
What Is CUI? Controlled Unclassified Information Explained for Defense Contractors

Controlled Unclassified Information (CUI) is sensitive government data that requires safeguarding under federal regulations. Learn what qualifies as CUI, how it differs from classified information, and what defense contractors must do to protect it.

Agency Team

In our work with defense contractors, we find that the single biggest source of confusion in CMMC compliance is not the controls themselves — it is determining what data actually qualifies as Controlled Unclassified Information. Getting this wrong means you either over-scope your environment and spend more than necessary, or you under-scope and fail your assessment.

Controlled Unclassified Information, commonly known as CUI, is a category of sensitive government information that sits between fully public data and classified national security information. If your organization is a defense contractor, subcontractor, or any entity that handles information on behalf of the federal government, understanding CUI is foundational to every compliance decision you will make — from scoping your CMMC certification environment to implementing the 110 controls in NIST SP 800-171.

This guide explains what CUI is, where the designation comes from, how it differs from classified information and Federal Contract Information (FCI), and which CUI categories are most relevant to defense contractors.

The Origin of CUI: Why It Was Created

Before the CUI program existed, federal agencies used a patchwork of over 100 different markings to identify sensitive but unclassified information. The Department of Defense used "For Official Use Only" (FOUO). The Department of Homeland Security used "Sensitive But Unclassified" (SBU). Law enforcement agencies applied "Law Enforcement Sensitive" (LES). The State Department had "Sensitive But Unclassified — Noforn." Other agencies invented their own labels, sometimes with overlapping or contradictory handling requirements.

This fragmented system created real problems. A contractor working across multiple agencies might receive documents with three different sensitivity markings, each with different — and sometimes conflicting — handling rules. Information sharing between agencies was hampered because one agency's marking had no clear equivalent at another. There was no consistent baseline for what "protect this information" actually meant in practice.

In 2010, President Obama signed Executive Order 13556, establishing the CUI program to replace this patchwork with a single, government-wide framework. The National Archives and Records Administration (NARA) was designated as the Executive Agent responsible for managing the program, maintaining the CUI Registry, and issuing implementing directives. The implementing regulation, 32 CFR Part 2002, was finalized in 2016 and provides the authoritative rules for designating, safeguarding, and disseminating CUI.

What the CUI Program Replaced

| Legacy Marking | Agency | CUI Equivalent |
|---|---|---|
| For Official Use Only (FOUO) | Department of Defense | CUI Basic or CUI Specified (depends on category) |
| Sensitive But Unclassified (SBU) | Department of State | CUI Basic or CUI Specified |
| Law Enforcement Sensitive (LES) | DOJ / FBI / DHS | CUI Specified (Law Enforcement category) |
| Official Use Only (OUO) | Department of Energy | CUI Basic or CUI Specified |
| Sensitive Security Information (SSI) | TSA / DOT | CUI Specified |

The standardization effort was significant. Agencies had to map their existing markings to CUI categories, retrain personnel, and update systems. For contractors, the transition meant that regardless of which agency you work with, the rules for handling sensitive unclassified information are now consistent and predictable.

How CUI Is Formally Defined

The official definition from 32 CFR Part 2002 states that CUI is information the government creates or possesses, or that an entity creates or possesses for or on behalf of the government, that a law, regulation, or government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls.

There are two critical elements in this definition that contractors often overlook:

  1. "Creates or possesses for or on behalf of the government" — This means that CUI is not limited to information the government hands you. If your engineers create a technical drawing under a DoD contract, and that drawing contains export-controlled technical data, your organization created CUI. The information does not need to originate from the government to be CUI.

  2. "A law, regulation, or government-wide policy" — CUI designation is not arbitrary. There must be an authoritative basis — a specific statute, regulation, or government-wide policy — that requires or permits safeguarding. If no such authority exists, the information should not be marked as CUI.

CUI Basic vs. CUI Specified

The CUI program divides all CUI into two subsets based on the handling requirements:

CUI Basic is the default designation. It applies to CUI where the authorizing law, regulation, or policy does not set out specific handling or dissemination controls beyond those established by the CUI Executive Agent in 32 CFR Part 2002. In practice, CUI Basic must be safeguarded using the controls in NIST SP 800-171 when processed, stored, or transmitted on contractor information systems. The vast majority of CUI that defense contractors encounter falls into the CUI Basic category.

CUI Specified applies when the authorizing authority — the specific law, regulation, or policy that established the category — prescribes specific handling requirements that go beyond or differ from the standard CUI Basic controls. For example, certain categories of CUI related to intelligence activities or nuclear information have additional restrictions on who can access the information, how it must be stored, or how it can be transmitted. When you encounter CUI Specified, you must follow both the baseline CUI requirements and the additional requirements from the specific authorizing authority.

For most defense contractors, the practical implication is straightforward: implement the 110 controls from NIST SP 800-171 Rev 2 (which maps to CMMC Level 2), and you have the baseline covered. If you handle CUI Specified categories, review the specific authorizing authority for additional requirements.

How CUI Differs from Classified Information

One of the most common misconceptions we encounter is contractors treating CUI as if it were classified information, or — more dangerously — treating it as if it required no special protection at all. CUI occupies a distinct middle ground.

| Characteristic | Classified Information | CUI | Public Information |
|---|---|---|---|
| Governing Authority | Executive Order 13526 | Executive Order 13556 / 32 CFR Part 2002 | No restrictions |
| Clearance Required | Yes (Confidential, Secret, or Top Secret) | No | No |
| Marking Required | Yes (classification level + caveats) | Yes (CUI banner + category) | No |
| Safeguarding Standard | NIST SP 800-53 High baseline (or equivalent) | NIST SP 800-171 (moderate confidentiality) | None |
| Penalty for Mishandling | Criminal prosecution possible | Contract termination, civil penalties, False Claims Act liability | None |
| Storage Requirements | GSA-approved containers, SCIFs for SCI | Controlled environment per NIST 800-171 | None |
| Transmission | Encrypted to NSA-approved standards | FIPS-validated encryption | No requirement |

The key takeaway: CUI does not require security clearances, SCIFs, or NSA-approved cryptographic modules. But it absolutely requires a defined set of security controls, and the Department of Defense is now verifying those controls through the CMMC program.

CUI Categories Relevant to Defense Contractors

The CUI Registry, maintained by NARA at archives.gov/cui, organizes CUI into 20 categories and over 120 subcategories. Not all of these are relevant to defense contractors. In our experience, the following categories account for the overwhelming majority of CUI that flows through the defense industrial base.

Critical Infrastructure

This category covers information related to the nation's critical infrastructure systems, including vulnerability assessments, security plans, and infrastructure protection data. Defense contractors who provide services or technology to critical infrastructure sectors — energy, transportation, communications, and the defense industrial base itself — frequently encounter this CUI category.

Subcategories include Critical Infrastructure Information (CII) as designated under the Critical Infrastructure Information Act of 2002, and critical energy infrastructure information covered under FERC regulations.

Export Control

Export-controlled technical data is one of the most common CUI categories in the defense industrial base. This includes:

  • International Traffic in Arms Regulations (ITAR) — Technical data related to defense articles on the United States Munitions List. This is CUI Specified because ITAR imposes specific dissemination controls (no access by foreign persons without authorization).
  • Export Administration Regulations (EAR) — Technical data related to dual-use items on the Commerce Control List. Depending on the specific Export Control Classification Number (ECCN), this may be CUI Basic or CUI Specified.

What we tell clients: if you manufacture, design, or provide engineering services for defense systems, your technical data is almost certainly export-controlled and qualifies as CUI. The ITAR subset is particularly significant because it carries additional dissemination restrictions that go beyond standard CUI Basic handling.

Privacy

Personally identifiable information (PII) and other privacy-related data collected or maintained on behalf of the government is CUI. This includes employee records, benefits information, health data, and any personal information that federal privacy statutes require you to protect. The Privacy Act of 1974 and various sector-specific laws (HIPAA, etc.) serve as the authorizing authorities.

Defense contractors who manage personnel systems, health programs, or benefits administration for government agencies will handle Privacy CUI regularly.

Procurement and Acquisition

This category covers sensitive procurement and acquisition information including source selection information, bid and proposal data, and contractor proprietary information submitted during the procurement process. This is relevant to virtually every defense contractor because the proposals you submit, the pricing data you provide, and the performance information the government collects about your contracts can all qualify as CUI.

Subcategories include:

  • Source Selection Information — Bid prices, evaluation criteria, rankings, and other information related to source selection decisions
  • Proprietary Business Information — Trade secrets, commercial or financial information, and other proprietary data submitted to the government
  • Small Business Research and Technology — Information related to SBIR/STTR programs

Other Categories to Watch

Several additional categories frequently appear in defense contractor environments:

  • Patent — Invention secrecy information and patent applications related to defense
  • Tax — Federal tax information when contractors process tax data on behalf of the IRS
  • Transportation — Sensitive transportation-related information including security measures
  • Intelligence — Certain unclassified intelligence information that does not meet the threshold for classification but requires controlled handling

How to Identify CUI in Your Environment

Identifying where CUI exists in your organization is the first step in scoping your CMMC environment. In our experience, the biggest mistakes come from either assuming all contract-related data is CUI (over-scoping) or assuming only documents explicitly marked "CUI" qualify (under-scoping).

Step 1: Review Your Contracts

Start with the contract itself. Look for the DFARS clause 252.204-7012, which requires you to safeguard CUI. The contract, Statement of Work (SOW), or DD Form 254 should identify what categories of CUI the contractor will handle. If the contract references ITAR data, technical drawings, or performance specifications, those are strong indicators of CUI.

Step 2: Map Data Flows

Trace how information moves through your organization. Where does government-furnished information enter your systems? Where do your employees create deliverables under the contract? What systems process, store, or transmit this data? This mapping exercise defines the boundaries of your CUI environment — the scope your CMMC assessment will cover.

Step 3: Check the CUI Registry

When you are unsure whether specific information qualifies as CUI, consult the NARA CUI Registry. Each category listing identifies the authorizing authority (the law or regulation), whether the category is Basic or Specified, and any specific handling requirements.

Step 4: When in Doubt, Ask the Contracting Officer

If your contract does not clearly identify CUI or you are unsure about a specific data type, engage your Contracting Officer (CO) or Contracting Officer's Representative (COR). The government is responsible for identifying CUI, and contractors should not be guessing. Document these conversations — they may be relevant during your CMMC assessment.

CUI Marking Requirements

Proper CUI marking is both a requirement and a practical necessity. Documents containing CUI must include:

  • Banner marking at the top of the document: CUI or CONTROLLED (for CUI Basic), or CUI//SP- followed by the specified category abbreviation (for CUI Specified)
  • Category marking identifying which CUI category applies (e.g., CUI//SP-EXPT for export-controlled data under a specified authority)
  • Dissemination controls when applicable, included after the category (e.g., CUI//SP-EXPT/NOFORN)
  • Designation indicator identifying the designating agency

For email, the CUI banner marking should appear in the subject line. For electronic media, the marking should be applied to the file name or metadata where the body cannot be marked directly.

What we tell clients: marking CUI correctly matters for your CMMC assessment. Assessors will look at how you identify, label, and track CUI within your environment. Inconsistent or absent markings suggest that your organization does not have adequate awareness and procedures — a finding that can impact multiple control families.
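The banner grammar above lends itself to an automated consistency check of the kind an assessor performs by hand. The following is an added example, not code from the original article or from NARA: it parses banners in both the single-slash form used in this article (`CUI//SP-EXPT/NOFORN`) and the double-slash form of the NARA marking handbook (`CUI//SP-EXPT//NOFORN`), classifies each document first line or mail subject as unmarked, CUI Basic, CUI Specified or malformed, and runs over a constructed sample. The dissemination-control subset, the sample records and the `parse_banner` / `audit_line` / `audit` names are assumptions.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field
# Illustrative subset of Limited Dissemination Control markings (assumption; the
# authoritative list is the NARA CUI Registry at archives.gov/cui).
LIMITED_DISSEMINATION = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY", "DISPLAY ONLY"}
# Element: upper-case words joined by space/hyphen; banner: CUI or CONTROLLED plus
# optional //-separated segments of /-separated elements, e.g. CUI//SP-EXPT/NOFORN.
_ELEM = r"[A-Z]+(?:[ -][A-Z]+)*(?![A-Za-z])"
_BANNER = re.compile(rf"(?:CUI|CONTROLLED)(?://{_ELEM}(?:/{_ELEM})*)*(?![A-Za-z])")

@dataclass
class CuiMarking:
    control: str                                    # "CUI" or "CONTROLLED"
    categories: list[str] = field(default_factory=list)
    dissemination: list[str] = field(default_factory=list)

    @property
    def specified(self) -> bool:                    # any SP- category => CUI Specified
        return any(c.startswith("SP-") for c in self.categories)

def parse_banner(banner: str) -> CuiMarking:
    """Split a banner (article style CUI//SP-EXPT/NOFORN or handbook style
    CUI//SP-EXPT//NOFORN) into control marking, categories and dissemination controls."""
    segments = banner.split("//")
    marking = CuiMarking(control=segments[0])
    for token in (t for seg in segments[1:] for t in seg.split("/")):
        (marking.dissemination if token in LIMITED_DISSEMINATION
         else marking.categories).append(token)
    return marking

def audit_line(line: str) -> tuple[str, CuiMarking | None]:
    """Classify a first line or mail subject as unmarked, basic, specified, or malformed
    (SP- under a Basic-only CONTROLLED banner, or a truncated element like 'CUI//SP-')."""
    text = line.strip()
    m = _BANNER.match(text)
    if not m:
        return "unmarked", None
    marking = parse_banner(m.group(0))
    if (marking.specified and marking.control == "CONTROLLED") or text[m.end():][:1] in ("/", "-"):
        return "malformed", marking
    return ("specified" if marking.specified else "basic"), marking

# Constructed sample: document first lines and mail subjects found in a CUI enclave.
SAMPLE_RECORDS = [
    ("drawing-0412.pdf", "CUI//SP-EXPT/NOFORN"),
    ("mail:re-bracket", "CUI//SP-EXPT//NOFORN: bracket assembly, rev B"),
    ("roster.xlsx", "CUI//PRVCY//FED ONLY"),
    ("mail:proposal", "CONTROLLED//SP-EXPT pricing volume"),
    ("memo.docx", "CUI//SP-"),
    ("agenda.docx", "Weekly status meeting agenda"),
]

def audit(records=SAMPLE_RECORDS) -> dict[str, str]:
    return {name: audit_line(line)[0] for name, line in records}
```

Feeding the real first lines of an enclave's document store and mail subjects into `audit` gives the "malformed" and "unmarked" items that an assessor would otherwise find first.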

CUI and the CMMC Framework

CUI is the primary trigger for CMMC Level 2 and Level 3 requirements. The relationship is direct:

  • Handling only FCI (no CUI): CMMC Level 1 (17 controls, self-assessment)
  • Handling CUI: CMMC Level 2 (110 NIST 800-171 controls, self-assessment or C3PAO assessment depending on contract)
  • Handling critical/high-value CUI: CMMC Level 3 (NIST 800-171 + select NIST 800-172 controls, government-led assessment)

The scope of your CMMC assessment is determined by where CUI lives in your environment. Every system that processes, stores, or transmits CUI — and every system that provides security protection for those systems — falls within scope. This is why accurate CUI identification is so critical: it defines how large and complex your compliance effort will be.

Organizations that minimize their CUI boundary through architectural decisions — such as using a dedicated enclave or leveraging a FedRAMP-authorized cloud service — can significantly reduce the cost and complexity of CMMC compliance.

Common Mistakes with CUI

After working with dozens of defense contractors on CUI identification and scoping, these are the mistakes we see most frequently:

  1. Treating all contract information as CUI — Not everything on a government contract is CUI. General administrative information, publicly available specifications, and routine correspondence typically do not qualify. Over-scoping inflates your compliance costs.

  2. Ignoring CUI you create — Many contractors assume CUI must come from the government. If your engineers generate technical data, test results, or analysis under a DoD contract, that data may be CUI from the moment of creation.

  3. Failing to track CUI across systems — CUI migrates. An engineer downloads a technical drawing to a laptop, emails it to a colleague, saves a copy on a personal drive. Each of these locations becomes part of your CUI environment.

  4. Not training employees — CUI awareness training is a requirement under NIST 800-171 (control family: Awareness and Training). Employees who do not know what CUI is cannot be expected to handle it properly.

  5. Confusing CUI with classified — Applying classified-level controls to CUI wastes resources. Treating CUI as casually as public information creates risk. The controls in NIST 800-171 represent the appropriate baseline.

Next Steps for Defense Contractors

If you are beginning your compliance journey, understanding CUI is the foundation. From here, we recommend:

  • Map your CUI environment — Identify every system, network, and location where CUI is processed, stored, or transmitted
  • Review the CMMC requirements that apply to your target level
  • Understand the NIST 800-171 controls that protect CUI
  • Distinguish CUI from FCI — the distinction determines your required CMMC level
  • Engage with your contracting officers to clarify which CUI categories appear in your contracts

CUI is not going away. As the CMMC program matures and the Department of Defense enforces compliance through contract requirements, every organization in the defense supply chain must have a clear, documented understanding of what CUI they handle and how they protect it. Starting that work now is the single best investment you can make in your organization's ability to compete for DoD contracts.
