February 9, 2026

Controlled Unclassified Information (CUI): Essential DOD Training and Government-Wide Policies

Controlled Unclassified Information is the in-between category: not classified, but too sensitive to leave unprotected, and mishandling it can cost a defense contractor its contracts. CUI standardizes how the government and its contractors mark, handle, and protect sensitive information, and for DoD work it now ties directly to CMMC certification. Here is what qualifies, how to identify and mark it, the two handling levels, and what it takes to protect it.

Quick answer: CUI is unclassified federal information that law, regulation, or government-wide policy requires you to safeguard. It was created by Executive Order 13556 (2010), is run by NARA, and is cataloged in the CUI Registry, which groups more than a hundred categories under about 20 organizational index groupings. It comes in two levels, Basic and Specified. Contractors protect it under NIST SP 800-171 (110 requirements), and the DoD verifies that through CMMC. Get it wrong and you face termination, debarment, or worse.

What CUI is, and why it exists

CUI is information the government, or someone acting for it, creates or holds that requires safeguarding or dissemination controls under law, regulation, or government-wide policy. It is not classified, and it is not information that is lawfully public; it sits between those two. The framework exists because agencies used to label sensitive information inconsistently ("For Official Use Only," "Sensitive But Unclassified," and dozens of agency-specific terms), which created gaps. Executive Order 13556, issued in 2010, replaced that patchwork with one program run by the National Archives and Records Administration (NARA) through its Information Security Oversight Office (ISOO), codified in 32 CFR Part 2002. For contractors, this is not optional: contracts involving CUI carry safeguarding, training, and certification requirements, and failing them can end in termination and lost future work.

Two handling levels, one authoritative Registry

Everything starts with the CUI Registry, the authoritative, public list NARA maintains. It groups more than a hundred categories under about 20 organizational index groupings (Controlled Technical Information, Export Control, Privacy, Proprietary Business Information, Law Enforcement, and more), with each category citing the law or regulation behind it, the marking abbreviation to use, and whether it is Basic or Specified. When you are unsure whether something is CUI, the Registry is where you check; DoD contractors also have the DoD CUI Registry for military-specific guidance.

Within that, CUI comes in two levels. Basic is the default: it is handled under the uniform 32 CFR Part 2002 controls (access restrictions, marking, and transmission rules), and it covers most of what you will touch. Specified is the subset where the governing law or regulation itself requires something extra or different, such as encryption in transit or tighter dissemination limits, and it is common for export-controlled and certain technical information. The level decides how you store and transmit the information, so identifying which applies is the first real step. Do not guess: look the category up in the Registry, because a Specified category mishandled as Basic is a compliance failure even if the document was otherwise protected.


Marking CUI

Marking is how everyone who touches the information knows it needs protection. At minimum, a document with CUI shows a banner of "CUI" or "CONTROLLED" at the top and bottom of each page, and the first page carries a designation indicator naming the controlling agency or office and a point of contact. The banner follows a fixed structure: the control marking, then "//" and the category markings, then "//" and any limited dissemination controls, with multiple entries in a group separated by "/". Category markings are optional for Basic CUI but required for Specified, where the abbreviation takes an "SP-" prefix, so privacy-related Specified CUI restricted to federal employees and contractors is marked "CUI//SP-PRVCY//FEDCON". Portion markings, "(CUI)" at the start of a paragraph, flag which parts of a larger document are sensitive, the same way classified documents work. Marking carries into the digital world too: "CUI" in email subject lines, the status in file metadata, clear labels on USB drives and other media, and the same treatment for any derivative document built from CUI sources. NARA's CUI program publishes the detailed marking guidance, including the full lists of category abbreviations and dissemination control markings.
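Because the banner syntax is fixed, it can be checked by machine, for example in a pre-send mail filter or a document-release gate. The following is an added example, not code from the page or from NARA: it parses a banner into its control word, category markings and dissemination controls, flags the mistakes that actually occur in practice (a legacy "FOUO" banner, a Specified category missing its "SP-" prefix, a dissemination control written in the category slot, NOFORN combined with REL TO), and checks that a page's first and last lines carry matching banners and that every portion in between is marked. The category and dissemination-control tables are a small constructed subset of the Registry, and the sample page is constructed; both are assumptions for illustration.

```python
"""Parse and validate CUI banner markings of the form
CUI//<category markings>//<limited dissemination controls>.
Added example; the lookup tables below are a constructed subset of the
CUI Registry, not the Registry itself."""
import re
from dataclasses import dataclass, field

# Constructed subset of Registry category abbreviations (assumption).
CATEGORIES = {"CTI", "EXPT", "PRVCY", "PROPIN"}
# Categories treated here as Specified-only, so they must carry "SP-" (assumption).
SPECIFIED_ONLY = {"CTI", "EXPT"}
# Constructed subset of limited dissemination control (LDC) markings (assumption).
LDC_MARKINGS = {"NOFORN", "FED ONLY", "FEDCON", "NOCON", "DL ONLY", "DISPLAY ONLY"}
# A portion mark is "(U)" or "(CUI)" optionally carrying category markings.
PORTION_MARK = re.compile(r"^\((U|CUI(//[A-Z][A-Z0-9 ,/-]*)?)\)\s")


@dataclass
class Banner:
    control: str = ""
    categories: list = field(default_factory=list)  # (abbreviation, is_specified)
    ldc: list = field(default_factory=list)
    errors: list = field(default_factory=list)

    @property
    def valid(self) -> bool:
        return not self.errors

    @property
    def specified(self) -> bool:
        return any(sp for _, sp in self.categories)


def parse_banner(text: str) -> Banner:
    """Split a banner line on '//' into control word, categories and LDCs."""
    b = Banner()
    parts = [p.strip() for p in text.strip().split("//")]
    if len(parts) > 3:
        b.errors.append("too many '//' separators")
        return b
    b.control = parts[0].upper()
    if b.control not in ("CUI", "CONTROLLED"):
        b.errors.append(f"banner must start with CUI or CONTROLLED, got {parts[0]!r}")
    if len(parts) >= 2 and parts[1]:
        for cat in parts[1].split("/"):
            cat = cat.strip().upper()
            specified = cat.startswith("SP-")
            abbrev = cat[3:] if specified else cat
            if abbrev not in CATEGORIES:
                # Catches LDCs written in the category slot, e.g. "CUI//NOFORN".
                b.errors.append(f"unknown category {cat!r}")
            elif abbrev in SPECIFIED_ONLY and not specified:
                b.errors.append(f"{abbrev} is Specified and must be marked SP-{abbrev}")
            b.categories.append((abbrev, specified))
    if len(parts) == 3 and parts[2]:
        for ldc in parts[2].split("/"):
            ldc = ldc.strip().upper()
            if ldc in LDC_MARKINGS or ldc.startswith("REL TO "):
                b.ldc.append(ldc)
            else:
                b.errors.append(f"unknown dissemination control {ldc!r}")
        if "NOFORN" in b.ldc and any(l.startswith("REL TO ") for l in b.ldc):
            b.errors.append("NOFORN and REL TO are mutually exclusive")
    return b


def check_page(page: str) -> list:
    """Return the marking problems on one page of text: the first and last
    non-blank lines must be identical, valid banners, and every line between
    them must start with a portion mark."""
    lines = [l.strip() for l in page.splitlines() if l.strip()]
    if len(lines) < 2:
        return ["page has fewer than two non-blank lines"]
    problems = []
    top, bottom = parse_banner(lines[0]), parse_banner(lines[-1])
    problems += [f"top banner: {e}" for e in top.errors]
    problems += [f"bottom banner: {e}" for e in bottom.errors]
    if lines[0].upper() != lines[-1].upper():
        problems.append("top and bottom banners differ")
    problems += [f"unmarked portion: {l[:40]!r}" for l in lines[1:-1] if not PORTION_MARK.match(l)]
    return problems


# Constructed sample page (assumption), correctly marked.
SAMPLE_PAGE = """\
CUI//SP-PRVCY//FEDCON
(CUI) Personnel roster for the Q3 rotation follows.
(U) Meeting logistics are unchanged.
CUI//SP-PRVCY//FEDCON
"""

if __name__ == "__main__":
    for banner in ("CUI//SP-PRVCY//FEDCON", "CUI//CTI", "FOUO", "CUI//NOFORN"):
        print(banner, "->", parse_banner(banner).errors or "ok")
    print("sample page problems:", check_page(SAMPLE_PAGE) or "none")
```

The parser is deliberately strict about where each marking belongs: "CUI//NOFORN" is rejected rather than silently treated as a dissemination control, because the document's controls are derived from the banner and a misplaced marking means the wrong handling rule gets applied downstream.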

The controls: 800-171, 800-53, and CMMC

Protecting CUI in your systems takes technical and administrative safeguards, and which standard applies depends on who runs the system. Federal systems follow NIST SP 800-53. Nonfederal organizations, which means contractors handling CUI for the government, follow NIST SP 800-171: 110 requirements across 14 control families covering access control, awareness and training, audit and accountability, incident response, and more. Those figures are from Revision 2; Revision 3 consolidates the set to 97 requirements in 17 families, but DFARS 252.204-7012 and CMMC currently assess against Revision 2, so confirm which revision your contract invokes before you build a system security plan around it.

For DoD work, CMMC sits on top. It verifies that you actually implemented the 800-171 controls, with the required level scaled to how sensitive the information is: Level 1 covers Federal Contract Information and is a self-assessment, Level 2 covers CUI and is either a self-assessment or an assessment by an authorized third-party assessment organization (C3PAO) depending on the contract, and Level 3 adds requirements from NIST SP 800-172 and is assessed by the government. The practical consequence is hard: a firm that cannot demonstrate the CMMC level a solicitation requires cannot compete for DoD contracts that involve CUI. Understanding how all this fits the procurement cycle helps you prepare before a requirement lands. The official NIST CUI resources cover the technical implementation.


The categories that matter most

A few categories drive most of the work. Controlled Technical Information (CTI) is technical information with a military or space application subject to access and distribution controls, withheld from public disclosure under 10 U.S.C. 130 and marked with the distribution statements in DoD Instruction 5230.24; it gets robust protection because disclosure could hand adversaries insight into U.S. capabilities. Privacy-related CUI covers personally identifiable information under the Privacy Act, from personnel to medical to financial records, mostly Basic, sometimes Specified. And Export Control information under ITAR or EAR often qualifies as CUI and cannot be released to foreign persons, including foreign nationals on your own staff, without an export license or other authorization, since a violation is a deemed export and carries penalties up to criminal prosecution. Knowing which categories you hold tells you which controls apply, so factor it in as you evaluate opportunities.

Training, and the cost of getting it wrong

None of the controls work without training. Everyone who creates, accesses, or handles CUI needs the basics, what it is, how to identify it in the Registry, how to mark it, how to safeguard it, plus role-specific training for system administrators, contracting officers, and managers. The DoD and other agencies generally require an annual refresher, and you document who completed what and when, both to prove compliance in an audit and to find your gaps. The strongest programs mix online courses, instructor-led sessions, job aids, and reminders to keep it front of mind.

The reason to take it seriously is the downside. For a contractor, a violation can mean termination, suspension or debarment, and penalties, since DFARS includes specific CUI clauses (252.204-7012 for safeguarding and incident reporting, 7019 and 7020 for posting and verifying your 800-171 assessment score, 7021 for CMMC) and non-compliance is a material breach. Note that 252.204-7012 also requires you to report a cyber incident affecting CUI to the DoD within 72 hours of discovery, so a detection and reporting process is part of compliance, not just the controls. Depending on the category, a disclosure can also violate the Privacy Act or export-control law, with civil or criminal liability, and cyber insurance may not cover the loss if the required safeguards were not in place. Then there is reputation: agencies compare notes, and a firm known for poor CUI handling struggles to win new work no matter how good it is technically. Pursuing federal work and protecting CUI go together, the way a strong RFP response and a clean compliance record both signal a reliable partner.

How OryonIQ helps

CUI and CMMC requirements change, and the cost of missing one is a lost contract. Ask Oryon, OryonIQ's built-in AI assistant, answers CUI, CMMC, and clause questions in plain language and cites its sources, and the Insights module flags the policy and regulatory changes that affect your eligibility before they catch you out. Talk to our team about building a compliant program and a federal pipeline.

Frequently asked questions

What is Controlled Unclassified Information (CUI)?

Unclassified federal information that law, regulation, or government-wide policy requires you to safeguard or control how you share. It is not classified, but it carries real legal handling obligations, and it is cataloged in the CUI Registry maintained by NARA.

What is the difference between CUI Basic and CUI Specified?

CUI Basic uses the uniform baseline controls in 32 CFR Part 2002. CUI Specified is the subset where the governing law or regulation requires additional or different handling, such as encryption or tighter dissemination limits.

What controls protect CUI on a contractor's systems?

Nonfederal systems handling CUI must implement NIST SP 800-171, which sets 110 requirements across 14 control families. For DoD contracts, CMMC then verifies that implementation through a third-party assessment.

What happens if a contractor mishandles CUI?

Consequences can include contract termination, suspension or debarment, and financial penalties, since DFARS treats non-compliance as a material breach. Depending on the category, a disclosure can also bring civil or criminal liability and serious reputational damage.
