Compliance Guide

What Is Controlled Unclassified Information (CUI)?

If you build, deliver, or support anything for the federal government, CUI almost certainly shows up in your environment. This guide explains what CUI is, why it matters for CMMC and NIST 800-171, and the practical steps defense contractors take to handle it correctly.

The short definition

Controlled Unclassified Information (CUI) is unclassified federal information that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. It is not classified — there are no "Secret" or "Top Secret" markings — but it is sensitive enough that the government requires specific protections wherever it lives.

The CUI Program is governed by 32 CFR Part 2002, administered by the National Archives (NARA), and replaces a patchwork of agency-specific labels like FOUO, SBU, and LES.

Why CUI matters for defense contractors

For the Defense Industrial Base (DIB), CUI is the trigger for almost every modern cybersecurity compliance requirement:

  • DFARS 252.204-7012 requires contractors that process, store, or transmit Covered Defense Information (a category of CUI) to implement NIST SP 800-171 and report cyber incidents within 72 hours.
  • NIST SP 800-171 Rev. 2 defines 110 security requirements across 14 families — access control, audit, configuration management, incident response, and more.
  • CMMC 2.0 codifies and assesses those NIST 800-171 requirements. Level 2 (Advanced) applies to most contractors that handle CUI and requires a third-party C3PAO assessment for prioritized programs.
  • DFARS 252.204-7019 / 7020 / 7021 require an SPRS score, a government assessment right, and CMMC certification at the level specified in the contract.

Translation: if CUI flows into your environment and you cannot demonstrate compliant handling, you can lose contract eligibility, fail an audit, or face False Claims Act exposure.

Examples of CUI

CUI categories are published in the NARA CUI Registry. Common examples include:

  • Controlled Technical Information (CTI) — engineering drawings, specifications, source code for defense systems
  • Export-Controlled Information — ITAR and EAR technical data
  • Critical Infrastructure Information
  • Procurement and acquisition data
  • Personally Identifiable Information (PII) tied to federal programs
  • Protected Health Information (PHI) handled on behalf of federal agencies
  • Law enforcement sensitive information

Marking CUI

Properly marked CUI carries a banner marking at the top of each page and a designation indicator identifying the originator. The basic banner is CUI; categories and limited-dissemination controls are appended, for example CUI//SP-CTI//NOFORN.

If you create derivative documents from CUI source material, the derivative inherits the source's controls and must be marked accordingly. When in doubt, mark up — and ask the contracting officer.
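The banner format described above (CUI, then category markings, then limited-dissemination controls, each segment separated by "//" and items within a segment by "/") is regular enough to check by machine. The following Python is an added example, not part of this guide and not Desra Secure's tooling: it parses a banner into its parts, rejects malformed ones, renders a banner back out, and combines the controls of several source documents into the marking a derivative would carry. The category and LDC tables are a small constructed subset for illustration, not the NARA CUI Registry, and the derivative rule (union of all source categories and controls) is an assumption that stands in for whatever the originator's guidance says.

```python
"""Parse, validate, render and combine CUI banner markings (example code)."""
from dataclasses import dataclass

# Constructed subset of category abbreviations; the real list is the NARA CUI
# Registry. "SP-" marks a Specified category and is kept as written.
KNOWN_CATEGORIES = {"CTI", "EXPT", "PRVCY", "PROCURE", "LEI"}
# Constructed subset of limited-dissemination control markings.
KNOWN_LDCS = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY"}


class MarkingError(ValueError):
    """Raised when a banner does not follow the CUI//Category//LDC shape."""


@dataclass(frozen=True)
class BannerMarking:
    categories: tuple  # e.g. ("SP-CTI", "EXPT")
    ldcs: tuple        # e.g. ("NOFORN",)

    def render(self) -> str:
        """Rebuild the banner string from its parts."""
        parts = ["CUI"]
        if self.categories:
            parts.append("/".join(self.categories))
        if self.ldcs:
            parts.append("/".join(self.ldcs))
        return "//".join(parts)


def _is_category(token: str) -> bool:
    return token.removeprefix("SP-") in KNOWN_CATEGORIES


def parse_banner(banner: str) -> BannerMarking:
    """Split a banner line into categories and LDCs, enforcing segment order."""
    segments = [s.strip() for s in banner.strip().split("//")]
    if segments[0] != "CUI":
        raise MarkingError(f"banner must start with CUI: {banner!r}")
    if len(segments) > 3:
        raise MarkingError(f"too many '//' segments: {banner!r}")
    categories, ldcs = [], []
    for seg in segments[1:]:
        tokens = [t.strip() for t in seg.split("/") if t.strip()]
        if not tokens:
            raise MarkingError(f"empty segment in {banner!r}")
        if all(_is_category(t) for t in tokens):
            # Categories may appear once, and only before any LDC segment.
            if categories or ldcs:
                raise MarkingError(f"categories must come first, once: {banner!r}")
            categories = tokens
        elif all(t in KNOWN_LDCS for t in tokens):
            if ldcs:
                raise MarkingError(f"duplicate LDC segment: {banner!r}")
            ldcs = tokens
        else:
            raise MarkingError(f"unknown or mixed tokens {tokens} in {banner!r}")
    return BannerMarking(tuple(categories), tuple(ldcs))


def derive_marking(sources) -> BannerMarking:
    """Assumed derivative rule: a derivative inherits every control of every
    source, so take the ordered union of categories and of LDCs."""
    cats, ldcs = [], []
    for src in sources:
        for c in src.categories:
            if c not in cats:
                cats.append(c)
        for l in src.ldcs:
            if l not in ldcs:
                ldcs.append(l)
    return BannerMarking(tuple(cats), tuple(ldcs))


def find_banner(document_text: str):
    """Return the banner on a document's first non-blank line, or None if the
    document carries no CUI banner at all (a candidate for the inventory)."""
    for line in document_text.splitlines():
        line = line.strip()
        if line:
            return parse_banner(line) if line.startswith("CUI") else None
    return None


if __name__ == "__main__":
    # Constructed sample documents, not real CUI.
    drawing = "CUI//SP-CTI//NOFORN\nBracket assembly, rev C\n"
    export_note = "CUI//EXPT\nTechnical data subject to ITAR\n"
    memo = "Weekly status\nNothing sensitive here\n"
    for doc in (drawing, export_note, memo):
        print(find_banner(doc))
    combined = derive_marking([find_banner(drawing), find_banner(export_note)])
    print("derivative banner:", combined.render())
```

Running the script prints the parsed marking for the two marked documents, None for the unmarked memo, and the derivative banner CUI//SP-CTI/EXPT//NOFORN. The order check matters in practice: a banner such as CUI//NOFORN//SP-CTI is rejected rather than silently reinterpreted, so a misplaced segment surfaces as a finding instead of a guess.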

Basic handling requirements

  • Access control: limit access to authorized personnel with a lawful government purpose. Multifactor authentication is required for network and privileged access.
  • Storage: store CUI in environments that meet NIST 800-171 controls. Cloud services handling CUI must meet FedRAMP Moderate (or equivalent) and provide DFARS 7012 (c)–(g) flow-down.
  • Transmission: encrypt CUI in transit using FIPS 140-validated cryptography. No personal email, no consumer file-sharing, no unencrypted USB.
  • Encryption at rest: FIPS-validated encryption on workstations, servers, and mobile devices that store CUI.
  • Incident reporting: report cyber incidents affecting CUI to DoD via dibnet.dod.mil within 72 hours.
  • Destruction: destroy CUI using NSA/CSS-approved methods — cross-cut shredding for paper, sanitization per NIST 800-88 for digital media.

Common mistakes we see

  • Treating CUI like ordinary business data and storing it in commercial M365 or Google Workspace tenants that aren't GCC High / GCC.
  • Self-attesting NIST 800-171 compliance without a real System Security Plan (SSP) or POA&M.
  • Failing to flow DFARS 7012 down to subcontractors who also touch CUI.
  • Inflated SPRS scores that don't survive a government or C3PAO assessment.
  • No clear inventory of where CUI actually lives in the environment.

A practical path to compliance

  1. Identify and inventory the CUI you receive, create, store, and transmit.
  2. Draw a clear CUI boundary — the systems, networks, and people in scope.
  3. Stand up an authorized enclave (often Microsoft 365 GCC High or an equivalent FedRAMP Moderate environment).
  4. Implement the 110 NIST 800-171 controls; document them in an SSP with a POA&M for gaps.
  5. Submit an honest SPRS score and remediate.
  6. Prepare for a CMMC Level 2 assessment by a C3PAO.

Need help with CUI and CMMC?

Desra Secure helps federal contractors scope CUI, build SSPs and POA&Ms, stand up compliant enclaves, and prepare for CMMC Level 2 assessment.

This guide is provided for general informational purposes only and does not constitute legal or compliance advice. Specific obligations depend on your contracts and the data you handle.