need it for their job. Document who has access and review it regularly.

Marking: CUI documents must carry the correct banner and designation indicator. If you create documents using CUI (a common situation — an engineer writes a report incorporating information from a CUI technical drawing), those documents are also CUI and must be marked.

Storage: CUI must be stored in systems that meet NIST 800-171 requirements: access control, audit logging, and, wherever cryptography is used to protect the confidentiality of CUI, FIPS-validated cryptography.

Transmission: CUI transmitted electronically must be encrypted in transit. Ordinary email is not acceptable unless the message and its attachments are encrypted end to end (opportunistic TLS between mail servers is hop-by-hop and not sufficient on its own) or you use a government-approved transfer platform.

Disposal: When CUI is no longer needed, it must be sanitized or destroyed so that recovery is infeasible: shredding for paper, and sanitization or physical destruction of digital media following NIST SP 800-88.

Incident reporting: If CUI is compromised in a cyber incident, DFARS 252.204-7012 requires you to report to DoD through DIBNet (dibnet.dod.mil) within 72 hours of discovery, and to preserve images of the affected systems and the relevant monitoring data for at least 90 days.

Why It Matters

The protection requirements for CUI aren't arbitrary. The information in the CUI categories represents real risk if it's exposed — operational security, national defense capabilities, export-controlled technology that adversaries want. The defense contractor community is a prime target for nation-state espionage specifically because of the valuable technical information it holds.

Your obligations exist because the risk is real.

---

Now that you know what CUI is: Our Tier 2 article on the CUI lifecycle walks through how to manage CUI from the moment it enters your organization through creation, use, storage, transmission, and destruction — with the specific controls that apply at each stage. For the full picture of what CUI requires from contractors, read on.