Controlled Unclassified Information (CUI)

CUI is government information that is to be protected from public disclosure

Established by Executive Order 13556 in 2010, the Controlled Unclassified Information (CUI) program standardizes the way the entire Executive branch handles unclassified information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies.  The Department of Defense (DOD) is an agency within the Executive branch of the U.S. government. 

Critical unclassified information is being exfiltrated from Defense contractor networks by malicious cyber actors who seek to damage our national security.  Safeguarding CUI is the impetus behind the Cybersecurity Maturity Model Certification (CMMC) and the DFARS Clause 52.204-7012.  Proper safeguarding of CUI begins with identifying CUI in your network.  Identification of CUI begins with understanding the types of CUI your company receives or generates on behalf of the DOD.  

Check out the new podcast!

The podcast is available on Spotify, Amazon Music, and Apple Podcasts!

What is CUI?

Controlled Unclassified Information (CUI) is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. However, CUI does not include classified information or information a non-executive branch entity possesses and maintains in its own systems that did not come from, or was not created or possessed by or for, an executive branch agency or an entity acting for an agency. Law, regulation, or Government-wide policy may require or permit safeguarding or dissemination controls in three ways: Requiring or permitting agencies to control or protect the information but providing no specific controls, which makes the information CUI Basic; requiring or permitting agencies to control or protect the information and providing specific controls for doing so, which makes the information CUI Specified; or requiring or permitting agencies to control the information and specifying only some of those controls, which makes the information CUI Specified, but with CUI Basic controls where the authority does not specify.

Source: 32 CFR § 2002.4

Why is protecting CUI important?

The loss of confidentiality, integrity, or availability of sensitive unclassified information could be expected to have a serious adverse effect on national security. Loss of aggregated CUI is one of the most significant risks to national security, directly affecting the lethality of our warfighters.

Click on the CUI Cover Sheet (SF901-18a) above to download it for FREE!  You do not need to purchase any special coversheets or stickers to be compliant with DODI 5200.48 or any other law or policy.

What is the DOD CUI program?

Department of Defense Instruction (DODI) 5200.48 Controlled Unclassified Information establishes the DOD CUI Program and establishes policy, assigned responsibilities, and prescribes procedures for CUI throughout the DoD in accordance with Executive Order (E.O.) 13556; Part 2002 of Title 32, Code of Federal Regulations (CFR); and Defense Federal Acquisition Regulation Supplement (DFARS) Sections 252.204-7008 and 252.204-7012. 

DoDI 5200.48 implements the DOD CUI program as required by EO 13556.

DoDI 5200.48

Free CUI Handbook

Click the button below to download our free CUI Handbook.  This CUI handbook aggregates CUI guidance from the National Archives and Records Administration (NARA) as the Executive Agent of the CUI program, the Information Security Oversight Office (ISOO) as the designated CUI oversight office, as well as from 32 CFR which establishes CUI laws and from and the DoD Instruction 5200.48, which establishes the DoD CUI Program. The guidance in this handbook is relevant and updated as of May 2020. When guidance from the ISOO, 32 CFR, and DOD are different this guide provides the strictest requirement to facilitate the widest compliance.


Where can I find additional DOD CUI resources?

For additional DoD CUI resources you can also check out 

Schedule CUI Advisory Services

The DoD CUI Mandatory Training is now available!

Take the CDSE E-learning course to satisfy the mandatory training requirement 

CDSECUI Training

National Archives CUI Registry

The CUI Registry is the Government-wide online repository for Federal-level guidance regarding CUI policy and practice. However, agency personnel and contractors should first consult their agency's CUI implementing policies and program management for guidance.

NARA CUI Registry

Executive Order 13556

This order establishes an open and uniform program for managing information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and Government-wide policies-known as CUI.

Executive Order

32 Code of Federal Regulations Part 2002

This describes the executive branch’s Controlled Unclassified Information (CUI) Program and establishes policy for designating, handling, and decontrolling information that qualifies as CUI. 

32 CFR

DFARS 252.204-7012  

Defense Federal Acquisition Regulation Supplement (DFARS) Safeguarding Covered Defense Information and Cyber Incident Reporting. 


Want to learn more about CUI? We can help!

Contact Us