What is CUI? Definition, Examples, and How to Manage It

Updated on: Dec 10, 2025 10 Minute Read

CUI stands for controlled unclassified information
The definition of controlled unclassified information and how its management is changing

CUI stands for Controlled Unclassified Information. CUI is a category of sensitive but unclassified government information that must be protected to reduce security risk and help safeguard national security. In the past it went by aliases like “official use only,” “law enforcement sensitive,” and “sensitive but unclassified,” which only added to the confusion.

So, what exactly is it, and why should your company care? Hint alert — obtaining a government contract could depend on how your organization addresses CUI, so for many, it’s a topic worthy of discussion.

CUI didn’t have much of an established identity before 2010. It went by any number of aliases and took a back seat to the more glamorous classified category. However, should CUI fall into the wrong hands, something as serious as national security could be at risk. This article will explore CUI — what it is, why it’s so important, how CUI management is changing, and the most critical action your company can take to manage CUI today properly.

Classified information vs. CUI: What’s the difference

classified information vs controlled unclassified information
What is the difference between classified information and controlled unclassified information?

Classified information is highly restricted and thus gets all the attention — and the highest level of government protection with access on a “need to know” basis. Matt Monroe, a 20-year U.S. Air Force veteran and current operations manager at Omnistruct, explains the breakdown, “There are four classified information categories in the military based on the severity of damage that the information’s release would cause. The three most sensitive — confidential, secret, and top-secret — could cause damage to exceptionally grave damage should the information be released and end up in the wrong hands.”

CUI is a different category of sensitive data which also requires secure handling. It isn’t classified, but the government feels this type of information must be controlled and not disseminated as its release could threaten national security. Fewer controls govern CUI and can pose an easier path for malicious invaders as access requires only a “lawful government purpose” rather than the much stricter “need to know” requirement for classified information. Safeguarding CUI is taken seriously but not historically viewed with the same urgency as classified. 

What is CUI?

CUI is government created or owned information
CUI is defined as any government created or owned information that requires safeguarding

CUI is government-created or government-owned information that requires safeguarding or dissemination controls consistent with applicable laws, regulations, and government-wide policies. CUI is an information classification for data that isn’t classified but still sensitive. It’s also not corporate intellectual property, unless that IP is created for or included in requirements related to a government contract.

Up until 2010, CUI wasn’t even CUI — it appeared under an assortment of previously mentioned names, like “for official use only” and “sensitive but unclassified.” More troubling was that no standardized guidelines existed for assessing CUI—one company could label information extremely sensitive while another could treat it as less sensitive.

In November of 2010, the Obama Administration passed Executive Order 13556, which created 10 categories for non-classified information needing control and protection due to potential vulnerability and security risk. The goal of the CUI program is to create a uniform, government-wide system for classifying, safeguarding, and sharing CUI. The Final Rule was passed in 2016 by the National Archives Records Administration to provide implementation direction for Executive Order 13556 and to support a standardized methodology for assessing CUI.

Types of CUI: Basic vs. specified

There are two main types of CUI: CUI Basic and CUI Specified.

  • CUI Basic uses the standard set of safeguarding and dissemination controls and is typically handled at a “moderate” confidentiality level under the Federal Information Systems Modernization Act (FISMA), with information marked “CUI” or “controlled.”
  • CUI Specified requires more restrictive handling and specific dissemination controls defined by the designating agency.

Additional examples of CUI

Examples of CUI include PII, SPII, PBI/CBI, UCII, and SBU
PII, SPII, PBI/CBI, UCII, and SBU are all examples

CUI is a general term that captures various markings used to identify information that isn’t classified but is still sensitive and must be protected. Examples of CUI categories include:

  • Personally Identifiable Information (PII)
  • Sensitive Personally Identifiable Information (SPII)
  • Proprietary Business Information (PBI) or currently known within EPA as Confidential Business Information (CBI)
  • Unclassified Controlled Technical Information (UCTI)
  • Sensitive but Unclassified (SBU)

SPII definition: In this context, SPII (Sensitive Personally Identifiable Information) refers to especially sensitive personal data (for example, certain types of PII) that needs extra protection and is treated as CUI.

Basic requirements

For those interested in working with the government, specifically the Department of Defense (DoD), DoD Instruction 5200.48 presents a set of basic requirements in contractor relationships. 

CUI documents must be clearly marked, handled at least at a “moderate” confidentiality level, and stored in systems that meet DoD or equivalent security requirements. They also need to be disposed of according to approved disposition authorities when no longer needed.

If your company wants to contract with the DoD, keep the following in mind:

  • When providing info to contractors, the DoD must inform the contractor of any CUI and mark it accordingly.
  • The DoD must articulate this fact in all contracts and legal documents when providing CUI.
  • DoD contracts require contractors to monitor and report classifications to a DoD representative.
  • CUI will be classified at a “moderate” confidentiality level and follow DoDI 8500.01 and 8510.01 in all DoD systems. Non-DoD systems must provide adequate security for CUI with requirements incorporated into all contracts and legal documents, and non-DoD entities must follow DoDI 8582.01 guidelines.
  • DoD representatives and contractors will submit all unclassified DoD info for review and approval based on the Department of Defense Instruction 5230.09.
  • All records must follow the approved mandatory disposition authorities whenever the DoD provides to or generates CUI by anyone other than the DoD.

Who is responsible for applying CUI markings and controls?

Under DoD guidance, the DoD is responsible for identifying and marking CUI when it provides information to contractors and must spell this out in contracts and legal documents. Contractors are then responsible for monitoring, reporting, and protecting that CUI in their own systems according to the contract terms and applicable DoD instructions.

Common mistakes with identifying CUI 

commonly made mistakes when identifying cui
Over-classification, focus on format, and lack of context are all commonly made mistakes
  • Over-classification: Businesses might mistakenly classify all government-related information as CUI, like budgets, leading to unnecessary restrictions and inefficiencies.
  • Focus on format over content: Assuming that only certain formats (e.g., reports) contain CUI, while overlooking sensitive information in emails or presentations.
  • Lack of context: Not considering the context in which information is used or created. Publicly available information might become CUI when combined with other sensitive data.

How is CUI management changing?

CUI management is changing under the cybersecurity maturity model certification (CMMC)
How the Cybersecurity Maturity Model Certification (CMMC) is making an impact

The importance of CUI management today is evident — especially in government-related industries. In May 2018, the senior official in charge of CUI at the time (Under Secretary of Defense for Intelligence) designated the Defense Counterintelligence Security Agency (DCSA) with DoD enterprise management of CUI. The moves’ objectives were to help foster department-wide prioritization of CUI, universal assessment standards, a shared CUI data library, and CUI management training.

The Cybersecurity Maturity Model Certification (CMMC) impacts how companies must manage CUI today. Gone are the days of casual “self-attestation” for CUI compliance verification. The CMMC requires all contractors to pass rigorous third-party audits proving adherence to the new regulations. 

Meeting these regulations requires a significant commitment from contractors, and many of the smaller players won’t have the resources needed to meet the new DoD requirements.

One thing is for sure — all organizations will be more aware of CUI, where it is, and what measures are necessary to ensure safety and compliance.

What can your organization do to help manage CUI and stay compliant with CMMC?

how to manage cui while staying compliant with CMMC
Data classification is a key piece of managing this information while staying compliant with CMMC

What can your organization do to help manage CUI and stay compliant with CMMC? According to Monroe, two words sum it up — data classification. He emphasizes the importance of knowing what CUI is in your systems and its location. Matt feels it’s never too soon to begin classifying your data with the benefits undoubtedly worth the effort.

“Better off starting the process now, creating a classification structure and adhering to it, rather than waiting until you’re forced. As much of a drag as going through and doing data classification can be, the effort is worth it when you can deliver the proof and avoid the headaches.”

Data classification undoubtedly provides the cornerstone for any successful information security management system today. Secure and compliant organizations take time to understand their data profiles and base classifications on their specific criteria and privacy requirements. They set clear, definable goals for their classification policy, guided by solid internal ownership. Finally, they understand the importance of keeping policies simple, using automation when possible to streamline the classification process, and continually monitoring their policies to keep pace with changing environments.

Steps for securing CUI

The 5 levels of CMMC
CMMC defines five maturity levels which serve as a guideline for organizations

How can your organization best secure CUI? Start by examining the Cybersecurity Maturity Model Certification (CMMC), which addresses the security requirements for all DoD industry partners. This model is designed as a guideline to ensure adequate security processes and practices to protect CUI within the networks of all DoD contractors. 

The CMMC contains maturity levels ranging from “basic cybersecurity hygiene” to “advanced progressive,” providing users with a hierarchy of security options for CUI. Below are the five levels of the CMMC, which offer an excellent beginning guideline for protecting your CUI.

  • Level 1 suggests performing basic cyber hygiene practices, such as installing anti-virus software and regularly changing passwords, to safeguard Federal Contract Information (FCI).
  • Level 2 describes an “intermediate level of cyber hygiene” that begins implementing NIST SP 800-171 requirements to secure CUI.
  • Level 3 raises the bar to “good cyber hygiene,” which includes implementing all NIST SP 800-171 security requirements with additional standards under a company-wide management plan.
  • Level 4 establishes processes and techniques for addressing “advanced persistent threats” (APT) that bring more sophisticated expertise and resources.
  • Level 5 standardizes and optimizes the processes and techniques for handling APTs and establishes a process for reviewing and measuring the effectiveness of security practices.

Remember that the first three levels of the CMMC encompass the 110 security requirements specified in NIST SP 800-171. The CMMC then goes further with each level, adding processes and practices to those specified in lower levels. It also mirrors the NIST SP 800-171 in that it assesses a company’s implementation of cybersecurity practices and institutionalization of cybersecurity processes. To better understand how to design and operationalize effective cybersecurity controls for CUI protection, explore our dedicated NIST SP 800-171 guide.

Elevating CUI management: secure your federal contracts with confidence

how to effectively manage CUI

Despite a history of playing second fiddle to the more glamorous classified ranking, CUI is still critical government information that must be controlled and protected, especially for compliance-conscious companies looking to secure federal contracts.

Legislation has finally caught up with CUI, providing standardized guidelines for assessment and uniform, transparent systems like those outlined in the CUI Program to safeguard and disseminate this information. In addition, CMMC regulations have finally tightened the reins, providing the regulatory controls to ensure this unclassified yet potentially sensitive data is handled safely today.

Request a demo of Hyperproof today and unlock the potential to manage CUI effectively, securing your federal contracts with confidence and ease.

See Hyperproof in Action

Request Demo
Related Resources

Ready to see
Hyperproof in action?

G2 Crowd Leader
G2 Crowd Best Estimated ROI
G2 Crowd Best Customer Support Enterprise
G2 Crowd Fastest Implementation
G2 Crowd Momentum Leader