Controlled Unclassified Information (CUI)

CUI is government information that is to be protected from public disclosure.

Established by Executive Order 13556, the Controlled Unclassified Information (CUI) program standardizes the way the entire Executive branch handles unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies.  The Department of Defense (DOD) is an agency within the Executive branch of the U.S. government. 

Critical unclassified information is being exfiltrated from Defense contractor networks by malicious cyber actors who seek to damage our national security. Safeguarding CUI is the impetus behind the Cybersecurity Maturity Model Certification (CMMC) and DFARS Clause 252.204-7012. Proper safeguarding of CUI begins with identifying CUI in your network. Identification of CUI begins with understanding the types of CUI your company receives or generates on behalf of the DOD.

The DOD CUI Registry "mirrors" the National Archives CUI Registry, with the exception of the 20 additional types of CUI inside of the Operational Security (OPSEC) category and a GEOINT category within the Intelligence index.  This site provides the additional OPSEC categories as well as the entire DOD CUI Registry.  

Why is protecting CUI important?

The loss of confidentiality, integrity, or availability of sensitive unclassified information could be expected to have a serious adverse effect on national security. Loss of aggregated CUI is one of the most significant risks to national security, directly affecting the lethality of our warfighters.

What does the CUI program change? 

In May 2018, the designated senior agency official for DOD CUI – the Under Secretary of Defense for Intelligence – assigned DoD enterprise management of CUI to the Defense Counterintelligence and Security Agency (DCSA).


The CUI program standardizes the way more than 100 federal agencies mark and handle sensitive unclassified information. The CUI program replaces existing agency markings like For Official Use Only (FOUO), Sensitive But Unclassified (SBU), Official Use Only (OUO), and others. 

What is CUI?

Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.

Source: 32 CFR § 2002.4

What is the DOD CUI program?

Department of Defense Instruction (DODI) 5200.48, Controlled Unclassified Information, establishes the DOD CUI Program, establishes policy, assigns responsibilities, and prescribes procedures for CUI throughout the DoD in accordance with Executive Order (E.O.) 13556; Part 2002 of Title 32, Code of Federal Regulations (CFR); and Defense Federal Acquisition Regulation Supplement (DFARS) Sections 252.204-7008 and 252.204-7012.

DoDI 5200.48 implements the DOD CUI program as required by EO 13556.

Free CUI Handbook

This CUI handbook aggregates CUI guidance from the National Archives and Records Administration (NARA) as the Executive Agent of the CUI program, the Information Security Oversight Office (ISOO) as the designated CUI oversight office, 32 CFR, which establishes CUI laws, and DoD Instruction 5200.48, which establishes the DoD CUI Program. The guidance in this handbook is relevant and updated as of May 2020. When guidance from the ISOO, 32 CFR, and DOD differs, this guide provides the strictest requirement to facilitate the widest compliance.

Where can I find additional CUI resources?

National Archives CUI Registry

The CUI Registry is the Government-wide online repository for Federal-level guidance regarding CUI policy and practice. However, agency personnel and contractors should first consult their agency's CUI implementing policies and program management for guidance.

Executive Order 13556

This order establishes an open and uniform program for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies, known as CUI.

32 Code of Federal Regulations Part 2002

This describes the executive branch’s Controlled Unclassified Information (CUI) Program and establishes policy for designating, handling, and decontrolling information that qualifies as CUI. 

DFARS 252.204-7012  

Defense Federal Acquisition Regulation Supplement (DFARS) Safeguarding Covered Defense Information and Cyber Incident Reporting. 
