Controlled Unclassified Information, commonly called CUI, refers to sensitive government information that isn’t classified but still requires protection. This type of information is widely used across federal agencies, defense contractors, cybersecurity organizations, research institutions, universities, manufacturers, and service providers working with the U.S. Government.
Many organizations struggle with basic questions:
- What exactly counts as CUI?
- How do you mark or label CUI?
- What are the protection requirements?
- Who is responsible for safeguarding it?
- What does NIST SP 800-171 actually require?
- How do CMMC Level 2 and DFARS rules relate to CUI?
- How do you pass a government audit or increase your SPRS score?
This guide breaks everything down in clear, simple language so anyone—from beginners to contractors—can understand CUI completely.
What Is Controlled Unclassified Information (CUI)?
Controlled Unclassified Information (CUI) is sensitive information created or held by the federal government that requires safeguarding, control, or dissemination restrictions—but does not meet the standards for classified information.
It includes things like:
- Technical drawings
- Military equipment data
- Legal documents
- Health information
- Export-controlled data
- Contract details
- Financial reports
- Research findings
- Infrastructure information
- Personnel data
The purpose of CUI is simple:
Protect sensitive data while still allowing it to be shared when necessary.
CUI Meaning — Simple Definition & Explanation
The simplest definition of CUI:
➡ CUI is information that must be protected but isn’t classified.
It sits between:
- FCI (basic contractor info)
- Classified national security info
Examples:
- Unreleased product test results
- Government financial forecasts
- Maps of critical infrastructure
- For-official-use-only documents
- Export-controlled blueprints
If the government says the data needs protection → it becomes CUI.
Different Types of CUI — CUI Basic vs CUI Specified
CUI is divided into two major types:
1. CUI Basic
- Default category
- Requires only the baseline safeguarding rules of the CUI Program
- No extra regulatory requirements
- Controlled by NIST SP 800-171
Example:
Unpublished research funded by the Department of Energy.
2. CUI Specified
- Has extra protections defined by law, regulation, or policy
- May require stricter distribution, storage, or reporting rules
Examples:
- ITAR-controlled data
- HIPAA health information
- Export-controlled data
- Law enforcement sensitive data
CUI Categories & Real-Life Examples
CUI falls into more than 20 categories, including:
- Critical Infrastructure – water system maps, energy grid data
- Export Control – ITAR, EAR technical data
- Financial – budgets, financial audits
- Intelligence – threat assessments
- Legal – court documents, compliance reports
- Defense – military equipment designs
- Privacy Information (PII) – names, SSNs, addresses
- Proprietary Business Info – trade secrets
Real-life examples:
- Blueprints for military drones
- Federal employee medical records
- Airport security vulnerabilities
- Research funded by DoD
- Engineering drawings marked “For Official Use Only (FOUO)”
CUI Marking, Labeling & Distribution Rules
Marking CUI correctly ensures everyone knows how to handle it.
Required markings:
- CUI header/footer
- Category marking
- Limited dissemination controls (if applicable)
- Portion markings (optional but recommended)
Example label:
[CUI // EXPORT CONTROLLED]
Distribution rules:
- Share only with authorized individuals
- Encrypt before sending
- No public posting
- No social media sharing
- No unapproved cloud storage
CUI Handling Requirements — Do’s, Don’ts & Examples
Do’s
- Use government-approved systems
- Encrypt when storing or transmitting
- Use MFA and access controls
- Lock rooms and cabinets
- Use secure email
Don’ts
- Don’t upload to unapproved platforms
- Don’t share outside your organization
- Don’t leave printouts unattended
- Don’t store on USB drives without encryption
Examples of good handling
- Using Microsoft GCC High
- Logging access to CUI
- Shredding documents after use
How to Store & Transmit CUI Securely
Secure Storage
- Encrypted hard drives
- Locked rooms
- Secure cloud (FedRAMP Moderate or High)
- Access control systems
Secure Transmission
- Encrypted email
- Secure file transfer systems
- Government portals
- VPN tunnels
- Messaging protected by TLS

Who Is Responsible for Protecting CUI?
Everyone involved in handling CUI has responsibility:
- Federal agencies
- Defense contractors
- Subcontractors
- IT teams
- Cloud service providers
- Employees with access
The ultimate responsibility lies with the organization handling CUI.
CUI Training — What It Covers & Who Needs It
Training covers:
- What CUI is
- How to identify it
- Marking and labeling
- Approved storage methods
- Secure transmission
- Common mistakes
- Reporting requirements
- Cybersecurity threats
Who needs training?
➡ Anyone who sees, stores, processes, or handles CUI.
NIST SP 800-171 Explained — Why It Matters for CUI
NIST SP 800-171 is the core cybersecurity standard for protecting CUI.
It includes:
- 110 security controls
- 14 control families
- Requirements for access, auditing, encryption, logging, training, and more
All defense contractors must comply before handling CUI.
CUI NIST 800-171 Requirements (Full Breakdown)
The 14 families include:
- Access Control
- Awareness & Training
- Audit & Accountability
- Configuration Management
- Identification & Authentication
- Incident Response
- Maintenance
- Media Protection
- Personnel Security
- Physical Protection
- Risk Assessment
- Security Assessment
- System & Communication Protection
- System & Information Integrity
Together, these families cover the technical, physical, and personnel safeguards that protect CUI wherever it is processed, stored, or transmitted.
CUI Basic Compliance Steps — The 6-Step Process
1. Identify all CUI data
2. Map your information systems
3. Implement required NIST 800-171 controls
4. Conduct a self-assessment
5. Create POA&M documents
6. Upload score into SPRS
CUI Self-Assessment & How to Calculate SPRS Score
The SPRS score ranges from -203 to +110.
You score yourself against each of the 110 NIST SP 800-171 controls:
- Fully implemented → full points
- Partially implemented → half points
- Not implemented → zero points
The resulting score must be entered and kept current in the government’s SPRS portal.
How to Submit Your CUI Score to SPRS (Step-by-Step)
1. Create a SAM.gov account
2. Access the SPRS portal
3. Enter assessment details
4. Upload your NIST score
5. Add POA&M expected completion dates
6. Submit and confirm
CMMC Level 2 & Its Relationship With CUI
CMMC Level 2 is required for organizations that store CUI.
It requires:
- 110 controls
- Third-party (C3PAO) audit
- Continuous security monitoring
CUI Documentation & Security Controls Checklist
Includes:
- SSP (System Security Plan)
- POA&M
- Incident response plan
- Access logs
- Training records
- Encryption standards
CUI vs Classified Information — What’s the Difference?
| CUI | Classified Info |
|---|---|
| Sensitive but not secret | National security secrets |
| Managed by NARA | Managed by DoD / Intelligence agencies |
| Controlled but not top secret | Confidential, Secret, Top Secret |
Penalties for Mishandling Controlled Unclassified Information
Penalties include:
- Loss of contracts
- Fines
- Mandatory audits
- Termination of personnel
- Criminal charges (for certain categories)
- Suspension or debarment
Who Enforces CUI? (DoD, NARA, DFARS Explained)
- NARA manages the CUI Program
- DoD enforces CUI protections for defense contractors
- DFARS clause 252.204-7012 makes NIST SP 800-171 compliance mandatory for defense contractors that handle CUI
CUI in Defense Contracting — What Contractors Must Know
Contractors must:
- Implement NIST 800-171
- Maintain proper CUI storage
- Train staff
- Limit access
- Use government-approved cloud environments
CUI Lifecycle — From Creation to Disposal
- Creation
- Marking
- Storage
- Transmission
- Use
- Sharing
- Archiving
- Disposal (shredding/deleting securely)
FCI vs CUI — Simple Breakdown for Beginners
| FCI | CUI |
|---|---|
| Basic contract info | Sensitive government data |
| Not highly protected | Strict security controls |
| Applies to all contractors | Applies only if CUI is present |
Conclusion
Controlled Unclassified Information is a critical asset of the U.S. government and must be protected with strict security measures. Whether you are a federal employee, contractor, subcontractor, or private company working with federal data, compliance with CUI rules ensures security, legal protection, and operational reliability.
Understanding types of CUI, marking rules, storage requirements, transmission procedures, penalties, lifecycle phases, and compliance obligations is essential for maintaining a secure and trustworthy environment.
🔥 FAQ Section
Q1: Is CUI classified?
No, CUI is sensitive but not classified.
Q2: Who determines if information is CUI?
Federal agencies and government program offices determine it.
Q3: Does every contractor handle CUI?
No—only those working with sensitive government data.
Q4: What is the difference between CUI and FCI?
FCI is basic contractor info; CUI is sensitive and controlled.
Q5: Can CUI be stored on a normal laptop?
Only if encrypted and compliant with NIST SP 800-171.
Q6: Who audits CUI compliance?
DoD, DCMA, third-party auditors, and C3PAOs.
Q7: What happens if someone mishandles CUI?
Penalties include contract loss, fines, or criminal action.
Q8: Does CMMC Level 2 require an audit?
Yes, for all contractors handling CUI.
