What is Controlled Unclassified Information?
CUI (Controlled Unclassified Information) is unclassified federal government information that requires safeguarding and dissemination controls per applicable laws, regulations, and government-wide policies under the CUI Program established by Executive Order 13556. CUI is information that, while not classified under national security classification systems, must still be protected through designated handling, marking, storage, and transmission procedures. The CUI Program, administered by the National Archives and Records Administration (NARA), applies to all federal agencies and federal contractors handling CUI, with requirements implemented through the Federal Acquisition Regulation (FAR), Defense Federal Acquisition Regulation Supplement (DFARS), and standards like NIST SP 800-171. As of January 2025, proposed FAR regulations extend CUI handling requirements to all federal contractors.
How does CUI work?
CUI establishes standardized government-wide protections for sensitive unclassified information through categories, marking, and handling requirements.
CUI is defined as unclassified information created or possessed by the U.S. Government OR information created or possessed by an entity for or on behalf of the U.S. Government for which a law, regulation, or government-wide policy requires or permits an agency to apply safeguarding or dissemination controls. CUI is NOT classified national security information (per Executive Order 13526), Atomic Energy Act restricted data, publicly releasable information, or uncontrolled unclassified information.
Two broad categories structure CUI protections. CUI Basic is information requiring standardized or default safeguarding and handling procedures per 32 CFR Part 2002, subject to standard CUI marking, storage, transmission, and destruction requirements with no additional agency-specific handling requirements beyond baseline. CUI Specified is information for which specific laws, regulations, or government policies mandate additional handling requirements, may require special marking, Limited Dissemination Controls, or agency-specific procedures, and is more restrictive than CUI Basic.
The CUI Registry maintained by NARA contains 125 CUI categories organized into 20 index groupings including privacy information (PII, health information, financial information), law enforcement information (investigation records, confidential informant information), export control information, proprietary business information, critical infrastructure information, defense technical data, research and development information, and others per 32 CFR Part 2002.
Marking requirements ensure CUI is identifiable. A banner marking must appear at the top and bottom of every page containing CUI; the minimum banner is the designation indicator "CUI". For CUI Specified, the full category name or abbreviation must be included using the format "CUI//[CATEGORY]" or "CUI//[CATEGORY]//[Limited Dissemination Controls]". Examples include "CUI" (Basic with no specific category), "CUI//PRIVACY", "CUI//EXPORT CONTROL", and "CUI//CRITICAL INFRASTRUCTURE//FCI" (Federal Contract Information). Paragraph markings are recommended: individual paragraphs containing CUI are marked "//(CUI)" or with the specific category. Documents must carry the CUI designation in headers and footers, with filenames reflecting CUI status where practicable and electronic metadata indicating CUI status.
Handling requirements vary by information type and format. Physical handling requires that CUI be maintained in controlled environments that prevent unauthorized access, secured in locked desks, file cabinets, or equivalent secure storage at end of day, continuously monitored during business hours, and accessible only to personnel with a legitimate need-to-know. Electronic handling requires that CUI be stored on authorized systems with access controls, encrypted at rest and in transit per NIST SP 800-171 requirements, transmitted only through secure communications systems and approved secure channels, and protected with validated encryption standards (minimum AES-128 or equivalent).
Transmission requirements protect CUI during transfer. Physical transmission requires marked CUI be transmitted securely using encryption, secure courier, or registered mail with tracking documentation. Electronic transmission requires approved secure email systems, encrypted file transfer services, validated encryption protocols, and password-protected transmission with authentication.
Storage requirements establish baseline protections. Physical storage includes secured facilities with access controls, locked storage containers for sensitive categories, facility security controls per NIST SP 800-171, and personnel screening and access authorization. Electronic storage requires authorized information systems with access controls, encryption of data at rest, system hardening per NIST SP 800-171, audit logging and monitoring of access, backup systems with equivalent security controls, and secure deletion procedures (overwrite, degaussing, destruction).
Destruction requirements ensure complete elimination. Physical media destruction uses shredding of documents containing CUI, destruction ensuring no reconstruction possible, documented destruction procedures and evidence, and for sensitive categories, incineration or equivalent. Electronic media destruction uses secure deletion with validated overwrite procedures, minimum 1-pass overwrite (3-pass or degaussing for sensitive categories), degaussing or destruction of storage media, and documented procedures and destruction certificates.
Contractor requirements mandate compliance for organizations handling government information. The proposed FAR CUI Rule published January 15, 2025 applies to all federal contractors (not just Defense Industrial Base), requires contracts containing CUI to include specific CUI clauses, and mandates contractors implement safeguarding and marking per NARA requirements. DFARS CUI requirements specific to defense contractors include DFARS 252.204-7012 requiring implementation of NIST SP 800-171 controls, mandatory reporting of cybersecurity incidents involving CUI within 72 hours, compliance with CUI marking, storage, transmission, and destruction requirements, and business associate and subcontractor oversight.
NIST SP 800-171 establishes security requirements for contractors with 14 security control families containing 110+ security requirements applying to nonfederal systems processing, storing, or transmitting CUI. Organizations must assess compliance and maintain System Security Plans. CMMC (Cybersecurity Maturity Model Certification) is often used to demonstrate compliance.
How does CUI differ from classified information?
| Feature | CUI | Classified Information |
|---|---|---|
| Classification level | Unclassified but requiring safeguarding | National security classified (Confidential, Secret, Top Secret) |
| Legal basis | Law, regulation, or government policy | Executive Order 13526 |
| Authority | Designated by agencies per CUI Program | Classified by Original Classification Authorities |
| Marking | "CUI//[CATEGORY]" | "SECRET", "TOP SECRET", etc. |
| Handling | Less restrictive; standard safeguarding procedures | Highly restrictive; classified storage and handling |
| Training | CUI awareness training (available to all personnel) | Security clearance required |
| Access | Need-to-know basis; no clearance required | Security clearance + need-to-know required |
| Penalties | Operational impacts; contract suspension | Criminal liability possible |
| Storage | Locked cabinets or secure systems | Classified storage facilities (SCIF) |
| Transmission | Encrypted or secure courier | Classified transmission systems |
| Destruction | Secure overwrite or physical destruction | Destruction per classified material procedures |
| Ideal for | Government information requiring protection but not classification | National security information requiring classification |
Neither is universally better. CUI protects sensitive unclassified information through reasonable safeguards suitable for non-national-security information requiring protection. Classified information receives strict national security protections appropriate for information requiring classification. The key distinction is sensitivity level; CUI addresses information requiring protection but not meeting classification thresholds. Federal contractors must comply with whichever standard applies to information they handle.
Why does CUI matter?
Federal contractors and agencies implement CUI requirements for three primary drivers, each with significant implementation complexity.
Federal contract requirements create mandatory compliance. Federal contractors handling CUI must comply with CUI requirements or risk contract suspension, termination, or non-award of future contracts. The proposed FAR CUI Rule (January 15, 2025) extends requirements from defense contractors to all federal contractors, expanding compliance obligations to an estimated 10,000+ contractors previously not subject to explicit CUI requirements. However, the final rule's timeline remains uncertain; the rule is in its comment period until May 17, 2025 with the final implementation date unknown, creating planning challenges for contractors unsure when full compliance is required.
NIST SP 800-171 implementation protects government information. Contractors must implement 110+ security requirements across 14 control families including access control, encryption, incident response, and audit logging. These technical controls reduce breach risk for federal information. CMMC assessments validate compliance, providing government assurance of contractor security. However, implementation costs burden small contractors; achieving NIST 800-171 compliance requires encryption systems, access control infrastructure, monitoring tools, and security expertise. Estimated compliance costs of $50,000-$500,000+ create barriers for small businesses above exemption thresholds.
Incident reporting requirements enhance accountability. DFARS mandates contractors report cybersecurity incidents involving CUI within 72 hours, enabling rapid government response to compromises. Reporting creates transparency and drives contractor investment in detection capabilities. However, the 72-hour timeline creates operational pressure; contractors must rapidly detect incidents, assess CUI impact, and report findings. Organizations with immature incident response capabilities struggle to meet deadlines, risking compliance violations.
What are the limitations of CUI?
CUI requirements create implementation, interpretation, and enforcement challenges.
CUI definition ambiguity creates classification uncertainty. What constitutes information for which "law, regulation, or Government-wide policy requires" protection lacks precise definition. Organizations must determine whether specific information qualifies as CUI without clear bright-line tests. The 125 categories across 20 index groups create complexity; contractors struggle to determine which categories apply to information they handle. Inconsistent agency interpretation compounds confusion.
Qualified Individual and reasonable security standards lack specificity. NIST SP 800-171 requires "appropriate" security controls and contractors must designate individuals implementing security programs, but qualification standards are not precisely defined. What constitutes adequate encryption, sufficient access controls, or reasonable testing varies by organizational context. Contractors interpret requirements without detailed regulatory guidance, risking inadequacy determinations during government assessments.
Category complexity and Limited Dissemination Controls create handling variability. 125 categories organized into 20 index groups create significant complexity for contractors determining applicable categories and protections. Agency-specific Limited Dissemination Controls vary across federal government, creating inconsistency in handling requirements. Contractors working with multiple agencies face different LDC interpretations and requirements, increasing operational complexity.
Service provider oversight responsibilities remain vague. Contractors must oversee subcontractors and service providers handling CUI, but specific oversight standards are unclear. How frequently must contractors reassess vendors? What evidence demonstrates adequate due diligence? Organizations implement varying approaches from basic contract reviews to comprehensive vendor assessments without clear expectations.
Breach notification threshold determination requires accurate data inventory. Determining whether incidents require notification depends on whether CUI was involved and how many individuals were affected. Contractors with incomplete data inventories or inadequate access auditing struggle to assess impact. Undercounting risks notification failures; overcounting may trigger unnecessary reporting creating administrative burden.
FAR Rule uncertainties create planning challenges. The proposed FAR CUI Rule (January 15, 2025) is still in its comment period with the final implementation date uncertain. Compliance deadlines are unknown; contractors don't know when they must achieve full compliance. Scope clarification is pending; the final rule may clarify or expand CUI applicability beyond the proposal. Retroactive application is unclear; whether requirements apply to existing contracts or only to new contracts is unspecified.
FAQs
What is the difference between CUI and classified information?
CUI is unclassified government information requiring safeguarding per law or regulation, marked "CUI//[category]" with handling procedures less restrictive than classified but more controlled than standard unclassified information. Classified information is national security information requiring classification under Executive Order 13526, marked "Secret," "Top Secret," etc. with highly restrictive handling, storage, transmission, and access procedures requiring security clearances. CUI is administered by NARA through the CUI Program; classified information is administered by various agencies per classification standards. The key distinction is sensitivity: CUI addresses sensitive unclassified information while classified information addresses national security information. CUI requires safeguarding but not clearances; classified information requires clearances plus need-to-know.
Does CUI apply to my organization?
If you have a federal government contract or subcontract that may involve CUI, you must comply with CUI requirements. As of the proposed 2025 FAR rule, ALL federal contractors handling CUI must comply. Previously, primarily DoD contractors were subject to DFARS requirements. Check contract terms for CUI clauses; contracts specifically state if CUI is involved. If unsure, contact your contracting officer or compliance team. Federal agencies must comply; private organizations only if handling CUI on behalf of the government. Organizations without federal contracts or not handling government information are not subject to CUI requirements.
How should organizations mark CUI documents?
CUI Basic marking: place "CUI" at the top and bottom of every page containing CUI. CUI Specified marking: place "CUI//[CATEGORY]" at the top and bottom (for example, "CUI//PRIVACY" for privacy information or "CUI//EXPORT CONTROL" for export-controlled information). If Limited Dissemination Controls apply: add "CUI//[CATEGORY]//[LDC]" (for example, "CUI//PRIVACY//FCI" for Federal Contract Information with privacy concerns). If classified information is also present: include both markings (for example, "CUI//CONTROLLED TECHNICAL DATA//UNCLASSIFIED" if the document contains both CUI and unclassified portions). Electronic documents should include CUI metadata, and filenames should reflect CUI status where practicable. Paragraph markings using "//(CUI)" or "//(CUI//[CATEGORY])" are recommended for portions containing CUI within mixed documents.
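The banner grammar described in "How does CUI work?" and in the answer above is simple enough to check mechanically, which is useful when a document pipeline needs to reject mismarked files before they leave the enclave. The following is an added example, not code from the page or from NARA: it parses a banner line into its designation, category and LDC parts, and then walks a document page by page to confirm that every page carrying a "//(CUI)" portion mark also carries a valid, matching banner at top and bottom. The category allowlist is a constructed subset taken from the page's own examples (a real deployment would load the full CUI Registry), LDC tokens are accepted as any non-empty text because the page lists only "FCI", and the sample pages are constructed.

```python
"""Validate CUI banner and portion markings (added example; assumptions noted inline)."""
from __future__ import annotations

from dataclasses import dataclass, field

# Constructed allowlist drawn from the examples on the page. A real checker would
# load the category names from the NARA CUI Registry instead of hard-coding them.
KNOWN_CATEGORIES = {
    "PRIVACY",
    "EXPORT CONTROL",
    "CRITICAL INFRASTRUCTURE",
    "CONTROLLED TECHNICAL DATA",
}


@dataclass
class Marking:
    basic: bool                                   # True when the banner is exactly "CUI"
    categories: list[str] = field(default_factory=list)
    ldcs: list[str] = field(default_factory=list)  # Limited Dissemination Controls


def parse_marking(banner: str) -> Marking:
    """Parse 'CUI', 'CUI//CATEGORY' or 'CUI//CATEGORY//LDC' (assumed grammar: '/' separates
    multiple categories or LDCs within a segment). Raises ValueError on malformed input."""
    parts = banner.strip().split("//")
    if parts[0] != "CUI":
        raise ValueError(f"banner must begin with the designation indicator 'CUI': {banner!r}")
    if len(parts) > 3:
        raise ValueError(f"too many '//' segments in banner: {banner!r}")
    categories = [c.strip() for c in parts[1].split("/")] if len(parts) > 1 else []
    ldcs = [l.strip() for l in parts[2].split("/")] if len(parts) > 2 else []
    for cat in categories:
        if not cat:
            raise ValueError(f"empty category segment in banner: {banner!r}")
        if cat not in KNOWN_CATEGORIES:
            raise ValueError(f"unknown CUI category {cat!r} in banner: {banner!r}")
    if ldcs and not categories:
        raise ValueError(f"LDCs require a category (CUI Specified): {banner!r}")
    for ldc in ldcs:
        if not ldc:
            raise ValueError(f"empty LDC segment in banner: {banner!r}")
    return Marking(basic=not categories, categories=categories, ldcs=ldcs)


def looks_like_banner(line: str) -> bool:
    """A line is treated as a banner attempt if it is 'CUI' or starts with 'CUI//'."""
    return line == "CUI" or line.startswith("CUI//")


def check_pages(pages: list[list[str]]) -> list[str]:
    """Return findings for a document given as a list of pages, each a list of text lines.
    A page containing a '//(CUI' portion mark must have a valid banner as its first and
    last non-blank line, and the two banners must match. An empty list means compliant."""
    findings: list[str] = []
    for page_no, lines in enumerate(pages, start=1):
        nonblank = [l.strip() for l in lines if l.strip()]
        if not nonblank:
            continue
        has_portion = any("(CUI" in l for l in nonblank)
        top, bottom = nonblank[0], nonblank[-1]
        for where, line in (("top", top), ("bottom", bottom)):
            if looks_like_banner(line):
                try:
                    parse_marking(line)
                except ValueError as exc:
                    findings.append(f"page {page_no}: invalid {where} banner: {exc}")
            elif has_portion:
                findings.append(f"page {page_no}: CUI portions present but no {where} banner")
        if looks_like_banner(top) and looks_like_banner(bottom) and top != bottom:
            findings.append(f"page {page_no}: top and bottom banners differ ({top!r} vs {bottom!r})")
    return findings


# Constructed sample document: page 1 is correct, page 2 has mismatched banners,
# page 3 holds no CUI, page 4 lacks a top banner, page 5 uses an unknown category.
SAMPLE_PAGES = [
    ["CUI//PRIVACY", "//(CUI//PRIVACY) Applicant SSN and home address.", "General text.", "CUI//PRIVACY"],
    ["CUI//PRIVACY", "//(CUI) Additional records.", "CUI"],
    ["Cover page", "No controlled content on this page."],
    ["//(CUI) Assessment findings.", "CUI//EXPORT CONTROL"],
    ["CUI//WIDGETS", "//(CUI) Part numbers.", "CUI//WIDGETS"],
]

if __name__ == "__main__":
    for finding in check_pages(SAMPLE_PAGES):
        print(finding)
```

Running the block against the constructed sample prints one finding for page 2, one for page 4 and two for page 5 (the same bad banner at top and bottom); page 3 is silent because a page with no CUI content needs no banner under the rules above.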
What are the NIST SP 800-171 requirements contractors must meet?
NIST SP 800-171 Revision 3 (current as of 2024) requires 14 security control families:

- Access control: restricting system access to authorized users
- Awareness and training: ensuring personnel understand security responsibilities
- Audit and accountability: maintaining logs and monitoring
- Configuration management: controlling system changes
- Identification and authentication: verifying user identities
- Incident response: detecting and responding to security events
- Maintenance: ensuring secure system maintenance
- Media protection: controlling and protecting storage media
- Personnel security: screening and training personnel
- Physical protection: securing facilities and systems
- Planning: documenting security plans and procedures
- Risk assessment: identifying and evaluating risks
- System and communications protection: protecting data and communications
- System and information integrity: ensuring system integrity and protection from malware

Contractors must document compliance in System Security Plans, implement all applicable controls, and demonstrate compliance through CMMC assessments or contractor self-assessments depending on contract requirements.
How should organizations handle CUI when transmitting to other contractors or agencies?
CUI must be transmitted over approved secure channels with encryption, using minimum AES-128 for data at rest and TLS 1.2 minimum for data in transit. Use secure email systems approved by your agency, government-approved file transfer services, or encrypted courier services. Mark CUI with the appropriate category and Limited Dissemination Controls, if applicable, before transmission. Ensure the recipient is authorized to receive the information and has a legitimate need-to-know. Verify that the recipient's CUI handling procedures are compliant before transmitting. Document the transmission and maintain audit records including date, recipient, information transmitted, and transmission method. For physical transmission, use encrypted storage media, registered mail with tracking, or secure courier services. Obtain transmission receipt confirmation where possible.