Skip to content
All posts

Controlled Unclassified Information

CUI? What is it and why you should treat it differently? We're going to help explain what controlled Unclassified Information is, help you identify what is considered CUI, and some solutions you can use to protect your CUI.


What is Controlled Unclassified Information (CUI)?

CUI is a category of non-classified information that the U.S. federal Government creates or possesses, or that a non-federal entity (Defense Industrial Base (DIB) or other Federal contractor organizations) receives, possesses, or creates on behalf of the U.S. government. CUI is content that is not classified but is sensitive and requires safeguarding or dissemination controls pursuant to and consistent with applicable laws, regulations, and government-wide policies but is not classified. It can be anything from proprietary information, personal information, or any information that is considered critical to national security.

If your organization works with or has contracts with a federal agency like the Department of Defense (DoD), Department of Energy (DoE), or even the US Department of Agriculture (USDA). You may have CUI that needs to be protected!


What is CUI Video from 123CMMC with Dana Mantilla


Common Examples of CUI Categories

You can find the complete list of CUI definitions found in the NARA CUI registry. Here are a few common examples of data your organization must protect under DFARS/CMMC as a federal DOD, DIB or Federal contractor:

  • Controlled Technical Information (CTI): Technical information with military or space applications that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information would meet the criteria, if disseminated, for distribution statements B through F using the criteria set forth in DoD Instruction 5230.24 and found in the DoD-provided guidance for CUI Markings for Unclassified Documents.
  • ITAR Data: Export controlled data that The International Traffic in Arms Regulation (ITAR) deems as defense-related articles and services on the United States Munitions List (USML). The USML is a list of articles, services, and related technology designated as defense and space-related by the United States federal government.
  • Personally Identifiable Information (PII): data that is transmitted, stored, or processed on behalf of the government as part of the delivery of a contract that data is government-owned. For example, if PII is included in a contract that processes benefits, this would be considered CUI. 

How to Identify CUI

For the more experienced DoD contractors and DIB suppliers identifying and protecting CUI should be a normal part of their security practices. But of those companies that may just be getting into government contracting, it might be overwhelming and not so clear-cut to identify. Here are some questions to ask to help identify CUI:

  • Is the data created by the government and provided to you with the contract?
  • Will the data be used to deliver your contractual responsibilities to the government?
  • Can the data type be identified within the sub-categories listed on the NARA CUI Registry

Marking CUI

See the government archive handbook on Marking CUI here: Marking Controlled Unclassified (

CUI & CMMC 2.0

The DoD will be working to finalize the rulemaking process, effectively putting the DFARS clause 252.204-7021 into the rotation of contract clauses that can be applied to DoD contracts. As a result, contracting officers and prime contracts will be able to attach this clause to the contract's flow-down Cybersecurity Maturity Model Certification (CMMC) requirements in their supply chains.

How to Protect CUI

  • Implement NIST SP 800-171 if you have not already done so.
  • Prepare for third-party (C3PAO) or government-led assessments.
  • Reach out to us! We are able to help you identify CUI and provide consulting for CMMC 2.0 compliance.