Controlled Unclassified Information is the federal data that is not classified but still legally has to be protected, and for a contractor, handling it wrong can end a contract. CUI affects your eligibility, your security posture, and your legal standing, and the obligations are concrete: identify it, protect it under a defined set of controls, train your people, and run it as an ongoing program. This guide explains what CUI is and, more to the point, how to build the processes to protect it.
Quick answer: CUI is unclassified information that law or policy requires you to safeguard, established by Executive Order 13556, run by NARA, and cataloged in the CUI Registry. It comes in two tiers, Basic and Specified. Protecting it on a contractor system means implementing NIST SP 800-171's 110 controls across the information's full lifecycle, training everyone with access, and running compliance as a continuous program, not a one-time project.
CUI is unclassified information that law, federal regulation, or government-wide policy requires you to safeguard or control how you share. It exists to replace the old patchwork of agency labels ("For Official Use Only," "Sensitive But Unclassified," and dozens more) that left gaps across the government. Executive Order 13556, signed in 2010, created one framework, named the National Archives and Records Administration (NARA) the executive agent, and codified the rules in 32 CFR Part 2002.
The stakes are real: mishandling CUI can mean contract termination, civil liability, or criminal prosecution depending on the category, and for defense contractors, the DoD CUI tied to controlled technical information feeds straight into CMMC and award eligibility. For a deeper look at identifying and marking CUI and the training requirements, see our companion guide to CUI training and government-wide policies.

The authoritative source for what counts as CUI is the CUI Registry that NARA maintains, which lists every approved category and subcategory, the law behind each, and the handling it requires, from nuclear information and export-control data to proprietary and confidential business information. When you are unsure whether something qualifies, you check the Registry.
CUI comes in two tiers. Basic is the default, used when the governing law requires safeguarding but does not prescribe handling beyond the baseline, and it covers most of what a contractor touches. Specified applies when the authority requires extra or different controls (tighter access, specific destruction methods, more restrictive dissemination), and it often covers export-controlled or certain technical information. The tier is not academic: it decides how you label, store, transmit, and dispose of the information, and treating Specified material as Basic is exactly the misclassification auditors are trained to catch. The way to avoid it is to check the Registry and your agency's CUI policy before you build anything.

Safeguarding CUI takes physical, administrative, and technical controls, scaled to the sensitivity. At minimum you restrict access to people with a genuine need to know, store CUI in controlled environments or approved systems, and prevent unauthorized disclosure, destruction, or removal. CUI Basic follows the NIST SP 800-171 baseline, 110 controls covering access, incident response, media protection, and more; CUI Specified layers on whatever the governing authority adds.
The key is that the controls cover the whole lifecycle: creating, receiving, storing, transmitting, and destroying. Disposal in particular has to leave the information unrecoverable: cross-cut shredding for paper, certified wiping or physical destruction for electronic media, since partial destruction does not meet the standard. And protection is both technical and behavioral. Technically: multi-factor authentication, encryption at rest and in transit, role-based access, and audit logging of every access event. Behaviorally: people have to understand they cannot even observe CUI without authorization, so if an unauthorized employee can overhear a conversation about it or read it off a monitor, that is a failure you fix. A system not configured to enforce these controls is both a vulnerability and a legal exposure for whoever runs it.

None of the controls hold without training, and it is mandatory for everyone who creates, receives, handles, or transmits CUI, including people who only run into it occasionally, before they get access. Good training covers what CUI is and how it differs from classified information, how to identify the relevant categories, how to mark it, how to handle it physically and digitally, and how to report a suspected incident. DoD programs from the Defense Counterintelligence and Security Agency (DCSA) offer standardized curricula, and official resources live at the NARA CUI training portal and the DCSA training library. For contractors the obligation flows through the contract, and a contracting officer can ask for your training records during a review.
Treat CUI as a program, not a project, and start with an inventory. Review your active contracts for CUI clauses, identify the categories involved, and map how the data actually moves through your systems and workflows. Most organizations discover at this step that CUI is sitting unprotected in shared drives, personal email, or unsecured collaboration tools, which is exactly the visibility problem the inventory solves.
With the inventory done, write a CUI policy that defines roles, responsibilities, and procedures across the lifecycle. Name a senior-agency-official equivalent, usually a compliance officer or security manager, spell out how you receive, handle, share, and dispose of CUI, including across your supply chain, and build in a way to report misuse and a corrective-action process. Then keep it running: meeting 32 CFR Part 2002 means regular audits, refreshed training, system configurations that keep pace with technology, and periodic checks of the Registry for new or changed categories. If you are preparing for a CMMC assessment, treat CUI compliance as the foundation of your security posture, because assessors examine your controls, marking, and safeguarding closely, and it is worth understanding how FAR and DFARS compliance intersects with your CUI obligations.
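As an added example (not the guide's own code and not an OryonIQ tool), the Python below shows the inventory step in miniature: it walks a constructed set of documents, parses each CUI banner marking into tier, categories and dissemination controls, and lists the marked files that sit outside an approved storage location, Specified material first. It assumes the banner syntax of the CUI Marking Handbook ("CUI//CATEGORY//DISSEMINATION", with "SP-" marking a Specified category) and a constructed approved root named cui-enclave.

```python
import re
# Assumption (not from the guide): banners follow the CUI Marking Handbook form
# "CUI//CATEGORY/CATEGORY//DISSEMINATION"; an "SP-" prefix marks a Specified
# category. Sample markers (CTI, PRVCY, EXPT, NOFORN) are Registry markings.
SEG = r"[A-Z0-9 \-]+(?:/[A-Z0-9 \-]+)*"
BANNER_RE = re.compile(rf"^CUI(?://({SEG}))?(?://({SEG}))?$")
DISSEM = {"NOFORN", "FEDCON", "NOCON", "FED ONLY", "DL ONLY"}
APPROVED_ROOTS = ("cui-enclave",)  # constructed: the only sanctioned storage root

def parse_banner(banner):
    """Return {'tier','categories','dissemination'} or None if not a CUI banner."""
    m = BANNER_RE.match(banner.strip().upper())
    if not m:
        return None
    cats = [s.strip() for s in m.group(1).split("/")] if m.group(1) else []
    ctrl = [s.strip() for s in m.group(2).split("/")] if m.group(2) else []
    if not ctrl and cats and all(s in DISSEM for s in cats):
        cats, ctrl = [], cats  # e.g. "CUI//NOFORN": controls with no category
    tier = "Specified" if any(s.startswith("SP-") for s in cats) else "Basic"
    return {"tier": tier, "categories": cats, "dissemination": ctrl}

def find_banner(text):
    # Banners sit at the top of the page, so only the first few lines are checked.
    for line in text.splitlines()[:5]:
        if parse_banner(line):
            return line.strip()
    return None

# Constructed sample documents keyed by path; the root folder is the storage location.
SAMPLE_FILES = {
    "cui-enclave/drawings/part-7731.txt": "CUI//SP-CTI//NOFORN\nTechnical data package.",
    "shared-drive/hr/benefits.txt": "CUI//PRVCY\nEmployee benefits roster.",
    "shared-drive/marketing/brochure.txt": "Public brochure, no marking.",
    "personal-email/export-notes.txt": "CUI//SP-EXPT\nExport-controlled notes.",
}

def inventory(files):
    """One row per marked document: tier, markings, and whether it sits in an approved root."""
    rows = []
    for path, text in files.items():
        row = parse_banner(find_banner(text) or "")
        if row:  # unmarked documents are skipped by this pass
            row.update(path=path, protected=path.split("/")[0] in APPROVED_ROOTS)
            rows.append(row)
    return rows

def findings(files):
    """Paths outside approved storage, CUI Specified first since it needs the most remediation."""
    bad = [r for r in inventory(files) if not r["protected"]]
    return [r["path"] for r in sorted(bad, key=lambda r: r["tier"] != "Specified")]
```

A real pass would read files from the shares the inventory covers and also catch documents that carry CUI without a banner, which this marking-based scan cannot see.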

The authoritative references are worth bookmarking: NARA's CUI Registry for categories and handling, NIST SP 800-171 and the NIST Computer Security Resource Center for the technical controls, the Office of the Director of National Intelligence for the national security context, and the DoD CUI program page for defense specifics. OryonIQ sits alongside them: Ask Oryon answers CUI, CMMC, and clause questions in plain language and cites its sources, and the Insights module flags the policy changes that affect your obligations before they catch you out. For more context, see our breakdowns of simplified acquisition procedures and Other Transaction Authorities.
Unclassified federal information that law, regulation, or government-wide policy requires you to safeguard or control how you share. It is not classified, but it carries real legal handling obligations, and it is cataloged in the CUI Registry maintained by NARA under Executive Order 13556.
Implement the 110 controls in NIST SP 800-171 across the information's full lifecycle, restricting access to those with a need to know, encrypting it at rest and in transit, logging access, and destroying it so it is unrecoverable. CUI Specified adds whatever the governing authority requires.
Everyone who creates, receives, handles, or transmits CUI, including people who only encounter it occasionally, and they have to complete it before getting access. For contractors, the requirement flows through the contract clauses.
Begin with an inventory of the CUI you create, receive, store, and transmit, and how it moves through your systems. Then write a CUI policy defining roles and lifecycle procedures, and run it continuously with audits, refreshed training, and Registry monitoring.
