Understanding controlled unclassified information is no longer optional for government contractors and federal employees — it is a core compliance requirement that directly affects contract eligibility, security posture, and legal standing. CUI sits in a critical middle ground: it is not classified, but it is far too sensitive to treat as ordinary public information. This guide to controlled unclassified information breaks down exactly what CUI is, how the CUI program works, what your obligations are under federal law, and how to build the processes needed to protect CUI across your organization. Whether you are navigating CUI training requirements for the first time or auditing an existing compliance program, this article delivers the clarity and practical guidance you need.
Controlled unclassified information is any unclassified information that requires safeguarding or dissemination controls pursuant to applicable law, federal regulation, or government-wide policy. The term was created to replace a patchwork of inconsistent agency-level labels — such as "For Official Use Only," "Sensitive But Unclassified," and dozens of others — that had created confusion, inefficiency, and security gaps across the federal government. By standardizing under a single CUI framework, the federal government established a consistent, enforceable approach to managing information that requires safeguarding.
The stakes around CUI are high. Mishandling CUI data can result in contract termination, civil liability, and criminal prosecution depending on the category involved. For defense contractors in particular, DoD CUI requirements — especially those tied to controlled technical information and other sensitive categories — are directly linked to CMMC certification and contract award eligibility. Federal agencies that generate, share, or receive CUI are responsible for ensuring that every person and system in the handling chain meets applicable CUI requirements.

The CUI program was established under Executive Order 13556, signed in 2010, which directed the National Archives and Records Administration to serve as the CUI executive agent responsible for overseeing implementation across the executive branch. This created a unified federal CUI program with standardized CUI regulations, a centralized CUI registry, and clear agency obligations. Understanding this legal foundation is essential for any organization seeking CUI compliance.
The CUI registry is the authoritative, publicly available source for all approved CUI categories and subcategories, the laws and regulations that govern each, and the associated handling requirements. Maintained by the National Archives and Records Administration, the registry defines every recognized category of CUI — from nuclear information and export control data to proprietary business information and confidential business information. Organizations must consult the registry to determine whether specific information they create or receive qualifies as CUI and, if so, which category applies.
CUI is divided into two primary tiers: CUI basic and CUI specified. CUI basic is the default tier that applies when the authorizing law, regulation, or policy does not impose specific handling requirements beyond the baseline CUI standards. CUI specified, by contrast, applies when the governing authority explicitly prescribes additional or different safeguarding or dissemination controls beyond the baseline. For example, information covered under certain export control regulations or controlled technical information with military applications may fall under CUI specified due to the heightened sensitivity involved.
Understanding CUI categories and subcategories is not just an academic exercise — it directly determines how your organization must label, store, transmit, and dispose of specific information. A document containing CUI from a CUI specified category will carry different marking and handling obligations than one falling under CUI basic. Misclassifying CUI data — treating CUI specified material as CUI basic, for example — is a compliance failure that auditors and contracting officers are specifically trained to identify.
Before the CUI program was established, federal agencies used more than 100 different designation labels for sensitive unclassified information that requires protection. This inconsistency made interagency collaboration difficult and created significant vulnerabilities: information handled carefully within one agency might be treated carelessly after being shared with another that used different internal policies. The lack of standardization also made it nearly impossible to hold individuals accountable, since there was no universal definition of what information requiring safeguarding actually meant.
Executive Order 13556 addressed this by directing the creation of a program for managing CUI across the executive branch: the agencies that handle CUI and all organizations doing business with them. The order tasked the National Archives and Records Administration with developing the implementing regulations, which were eventually codified at 32 CFR Part 2002. This regulation establishes a program for managing CUI with clear definitions, marking standards, safeguarding requirements, and incident reporting obligations applicable to all federal agencies and their contractors.
The result is the federal CUI program we operate under today: a tiered, category-based framework governed by the CUI registry, administered by the CUI senior agency official within each agency, and overseen at the government-wide level by the Information Security Oversight Office within NARA. For contractors, this means that CUI regulations are not informal guidance — they carry the full weight of federal law and contract clause enforcement.
Many types of sensitive data can be considered CUI depending on the laws and regulations that govern them. Common examples include: controlled technical information with military or space applications, proprietary information submitted by vendors during procurement, export control-restricted technical data, nuclear information, confidential business information shared during federal contracting processes, national security information that does not rise to the level of classified information, and proprietary business information provided to government agencies in regulatory filings. If a governing law or regulation requires that specific information, and the information systems used to process it, receive protection, it is almost certainly considered CUI.
DoD mandatory controlled unclassified information — sometimes called DoD CUI — encompasses a specific subset of these categories that appear most frequently in defense contracting. Controlled technical information, for example, is a well-known CUI subcategory that covers technical data and other project information with direct military or space application. When a contractor receives a defense contract that includes CUI of this type, it must immediately implement the full suite of CUI security controls required under DFARS 252.204-7012 and applicable CUI requirements.
Information that is considered CUI is not always obviously labeled as such when it is first created or received. Contractors and employees must be trained to recognize information requiring safeguarding based on its content and origin — not just its marking. For instance, unmarked technical specifications shared informally by a program officer may still qualify as CUI if the underlying information falls under a relevant authority and meets the threshold for CUI designation. This is why CUI training is so important: it develops the judgment needed to identify CUI in context.

Marking CUI correctly is one of the most visible and enforceable aspects of the CUI program. All documents, files, and materials marked as CUI must include a CUI designation indicator — typically the word "CUI" — in the header, footer, or prominent location on the first page. For CUI specified materials, the specific subcategory designation must also appear (e.g., "CUI//SP-CTI" for controlled technical information). The CUI registry provides the approved category and subcategory abbreviations that must be used in markings.
Marking CUI extends beyond paper documents. Information systems that process, store, or transmit CUI must be configured to apply appropriate markings to electronic files, email, and digital records. Federal information systems processing CUI must also meet the security requirements of NIST SP 800-171, which specifies 110 security controls covering access control, incident response, media protection, and more. CUI systems that are not properly configured to enforce these controls create both technical vulnerabilities and legal exposure for the organizations operating them.
One common marking error is applying CUI designations too broadly — labeling government information that does not actually meet the CUI threshold. Over-marking creates classification fatigue and can obscure genuinely sensitive material. The goal of the CUI program is precision: a CUI marking should mean that the material has been specifically and accurately identified as information that requires protection under a defined legal authority, not serve as a catch-all for anything a contractor or employee would prefer to keep private.
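The marking rules described above (the "CUI" designation indicator, the "SP-" prefix on CUI specified categories, registry-approved abbreviations) and the misclassification risk noted earlier (a specified category marked as basic) can be checked mechanically. The following is an added example, not code from the original article or from NARA: it parses a banner marking, derives the tier, and compares each category against a registry lookup. The marking grammar it accepts ("CUI", optionally followed by "//" and category tokens separated by "/") and the `REGISTRY_TIER` table are assumptions standing in for the real CUI Registry; only the CTI abbreviation and the "CUI//SP-CTI" form come from the text.

```python
import re
from dataclasses import dataclass, field

# Constructed stand-in for a CUI Registry lookup: category abbreviation -> the
# tier the registry assigns to it. CTI comes from the article; EXPT and PROPIN
# are included only to illustrate a lookup and are not a complete list.
REGISTRY_TIER = {
    "CTI": "specified",     # controlled technical information
    "EXPT": "specified",    # export controlled
    "PROPIN": "basic",      # general proprietary business information
}

# One category token: optional "SP-" prefix plus an uppercase abbreviation.
_CATEGORY_RE = re.compile(r"^(SP-)?([A-Z0-9]+)$")


class MarkingError(ValueError):
    """Raised when a banner is not a well-formed CUI marking."""


@dataclass
class CuiMarking:
    tier: str                                             # "basic" or "specified"
    categories: list[str] = field(default_factory=list)   # e.g. ["SP-CTI"]


def parse_cui_marking(banner: str) -> CuiMarking:
    """Parse a banner such as 'CUI' or 'CUI//SP-CTI/PROPIN' (assumed grammar).

    Any category carrying the 'SP-' prefix makes the whole marking CUI Specified.
    """
    text = banner.strip()
    if text == "CUI":
        return CuiMarking(tier="basic")
    if not text.startswith("CUI//"):
        raise MarkingError(f"missing CUI designation indicator: {banner!r}")
    categories: list[str] = []
    specified = False
    for token in text[len("CUI//"):].split("/"):
        match = _CATEGORY_RE.match(token)
        if not match:
            raise MarkingError(f"malformed category token {token!r} in {banner!r}")
        prefix, abbreviation = match.groups()
        if abbreviation not in REGISTRY_TIER:
            raise MarkingError(f"category {abbreviation!r} is not in the registry")
        specified = specified or prefix is not None
        categories.append(token)
    return CuiMarking(tier="specified" if specified else "basic", categories=categories)


def audit_marking(banner: str) -> list[str]:
    """Return findings: a malformed marking, or a tier that contradicts the registry."""
    try:
        marking = parse_cui_marking(banner)
    except MarkingError as exc:
        return [str(exc)]
    findings = []
    for token in marking.categories:
        abbreviation = token.removeprefix("SP-")
        registry_tier = REGISTRY_TIER[abbreviation]
        if registry_tier == "specified" and not token.startswith("SP-"):
            findings.append(f"{abbreviation} is CUI Specified in the registry but marked as basic: {banner}")
        elif registry_tier == "basic" and token.startswith("SP-"):
            findings.append(f"{abbreviation} is CUI Basic in the registry but carries an SP- prefix: {banner}")
    return findings


if __name__ == "__main__":
    for sample in ("CUI", "CUI//SP-CTI", "CUI//CTI", "CUI//SP-PROPIN", "CUI//", "cui//sp-cti"):
        print(f"{sample!r:16} -> {audit_marking(sample) or 'OK'}")
```

The check is deliberately strict: lowercase indicators, empty tokens and unknown abbreviations are rejected rather than normalized, because a marking that a tool silently "repairs" is one a contracting officer would still treat as wrong.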
Safeguarding CUI requires a combination of physical, administrative, and technical controls calibrated to the sensitivity of the material. At a minimum, organizations must implement CUI security controls that restrict access to CUI to individuals with a legitimate need to know, store CUI in controlled environments or approved information system infrastructure, and prevent unauthorized disclosure, destruction, or removal. For CUI basic, the baseline controls defined in NIST SP 800-171 apply. For CUI specified, additional controls mandated by the governing authority must also be implemented.
Controls for CUI must address the full lifecycle of the information. This means organizations must have documented policies that require CUI controls at every stage — creation, receipt, storage, transmission, and destruction of CUI. Disposing of CUI must be done in a manner that renders the information unrecoverable: for paper documents, this typically means cross-cut shredding; for electronic media, it means certified wiping or physical destruction. The CUI must be rendered irretrievable — partial destruction does not satisfy CUI compliance requirements.
Protecting CUI from unauthorized access requires both technical controls and behavioral awareness. Technically, organizations should implement multi-factor authentication, encryption at rest and in transit, role-based access controls, and audit logging for all CUI access events. Behaviorally, employees must understand that they cannot access or observe CUI without proper authorization — even incidentally. For example, if an employee who lacks appropriate authorization can overhear conversations discussing CUI or view a monitor displaying CUI data, that represents a safeguarding failure that must be remediated.
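Audit logging of CUI access events is only useful if someone reviews the log against the need-to-know decisions the access controls are supposed to enforce. The following is an added example, not code from the article or from any referenced standard: it reads constructed audit log lines, identifies events touching CUI-labelled resources, and flags access by users lacking need-to-know for the resource's categories or performed without multi-factor authentication. The `key=value` log format, the `AUTHORIZED` table and all users and paths are constructed for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed need-to-know table: user -> CUI categories the user may access.
# The bare "CUI" entry stands for CUI Basic with no category marking.
AUTHORIZED = {
    "alice": {"CUI", "SP-CTI"},
    "bob": {"CUI"},
}

# Constructed audit log lines in a key=value format assumed for this example.
SAMPLE_LOG = """\
ts=2024-03-04T09:12:03Z user=alice action=read resource=/eng/alpha/spec.pdf label=CUI//SP-CTI mfa=yes
ts=2024-03-04T09:15:47Z user=bob action=read resource=/eng/alpha/spec.pdf label=CUI//SP-CTI mfa=yes
ts=2024-03-04T09:20:10Z user=bob action=read resource=/fin/vendor-quote.pdf label=CUI mfa=no
ts=2024-03-04T09:22:55Z user=carol action=read resource=/pub/brochure.pdf label=PUBLIC mfa=no
ts=2024-03-04T09:31:19Z user=dave action=download resource=/eng/alpha/drawings.zip label=CUI//SP-CTI mfa=yes
"""

_KV_RE = re.compile(r"(\w+)=(\S+)")


@dataclass
class Finding:
    ts: str
    user: str
    resource: str
    reason: str


def required_categories(label: str) -> set[str] | None:
    """Categories a user needs for a labelled resource; None if the resource is not CUI."""
    if label == "CUI":
        return {"CUI"}
    if label.startswith("CUI//"):
        return set(label[len("CUI//"):].split("/"))
    return None


def review_cui_access(log_text: str) -> list[Finding]:
    """Flag CUI access without need-to-know and CUI access without MFA."""
    findings: list[Finding] = []
    for line in log_text.splitlines():
        event = dict(_KV_RE.findall(line))
        if not event:
            continue
        needed = required_categories(event.get("label", ""))
        if needed is None:
            continue  # not CUI; outside the scope of this review
        user = event["user"]
        # An unknown user has no authorizations at all, so every category is missing.
        missing = needed - AUTHORIZED.get(user, set())
        if missing:
            findings.append(Finding(event["ts"], user, event["resource"],
                                    f"no need-to-know for {sorted(missing)}"))
        if event.get("mfa") != "yes":
            findings.append(Finding(event["ts"], user, event["resource"],
                                    "CUI accessed without MFA"))
    return findings


if __name__ == "__main__":
    for finding in review_cui_access(SAMPLE_LOG):
        print(f"{finding.ts} {finding.user:6} {finding.resource}: {finding.reason}")
```

Two design choices matter here. The review treats an unknown user as having no authorizations rather than skipping the event, so a gap in the RBAC table surfaces as a finding instead of silence. And it evaluates each CUI event against both rules independently, because an authorized user without MFA and an unauthorized user with MFA are different control failures that route to different owners.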

CUI basic and CUI specified represent the two tiers of the CUI framework, and the distinction is critical for compliance planning. CUI basic is governed by the uniform set of baseline controls established in 32 CFR Part 2002 and NIST SP 800-171. It applies whenever a law, regulation, or government-wide policy requires safeguarding or dissemination controls but does not prescribe specific handling beyond the baseline. The vast majority of CUI that federal contractors encounter falls into the CUI basic tier.
CUI specified, by contrast, applies when the authorizing law or regulation explicitly prescribes handling requirements that differ from or go beyond the CUI basic baseline. These additional requirements might mandate specific information security procedures, stricter access limitations, enhanced methods for destroying CUI, or more restrictive protocols for disseminating CUI. Categories commonly associated with CUI specified include certain export control classifications, nuclear information, and controlled technical information with military application that falls under specific statutory authority.
The practical implication is that organizations handle CUI differently depending on which tier applies. A contractor managing CUI basic materials may be primarily focused on implementing NIST SP 800-171 controls. A contractor managing CUI specified materials must layer additional, category-specific requirements on top of that baseline. Failure to identify whether your CUI is CUI basic or CUI specified is a foundational compliance gap — consulting the CUI registry and your agency's CUI policy is the starting point for getting this right.
CUI training is a mandatory requirement for all personnel who create, receive, handle, or transmit CUI. Under the CUI program, mandatory controlled unclassified information training requirements apply to all executive branch agencies and — through contract clauses — to their contractors and subcontractors. Specifically, any individual who works on contracts involving CUI — including those who may only incidentally encounter it — must complete training before they are granted CUI access.
Personnel who handle CUI must complete training that covers: what CUI is and how it differs from classified information, how to identify the CUI categories relevant to their work, how to mark CUI correctly, how to handle CUI in both physical and digital environments, how to protect CUI from unauthorized disclosure, and how to report potential misuse of CUI or suspected security incidents. DoD mandatory controlled unclassified information training programs, such as those available through the Defense Counterintelligence and Security Agency (DCSA), provide standardized curricula that satisfy these requirements.
Agency CUI offices and CUI senior agency officials are responsible for ensuring that CUI training is delivered, tracked, and refreshed at appropriate intervals. For contractors, this responsibility flows through the contract: CUI is expected to be handled by trained personnel at all times, and the contracting officer may request training records as part of a compliance review. Organizations that wish to review official training resources can access them through the NARA CUI program training portal and the DCSA training library.
To implement CUI compliance effectively, organizations must begin with a comprehensive inventory of the CUI they create, receive, store, and transmit. This means reviewing all active contracts for CUI clauses, identifying the CUI categories involved, and mapping the flow of CUI data through your systems and workflows. Without this foundational visibility, it is impossible to ensure CUI is being protected consistently across the enterprise. Many organizations discover during this process that CUI remains unprotected in shared drives, personal email threads, or unsecured collaboration tools.
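The inventory step above is usually where CUI turns up in shared drives and mail folders that were never approved for it. The following is an added example, not the article's or any vendor's tooling: it scans a constructed set of files for the CUI designation indicator, records the marking found, and flags every hit stored outside an approved enclave, then groups the results by marking so the flow of each category can be mapped. The file share contents, the `APPROVED_ROOTS` list and the paths are all constructed for illustration.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed stand-in for a file share: path -> first lines of content.
SAMPLE_FILES = {
    "/enclave/alpha/spec.txt": "CUI//SP-CTI\nInterface control document, revision B.",
    "/shared/everyone/meeting-notes.txt": "Notes from Tuesday. Reminder: the attached drawing is CUI, do not forward.",
    "/shared/marketing/brochure.txt": "Public product overview.",
    "/home/bob/mail/vendor-thread.eml": "Subject: quote\n\nCUI//PROPIN\nPricing attached.",
}

# Storage locations approved for CUI (constructed for this example).
APPROVED_ROOTS = ("/enclave/",)

# The designation indicator, optionally followed by "//" and category tokens.
_MARKING_RE = re.compile(r"\bCUI(?://[A-Z0-9/-]+)?\b")


@dataclass
class InventoryEntry:
    path: str
    marking: str
    approved_location: bool


def inventory_cui(files: dict, approved_roots=APPROVED_ROOTS) -> list:
    """Return one entry per file that carries a CUI marking, in path order."""
    entries = []
    for path, content in sorted(files.items()):
        match = _MARKING_RE.search(content)
        if match is None:
            continue  # no marking found; such files still need content review
        entries.append(InventoryEntry(path, match.group(0), path.startswith(approved_roots)))
    return entries


def unprotected(entries: list) -> list:
    """Marked CUI sitting outside every approved storage location."""
    return [entry for entry in entries if not entry.approved_location]


def by_marking(entries: list) -> dict:
    """Group paths by marking to see where each category actually flows."""
    groups = defaultdict(list)
    for entry in entries:
        groups[entry.marking].append(entry.path)
    return dict(groups)


if __name__ == "__main__":
    found = inventory_cui(SAMPLE_FILES)
    for entry in unprotected(found):
        print(f"UNPROTECTED {entry.marking:14} {entry.path}")
    for marking, paths in by_marking(found).items():
        print(f"{marking}: {len(paths)} file(s)")
```

A marking scan is a triage aid, not the inventory itself: as the earlier section on identifying CUI notes, information can qualify as CUI without carrying a marking, so files with no hit still need review based on their content and origin, and the contract-by-contract review of CUI clauses remains the authoritative source for what should exist where.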
Once the inventory is complete, organizations should develop a CUI policy document that defines roles, responsibilities, and procedures for managing CUI throughout its lifecycle. This policy should designate a CUI senior agency official equivalent (for contractors, this is typically a compliance officer or security manager) and define procedures for receiving, handling, disseminating, and disposing of CUI, covering all organizations in the supply chain. The policy should also establish a reporting mechanism for misuse of CUI incidents and define the corrective action process when violations occur.
CUI compliance is not a one-time project — it is an ongoing program. Handling CUI in accordance with 32 CFR Part 2002 requires regular audits, refreshed CUI training, updated information system configurations as technology evolves, and periodic reviews of the CUI registry to catch new or updated categories. Organizations preparing for CMMC assessments should treat their CUI compliance program as a foundational element of their broader cybersecurity posture — because assessors will examine CUI security controls, CUI marking practices, and CUI safeguarding procedures in detail. Learn more about how FAR and DFARS compliance intersects with your CUI obligations.

The single most important resource for any organization navigating the CUI program is the official CUI Registry, maintained by the National Archives and Records Administration. The registry lists every authorized CUI category and subcategory, the legal authority behind each, and the specific handling requirements that apply. Bookmark it — it is the definitive reference for ensuring that CUI handling decisions are made on accurate, current information.
For federal information systems and technical implementation guidance, NIST SP 800-171 is the governing standard. It defines the 110 security requirements that contractors must implement to protect CUI in non-federal systems and organizations. The NIST Computer Security Resource Center provides the full text of SP 800-171 along with supplementary guidance, assessment methodologies, and related publications. These resources are essential for organizations building or auditing their CUI systems and information security infrastructure.
For program-level guidance, information security oversight resources from NARA and the Office of the Director of National Intelligence provide policy context that helps organizations understand how federal CUI requirements interact with broader national security information frameworks. For defense contractors specifically, the DoD CUI program page offers DoD-specific implementation guidance, DoD CUI marking tools, and DoD mandatory controlled unclassified information training resources. Pairing these external resources with OryonIQ's intelligence on agency contracting requirements helps contractors stay ahead of evolving CUI requirements. Also explore our related resources on simplified acquisition procedures and our in-depth breakdown of Other Transaction Authorities for additional federal contracting context.
