Controlled Unclassified Information (CUI)

Chad Griffith, Founder & CEO

FileFlo — AI compliance document intelligence for DOT, OSHA, and EPA regulated businesses.

Last reviewed · By Chad Griffith

Controlled Unclassified Information (CUI) is information that requires safeguarding or dissemination controls under laws, regulations, or government-wide policies but is not classified. The CUI Program is administered by the National Archives and Records Administration (NARA) and codified at 32 CFR Part 2002. The CUI Registry at archives.gov/cui lists every approved CUI category along with its applicable safeguarding and dissemination controls. CUI handlers in the defense industrial base must implement NIST SP 800-171 controls under DFARS 252.204-7012 and achieve CMMC Level 2 or 3 certification, depending on CUI sensitivity.

Frequently Asked Questions

What categories of CUI exist?

The CUI Registry lists 20+ categories spanning all federal agencies. Defense-relevant categories include Critical Infrastructure (Critical Energy Infrastructure Information), Defense (Naval Nuclear Propulsion, Unclassified Controlled Nuclear Information), Export Control (ITAR information that is not classified), Privacy (PII, Personnel Records), Procurement and Acquisition (Source Selection), and Technical Data. The Registry is maintained at archives.gov/cui.

How is CUI marked?

CUI documents must be marked with: a banner marking at the top identifying 'CONTROLLED UNCLASSIFIED INFORMATION' or 'CUI'; category markings if applicable (e.g., 'CUI//SP-PRVCY' for Privacy CUI); and dissemination controls if applicable. The DoD provides specific marking guidance through its CUI Program implementation policies.

What is the difference between CUI and classified information?

Classified information (Confidential, Secret, Top Secret) requires security clearances and secure facilities and is governed by Executive Orders. CUI is unclassified but still requires controlled handling under specific laws and regulations. CUI does not require security clearances and can be processed in non-classified environments that meet NIST SP 800-171 standards. The DoD has both classified networks (SIPR, JWICS) and CUI-enabled unclassified networks.

Who decides what is CUI?

The federal agency that originated the information determines its CUI status. The CUI Registry sets the framework, but agencies apply the categorization. Contractors should not unilaterally designate information as CUI or non-CUI; when in doubt, request clarification from the contracting officer or agency CUI representative.
