
What Is Controlled Unclassified Information (CUI)?

Controlled Unclassified Information (CUI) is the government’s single, standardized label for sensitive data that is not classified but still requires protection. Before the CUI program, agencies used more than 100 different markings like For Official Use Only (FOUO) or Sensitive But Unclassified (SBU). CUI replaced that patchwork with one consistent framework that applies across the entire federal government.

For defense contractors, CUI is the category of data that triggers NIST 800-171 and CMMC Level 2 obligations. Understanding what it is, how it is marked, and how it must be protected is the foundation of every compliance program in the defense industrial base.

How CUI fits in the information security hierarchy

Classified national security information sits at the top: Top Secret, Secret, and Confidential. Disclosure of classified information could cause serious, severe, or exceptionally grave damage to national security.

CUI sits on the tier directly below. It is not secret, but its release is restricted by law, regulation, or government-wide policy because disclosure could still harm national interests, compromise privacy, or interfere with government operations. The data is ordinary in appearance: technical drawings, contract details, personally identifiable information, law enforcement records. But a compromise could give an adversary a meaningful advantage.

CUI vs classified information

Aspect                | Controlled Unclassified Information             | Classified National Security Information
Damage potential      | Harm to national interests, not “grave damage”  | Serious, severe, or exceptionally grave damage
Legal basis           | Laws, regulations, or government-wide policies  | Executive Order 13526
Designation authority | Any authorized holder                           | Original Classification Authority (OCA)
Protection standard   | Uniform standard (NIST 800-171 for contractors) | Structured, risk-based system with stricter controls
Examples              | Technical drawings, PII, law enforcement data   | Military plans, intelligence sources, weapons systems

Both categories require protection, but the legal basis, designation authority, and protection standards are different in kind, not degree.

Why the CUI program exists

The CUI framework was established in 2010 by Executive Order 13556. The order was a response to real-world security failures, most notably a 2009 data breach at the National Archives and Records Administration (NARA) that exposed personal records of military veterans. The incident made clear that inconsistent handling rules across agencies were producing exploitable gaps.

The executive order named NARA as the Executive Agent responsible for implementing the CUI framework across the federal government. Regardless of which agency creates the data, whether it is the Department of Defense, the Department of Energy, or any other, the rules for protecting that data are the same.

The core principle is consequence-based: CUI is not defined by what the information looks like, but by the damage its unauthorized disclosure could cause. If losing the data could jeopardize a mission, violate privacy, or give an adversary an advantage, it likely qualifies.

For defense contractors, compliance is not optional. If a contract involves handling CUI, the contractor is legally and contractually obligated to implement specific cybersecurity controls to protect it.

CUI Basic vs CUI Specified

Once information is identified as CUI, the next question is what level of protection applies. The answer depends on whether the data is CUI Basic or CUI Specified.

CUI Basic is the default. It applies to sensitive information that requires protection but is not governed by a specific law or policy dictating how to protect it. CUI Basic uses a uniform set of baseline controls that apply to all CUI in this category.

CUI Specified applies when a specific law, regulation, or government-wide policy mandates stricter controls. In those cases, the specific rules override the CUI Basic baseline.

Technical data related to defense articles is a clear example of CUI Specified. It is governed by the International Traffic in Arms Regulations (ITAR), which has its own access and distribution rules. CUI Basic establishes a floor; CUI Specified adds requirements on top of it.

The CUI Registry

The official catalog of CUI categories is the CUI Registry, maintained by NARA. The Registry is the authoritative source for every CUI category, its designation as Basic or Specified, and the specific handling rules that apply. It is a searchable, actively maintained database, and it is where every defense contractor should go to translate contractual obligations into concrete security requirements.

If a contract mentions CUI without specifying the category, the Registry is where to find the answer.

What CUI looks like in daily operations

CUI is rarely labeled with an obvious warning stamp. More often, it is ordinary-looking information woven into everyday work. The test is not what the file is, but what the consequences of disclosure would be.

  • Engineering and manufacturing. A CAD file for a new drone part typically falls under Export Controlled CUI. Disclosure could let a competitor or foreign adversary replicate a piece of military technology.
  • Human resources and administration. A project staffing roster qualifies as Privacy CUI because it contains names and roles. An adversary could use that information for social engineering or targeted pressure against individuals working on sensitive programs.
  • Facilities and operations. A building security plan that details guard schedules, camera placements, and access control systems is Critical Infrastructure CUI. Disclosure provides a roadmap for physical intrusion.

Encrypting CUI does not change its status. The data is still subject to every CUI handling rule that applied before encryption. This is covered in more detail in “Encrypted CUI Is Still CUI.”

Marking, handling, storing, destroying

Protecting CUI is a lifecycle process. Four activities define how CUI is treated from creation to destruction, and each maps directly to controls in NIST SP 800-171.

Marking

Marking is the first line of defense. Every CUI document or message must be clearly labeled so anyone who sees it knows the handling rules apply.

  • Digital files: a CUI banner at the top and bottom of the document.
  • Email: a CUI indication in the subject line.
  • Physical documents: a stamp on the cover and every page with the correct CUI designation.
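Two of the three marking rules above can be checked by software, and the same check is what a data-discovery pass over file shares needs to find unmarked or half-marked files. The following checker is an added example, not code from the original post or from any product it mentions. It assumes a banner grammar of “CUI” optionally followed by “//” and a category marking (for example “CUI//SP-EXPT”) on a line by itself, and a subject-line convention of “[CUI]”, “CUI:” or “CUI//” leading the subject; real category codes must come from the CUI Registry, and the ones in the constructed samples are illustrative only.

```python
"""Added example: check the CUI marking rules for digital files and e-mail subjects.

Rules implemented (assumed syntax, see the lead-in):
  * digital file: a CUI banner on the first and the last non-blank line
  * e-mail: a CUI indication at the start of the subject line
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Assumed banner grammar: "CUI" or "CUI//<CATEGORY>[/<CATEGORY>...]" and nothing else on the line.
BANNER_RE = re.compile(r"^\s*CUI(//[A-Z0-9-]+(/[A-Z0-9-]+)*)?\s*$")
# Assumed subject convention: "[CUI]", "CUI:" or "CUI//..." leading the subject,
# optionally behind reply/forward prefixes ("Re:", "Fw:", "Fwd:").
SUBJECT_RE = re.compile(r"^\s*((re|fw|fwd)\s*:\s*)*(\[CUI\]|CUI:|CUI//)", re.IGNORECASE)


@dataclass
class MarkingResult:
    path: str
    top_banner: bool
    bottom_banner: bool
    problems: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.problems


def check_document(text: str, path: str = "<memory>") -> MarkingResult:
    """Digital-file rule: a banner on the first and last non-blank line, and both the same."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if not lines:
        return MarkingResult(path, False, False, ["empty document"])
    top = bool(BANNER_RE.match(lines[0]))
    bottom = bool(BANNER_RE.match(lines[-1]))
    problems = []
    if not top:
        problems.append("missing CUI banner at top")
    if not bottom:
        problems.append("missing CUI banner at bottom")
    if top and bottom and lines[0] != lines[-1]:
        problems.append("top and bottom banners differ")
    return MarkingResult(path, top, bottom, problems)


def check_email_subject(subject: str) -> bool:
    """E-mail rule: the subject line carries a CUI indication."""
    return SUBJECT_RE.match(subject) is not None


def scan_tree(root: str, extensions=(".txt", ".md")) -> list:
    """Walk a directory and check every text-like file; files that fail surface
    as discovery findings (unmarked content that may still be CUI)."""
    results = []
    for dirpath, _, filenames in os.walk(root):
        for name in sorted(filenames):
            if name.lower().endswith(extensions):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    results.append(check_document(fh.read(), path))
    return results


# Constructed sample files (no real CUI): one correct, one half-marked, one unmarked.
SAMPLES = {
    "drawing-notes.txt": "CUI//SP-EXPT\nTolerance notes for bracket rev B\nCUI//SP-EXPT\n",
    "roster.txt": "CUI\nName, role, clearance\n",   # banner at top only
    "status.txt": "Weekly status: on schedule\n",  # no banners at all
}


def demo() -> dict:
    """Write the samples to a temporary directory, scan it, and map file name -> compliant."""
    with tempfile.TemporaryDirectory() as tmp:
        for name, body in SAMPLES.items():
            with open(os.path.join(tmp, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return {os.path.basename(r.path): r.compliant for r in scan_tree(tmp)}


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'OK' if ok else 'NOT MARKED CORRECTLY'}")
    for subj in ("[CUI] Q3 staffing roster", "Re: CUI: bracket drawing", "Lunch on Friday?"):
        print(f"{subj!r}: {'marked' if check_email_subject(subj) else 'unmarked'}")
```

The checker deliberately rejects a banner embedded in prose (“CUI report”) and flags a top banner that differs from the bottom one, since the physical-document rule above requires the correct designation on every page, and a mismatched banner pair is the digital equivalent of a mis-stamped page. Pointing `scan_tree` at a file share is the simplest form of the data-discovery exercise this post recommends; mailboxes need the subject-line check applied to each message instead.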

Handling and dissemination

The guiding principle for access is “lawful government purpose,” which for a contractor translates to a strict need-to-know basis. Employment alone does not grant access; the employee’s specific role must require it.

  • Secure physical spaces: CUI cannot be left on an unattended desk or displayed where uncleared personnel can see it.
  • Control conversations: no discussion of CUI-related details in public spaces, including coffee shops, airport lounges, or restaurants.
  • Secure transmission: CUI shared with authorized colleagues must move through encrypted channels.

Storing

CUI not in active use must remain in a controlled environment that prevents unauthorized access.

  • Physical storage: locked file cabinets, safes, or access-controlled secure rooms.
  • Digital storage: encrypted servers, access-controlled cloud platforms that meet federal requirements, and FIPS-validated storage drives.

Destroying

When CUI is no longer needed, it must be rendered unreadable and unrecoverable. Deletion from a file system or disposal in a standard recycling bin is not sufficient.

  • Paper: cross-cut shredding.
  • Digital media: cryptographic erasure or physical destruction of the drive.

How CUI connects to NIST 800-171 and CMMC

Defense contractors that handle CUI for the Department of Defense are contractually obligated to protect it according to the controls in NIST SP 800-171, “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations.”

NIST 800-171 organizes requirements into 14 control families totaling 110 controls. Each family translates abstract principles into specific technical and policy-based requirements.

  • Access Control enforces the need-to-know principle through user permissions, account management, and system access logs. For the operational side of this, see auditing Active Directory for CMMC and NIST 800-171.
  • Incident Response establishes the playbook for detecting, analyzing, containing, and reporting security breaches within required timelines.
  • System and Information Integrity covers defenses against malware and unauthorized changes, including antivirus, system monitoring, and file integrity checks.

CMMC Level 2 is the verification layer on top of NIST 800-171. An accredited CMMC Third-Party Assessment Organization (C3PAO) audits the contractor’s systems against the same 110 controls. A passing assessment results in CMMC Level 2 certification, which is required for DoD contracts that involve CUI.

CMMC does not introduce new security requirements. It is the mechanism that replaces self-attestation with independent verification. To achieve CMMC Level 2, a contractor must first implement NIST 800-171, and the prerequisite for NIST is a clear understanding of where CUI lives in the organization. For the specific controls a C3PAO will examine, see what your C3PAO will ask about email.

A practical CUI compliance roadmap

The full requirements list is long, but the work breaks into four phases.

1. Document before you build

Compliance starts with documentation, not with new software. Two documents are foundational:

  • System Security Plan (SSP). A detailed description of how the organization meets each NIST 800-171 control.
  • Plan of Action and Milestones (POA&M). A formal register of controls that are not yet met, remediation plans, and target completion dates.

These are typically the first two documents an auditor requests.

2. Implement technical controls

With the policy framework in place, the next step is to build the environment where CUI is stored and processed. This means strict access controls that enforce need-to-know, strong encryption for data at rest and in transit, and logging sufficient for incident response.

The complexity multiplies when these controls are stitched together across separate applications for email, file storage, and collaboration. A unified compliance-first platform consolidates them into one pre-configured environment.

3. Train the people who touch CUI

Technology alone does not protect CUI. Every person who may encounter CUI in their role needs specific, practical training: how to mark documents, how to recognize a phishing attempt, and what to do in the first minutes after a suspected breach. Generic security awareness is not sufficient.

4. Maintain an incident response playbook

Security incidents are inevitable. A written playbook defines the steps from detection through containment, analysis, and reporting. DFARS 252.204-7012 requires cyber incident reporting to the DoD within 72 hours, which means the playbook must be rehearsed, not just written. See DFARS 72-hour cyber incident reporting for what is required.

Common questions about CUI compliance

Is all government contract information CUI?

No. Information is not CUI simply because it originated with the government. For data to be CUI, a specific law, regulation, or government-wide policy must require its protection. The definitive source is the contract itself. Contract clauses like DFARS 252.204-7012 explicitly identify CUI obligations. When in doubt, review the statement of work and contract documents rather than assuming.

Can standard commercial cloud storage be used for CUI?

Generally no. Commercial cloud services like basic Dropbox or Google Drive accounts are not built to meet NIST 800-171 controls. Protecting CUI requires a platform that was built for federal compliance: FIPS-validated encryption, provable data residency, and controls that meet the strict requirements for how data is handled, stored, and transmitted. For a detailed look at one specific commercial tool, see how safe Google Drive is for CUI.

What is the most common CUI mistake?

Underestimating where CUI exists in the organization. Many contractors assume it lives only on a central file server. In practice, CUI tends to spread into employee mailboxes, laptops, and backup systems. A thorough data discovery exercise that maps every location where CUI resides is a prerequisite for any meaningful compliance effort. Skipping it leaves gaps that compound through every subsequent control.

Is CMMC required for companies that do not handle CUI?

CMMC requirements depend on the information involved. Companies that only handle Federal Contract Information (FCI) and never receive or create CUI typically need only CMMC Level 1. CMMC Level 2 applies specifically to organizations that must protect CUI, and the requirements are substantially more rigorous because the data is more sensitive.

Lock in founding member pricing

Sign up to get the free CMMC Level 2 readiness checklist and be first in line for founding member pricing when IRONKEEP launches.