Controlled Unclassified Information (CUI)

Controlled Unclassified Information (CUI) is a category of unclassified information within the U.S. federal government that requires safeguarding or dissemination controls pursuant to law, regulation, or government-wide policy, as defined by Executive Order 13556 and implemented through 32 CFR Part 2002. CUI replaces the patchwork of agency-specific markings such as For Official Use Only (FOUO), Sensitive But Unclassified (SBU), and Law Enforcement Sensitive (LES) with a standardized system managed by the National Archives and Records Administration (NARA).

For Department of Defense (DoD) contractors, CUI handling requirements are specified in DFARS clause 252.204-7012, which mandates implementation of the 110 security requirements in NIST SP 800-171 and requires cyber incident reporting within 72 hours to the DoD Cyber Crime Center (DC3). CUI is organized into 20 categories and 125 subcategories in the CUI Registry, spanning areas such as Critical Infrastructure, Export Control, Intelligence, Legal, and Privacy.

Proper CUI management requires organizations to identify CUI through data classification programs; apply correct CUI markings, including banner lines and portion markings, per DoD Instruction 5200.48; establish controlled environments that restrict access to authorized personnel; implement encryption for data at rest (FIPS 140-2 validated) and in transit; and maintain audit logging of all CUI access and transfers.

Organizations that handle CUI must establish a CUI boundary — the logical or physical perimeter within which CUI is processed, stored, or transmitted — which directly determines the scope and cost of CMMC Level 2 assessments. Minimizing the CUI boundary through data segmentation and enclave architectures is a critical cost-optimization strategy, because every system that touches CUI must meet all 110 NIST SP 800-171 security requirements.
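As an added illustration that is not part of the original entry, the following Python script models CUI boundary scoping as reachability over a data-flow graph: any system that CUI can reach through a data flow stores, processes, or transmits CUI and is therefore in scope. The two inventories (a flat network and an enclave design), the system names, the CUI source list, and the list of already-assessed systems are all constructed for the example; a real scoping exercise would take the flows and sources from the organization's data classification program.

```python
"""
CUI boundary scoping as graph reachability (constructed example).

The asset inventory is a directed data-flow graph.  Every system reachable
from a CUI source is inside the CUI boundary and must satisfy all 110
NIST SP 800-171 requirements, so shrinking that reachable set shrinks the
CMMC Level 2 assessment scope.
"""
from collections import defaultdict


def cui_boundary(flows, cui_sources):
    """Return the set of systems that store, process, or transmit CUI.

    flows:       iterable of (src, dst) pairs meaning data moves src -> dst
    cui_sources: systems where CUI originates or is first stored

    Depth-first traversal: anything reachable from a source is in scope.
    """
    adj = defaultdict(list)
    for src, dst in flows:
        adj[src].append(dst)
    in_scope = set()
    stack = list(cui_sources)
    while stack:
        node = stack.pop()
        if node in in_scope:
            continue
        in_scope.add(node)
        stack.extend(adj[node])
    return in_scope


def unassessed_in_scope(boundary, assessed):
    """Systems inside the boundary that have not yet been assessed against
    NIST SP 800-171: each one is a gap to close before the assessment."""
    return boundary - set(assessed)


# Constructed inventory 1: flat network; the CUI file share is reachable
# by every business system, so they all fall inside the boundary.
CUI_SOURCES = {"cad-workstation"}  # export-controlled engineering drawings
FLOWS_FLAT = [
    ("cad-workstation", "file-share"),
    ("file-share", "hr-laptop"),
    ("file-share", "marketing-pc"),
    ("file-share", "backup-server"),
    ("hr-laptop", "payroll-saas"),
    ("marketing-pc", "print-server"),
]

# Constructed inventory 2: same business, CUI confined to a segmented
# enclave with its own share and backup; the general share carries no CUI.
FLOWS_ENCLAVE = [
    ("cad-workstation", "enclave-share"),
    ("enclave-share", "enclave-backup"),
    ("general-share", "hr-laptop"),
    ("general-share", "marketing-pc"),
    ("hr-laptop", "payroll-saas"),
    ("marketing-pc", "print-server"),
]

# Constructed list of systems already assessed against NIST SP 800-171.
ASSESSED = {"cad-workstation", "enclave-share", "enclave-backup"}


if __name__ == "__main__":
    for label, flows in (("flat", FLOWS_FLAT), ("enclave", FLOWS_ENCLAVE)):
        scope = cui_boundary(flows, CUI_SOURCES)
        gaps = unassessed_in_scope(scope, ASSESSED)
        print(f"{label}: {len(scope)} systems in CUI boundary -> {sorted(scope)}")
        print(f"  not yet assessed: {sorted(gaps)}")
```

In the flat inventory the boundary grows to seven systems, including the payroll SaaS and the print server, none of which need CUI for their business function; in the enclave inventory it shrinks to three, all of which are already on the assessed list. The same traversal can be rerun after each proposed segmentation change to see its effect on assessment scope before any architecture work is done.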