
What is CUI (Controlled Unclassified Information)?
Controlled Unclassified Information (CUI) refers to sensitive information that requires safeguarding or dissemination controls according to law, regulation, or government-wide policy, but is not classified under Executive Order 13526 or the Atomic Energy Act. CUI includes information that, while not secret, could still cause harm if improperly released, accessed, or disclosed.
The CUI program was established by Executive Order 13556 (2010), which designated the National Archives and Records Administration (NARA) as its Executive Agent, to create a unified approach to handling unclassified information that needs protection across federal agencies and their contractors. It replaces inconsistent agency-specific labels such as "For Official Use Only (FOUO)" and "Sensitive But Unclassified (SBU)" with a standardized framework.
CUI is commonly found in federal contracts, military documents, research data, legal proceedings, and cybersecurity operations.
How Does CUI Work?
CUI is categorized and marked according to NARA's CUI Registry, which lists the approved categories, their banner and portion markings, and whether each is CUI Basic (protected to the baseline in 32 CFR Part 2002) or CUI Specified (the underlying law or regulation imposes its own handling requirements). Examples include:
- Legal privileged data
- Export control information
- Financial and procurement data
- Law enforcement sensitive information
- Critical infrastructure and defense-related data
Organizations that handle CUI must implement proper access control, marking, storage, transmission, and destruction procedures.
The Department of Defense (DoD) requires defense contractors that process, store, or transmit CUI to implement NIST SP 800-171 (through DFARS clause 252.204-7012), which specifies the security requirements for protecting CUI in non-federal systems; the Cybersecurity Maturity Model Certification (CMMC) program adds assessment of that compliance.
Structure of CUI Handling Systems
A typical system for handling CUI includes the following components:
- Access Controls: Only authorized personnel may access CUI, enforced through need-to-know and role-based policies (least privilege).
- CUI Markings: Documents and digital files must be labeled clearly with the CUI designator, the applicable category markings, and any limited dissemination controls.
- Secure Storage: Physical CUI must be stored in locked containers or controlled-access areas; digital CUI must be encrypted at rest, using FIPS-validated cryptography where encryption is relied on to protect confidentiality, as NIST SP 800-171 requires.
- Transmission Controls: CUI must be transmitted only over approved secure channels such as encrypted email or encrypted file transfer, never over unprotected connections.
- Audit and Accountability: Systems must log access to and changes of CUI, protect those logs from tampering, and review them to detect and respond to unauthorized activity.
- Training and Compliance: Personnel must be trained on CUI policies and handling procedures, especially when working under federal contracts.
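The marking component above has a concrete, checkable format: the CUI Marking Handbook's banner form `designator//categories//limited dissemination controls`. The following Python module, added here as an example and not code from the original page or from NARA, builds a canonical banner from registry names and validates one that arrives on a document. The four-entry category table is a constructed subset of the CUI Registry, and the ordering rule (Specified categories before Basic, alphabetical within each group) is the handbook rule as applied here; confirm both against the live Registry before relying on them.

```python
"""Build and validate CUI banner markings (designator//categories//LDCs).

Added example, not from the original page or from NARA.  The category table
is a constructed subset of the CUI Registry (assumption: check the live
Registry at https://www.archives.gov/cui before use).
"""
from dataclasses import dataclass, field
from typing import Dict, List, Sequence

# Constructed subset of the Registry: marking -> True if CUI Specified
# (carries the "SP-" prefix in a banner), False if CUI Basic.
CATEGORY_REGISTRY: Dict[str, bool] = {
    "CTI": True,      # Controlled Technical Information (Specified)
    "EXPT": True,     # Export Controlled (Specified)
    "PRVCY": False,   # Privacy (Basic)
    "PROPIN": False,  # General Proprietary Business Information (Basic)
}

# Limited dissemination controls (LDCs) that stand alone.  "REL TO" and
# "DISPLAY ONLY" take a country list; a REL TO list must begin with USA.
STANDALONE_LDCS = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY"}


class MarkingError(ValueError):
    """A banner is malformed or uses a marking not in the registry."""


@dataclass
class Banner:
    designator: str                                      # "CUI" or "CONTROLLED"
    categories: List[str] = field(default_factory=list)  # as written, e.g. "SP-CTI"
    ldcs: List[str] = field(default_factory=list)


def _category_marking(name: str) -> str:
    """Banner form of a registry category name: 'SP-' prefix iff Specified."""
    if name not in CATEGORY_REGISTRY:
        raise MarkingError(f"unknown CUI category: {name!r}")
    return f"SP-{name}" if CATEGORY_REGISTRY[name] else name


def _canonical_order(names: Sequence[str]) -> List[str]:
    """Specified categories first, then Basic, alphabetical within each group."""
    return sorted(names, key=lambda n: (not CATEGORY_REGISTRY[n], n))


def _check_ldc(ldc: str) -> None:
    if ldc in STANDALONE_LDCS or ldc.startswith(("REL TO USA", "DISPLAY ONLY ")):
        return
    raise MarkingError(f"unknown or malformed dissemination control: {ldc!r}")


def build_banner(categories: Sequence[str], ldcs: Sequence[str] = ()) -> str:
    """Return a canonical banner from bare registry names and LDC strings."""
    for name in categories:
        if name.startswith("SP-"):
            raise MarkingError("pass bare category names; SP- is added from the registry")
        _category_marking(name)  # raises on names not in the registry
    for ldc in ldcs:
        _check_ldc(ldc)
    segments = ["CUI"]
    if categories:
        segments.append("/".join(_category_marking(n) for n in _canonical_order(categories)))
    if ldcs:
        segments.append("/".join(ldcs))
    return "//".join(segments)


def parse_banner(text: str) -> Banner:
    """Parse and validate a banner; raise MarkingError on any defect."""
    segments = [s.strip() for s in text.strip().split("//")]
    designator, rest = segments[0], segments[1:]
    if designator not in ("CUI", "CONTROLLED"):
        raise MarkingError(f"bad designator: {designator!r}")
    if len(rest) > 2 or any(not s for s in rest):
        raise MarkingError("empty or extra '//' segment")
    cat_seg, ldc_seg = "", ""
    if len(rest) == 2:
        cat_seg, ldc_seg = rest
    elif len(rest) == 1:
        # A lone segment holds categories if its first token is a registry
        # category, otherwise LDCs ("CUI//NOFORN" carries no category).
        first = rest[0].split("/")[0].strip()
        if (first[3:] if first.startswith("SP-") else first) in CATEGORY_REGISTRY:
            cat_seg = rest[0]
        else:
            ldc_seg = rest[0]
    categories = [c.strip() for c in cat_seg.split("/")] if cat_seg else []
    ldcs = [l.strip() for l in ldc_seg.split("/")] if ldc_seg else []

    names = []
    for tok in categories:
        name = tok[3:] if tok.startswith("SP-") else tok
        if _category_marking(name) != tok:   # SP- present iff registry says Specified
            raise MarkingError(f"{tok!r}: SP- prefix disagrees with registry designation")
        names.append(name)
    if names != _canonical_order(names):
        raise MarkingError(f"categories out of order; expected {_canonical_order(names)}")
    for ldc in ldcs:
        _check_ldc(ldc)
    return Banner(designator, categories, ldcs)


def is_valid_banner(text: str) -> bool:
    """True if the banner parses cleanly, False on any MarkingError."""
    try:
        parse_banner(text)
        return True
    except MarkingError:
        return False
```

Using `build_banner` at the point where a system labels a file, and `parse_banner` at the point where it accepts one, turns the marking rule into a check that rejects a Specified category written without its `SP-` prefix, a REL TO list that omits USA, or a control string the registry does not know, instead of trusting whatever string a user typed.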
Examples of CUI Categories
- Proprietary Business Information
- Critical Infrastructure Information
- Export Control (ITAR, EAR)
- Privacy (PII, PHI)
- Financial or Budget Information
- Legal Proceedings or Law Enforcement Sensitive Data