CUI (Controlled Unclassified Information) is information that the U.S. government creates or possesses that requires safeguarding or dissemination controls pursuant to applicable law, regulation, or government-wide policy, but is not classified under Executive Order 13526 or the Atomic Energy Act. For organizations in the defense industrial base (DIB), understanding what constitutes CUI is the foundation of CMMC 2.0 compliance and maintaining eligibility for Department of Defense (DoD) contracts. Unlike classified national security information, CUI exists across dozens of categories—from export-controlled technical data to privacy records—and failure to properly identify, mark, and protect it can result in contract loss, suspension, and financial penalties.
This guide provides U.S. organizations with a complete, authoritative explanation of CUI: its legal basis, the 125+ categories, marking requirements, the relationship to NIST SP 800-171 and CMMC 2.0, and an actionable framework for operationalizing CUI protection in your environment.

Key Takeaways:

- CUI is unclassified information that the government creates or possesses and must be safeguarded or controlled—it is not classified national security information.
- There are over 125 specific CUI categories organized under 20 group headings in the CUI Registry (32 CFR Part 2002).
- DoD contractors must protect CUI per NIST SP 800-171 (110 security requirements) and will be assessed under CMMC 2.0 at Levels 2 and 3.
- CUI must be visibly marked with the CUI designation indicator and applicable control markings; controlled technical information (CTI) and export-controlled (EC) markings are separate subtypes.
- Noncompliance can mean contract loss, False Claims Act liability, and suspension from future federal awards.

What Is CUI? The Legal Definition and Statutory Basis
The term Controlled Unclassified Information (CUI) was formally established by Executive Order 13556 (November 4, 2010), which directed the National Archives and Records Administration (NARA) to create a government-wide framework for handling information that requires safeguarding but is not classified. The implementing regulations are codified at 32 CFR Part 2002, issued by the CUI Executive Agent (NARA).

CUI is defined in 32 CFR § 2002.4(h) as "information that the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls." Key distinctions include:

- CUI is not classified. Classification under EO 13526 addresses national security information (Confidential, Secret, Top Secret). CUI covers everything from contractor proprietary information to export-controlled technical data to personally identifiable information (PII) held by federal agencies.
- CUI is created by operation of law or policy. A federal statute, regulation, or government-wide policy must impose a safeguarding or dissemination requirement. If no such authority exists, the information is not CUI.
- CUI includes information created for the government. When a contractor or grantee creates information in performance of a federal contract, and that information would have been CUI if the government had created it, the contractor must treat it as CUI.

The CUI Registry (maintained by NARA at archives.gov/cui/registry) identifies over 125 specific categories under approximately 20 group headings. Each category references its authorizing law, regulation, or policy—for example, the International Traffic in Arms Regulation (ITAR) at 22 CFR Parts 120–130, the Export Administration Regulations (EAR) at 15 CFR Parts 730–774, and the Privacy Act of 1974 at 5 U.S.C. § 552a.

CUI Categories: What Types of Information Are Covered?

The CUI Registry classifies information into two broad categories: CUI Basic and CUI Specified. CUI Specified refers to categories where an authorizing law, regulation, or policy imposes specific handling controls beyond the baseline CUI requirements. CUI Basic covers categories where no such specific controls exist.

Major CUI groups include, but are not limited to:

- Critical Infrastructure (CI): Information about systems and assets vital to national security, economic security, or public health, including those subject to the Cybersecurity and Infrastructure Security Agency (CISA) directives.
- Defense (DD): Controlled Technical Information (CTI)—including technical data, computer software, and detailed drawings—subject to DFARS 252.204-7012 and 252.204-7019. This is the most common CUI category for DoD contractors.
- Export Control (EC): Information subject to ITAR (22 CFR 120–130), EAR (15 CFR 730–774), or the Department of Energy's export control regulations (10 CFR 810).
- Financial (FI): Information about federally insured financial institutions, financial transactions with federal agencies, and data subject to the Gramm-Leach-Bliley Act (GLBA) and FTC Safeguards Rule (16 CFR Part 314).
- General Procurement & Acquisition (GP): Sensitive procurement information not otherwise classified, including source selection information (FAR 3.104) and contractor bid or proposal information.
- Intelligence (IN): Non-classified intelligence-related information created by or for the Intelligence Community.
- Law Enforcement (LE): Law enforcement sensitive (LES) information, including criminal investigations, intelligence, and protected victim/witness data.
- Legal (LG): Attorney-client privileged information, attorney work product, and grand jury material (18 U.S.C. §§ 3321, 3322).
- North Atlantic Treaty Organization (NATO): Unclassified NATO information requiring protection under NATO security procedures.
- Patent (PAT): Patent application information (35 U.S.C. § 205).
- Privacy (PV): Personally Identifiable Information (PII) as defined by OMB Memorandum M-17-12, including Social Security numbers, driver's license numbers, medical records, and financial account information.
- Proprietary Business Information (PB): Trade secrets, confidential commercial or financial information submitted to the government (e.g., under FOIA Exemption 4, 5 U.S.C. § 552(b)(4)).
- Tax (TX): Federal tax return information (26 U.S.C. § 6103).
- Transportation (TR): Transportation Security Administration (TSA) sensitive security information (SSI) under 49 CFR Parts 1520 and 1540.

A complete list is maintained in the CUI Registry Category List. Organizations must identify which categories apply to their contract deliverables and government-provided information.

CUI Marking Requirements: How to Properly Identify CUI

32 CFR § 2002.20 requires all CUI to be marked with specific designation indicators and, where applicable, distribution limitation statements. The marks allow recipients to immediately identify the information's status and apply appropriate controls. Key marking elements include:

- CUI Designation Indicator: The phrase "CONTROLLED UNCLASSIFIED INFORMATION" must appear at the top and bottom of each page containing CUI. On electronic documents, the designation appears in the header and footer.
- Category Marking: The specific CUI category acronym (e.g., "CTI" for Controlled Technical Information, "PII" for Personally Identifiable Information, "EC" for Export Control) must be included. If two or more categories apply, list all that are applicable.
- Limited Dissemination Controls (LDC): Additional controls restricting further distribution, such as "FED ONLY" (federal employees only), "CON" (contractors only), "NOFORN" (not releasable to foreign nationals), and "EXPORT CONTROL" (ECCN- or ITAR-controlled).
- Distribution Statement: For DoD technical data, DFARS 252.204-7017 requires use of specific distribution statements (A, B, C, D, E, F, G, H, X) defined in DoD Instruction 5230.24.

Example of a properly marked CUI document page header:
CONTROLLED UNCLASSIFIED INFORMATION

CTI//FEDCON//EXPORT CONTROL

Distribution Statement C: Distribution authorized to U.S. Government agencies and their contractors (Administrative/Operational Use) (Month, Year). Other requests for this document shall be referred to [Cognizant DoD Office].

Failure to mark CUI correctly can lead to inadvertent disclosure and a finding of noncompliance during CMMC assessment. For unmarked CUI discovered after creation, 32 CFR § 2002.22 requires that it be marked retroactively as soon as the error is discovered.
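
The following Python checker is an added example, not code from the article or from CyberSilo, of how the marking elements above can be validated automatically on a page's header and footer: the designation indicator at top and bottom, a "//"-separated banner line of category and LDC markings, and a distribution statement letter. The category and LDC vocabularies are a constructed subset limited to the values this article mentions (the authoritative lists are in the CUI Registry), and the sample header is the one shown above with a matching footer added.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Marking vocabulary: a constructed subset limited to the values this article
# mentions. The full category and LDC lists live in the CUI Registry.
DESIGNATION = "CONTROLLED UNCLASSIFIED INFORMATION"
KNOWN_CATEGORIES = {"CTI", "PII", "EC"}
KNOWN_LDCS = {"FED ONLY", "FEDCON", "CON", "NOFORN", "EXPORT CONTROL"}
# Distribution statement letters A-H and X, as referenced by DoD Instruction 5230.24.
DIST_STMT_RE = re.compile(r"^Distribution Statement ([A-HX])\b")


@dataclass
class MarkingResult:
    categories: List[str] = field(default_factory=list)
    ldcs: List[str] = field(default_factory=list)
    distribution: Optional[str] = None
    errors: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.errors


def parse_banner(line):
    """Split a banner such as 'CTI//FEDCON//EXPORT CONTROL' into
    (categories, LDCs, unrecognized tokens). Tokens are separated by '//'."""
    cats, ldcs, unknown = [], [], []
    for token in (t.strip() for t in line.split("//")):
        if not token:
            continue
        if token in KNOWN_CATEGORIES:
            cats.append(token)
        elif token in KNOWN_LDCS:
            ldcs.append(token)
        else:
            unknown.append(token)
    return cats, ldcs, unknown


def check_page(header_lines, footer_lines, dod_technical_data=False):
    """Validate one page's header and footer text lines against the marking
    elements above. Set dod_technical_data=True to require a distribution statement."""
    header = [l.strip() for l in header_lines if l.strip()]
    footer = [l.strip() for l in footer_lines if l.strip()]
    result = MarkingResult()

    # The designation indicator must lead the header and appear in the footer.
    if not header or header[0] != DESIGNATION:
        result.errors.append("designation indicator missing from top of page")
    if DESIGNATION not in footer:
        result.errors.append("designation indicator missing from bottom of page")

    # Every other header line is either a distribution statement or a banner line.
    for line in header:
        if line == DESIGNATION:
            continue
        m = DIST_STMT_RE.match(line)
        if m:
            result.distribution = m.group(1)
            continue
        cats, ldcs, unknown = parse_banner(line)
        result.categories.extend(cats)
        result.ldcs.extend(ldcs)
        if unknown:
            result.errors.append("unrecognized marking token(s): " + ", ".join(unknown))

    if not result.categories:
        result.errors.append("no CUI category marking present")
    if dod_technical_data and result.distribution is None:
        result.errors.append("DoD technical data requires a distribution statement")
    return result


# Constructed sample: the page header shown in this article, plus a matching footer.
SAMPLE_HEADER = [
    "CONTROLLED UNCLASSIFIED INFORMATION",
    "CTI//FEDCON//EXPORT CONTROL",
    "Distribution Statement C: Distribution authorized to U.S. Government agencies "
    "and their contractors (Administrative/Operational Use) (Month, Year).",
]
SAMPLE_FOOTER = ["CONTROLLED UNCLASSIFIED INFORMATION"]

if __name__ == "__main__":
    r = check_page(SAMPLE_HEADER, SAMPLE_FOOTER, dod_technical_data=True)
    print("compliant" if r.compliant else "errors: " + "; ".join(r.errors))
    print(r.categories, r.ldcs, r.distribution)
```

Running the sample reports the page as compliant with category CTI, LDCs FEDCON and EXPORT CONTROL, and Distribution Statement C; dropping the footer or the distribution statement produces a specific error for each missing element, which is what an assessor looks for when sampling marked documents.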

CUI Protection: The NIST SP 800-171 Framework

DoD contractors and subcontractors that process, store, or transmit CUI on their internal information systems must comply with NIST Special Publication 800-171, Rev. 2, "Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations." This framework specifies 110 security requirements organized into 14 families:

- Access Control (AC): 22 requirements, including least privilege, separation of duties, and session lock (AC-1 through AC-22).
- Awareness and Training (AT): 3 requirements for CUI training (AT-1 through AT-3).
- Audit and Accountability (AU): 9 requirements covering logging, audit record retention, and correlation (AU-1 through AU-9).
- Configuration Management (CM): 9 requirements for baseline configurations, change control, and software inventory (CM-1 through CM-9).
- Identification and Authentication (IA): 11 requirements, including MFA for network access and device authentication (IA-1 through IA-11).
- Incident Response (IR): 3 requirements for incident handling and reporting (IR-1 through IR-3).
- Maintenance (MA): 6 requirements for controlled maintenance and media sanitization (MA-1 through MA-6).
- Media Protection (MP): 8 requirements for media marking, transport, and disposal (MP-1 through MP-8).
- Personnel Security (PS): 2 requirements for personnel screening and termination (PS-1, PS-2).
- Physical Protection (PE): 6 requirements for facility access controls and monitoring (PE-1 through PE-6).
- Risk Assessment (RA): 3 requirements for periodic risk assessments and vulnerability scanning (RA-1 through RA-3).
- Security Assessment (CA): 9 requirements for continuous monitoring, plan of action & milestones (POA&M), and system authorization (CA-1 through CA-9).
- System and Communications Protection (SC): 16 requirements for encryption in transit and at rest, boundary protection, and network segmentation (SC-1 through SC-16).
- System and Information Integrity (SI): 9 requirements for malware protection, spam filtering, and system monitoring (SI-1 through SI-9).

DFARS clause 252.204-7012 (Safeguarding Covered Defense Information and Cyber Incident Reporting) requires contractors to implement NIST SP 800-171 at the time of contract award and to report cyber incidents involving CUI to DoD within 72 hours. Noncompliance can result in a withholding of payment (up to 10% per invoice) and referral to the DoD Office of Inspector General.
For organizations seeking a structured approach to meeting all 110 controls, CyberSilo's Compliance Standards Automation platform provides automated control mapping, evidence collection, and POA&M tracking that aligns directly with NIST SP 800-171 and CMMC 2.0 requirements.

Ready to Operationalize CUI Protection?

CyberSilo's compliance automation platform maps every NIST SP 800-171 requirement to your existing security stack, identifies control gaps, and produces the audit-readiness evidence your CMMC assessor will need. Schedule a compliance assessment today.

CUI and CMMC 2.0: What Level Applies to Your Contracts?

The Cybersecurity Maturity Model Certification (CMMC) 2.0 is the DoD's unified standard for assessing contractor cybersecurity maturity. It replaces the original five-level model with three levels, each tied directly to the type of information handled:

- CMMC Level 1 (Foundational): Applies to contractors handling Federal Contract Information (FCI) only—not CUI. Requires 15 basic security practices across 6 families. Self-assessment only; no third-party certification required.
- CMMC Level 2 (Advanced): Applies to contractors handling CUI. Requires full NIST SP 800-171 compliance (110 controls). Most Level 2 assessments will be triennial self-assessments with annual affirmation, but a subset of critical contracts will require third-party certification by a CMMC Third-Party Assessment Organization (C3PAO).
- CMMC Level 3 (Expert): Applies to contractors handling CUI that supports the most sensitive DoD programs. Requires NIST SP 800-171 compliance plus a subset of NIST SP 800-172 controls (enhanced security requirements). Assessments are conducted by the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC).

The CMMC 2.0 final rule (32 CFR Part 170) was published in October 2023, with phased implementation beginning in 2025. Key deadlines:

- March 2025: DoD begins including CMMC Level 2 (self-assessment) and Level 3 (DIBCAC assessment) requirements in new solicitations.
- June 2025: CMMC Level 2 (third-party certification) requirements begin for programs identified as critical by the Under Secretary of Defense for Acquisition and Sustainment (USD(A&S)).
- 2026–2028: All existing contracts will be modified to include CMMC requirements at time of option exercise or extension.

Organizations must achieve certification for each applicable asset (Enclave, Enterprise, or Cloud) before contract award. CyberSilo's CMMC compliance services provide pre-assessment gap analysis, evidence automation, and C3PAO coordination to ensure your organization is assessment-ready.

CUI Encryption Requirements: Protecting Data in Transit and at Rest

NIST SP 800-171 (Requirements SC-8 and SC-13) mandates cryptographic protection for CUI transmitted over any network—including internal LAN segments—unless the network is physically isolated and dedicated to CUI processing. Key specifics:

- Data in Transit: All CUI transferred over an open or wireless network must use FIPS 140-2/140-3 validated encryption. TLS 1.2 or higher is the standard for web interfaces; IPsec is acceptable for site-to-site VPNs. SSH (version 2) is required for remote administration of CUI systems.
- Data at Rest: CUI stored on mobile devices, laptops, removable media, and backup media must be encrypted using FIPS 140-2/140-3 validated methods. Full-disk encryption (e.g., AES-256 with BitLocker or FileVault) is the minimum standard for endpoints. For databases and cloud storage, column-level or file-level encryption is preferred.
- Key Management: SC-12 requires automated key generation, distribution, storage, and rotation. Keys must be protected at a higher classification level than the data they encrypt. Hardware Security Modules (HSMs) compliant with FIPS 140-2 Level 3 are required for critical key stores.

For organizations moving CUI to the cloud, FedRAMP Moderate or High authorized cloud service providers (CSPs) must be used, and a System Security Plan (SSP) documenting the encryption architecture must be maintained. ThreatHawk SIEM provides continuous monitoring of encryption compliance across your hybrid infrastructure, alerting on any FIPS-validated encryption failures or misconfigurations in real time.
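
The detection rule below is an added example, written for this article rather than taken from it or from any product, of the kind of continuous check the data-in-transit requirement calls for: it reads TLS handshake records, flags protocol versions below TLS 1.2, cipher suites outside an approved list, and failed handshakes, so that a weakened or broken encryption path on a CUI system surfaces as an alert. The log format, the host names and the sample records are constructed; the cipher allowlist is an assumed policy choice (TLS 1.2 and 1.3 AES-GCM suites), not an official FIPS 140 cipher list, and should be replaced with the list your validated module actually supports.

```python
import re

# Assumed policy: only TLS 1.2/1.3 and AES-GCM suites are acceptable. This is an
# illustrative allowlist, not an official FIPS 140 list; adjust to your module.
APPROVED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
APPROVED_CIPHER_RE = re.compile(
    r"^(?:(?:ECDHE|DHE)-(?:RSA|ECDSA)-AES(?:128|256)-GCM-SHA(?:256|384)"
    r"|TLS_AES_(?:128|256)_GCM_SHA(?:256|384))$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse 'timestamp key=value key=value ...' into a dict (timestamp under 'ts')."""
    ts, _, rest = line.strip().partition(" ")
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = ts
    return fields


def evaluate_line(fields):
    """Return the list of policy violations for one parsed handshake record."""
    reasons = []
    proto = fields.get("proto", "")
    cipher = fields.get("cipher", "")
    if proto not in APPROVED_PROTOCOLS:
        reasons.append(f"legacy protocol {proto or 'unknown'}")
    if not APPROVED_CIPHER_RE.match(cipher):
        reasons.append(f"cipher not on approved list: {cipher or 'none'}")
    if fields.get("result") != "ok":
        reasons.append(f"handshake result {fields.get('result', 'missing')}")
    return reasons


def evaluate(lines):
    """Run the rule over log lines and return one finding per offending record."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        f = parse_line(line)
        reasons = evaluate_line(f)
        if reasons:
            findings.append({"ts": f["ts"], "host": f.get("host", "?"),
                             "src": f.get("src", "?"), "reasons": reasons})
    return findings


# Constructed sample log; the record layout is an assumption, not a real product's output.
SAMPLE_LOG = """\
2025-03-01T10:00:01Z host=web01 src=10.0.1.5 proto=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 result=ok
2025-03-01T10:00:02Z host=web01 src=10.0.1.6 proto=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 result=ok
2025-03-01T10:00:03Z host=web02 src=10.0.2.9 proto=TLSv1.0 cipher=AES256-SHA result=ok
2025-03-01T10:00:04Z host=web02 src=10.0.2.10 proto=TLSv1.2 cipher=ECDHE-RSA-CHACHA20-POLY1305 result=ok
2025-03-01T10:00:05Z host=vpn01 src=10.0.3.1 proto=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 result=handshake_failure
2025-03-01T10:00:06Z host=legacy01 src=10.0.4.2 proto=SSLv3 cipher=RC4-SHA result=ok
""".splitlines()

if __name__ == "__main__":
    for finding in evaluate(SAMPLE_LOG):
        print(finding["ts"], finding["host"], finding["src"], "; ".join(finding["reasons"]))
```

On the sample, the two AES-GCM sessions on web01 pass, while the TLS 1.0 and SSLv3 handshakes, the ChaCha20 suite (not on the assumed allowlist), and the failed handshake on vpn01 each produce a finding. In a SIEM the same logic would run as a scheduled or streaming rule against the real TLS termination logs, with the allowlist kept in step with the FIPS-validated module's configuration.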

CUI Cyber Incident Response: The 72-Hour Reporting Clock

DFARS 252.204-7012(b)(1) mandates that DoD contractors report cyber incidents involving CUI to the DoD Cyber Crime Center (DC3) within 72 hours of the incident's discovery. "Discovery" is defined as the time when the contractor first knows or reasonably believes that a cyber incident may have involved CUI—this is not limited to confirmed exfiltration. Required reporting elements include:

- A description of the incident, including the type of CUI involved and the estimated number of records affected.
- The date and time of the incident and how it was discovered.
- The impact assessment, including whether CUI was accessed, exfiltrated, or encrypted.
- Actions taken to contain, eradicate, and recover from the incident.
- Point of contact information for the contractor's incident response team.

The contractor must also preserve all affected systems and logs for 90 days (or longer if requested by DoD) and provide DoD with access to the affected systems for forensic analysis. Failure to comply with the 72-hour reporting requirement can result in a suspension of contract payments, a finding of False Claims Act liability, and referral to the DoD IG for suspension or debarment proceedings (32 CFR § 2002.30).
CyberSilo's incident response services provide 24/7/365 on-call support for CUI-related cybersecurity events, including forensic data collection, DoD reporting coordination, and CMMC-compliant remediation planning.

Need a CUI Incident Response Plan?

CyberSilo helps DoD contractors build and test CUI-specific incident response plans that meet DFARS 252.204-7012, NIST SP 800-171, and CMMC 2.0 requirements. Our analysts will develop your playbook, conduct tabletop exercises, and ensure your team can meet the 72-hour reporting deadline.

CUI vs. Classified Information: Understanding the Boundary

One of the most common points of confusion among contractors is the boundary between CUI and classified information. Classified information is defined under Executive Order 13526 (Classified National Security Information) and requires protection at three levels: Confidential, Secret, and Top Secret. Classified information involves a formal classification authority, an original classification authority (OCA), and specific damage to national security as the basis for classification.

CUI is never classified. It may be:

- Information that is unclassified but still sensitive (e.g., PII, unclassified export-controlled technical data).
- Information that has been declassified but retains dissemination controls.
- Information that is originally unclassified but subject to safeguarding requirements under non-classification authorities (statutes, regulations, government-wide policies).

The key distinction: classified information is about national security damage; CUI is about regulatory, legal, or policy-based protection. For example, a technical drawing of a missile guidance system that is originally classified as Secret is classified; the same drawing after declassification may become CUI under the Export Control (EC) category if it remains subject to ITAR or EAR.
Another important distinction: No CUI category covers "company confidential" information unless the information specifically meets the criteria for CUI Basic or CUI Specified. A contractor's internal trade secrets that are not part of a government contract deliverable are not CUI and do not require NIST SP 800-171 protection—but they may still be subject to other contractual confidentiality obligations.

Frequently Asked Questions About CUI

What is the most common CUI category for DoD contractors?

The most common category is Controlled Technical Information (CTI), which covers technical data, computer software, and detailed drawings developed under DoD contracts. CTI is specifically defined in DFARS 252.204-7000 and is the primary CUI category that triggers NIST SP 800-171 compliance under DFARS 252.204-7012.

Who can access CUI without a security clearance?

Unlike classified information, CUI does not require a security clearance for access. However, access must be limited to individuals with a lawful government purpose and a need-to-know. Contractors are responsible for verifying that personnel have completed CUI training (NIST SP 800-171 Requirement AT-2) and are covered by a Non-Disclosure Agreement (NDA) or equivalent contractual obligation before granting access.

Can CUI be stored in the cloud?

Yes, but only in a cloud service that meets FedRAMP Moderate or High authorization, or in a contractor-owned system that implements all 110 NIST SP 800-171 controls. The cloud service provider must be listed in the FedRAMP Marketplace at the Moderate or High baseline. The contractor must maintain a System Security Plan (SSP) that documents the cloud architecture, encryption configuration, and continuous monitoring plan.

What happens if I accidentally disclose CUI?

Unintentional disclosure of CUI does not automatically result in penalty, but it triggers mandatory notification requirements. Under 32 CFR § 2002.30 and DFARS 252.204-7012(b)(3), the contractor must report the unauthorized disclosure to the contracting officer and the DoD CUI Program Manager within 5 business days. The DoD will determine whether the disclosure constitutes a breach requiring remediation, referral to law enforcement, or a suspension/debarment action. Swift, transparent reporting and remediation mitigate risk.

How do I mark an email containing CUI?

Emails containing CUI must have the designation indicator "CONTROLLED UNCLASSIFIED INFORMATION" in the subject line and at the top and bottom of the email body. If the email contains attachments, each attachment must also be marked. For email with mixed content (CUI and non-CUI), the entire email is considered CUI and must be protected accordingly. Never send CUI via unencrypted email; use TLS 1.2+ encryption or an approved secure file transfer solution.

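
As an added example (written for this page, not taken from it or from CyberSilo), the Python below encodes the rules in this answer as a pre-send check: a message with any CUI part is treated as CUI as a whole, the subject line and the first and last lines of the body must carry the designation indicator, every attachment must be marked, and transport must be TLS 1.2 or higher. The Email and Attachment types, the tls_version field and the sample message are assumptions for illustration; how a mail gateway learns the negotiated TLS version, and how an attachment's own markings are applied inside its file format, are outside this snippet.

```python
from dataclasses import dataclass, field, replace
from typing import List, Tuple

DESIGNATION = "CONTROLLED UNCLASSIFIED INFORMATION"
MIN_TLS = (1, 2)  # TLS 1.2 or higher, per this article


@dataclass
class Attachment:
    name: str
    contains_cui: bool
    marked: bool  # True if the attachment file carries its own CUI markings


@dataclass
class Email:
    subject: str
    body: str
    body_contains_cui: bool
    attachments: List[Attachment] = field(default_factory=list)
    # Assumed: negotiated transport TLS version, (0, 0) meaning unencrypted.
    tls_version: Tuple[int, int] = (0, 0)


def is_cui_email(msg):
    """Mixed-content rule: the whole message is CUI if any part of it is CUI."""
    return msg.body_contains_cui or any(a.contains_cui for a in msg.attachments)


def _body_edges(body):
    """First and last non-blank lines of the body (empty strings if none)."""
    lines = [l.strip() for l in body.splitlines() if l.strip()]
    return (lines[0] if lines else "", lines[-1] if lines else "")


def assess_email(msg):
    """Return the list of marking/transport issues; an empty list means ready to send."""
    if not is_cui_email(msg):
        return []
    issues = []
    if DESIGNATION not in msg.subject:
        issues.append("subject line lacks designation indicator")
    top, bottom = _body_edges(msg.body)
    if top != DESIGNATION:
        issues.append("body does not begin with designation indicator")
    if bottom != DESIGNATION:
        issues.append("body does not end with designation indicator")
    for a in msg.attachments:  # every attachment, CUI or not, once the email is CUI
        if not a.marked:
            issues.append(f"attachment {a.name} is unmarked")
    if msg.tls_version < MIN_TLS:
        issues.append("transport is not TLS 1.2 or higher")
    return issues


def apply_markings(msg):
    """Return a copy with subject and body marked. Attachments are left alone:
    they must be marked inside their own format before sending."""
    if not is_cui_email(msg):
        return msg
    subject = msg.subject if DESIGNATION in msg.subject else f"{DESIGNATION}: {msg.subject}"
    top, bottom = _body_edges(msg.body)
    body = msg.body.strip("\n")
    if top != DESIGNATION:
        body = f"{DESIGNATION}\n\n{body}"
    if bottom != DESIGNATION:
        body = f"{body}\n\n{DESIGNATION}"
    return replace(msg, subject=subject, body=body)


# Constructed sample: a plain cover note with one CUI attachment and one
# unmarked non-CUI attachment, sent over TLS 1.2.
SAMPLE = Email(
    subject="Drawing package for review",
    body="Hi team,\n\nattached are the updated drawings.\n\nThanks",
    body_contains_cui=False,
    attachments=[
        Attachment("guidance_assy_rev3.pdf", contains_cui=True, marked=True),
        Attachment("meeting_notes.txt", contains_cui=False, marked=False),
    ],
    tls_version=(1, 2),
)

if __name__ == "__main__":
    print("before:", assess_email(SAMPLE))
    print("after: ", assess_email(apply_markings(SAMPLE)))
```

Before marking, the sample fails on the subject, both ends of the body, and the unmarked notes file; after apply_markings only the attachment issue remains, because the mixed-content rule makes the non-CUI notes part of a CUI email and the file itself must be marked before it goes out.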

Does CUI apply to subcontractors?

Yes. Prime contractors must flow down CUI protection requirements to all subcontractors that will access, process, or store CUI. The flow-down must include DFARS 252.204-7012 and CMMC requirements at the appropriate level. The prime contractor remains responsible for subcontractor compliance and must ensure that subcontractors are included in the prime's CMMC assessment scope for shared CUI systems.

What is the difference between FCI and CUI?

Federal Contract Information (FCI) is information not intended for public release that is provided by or generated for the government under a contract. FCI does not require safeguarding under a specific law or policy beyond the contract terms. CUI requires protection under one or more specific legal or regulatory authorities. In practice, FCI is a subset of government information that does not meet the CUI threshold, while CUI always has a specific statutory or regulatory basis for its protection.

How long must CUI be retained?

CUI retention periods are governed by the contract's records retention requirements and the National Archives and Records Administration (NARA) General Records Schedules (GRS). For DoD contracts, the default retention period is 3 years after final payment, unless the contract or the CUI category specifies a longer period (e.g., 6 years for export control records under ITAR 22 CFR § 122.5). Destruction of CUI must be permanent and verifiable, using approved media sanitization methods (NIST SP 800-88 Rev. 1).

Can CUI be removed from the cloud to avoid CMMC?

No. Even if CUI is removed from a contractor's system, the obligation to protect it under NIST SP 800-171 and DFARS 252.204-7012 continues for any system that processed, stored, or transmitted CUI during the contract period. The compliance obligation is tied to the system, not just the current data. Attempting to "delete" CUI after learning of an upcoming assessment is a separate violation and may be investigated as a false certification.

Who enforces CUI violations?

Enforcement of CUI protection falls under multiple federal agencies depending on the context: the DoD for CUI under DFARS clauses and CMMC (via contracting officers and DC3), the Department of Justice for criminal violations (e.g., unauthorized disclosure of export-controlled information under 18 U.S.C. § 1831 and § 1832), and the Federal Trade Commission for PII-related CUI under the FTC Safeguards Rule. Contractors found to have knowingly failed to protect CUI face False Claims Act liability, suspension, debarment, and potential criminal referral.

You Asked the Questions — Now Get the Answers in Practice

CUI protection is not a one-time checkbox; it's an ongoing operational requirement that affects every contract you bid on. CyberSilo's compliance automation and continuous monitoring solutions ensure your documentation, evidence, and control posture are always assessment-ready.

Our Conclusion & Recommendation

CUI is not an abstract regulatory concept—it is a concrete, daily operational requirement for any organization in the defense industrial base. With the phased rollout of CMMC 2.0 beginning in 2025, the time to operationalize CUI protection, marking, and incident response is now. The 110 controls of NIST SP 800-171, the 72-hour incident reporting requirement, and the mandatory mark-and-safeguard regime under 32 CFR Part 2002 form a rigorous but fully achievable framework for protecting the information that keeps our warfighters safe and our contracts current.

CyberSilo recommends that every organization handling CUI take three immediate steps: (1) conduct a comprehensive CUI inventory and category mapping, (2) perform a NIST SP 800-171 gap assessment against all 110 controls, and (3) implement an automated compliance monitoring solution that provides continuous evidence collection and real-time reporting. Our Compliance Standards Automation platform is purpose-built for this mission—it maps your existing security tools to the CUI control baseline, identifies gaps, and produces the artifacts your CMMC assessor or DC3 investigator will require. Contact our team today for a confidential compliance assessment.

Get Your CMMC Compliance Assessment

CyberSilo is ready to help you achieve and sustain CMMC 2.0 certification. Our compliance architects will evaluate your current security posture, map it to the CUI control baseline, and develop a gap closure plan that fits your budget and timeline.

© Cybersilo 2026 - All Rights Reserved