Controlled Unclassified Information (CUI)
What Is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls pursuant to applicable law, regulation, or government-wide policy, but is not classified under Executive Order 13526 or the Atomic Energy Act.
CUI is sensitive but unclassified information that must be protected from unauthorized access or disclosure.
The modern CUI framework was established under Executive Order 13556 and is managed by the National Archives and Records Administration (NARA). For defense contractors, safeguarding requirements are further defined under DFARS 252.204-7012 and NIST Special Publication 800-171.
Key Characteristics of CUI
CUI categories include Controlled Technical Information (CTI), export-controlled information, privacy information, law enforcement sensitive data, and proprietary business information — each with specific safeguarding requirements.
Unclassified but Controlled
CUI is not classified national security information, but it still requires protection and structured handling.
Marking Requirements
Documents containing CUI must be properly marked to indicate control requirements.
Safeguarding Controls
Protection measures include access restrictions, encryption, physical security controls, and network security protections.
Dissemination Restrictions
CUI cannot be shared without authorization, even within government or contractor environments.
Regulatory Framework
CUI compliance obligations for contractors are governed by:
Executive Order 13556, which established the CUI program
Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, requiring safeguarding and incident reporting
NIST Special Publication 800-171, defining security requirements for protecting CUI in non-federal systems
Cybersecurity Maturity Model Certification (CMMC) framework for verified compliance
Why CUI Matters for Contractors
Contractors handling federal contracts frequently receive or generate CUI. Failure to properly safeguard CUI can result in:
Contract termination
Payment withholds
Mandatory incident reporting
Loss of future contracting eligibility
For example, a defense contractor that receives engineering drawings for a military component must recognize that although the drawings are not classified, they are designated as Controlled Technical Information, must be stored in secure systems compliant with NIST 800-171 controls, and cannot be shared without authorization. Improper disclosure could compromise national security or competitive integrity.
Defense contractors must also report cyber incidents affecting CUI under DFARS requirements.
Common Misconceptions About CUI
Misconception: CUI is the same as classified information.
Reality: CUI is unclassified but still requires structured protection measures.
Misconception: CUI only applies to defense contractors.
Reality: Many civilian agencies also designate and handle CUI.
Misconception: Encryption alone satisfies CUI compliance.
Reality: Full compliance requires administrative, physical, and technical safeguards working together.
Frequently Asked Questions
How do I know if I am handling CUI?
CUI designation is typically specified in contract clauses, statements of work, and data markings on documents.
What security standard applies to contractors handling CUI?
For most defense contracts involving CUI, compliance with NIST SP 800-171 is required.
Does CUI require a security clearance?
No. CUI is unclassified, but access must be restricted to authorized individuals.
Related Government Contracting Topics
NIST SP 800-171: Security requirements for protecting CUI in non-federal systems.
Cybersecurity Maturity Model Certification (CMMC): A Department of Defense cybersecurity verification framework.
DFARS 252.204-7012: Clause requiring safeguarding and reporting of CUI incidents.
Information Security Controls: Technical and administrative safeguards for protecting sensitive data.
Incident Reporting Requirements: Obligations to report cyber breaches involving government information.
Controlled Unclassified Information represents one of the most critical compliance areas in modern government contracting. Although it is not classified, its mishandling can create serious operational, legal, and financial consequences. Contractors must implement structured cybersecurity, training, and governance programs to ensure proper protection throughout the contract lifecycle.