What Is CUI? Controlled Unclassified Information Explained

What Is CUI? Controlled Unclassified Information Explained

Ask a room of defense contractors to define Controlled Unclassified Information (CUI) and you'll get confident answers that contradict each other.

That matters because CUI is the main trigger that moves many defense contractors from basic safeguarding into the more demanding Cybersecurity Maturity Model Certification (CMMC) and NIST 800-171 requirements.

Misjudging it is expensive in both directions. Treat CUI casually and you're risking contracts, legal exposure, and national security data. Treat ordinary information as CUI and you're paying to protect things that never needed it.

This guide explains what CUI actually is, the types and categories it comes in, how to recognize its markings, and what handling it obligates your organization to do.

TL;DR

  • CUI is unclassified information the government creates or possesses, or that contractors handle on its behalf, that law, regulation, or government-wide policy requires to be safeguarded. It's protected, but it involves no clearances.
  • It comes in two types. CUI Basic follows the standard baseline from 32 CFR Part 2002, while CUI Specified carries stricter handling rules set by the underlying law itself.
  • The CUI Registry at the National Archives catalogs every category, with Controlled Technical Information, export controlled data, and PII among the most common in defense work.
  • For contractors, CUI is the compliance trigger. Handling it activates DFARS 7012, the 110 controls of NIST 800-171, and CMMC Level 2 verification, and the obligation flows down to every subcontractor.
  • MotherBear gives contractors and consultants one place to keep CUI protection provable, connecting control status, evidence, the SSP, and affirmations for every contract and client.

What Is CUI?

Controlled Unclassified Information is information that:

  • The federal government creates or possesses
  • An entity creates or handles on the government's behalf

CUI requires safeguarding or dissemination controls pursuant to applicable law, regulation, or government-wide policy.

This federal information sits in a deliberate middle ground: not classified, but not cleared for public release either. Protection takes two forms, safeguarding requirements that control how the information is stored and secured, and dissemination controls that limit who it can be shared with.

The defining boundary is what CUI is not. It isn't classified under Executive Order 13526 or the Atomic Energy Act, so it involves no clearances or SECRET stamps.

It isn't just anything a company would rather keep quiet. Information only qualifies as CUI when a specific authority requires or permits agencies to control it.

The CUI program exists because the government once had no consistent way to handle this middle tier.

Agencies invented their own labels, such as For Official Use Only (FOUO) and Sensitive But Unclassified (SBU), each with different rules, making information sharing between agencies and contractors chaotic.

Executive Order 13556 fixed that in 2010 by creating a single, standardized program for the entire executive branch.

The National Archives and Records Administration (NARA) serves as the program's Executive Agent, the Information Security Oversight Office (ISOO) handles policy and oversight, and the implementing rule, 32 CFR Part 2002, spells out how agencies must designate, mark, safeguard, and eventually decontrol CUI, along with self-inspection and oversight duties.

For defense work specifically, the Department of Defense (DoD) runs its own implementation under DoD policies, with specific guidance for defense work.

CUI Basic vs CUI Specified: The Two CUI Types

Every piece of CUI falls into one of two types, and the difference comes down to how much detail the underlying law provides.

CUI Basic is the default. It applies when the authorizing law, regulation, or policy says information must be protected but doesn't spell out how.

In that case, the standard baseline from 32 CFR Part 2002 governs the handling: uniform safeguarding rules that apply the same way regardless of category.

CUI Specified applies when the authorizing law goes further and prescribes specific handling controls of its own. Export-controlled technical data is the classic example, since export regulations dictate exactly who may access the information and under what conditions.

For CUI-specified cases, those stricter requirements take precedence, and the Basic baseline applies only where the authority remains silent.

For contractors, the practical takeaway is simple: never assume all CUI is handled the same way. The marking tells you which type you're holding, and the Specified marking means an extra layer of specific requirements imported from the underlying law.

CUI Categories: What Counts as CUI

The CUI Registry, maintained by the National Archives, is the government-wide catalog of everything that can qualify as CUI.

It organizes information into groups such as defense, export control, privacy, financial, law enforcement, intelligence, procurement, and proprietary business information, with specific CUI categories underneath each one.

The Department of Defense maintains its own DoD CUI Registry, which narrows the list to the categories relevant to defense work.

For contractors, a handful of categories account for most real-world encounters:

  • Controlled Technical Information (CTI): Technical data with a military or space application, such as engineering drawings, specifications, manuals, and research data. This is the category most defense manufacturers handle daily without thinking of it as CUI.
  • Export controlled information: Material subject to export regulations, which overlaps heavily with CTI and carries the strictest handling rules.
  • Personally identifiable information (PII): Sensitive data that identifies individuals, including personnel records tied to government work.
  • Proprietary business information: A company's own sensitive material can become CUI when the government possesses it under a government contract, which surprises many contractors. For instance, your pricing data in a government system may be someone's CUI to protect.
  • Procurement and acquisition information: Source selection data, bid information, and similar contracting material.

Two cautions keep this list from misleading you. First, the category alone doesn't make information CUI; the same engineering drawing can be public in one context and CUI in another, depending on whether it meets the specific criteria an authority sets for protection under the contract.

Second, only the government designates CUI. Contractors don't get to declare their own information CUI, and they equally can't declare received information exempt. When a document's status is unclear, the answer comes from the contracting officer, not a judgment call.

CUI Markings and How to Read Them

Markings are how CUI documents announce themselves, alerting recipients that special handling may be required. Knowing how to read them is the fastest way to spot protected information arriving in your environment.

The core marking is the banner line, usually mirrored in the footer for DoD documents, reading “CUI” or “CONTROLLED.”

That single word is the minimum, and on many documents it's all you'll see. From there, markings can add precision in layers:

  • Category markings identify what kind of CUI you're holding, using abbreviations from the registries. A document marked CUI//SP-CTI, for example, contains Controlled Technical Information, with the "SP" signaling it's CUI Specified.
  • Dissemination controls exist to prevent unauthorized individuals from reaching the information. Markings like NOFORN (no foreign nationals) or FEDCON (federal employees and contractors only) appear after the category, narrowing the default rule that anyone who wants to access CUI needs a lawful government purpose.
  • Distribution statements appear on DoD technical documents specifically, stating in plain language who may receive the document and why, and where requests for it should be routed.

A designation indicator on the first page identifies which agency designated the CUI, and portion markings, when used, flag which specific paragraphs contain it.

Two practical habits follow from all this. First, treat markings as the start of your obligation, not the whole of it. A document with a bare CUI banner still requires full safeguarding even though the marking is minimal.

Second, unmarked doesn't always mean uncontrolled. Agencies occasionally fail to mark CUI properly, and information you generate under a contract, like a report derived from marked technical data, can be CUI from the moment it's created.

When the contract mentions CUI and the document's status seems ambiguous, ask before you share.

CUI Requirements: Who Must Protect It

The obligation to protect CUI travels with the information itself. Inside the government, agencies follow 32 CFR Part 2002.

The moment CUI leaves federal systems and lands on a contractor's own systems, a parallel set of federal requirements takes over, and this is where most readers of this guide live.

For DoD contractors, the chain works like this. The contract carries the Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012, which obligates the contractor to safeguard the CUI it handles.

The security requirements themselves come from NIST 800-171, the standard written specifically for protecting Controlled Unclassified Information on nonfederal systems, with its 110 security controls and the System Security Plan (SSP) documenting how they're met.

Since 2025, CMMC is the verification layer that proves the implementation actually happened, with CUI handling placing contractors at Level 2 or above.

The presence of CUI is the single fact that determines a contractor's compliance tier. A company handling only Federal Contract Information (FCI) faces 15 basic controls and a self-assessment. The first document of CUI raises that to 110 controls and, for most contracts, a third-party assessment.

The obligation doesn't dilute as information moves downstream, either. A prime that shares CUI with a subcontractor passes the safeguarding requirements along with it, all the way down the supply chain.

Whoever holds the information holds the duty to ensure compliance, whether they're a hundred-person manufacturer or a two-person engineering shop.

How to Identify CUI in Your Environment

Knowing the definition is one thing. Figuring out whether the files on your servers qualify is the work that actually matters, and it follows a repeatable sequence.

1. Start With the Contracts

Review each agreement for DFARS 252.204-7012 and any CUI-related clauses or attachments. Contracts that involve CUI generally say so, and the contract is also where the government should specify what CUI you'll receive or create.

If a clause is present but the specifics are vague, that's a question for the contracting officer, not an assumption to make internally.

2. Follow the Markings

Search incoming documents, drawings, and data deliverables for banner lines, category markings, and distribution statements.

Map where marked material lands, such as email inboxes, shared drives, engineering systems, backups. Electronic CUI spreads wherever files get copied, and every landing spot joins your compliance scope.

3. Look for What You Create

CUI isn't only what arrives marked. Reports, drawings, and analysis your team produces under the contract can qualify from the moment of creation if they're derived from or constitute controlled information.

This is the step organizations most often miss, and it's why identifying CUI is a process rather than a one-time search.

4. When in Doubt, Ask, and Don’t Self-Designate

Only the government designates CUI. If a document's status is genuinely unclear, route the question to the contracting officer and document the answer.

Guessing in either direction costs money: under-protecting risks unauthorized disclosure and contract consequences, while over-protecting inflates your compliance scope for nothing.

The stakes of this exercise are concrete. Where CUI lives defines your CMMC assessment boundary, so a tight, deliberate CUI footprint means fewer in-scope systems, less evidence, and a cheaper path to certification.

Keep CUI Compliance Evidence Organized With MotherBear

Understanding CUI is step one. The ongoing work of managing CUI is knowing where it lives, which controls protect it, and whether you could prove both to an assessor tomorrow.

MotherBear is CMMC compliance software that gives defense contractors and their consultants a central place to build and store everything: control status, evidence, the SSP, and annual affirmations, all connected to the CUI protection obligations your contracts actually carry.

The whole point of the CUI program is preventing sensitive information from reaching the wrong hands. The daily reality is keeping the proof of that protection organized.

Book a demo and see how MotherBear handles the second part, so your team can focus on the first.

FAQs About What Is CUI

What is considered to be CUI?

Information is considered CUI when a law, regulation, or government-wide policy requires it to be safeguarded or its sharing controlled, and it isn't classified. It covers information the government creates or possesses, plus information contractors create or handle on the government's behalf. The CUI Registry at the National Archives lists every qualifying category.

What is CUI cyber awareness?

CUI cyber awareness refers to the mandatory training DoD personnel and many contractor employees complete on recognizing, marking, safeguarding, and reporting CUI. The DoD's mandatory CUI course and the annual Cyber Awareness Challenge both cover it, and contractors handling CUI are often required to provide equivalent training to their own staff.

What is an example of CUI?

The most common example in defense work is Controlled Technical Information. CTI includes engineering drawings, specifications, or test data with a military or space application. Other everyday examples include export-controlled technical data, personnel records containing personally identifiable information, and a contractor's proprietary business information held in government systems.

Need to Handle CUI?

Schedule a demo of MotherBear to see how we help you maintain your compliance