Last reviewed on May 12, 2026.
What CUI is, and what it isn't
Controlled Unclassified Information (CUI) is information that the federal government creates or possesses (or that an entity creates or possesses for or on behalf of the government) that is not classified — but that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. The CUI Program was established by Executive Order 13556 and is administered by the National Archives and Records Administration (NARA) through the CUI Registry.
CUI is not classified. Classified information (Confidential, Secret, Top Secret) is governed by a separate executive order and a different protection regime. CUI is also not "For Official Use Only" or "Sensitive But Unclassified" — those legacy markings are being phased out and replaced by CUI markings.
Why CUI matters for contractors
If your contract involves the government creating, possessing, or transmitting CUI to you — or having you create CUI on its behalf — your information systems and processes are subject to specific safeguarding requirements. The most consequential places this shows up:
- DFARS 252.204-7012 for defense contracts — requires implementation of NIST SP 800-171 controls when CUI is involved
- FAR 52.204-21 for federal contract information (a broader category that overlaps with CUI)
- CMMC certification — the DoD framework that verifies NIST 800-171 implementation
- Agency-specific clauses — civilian agencies are gradually implementing CUI rules through agency-specific contract terms and the forthcoming FAR CUI rule
CUI Basic vs. CUI Specified
The CUI Registry organizes CUI into two protection levels:
- CUI Basic. Categories where the underlying law or regulation does not specify particular safeguarding or dissemination controls. The standard set of CUI controls from NARA applies.
- CUI Specified. Categories where the underlying authority does specify particular controls — for example, certain export-controlled categories or law enforcement information. CUI Specified categories include additional handling requirements beyond the baseline.
A given contract may involve multiple CUI categories, some Basic and some Specified. The contract documentation should identify which categories are in play; in practice, this is often unclear and requires the contractor to ask.
Common CUI categories you'll encounter
Defense
- Controlled Technical Information (CTI)
- DoD Critical Infrastructure Security Information
- Naval Nuclear Propulsion Information
- Unclassified Controlled Nuclear Information — Defense
Export Control
- Export Controlled (ITAR/EAR-related)
- Export Controlled Research
Privacy
- Personally Identifiable Information (PII)
- Protected Health Information (PHI)
- Student records (FERPA)
Procurement and acquisition
- General Procurement and Acquisition
- Source Selection Information
- Contractor Bid or Proposal Information
Law enforcement
- Criminal History Records Information
- Investigation
Critical infrastructure
- Critical Infrastructure Security Information
- Chemical-terrorism Vulnerability Information
- Sensitive Security Information (transportation)
The complete registry is maintained at the NARA CUI Registry. Always consult the current registry — categories and decisions about Basic vs. Specified status evolve.
Marking requirements
CUI must be marked when produced or when received from the government. Standard markings:
- Banner marking at the top and bottom of each page or screen — at minimum "CUI" with the relevant category abbreviations.
- Portion marking within documents when required by the category — applied to individual paragraphs, headings, or sections.
- Dissemination controls when the category requires them — limiting who may receive the document.
- Designation indicator — the agency or office that designated the information as CUI, with a date.
For email and electronic files, the marking goes in the subject line, document header, and filename when feasible. The NARA marking handbook contains the authoritative format requirements.
Handling and safeguarding
Baseline CUI handling rules cover both physical and electronic information:
- Access control. Limit access to those with a lawful government purpose. CUI is not classified — there is no "clearance" requirement — but the recipient must have a need to access the information for an authorized purpose.
- Storage. Electronic CUI on systems that meet the protection level the category requires. Paper CUI in locked spaces when unattended.
- Transmission. Encrypted in transit using FIPS-validated cryptography. Email containing CUI requires encryption (S/MIME, TLS, or equivalent). Fax and voice transmission have specific rules.
- Reproduction. Permitted for authorized purposes; copies inherit the markings and handling obligations.
- Destruction. Methods that render the information unrecoverable — shredding for paper, cryptographic erasure or physical destruction for media.
- Decontrol. CUI may be decontrolled by the originating agency when the underlying need no longer applies. Decontrol is an affirmative act, not automatic with time.
The NIST SP 800-171 connection
NIST Special Publication 800-171 contains 110 controls (in the current revision) that contractors implement to protect CUI on non-federal systems. The control families cover access control, audit, configuration management, identification and authentication, incident response, maintenance, media protection, personnel security, physical protection, risk assessment, security assessment, system and communications protection, and system and information integrity.
For defense contracts, the implementation is mandatory under DFARS 252.204-7012, and the level of independent verification follows the CMMC framework. For civilian contracts, implementation is increasingly required by specific contract clauses, with a government-wide FAR CUI rule under development.
NIST SP 800-172 contains enhanced security requirements for systems handling CUI when there is an advanced persistent threat. Most contractors handling CUI face 800-171 obligations; 800-172 applies to a narrower set of higher-risk programs.
Incident reporting
When a cyber incident affects CUI on a contractor system, reporting obligations attach:
- DFARS 252.204-7012. Cyber incidents affecting covered defense information must be reported to the DoD within 72 hours of discovery through the DIBNet portal. The clause also requires preservation of affected system images for at least 90 days.
- Civilian agency clauses. Many civilian contracts incorporate parallel reporting obligations through agency-specific clauses.
- Subcontractor flow-down. Both primes and subcontractors at all tiers are subject to reporting; primes must include the flow-down in subcontracts.
Reporting an incident is not an admission of breach in the legal sense. Failing to report when reporting was required is a separate, more serious compliance problem.
Where CUI overlaps with other compliance regimes
- CMMC certification verifies NIST 800-171 implementation for CUI on DoD work
- Section 889 covers separate equipment-supply-chain prohibitions but interacts with CUI when covered equipment is used to handle CUI
- FAR/DFARS incorporates CUI obligations through specific clauses, particularly in defense work
- ITAR and EAR cover separate export-control regimes that overlap heavily with the Export Controlled CUI category
Common mistakes
- Treating CUI as classified. The two are governed by different rules. Applying classified-information handling to CUI is unnecessary; applying CUI handling to classified is insufficient.
- Ignoring legacy "FOUO" or "SBU" markings. Information bearing those legacy markings may still be CUI under the new program. Re-marking obligations exist when the legacy information is incorporated into new documents.
- Email without encryption. Sending CUI by ordinary email is the single most common handling violation. Use the encryption methods your contract specifies.
- Subcontractor flow-down gaps. CUI obligations apply at all tiers; subs handling CUI must meet the same controls and report incidents the same way.
- Co-mingling CUI with non-CUI on the same system. Allowed, but the entire system must then meet CUI control requirements. Many contractors find it cleaner to segregate CUI environments.
- Not asking what CUI categories apply. If the contract says "CUI applies" without specifying categories, ask the contracting officer. Specified categories carry additional rules.
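As an added example (not code from the page or from NARA), here is the kind of document-review check a DLP or release-review step might run against the marking rules above and the legacy-marking mistake in this list: it confirms the banner is present and identical at the top and bottom of a document, splits out category and dissemination markings, and flags stray FOUO/SBU markings. The "//" separators and the "SP-" prefix for Specified categories are assumed from the NARA marking convention; the sample documents and banners are constructed for the test.

```python
import re
from dataclasses import dataclass

# Legacy markings the CUI Program phases out (named on the page).
LEGACY_MARKINGS = ("FOR OFFICIAL USE ONLY", "FOUO", "SENSITIVE BUT UNCLASSIFIED", "SBU")

# Assumed banner layout, following the NARA marking convention:
#   CUI[//CATEGORY[/CATEGORY...]][//DISSEMINATION[/DISSEMINATION...]]
# e.g. "CUI//SP-CTI//NOFORN". An "SP-" prefix denotes a CUI Specified category.
BANNER_RE = re.compile(r"^(CUI|CONTROLLED)(?://([A-Z0-9/ -]+?))?(?://([A-Z0-9/ ,-]+?))?$")


@dataclass
class BannerCheck:
    marked: bool          # a valid CUI banner was found at the top of the document
    categories: list      # category abbreviations taken from the banner
    specified: list       # subset of categories carrying the "SP-" (Specified) prefix
    dissemination: list   # limited-dissemination controls taken from the banner
    legacy_hits: list     # legacy FOUO/SBU markings found anywhere in the text
    problems: list        # human-readable findings for the reviewer


def parse_banner(line):
    """Return (categories, dissemination) for a banner line, or None if it is not one."""
    m = BANNER_RE.match(line.strip().upper())
    if not m:
        return None
    cats = [c.strip() for c in (m.group(2) or "").split("/") if c.strip()]
    diss = [d.strip() for d in (m.group(3) or "").split("/") if d.strip()]
    return cats, diss


def check_document(text):
    """Check for matching CUI banners at top and bottom and for stray legacy markings."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    problems = []
    upper = text.upper()
    legacy = [m for m in LEGACY_MARKINGS if re.search(r"\b" + re.escape(m) + r"\b", upper)]
    top = parse_banner(lines[0]) if lines else None
    bottom = parse_banner(lines[-1]) if len(lines) > 1 else None
    if top is None:
        problems.append("no CUI banner at top of document")
    if bottom is None:
        problems.append("no CUI banner at bottom of document")
    elif top is not None and top != bottom:
        problems.append("top and bottom banners differ")
    if legacy:
        # Legacy-marked material may still be CUI; it must be re-marked when reused.
        problems.append("legacy marking present, re-mark under the CUI Program: " + ", ".join(legacy))
    cats, diss = top if top is not None else ([], [])
    specified = [c for c in cats if c.startswith("SP-")]
    return BannerCheck(top is not None, cats, specified, diss, legacy, problems)
```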