The Department of Defense CUI Registry

The DoD CUI Registry provides an official list of the Indexes and Categories used to

identify the various types of DoD CUI. The DoD CUI Registry mirrors the National CUI

Registry, but provides additional information on the relationships to DoD by aligning each Index

and Category to DoD issuances.

CUI Index

Category

Description

Basic or Specified

Critical Infrastructure


DoD: Systems and assets, whether physical or virtual, so vital the incapacity or destruction of such may have a debilitating impact on the security, economy, public health or safety, environment, or any combination of these matters, across any Federal, State, regional, territorial, or local jurisdiction. Possession of system types (vendor, model/serial #, year, etc.) allows for malicious actors to narrow attack vectors to systems that support the Defense Critical Infrastructure potentially causing degradation or mission failure. DCI comprises Defense Critical Assets and Task Critical Assets.

This is not a CUI category 


Ammonium Nitrate 

Related to registration information of those who own and operate ammonium nitrate facilities, purchasers of ammonium nitrate, and the regulation of sales and transfers of ammonium nitrate.

Specified


Chemical-terrorism Vulnerability Information

In accordance with Section 550(c) of the Department of Homeland Security Appropriations Act of 2007, the following information, whether transmitted verbally, electronically, or in written form, shall constitute CVI, see (1) - (9).

Basic // Specified


Critical Energy Infrastructure Information

Critical energy infrastructure information means specific engineering, vulnerability, or detailed design information about proposed or existing critical infrastructure that: (i) Relates details about the production, generation, transportation, transmission, or distribution of energy; (ii) Could be useful to a person in planning an attack on critical infrastructure;... and (iii) Does not simply give the general location of the critical infrastructure.

Specified


Emergency Management

Related to information concerning the continuity of executive branch operations during all-hazards emergencies or other situations that may disrupt normal operations. // DoD applies this to Continuity of Operations Planning (COOP) and Mission Assurance.

Basic  


General Critical Infrastructure Information

Systems and assets, whether physical or virtual, so vital that the incapacity or destruction of such may have a debilitating impact on the security, economy, public health or safety, environment, or any combination of these matters, across any Federal, State, regional, territorial, or local jurisdiction.

Basic


Geodetic Product Information 

   

Related to imagery, imagery intelligence, or geospatial information.

Basic  


Information Systems Vulnerability Information

Related to information that if not protected, could result in adverse effects to information systems. Information system means a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

Basic


Physical Security

Related to protection of federal buildings, grounds or property.

Basic // Specified


Protected Critical Infrastructure Information

As defined by 6 USC 131-134, and 6 CFR 29, PCII relates to threats, vulnerabilities, or operational experience related to the national infrastructure. PCII offers protection to private sector infrastructure information voluntarily shared with government entities for purposes of homeland security. // Possession of system types (vendor, model/serial #, year, etc.) allows for malicious actors to narrow attack vectors to systems that support the Defense Critical Infrastructure potentially causing degradation or mission failure. DCI comprises Defense Critical Assets and Task Critical Assets.

Specified


SAFETY Act Information

Defined as “SAFETY Act Confidential Information” in 6 CFR Part 25, the regulations implementing the Support Anti-terrorism by Fostering Effective Technologies Act of 2002, SAFETY Act Information includes any and all information and data voluntarily submitted to the Department of Homeland Security under this part (including Applications, Pre-Applications, other forms, supporting documents and other materials relating to any of the foregoing, and responses to requests for additional information), including, but not limited to, inventions, devices, Technology, know-how, designs, copyrighted information, trade secrets, confidential business information, analyses, test and evaluation results, manuals, videotapes, contracts, letters, facsimile transmissions, electronic mail and other correspondence, financial information and projections, actuarial calculations, liability estimates, insurance quotations, and business and marketing plans.

Basic


Toxic Substances

Health, safety, and exposure information related to chemical substances, chemical mixtures, and articles as defined under the Toxic Substances Control Act (TSCA).

Specified


Water Assessments

Vulnerability Assessments on the risks and security of public drinking water systems, to include, but not be limited to, a review of pipes and constructed conveyances, physical barriers, water collection, pretreatment, treatment, storage and distribution facilities, electronic, computer or other automated systems which are utilized by the public water system, the use, storage, or handling of various chemicals, and the operation and maintenance of such system.

Basic

Defense



This is not a CUI category 


Controlled Technical Information

Controlled Technical Information means technical information with military or space application subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination. Controlled technical information is to be marked with one of the distribution statements B through F, in accordance with Department of Defense Instruction 5230.24, "Distribution Statements of Technical Documents." The term does not include information that is lawfully publicly available without restrictions. "Technical Information" means technical data, technology, software, or computer software, including technology and software subject to the Export Administration Regulations (EAR), technical data subject to the International Traffic in Arms Regulations (ITAR), and technical information in Defense Federal Acquisition Regulation Supplement clause 252.227-7013, "Rights in Technical Data - Noncommercial Items" (48 CFR 252.227-7013). Examples of technical information include research and engineering data, engineering drawings, and associated lists, specifications, standards, process sheets, manuals, technical reports, technical orders, catalog-item identifications, data sets, studies and analyses and related information, and computer software executable code and source code.

Basic // Specified


DoD Critical Infrastructure Security Information

Information, if disclosed, would reveal vulnerabilities in the DoD critical infrastructure and, if exploited, would likely result in the significant disruption, destruction, or damage of or to DoD operations, property, or facilities, including information regarding the securing and safeguarding of explosives, hazardous chemicals, or pipelines, related to critical infrastructure or protected systems owned or operated on behalf of the DoD, including vulnerability assessments prepared by or on behalf of the DoD, explosives safety information (including storage and handling), and other site-specific information on or relating to installation security.

Basic


Naval Nuclear Propulsion Information 

 Related to the safety of reactors and associated naval nuclear propulsion plants, and control of radiation and radioactivity associated with naval nuclear propulsion activities, including prescribing and enforcing standards and regulations for these areas as they affect the environment and the safety and health of workers, operators, and the general public.

Basic // Specified


Unclassified Controlled Nuclear Information - Defense

 Relating to Department of Defense special nuclear material (SNM), equipment, and facilities, as defined by 32 CFR 223.

Basic // Specified

Export Control


DoD primarily uses Export Control as a dissemination/distribution control rather than a category.

This is not a CUI category


Export Controlled

Unclassified information concerning certain items, commodities, technology, software, or other information whose export could reasonably be expected to adversely affect the United States national security and nonproliferation objectives. To include dual use items; items identified in export administration regulations, international traffic in arms regulations and the munitions list; license applications; and sensitive nuclear technology information.

Basic // Specified


Export Controlled Research

Related to the systematic investigation into and study of materials and sources in order to establish facts and reach new conclusions.

Basic

Financial



This is not a CUI category


Bank Secrecy

Information that is provided to the government pursuant to the Bank Secrecy Act, including but not limited to, suspicious activity reports (SAR), currency transaction reports (CTR), reports of international transportation of currency or monetary instruments (CMIR), reports of cash payment over $10,000 received in trade or business, and reports of foreign bank and financial accounts (FBAR). Reports filed under the Bank Secrecy Act (BSA), codified in relevant part at 31 U.S.C. § 5311 et seq, are specifically exempt from disclosure under the Freedom of Information Act, codified at 5 U.S.C. § 552, and also may not be disclosed under any State, local, tribal, or territorial “freedom of information,” “open government,” or similar law. See 31 U.S.C. § 5319; 5 U.S.C. § 552(b)(3). These reports (BSA Reports), are maintained in a system of records containing information compiled for law enforcement investigative purposes that has been exempted from the access provisions of the Privacy Act in accordance with 5 U.S.C. §§ 552a(j)(2) and (k)(2). BSA Reports may only be re-disseminated in strict accordance with guidelines established by the Financial Crimes Enforcement Network (FinCEN), the Treasury bureau that administers the BSA. Suspicious Activity Reports, one of the types of required reports filed under the BSA, are required to be kept confidential in accordance with 31 U.S.C. § 5318(g)(2) and implementing regulations. To the extent information falling under the purview of the BSA is collected, accessed, or used for any Federal tax administration purpose, it is also subject to the confidentiality provisions of the Internal Revenue Code, codified at 26 U.S.C. § 6103.

Basic // Specified


Budget

Related to information concerning the federal budget, including authorizations and estimates of income and expenditures.

Specified


Comptroller General

Concerning the Officer of the United States Government who is charged with duties relating to fiscal affairs, including auditing, examining accounts, and reporting the financial status of the United States Government.

Basic // Specified


Consumer Complaint Information

Related to information concerning consumer complaints or inquiries concerning financial institutions or consumer financial products and services, and responses to them.

Specified


Electronic Funds Transfer

Relating to the computer-based systems used to perform financial transactions electronically.

Basic  


Federal Housing Finance Non-Public Information

Related to information that the Federal Housing Finance Agency (FHFA) has not made public that is created by, obtained by, or communicated to an FHFA employee in connection with the performance of official duties, regardless of who is in possession of the information, including confidential supervisory information. Confidential supervisory information includes FHFA reports of examination, inspection and visitation, confidential operating and condition reports, and any information derived from, related to, or contained in such reports, or gathered by FHFA in the course of any investigation, suspicious activity report, cease-and- desist order, civil money penalty enforcement order, suspension, removal or prohibition order, or other supervisory or enforcement orders or actions taken under the Federal Housing Enterprises Financial Safety and Soundness Act of 1992, and other conditions as set forth in 12 CFR Part 1214.1.

Basic


Financial Supervision Information

Related to information connected to an agency's responsibilities to supervise, examine, and evaluate a financial institution.

Basic


General Financial Information

Related to the duties, transactions, or otherwise falling under the purview of financial institutions or United States Government fiscal functions. Uses may include, but are not limited to, customer information held by a financial institution.

Basic // Specified


International Financial Institutions

Relating to entities that provide financial services for its clients or members, and were established (or chartered) by more than one country, and hence are subjects of international law.

Basic


Mergers

Relating to methods by which corporations legally unify ownership of assets formerly subject to separate controls.

Basic


Net Worth

Related to the net worth of an individual and/or their affiliates in certain administrative proceedings.

Specified


Retirement

Related to post-employment funding provided by an employer.

Basic

Immigration



This is not a CUI category


Asylee

Related to refugee applications and associated hearings to grant asylum to foreign nationals in the United States to be recognized as asylees.

Basic


Battered Spouse or Child

Related to information within applications and associated hearings provided by, or that could identify, a battered spouse or child of a US citizen or US permanent resident seeking independent protected status within the United States.

Basic


Permanent Resident Status

Related to applications and associated hearings to grant permanent residency to foreign nationals living in the United States.

Basic


Status Adjustment

Related to applications for the adjustment of immigration status.

Basic


Temporary Protected Status

Related to findings that conditions in a given country pose a danger to personal safety due to ongoing armed conflict or an environmental disaster and persons should receive special temporary status to remain in the United States.

Basic


Victims of Human Trafficking

Related to identifiable information of persons who have been victims of human trafficking and their family members.

Basic


Visas

Related to applications or permits to enter the United States.

Basic

Intelligence



This is not a CUI category


Agriculture

Information related to the agricultural operation, farming or conservation practices, or the actual land of an agricultural producer or landowner.  

Specified


Foreign Intelligence Surveillance Act

 Related to unclassified and declassified information that is collected from unconsenting individuals under the authority of the Foreign Intelligence Surveillance Act (FISA).

Specified


Foreign Intelligence Surveillance Act Business Records

Related to books, records, papers, documents, and other items produced for an investigation to obtain foreign intelligence information.

Specified


General Intelligence

Related to intelligence activities, sources, or methods.

Basic // Specified


Geospatial Intelligence (GEOINT) 

This type of CUI relates to special imagery, imagery intelligence, or geospatial intelligence information produced by or on behalf of the National Geospatial-Intelligence Agency (NGA). The NGA identifies a select group of sensitive, unclassified intelligence imagery or geospatial intelligence information and data created or distributed by NGA or information, data, and products derived from such information.  

Basic // Specified


Intelligence Financial Records

Related to financial records obtained for intelligence or counterintelligence activity, investigation, or analysis.

Specified


Internal Data

Refers to a category of information that is not intended to be disseminated beyond CIA channels that involves intelligence activities, sources, or methods. This information may also relate to the CIA's organization, functions, names, official titles, salaries, or numbers of personnel.

Basic // Specified

International Agreements



This is not a CUI category


International Agreement Information

Information provided by, otherwise made available by, or produced in cooperation with, a foreign government or international organization that requires protection pursuant to an existing treaty, agreement, bilateral exchange or other obligation under the requirements stipulated in 10 USC 130c(b), when not subject to classification under Executive Order 13526. Title 10 USC 130c(b) may exempt this class of foreign government information from the safeguard provisions otherwise required by Executive Order 13526. Per Title 10 USC 130c(h) the following national security officials are the only ones defined by statute as able to determine such information requires control: (A) The Secretary of Defense, with respect to information of concern to the Department of Defense. (B) The Secretary of Homeland Security, with respect to information of concern to the Coast Guard, as determined by the Secretary, but only while the Coast Guard is not operating as a service in the Navy. (C) The Secretary of Energy, with respect to information concerning the national security programs of the Department of Energy, as determined by the Secretary.

Specified

Law Enforcement



This is not a CUI category


Accident Investigation

Related to information obtained during the course of an accident or incident investigation. Including but not limited to information related to wreckage, records, mail, or cargo. 

Specified


Campaign Funds

Related to information obtained in connection to an investigation into campaign finance and disclosure laws. Usage may include but is not limited to notification or investigation pertaining to financial support of a candidate for election.

Specified


Committed Person

Related to information concerning the mental condition of a person committed to a psychiatric facility.

Basic


Communications

Related to the contents of any wire, oral, or electronic communication.

Basic


Controlled Substances

Information obtained by the Drug Enforcement Administration (DEA) or in DEA investigative reports related to controlled substances.

Specified


Criminal History Records Information

Related to information collected by criminal justice agencies on individuals consisting of identifiable descriptions and notations of arrests, detentions, indictments, information, or other formal criminal charges, and any disposition arising therefrom, including acquittal, sentencing, correctional supervision, and release.

Specified


DNA

Related to hereditary material in humans that is used for law enforcement purposes.

Specified


General Law Enforcement

Related to techniques and procedures for law enforcement operations, investigations, prosecutions, or enforcement actions.

Basic


Informant

Related to the identity of a human source.

Basic // Specified


Investigation

Related to information obtained during the course of a law enforcement investigation or action, civil or criminal.

Basic // Specified


Juvenile

Related to the identity of individual juvenile youths.

Basic


Law Enforcement Financial Records

Related to financial records obtained for law enforcement purposes.

Specified


National Security Letter

Related to administrative orders sent to compel the recipients of the letters to provide information to federal investigators.

Basic


Pen Register/Trap & Trace

Related to devices used to identify incoming and outgoing telephone numbers.

Basic


Reward

Related to the identity of a recipient of a reward.

Basic


Sex Crime Victim

Related to the identity of a victim of a sex offense.

Basic


Terrorist Screening

Related to information gathering and analysis concerning possible threats or acts of a destructive nature.

Basic


Whistleblower Identity

Identity of anyone providing information relating to a legal violation or illicit or unsafe activity, including information provided by a whistleblower which could reasonably be expected to reveal the identity of a whistleblower.

Basic // Specified

Legal



This is not a CUI category


Administrative Proceedings

Adjudication of agency-related matters including, but not limited to, dispute resolution, settlements, and issuances of orders.

Basic // Specified


Child Pornography

From 18 USC 2256(8) "child pornography" means any visual depiction, including any photograph, film, video, picture, or computer or computer-generated image or picture, whether made or produced by electronic, mechanical, or other means, of sexually explicit conduct, where— (A) the production of such visual depiction involves the use of a minor engaging in sexually explicit conduct; (B) such visual depiction is a digital image, computer image, or computer-generated image that is, or is indistinguishable from, that of a minor engaging in sexually explicit conduct; or (C) such visual depiction has been created, adapted, or modified to appear that an identifiable minor is engaging in sexually explicit conduct

Specified


Child Victim/Witness

Information pertaining to a minor who was a victim, witness, or potential witness to a criminal act.

Basic  


Collective Bargaining

Defining agencies' and representatives' duty to negotiate in good faith to include disclosure of certain labor relations training and guidance materials and limiting the issuance of certain subpoenas.

Basic


Federal Grand Jury

Material obtained pursuant to a federal grand jury subpoena, which includes (1) any reference to a specific sitting grand jury; (2) any documentation or data obtained by a grand jury subpoena if disclosure of such material tends to reveal what transpired before or at the direction of the federal grand jury; (3) documentation prepared specifically for the federal grand jury; and (4) transcripts or other recordings of testimony presented to the federal grand jury.

Basic // Specified


Legal Privilege

Per 12 USC 78x: The term "privilege" includes any work-product privilege, attorney-client privilege, governmental privilege, or other privilege recognized under Federal, State, or foreign law. Per 502(g): (1) "attorney-client privilege" means the protection that applicable law provides for confidential attorney-client communications; and (2) "work-product protection" means the protection that applicable law provides for tangible material (or its intangible equivalent) prepared in anticipation of litigation or for trial.

Basic


Legislative Materials

Data related to Congress’s legislative, investigatory or oversight responsibilities of the Executive branch of the Federal government. This includes data related to proposed or pending legislation as well as inquiries submitted by Congress to Federal agencies, agency responses to those inquiries and any other information which, if disclosed, would reveal the nature and scope of Congressional inquiries.

Basic  


Presentence Report

A report, generally prepared to assist the court in determining the most appropriate sentence for a defendant. It can include an assessment of the nature and seriousness of the offense and should contain details summarizing the background information of the defendant and the crime.

Basic


Prior Arrest

Information related to previous instances of law enforcement official's apprehension and formal processing of a suspect.

Basic 


Protective Order

Stipulation that certain information that would normally fall under discovery rules will not be disclosed for specifically stated reason.

Basic // Specified


Victim

Information requiring protection of the name or other details that may identify one who was the victim of a crime.

Basic  


Witness Protection

Information related to the secretive details associated with one who has testified or may testify under circumstances that require secrecy of that individual and details pertaining to that person.

Basic // Specified

Natural and Cultural Resources



This is not a CUI category


Archaeological Resources

Related to information about the nature and location of any archaeological resource for which the excavation or removal requires a permit or other permission.

Specified


Historic Properties

Related to the location, character, or ownership of historic property.

Specified


National Park System Resources

Related to information concerning the nature and specific location of a National Park System resource that is endangered, threatened, rare, or commercially valuable, of mineral or paleontological objects within System units, or of objects of cultural patrimony within System units.

Specified

North Atlantic Treaty Organization (NATO)



This is not a CUI category


NATO Restricted

Per the United States Security Authority for NATO, Instruction 1-07, information classified as ""NATO Restricted"", the fourth level of classification under the North Atlantic Treaty, requires safeguards and protection from public release and disclosure. This category does not apply to information classified NATO Confidential, NATO SECRET or NATO COSMIC TOP SECRET.

Specified


NATO Unclassified

Per the United States Security Authority for NATO, Instruction 1-07, this is information classified as "NATO Unclassified", which may only be used for official NATO purposes and may carry administrative or dissemination limitation markings.

Specified

Nuclear



This is not a CUI category


General Nuclear

Application for patent filed under 35 U.S.C. 111(a) that includes all types of patent applications (i.e., utility, design, plant, and reissue) except provisional applications. The nonprovisional application establishes the filing date and initiates the examination process. A nonprovisional utility patent application must include a specification, including a claim or claims; drawings, when necessary; an oath or declaration; and the prescribed filing fee.

Basic // Specified


Nuclear Recommendation Material

Related to recommendations to the Secretary of Energy with respect to Department of Energy defense nuclear facilities as determined necessary to ensure adequate protection of public health and safety.

Basic


Nuclear Security-Related Information

Related to information that could be useful, or could reasonably be expected to be useful, to a terrorist in a potential attack that does not qualify as Safeguards or classified information, including the exact location and quantities of radioactive material, certain detailed design drawings, information on nearby facilities, emergency planning information, and certain assessments of vulnerability and safety analyses.

Basic // Specified


Safeguards Information

Pursuant to 42 USC 2011, et seq., and as defined in 10 CFR 73.2, SGI relates to security related information concerning the physical protection of source, byproduct or special nuclear material and the detailed security measures for facilities and information contained within security plans.

Specified


Unclassified Controlled Nuclear Information - Energy

Relating to certain design and security information concerning nuclear facilities, materials, and weapons, specific to the Department of Energy.

Basic // Specified

Patent



This is not a CUI category


Patent Applications

Application for patent filed under 35 U.S.C. 111(a) that includes all types of patent applications (i.e., utility, design, plant, and reissue) except provisional applications. The nonprovisional application establishes the filing date and initiates the examination process. A nonprovisional utility patent application must include a specification, including a claim or claims; drawings, when necessary; an oath or declaration; and the prescribed filing fee.

Basic // Specified


Inventions

An invention is any art or process (way of doing or making things), machine, manufacture, design, or composition of matter, or any new and useful improvement thereof, or any variety of plant, which is or may be patentable under the patent laws of the United States, in which the federal government owns or may own a right, title, or interest.

Basic  


Secrecy Orders

An order by the Commissioner of Patents that an invention be kept secret and to withhold the publication of an application or the grant of a patent due to national security concerns.

Basic

Privacy



This is not a CUI category


Contract Use

Stipulations for a contractor to meet before material may be used in performance of certain contracts.

Specified


Death Records

 Related to information contained within an official document issued by a public registry verifying that a person has died, with information such as the date and time of death, the cause of death, and the signature of the attending or examining physician.

Basic  


General Privacy

Refers to personal information, or, in some cases, "personally identifiable information," as defined in OMB M-17-12, or "means of identification" as defined in 18 USC 1028(d)(7).

Basic // Specified


Genetic Information

The term "genetic information" means, with respect to any individual, information about-- (i) such individual's genetic tests, (ii) the genetic tests of family members of such individual, and (iii) the manifestation of a disease or disorder in family members of such individual.

Basic // Specified


Health Information

As per 42 USC 1320d(4), "health information" means any information, whether oral or recorded in any form or medium, that (A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual.

Basic // Specified


Inspector General Protected

Related to the identity of a person making a report to the Inspector General of any Executive agency.

Basic // Specified


Military Personnel Records

Any member or former member of the armed forces or affiliated organization of the Department of Defense.

Basic


Student Records

 As per 20 USC 1232g, the Family Educational Rights and Privacy Act of 1974, an education record which is comprised of those records which are directly related to a student.

Basic // Specified

Procurement and Acquisition 



This is not a CUI category


General Procurement and Acquisition

Material and information relating to, or associated with, the acquisition and procurement of goods and services, including but not limited to, cost or pricing data, contract information, indirect costs and direct labor rates.

Specified


Small Business Research and Technology

Relating to certain "Small Business Innovation Research Program" and "Small Business Technology Transfer Program" information in a government database, as referenced in 15 USC 638(k)(2).

Specified


Source Selection

Per FAR 2.101: any of the following information that is prepared for use by an agency for the purpose of evaluating a bid or proposal to enter into an agency procurement contract, if that information has not been previously made available to the public or disclosed publicly: (Items 1-10).

Basic // Specified

Proprietary Business Information



This is not a CUI category


General Proprietary Business Information

Material and information relating to, or associated with, a company's products, business, or activities, including but not limited to financial information; data or statements; trade secrets; product research and development; existing and future product designs and performance specifications.

Basic // Specified


Ocean Common Carrier and Marine Terminal Operator Agreements

Relating to agreements between or among ocean common carriers and marine terminal operators as referenced in 46 USC 40301 and 40306.

Basic 


Ocean Common Carrier Service Contracts

Relating to an agreement for the provision of services filed with the Federal Maritime Commission as referenced in 46 USC 40502(b), 46 CFR 530.4, and/or 46 CFR 531.4(a).

Basic


Proprietary  Manufacturer

Relating to the production of a consumer product to include that of a private labeler.

Specified


Proprietary Postal

Concerning or related to the course of business of the United States Postal Service.

Basic


System for Award Management

Relating to the primary United States Government system for contractor registration and awards.

Basic 

Provisional - DHS



This is not a CUI category


Homeland Security Agreement Information

 Information DHS receives and is required to protect pursuant to an agreement with state, local, tribal, territorial, and private sector partners. DHS receives this information in furtherance of the missions of the Department, including but not limited to, support of the Fusion Center Initiative and activities for cyber information sharing consistent with the Cybersecurity Information Security Act.

Basic


Homeland Security Enforcement Information

Unclassified information of a sensitive nature lawfully created, possessed, or transmitted by DHS in furtherance of its immigration, customs, and other civil and criminal enforcement missions, the unauthorized disclosure of which could adversely impact the mission of the Department. 

Basic


Information Systems Vulnerability Information - Homeland

"a. DHS information technology internal systems data revealing infrastructure used for servers, desktops, and networks; applications name, version and release; switching, router, and gateway information; interconnections and access methods; mission or business use/need. Examples of information are systems inventories and enterprise architecture models. Information pertaining to national security systems and eligible for classification under Executive Order 13526, will be classified as appropriate.

b. Information regarding developing or current technology, the release of which could hinder the objectives of DHS, compromise a technological advantage or countermeasure, cause a denial of service, or provide an adversary with sufficient information to close, counterfeit, or circumvent a process or system. "

Basic 


International Agreement Information - Homeland

Information DHS receives and is required to protect pursuant to an information sharing agreement or arrangement with a foreign government, an international organization of governments or any element thereof, an international or foreign public or judicial body, or an international or foreign private or non-governmental organization.

Basic


Operations Security Information

Unclassified information that could constitute an indicator of U.S. Government intentions, capabilities, operations, or activities or otherwise threaten/compromise operations security. 

Basic


Personnel Security Information

Information that could result in physical risk to DHS personnel or other individuals that DHS is responsible for protecting.

Basic


Physical Security - Homeland

Assessments or reports illustrating or disclosing facility infrastructure or security vulnerabilities related to the protection of federal buildings, grounds, or property, such as threat assessments, system security plans, contingency plans, risk management plans, business impact analysis studies, and certification and accreditation documentation. 

Basic 


Privacy Information

Information referred to as Personally Identifiable Information (PII). PII embodies information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. 

Basic


Sensitive Personally Identifiable Information

"A subset of PII that, if lost, compromised or disclosed without authorization could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. Some forms of PII are sensitive as stand-alone elements.

a. Examples of stand-alone PII include: Social Security Numbers (SSN), driver's license or state identification number; Alien Registration Numbers; financial account number; and biometric identifiers such as fingerprint, voiceprint, or iris scan.

b. Additional examples of SPII include any groupings of information that contain an individual's name or other unique identifier plus one or more of the following elements:

1) Truncated SSN (such as last four digits)

2) Date of birth (month, day, and year)

3) Citizenship or immigration status

4) Ethnic or religious affiliation

5) Sexual orientation

6) Criminal history

7) Medical information

8) System authentication information such as mother's maiden name, account passwords, or personal identification numbers.

c. Other PII may be ""sensitive"" depending on its context, such in as a list of employees and their performance rating(s) or an unlisted home address or phone number. In contrast, a business card or public telephone directory of agency employees contains PII, but is not sensitive. "

Basic

Statistical



This is not a CUI category


Investment Survey

Information reported to Treasury, the Federal Reserve Board of Governors, or the Federal Reserve Banks as part of the Treasury International Capital (TIC) data reporting system.

Basic 


Pesticide Producer Survey

Related to the data gathered regarding the production of pesticides that specifies the non-disclosure of the identity and location of individual producers.

Basic


Statistical Information

Refers to information collected by a Federal statistical agency, unit, or program for statistical purposes or used for statistical activities; under law, regulation, or Government-wide policy such 'Statistical' CUI requires: (1) protection from unauthorized disclosure; (2) special handling safeguards; and/or (3) prescribed limits on access or dissemination.y employees contains PII, but is not sensitive. 

Basic // Specified


US Census

Related to information gathered by the Bureau of the Census during the process of collecting, compiling, evaluating, analyzing of demographic, economic, and social data pertaining at a specified time to any or all persons in the United States and dissemination is limited to those with special sworn status, who may only use the data for statistical purposes and only for those statistical purposes for which the data was supplied. 

Specified

Tax



This is not a CUI category


Federal Taxpayer Information

Related to returns and return information which are submitted, gathered or generated in conjunction with taxpayers’ responsibilities to comply with federal tax provisions in the United States Code. “Returns” includes information that is provided to the government pursuant to Title 26, including tax or information returns, declarations of estimated tax or claims for refund. “Return information” includes a taxpayer’s identity, the nature, source or amount of income or any information received by, recorded by, prepared by or furnished to Internal Revenue Service relevant to the determination of tax liability including whether the taxpayer is the subject of investigation. This protection extends to such items as medical, financial and other personal information submitted to the IRS by taxpayers. Standards (typically tolerances, audit criteria and law enforcement techniques) related to the selection of returns for examination should only be disclosed to the extent their disclosure would not impair assessment, collection or enforcement under the internal revenue laws. Tax data originating with the IRS generally retains its confidential status even when it resides with agencies other than the IRS.

Specified


Tax Convention

Related to any--(A) agreement entered into with the competent authority of one or more foreign governments pursuant to a tax convention, (B) application for relief under a tax convention, (C) background information related to such agreement or application, (D) document implementing such agreement, and (E) other information exchanged pursuant to a tax convention which is treated as confidential or secret under the tax convention. Tax convention information originating with the IRS generally retains its confidential status even when it resides with agencies other than the IRS.

Basic


Taxpayer Advocate Information

A local taxpayer advocate (LTA) has the discretion to not disclose to the IRS contact with, or information provided by, a taxpayer. Such discretion may result in declinations of requests for information by IRS personnel including cases involving criminal tax investigations or those where the failure to provide information to the IRS would be beneficial to the taxpayer but to the detriment of the IRS. Such discretion does not extend to cases where the LTA believes a taxpayer is using the Taxpayer Advocate’s office to perpetuate a fraud on the government or in cases where the information is sought in litigation.

Basic


Written Determinations

Rulings, determination letters, technical advice memoranda or Chief Counsel Advice, as those terms are defined in Treasury Regulation 301.6110-2, which are made available for public inspection subject to the withholding of certain types of data as enumerated in Treasury Regulation 301-6110.

Specified

Transportation



This is not a CUI category


Railroad Safety Analysis Records

Related to the establishment, implementation, or modification of a railroad safety risk reduction program or pilot program, if the record is: (1) Supplied to the Secretary (of Transportation) pursuant to that safety risk reduction program or pilot program; or (2) made available for inspection and copying by an officer, employee, or agent of the Secretary pursuant to that safety risk reduction program or pilot program.

Basic


Sensitive Security Information

As defined in 49 C.F.R. Part 15.5, Sensitive Security Information is information obtained or developed in the conduct of security activities, including research and development, the disclosure of which DOT has determined would constitute an unwarranted invasion of privacy, reveal trade secrets or privileged or confidential information, or be detrimental to transportation safety. As defined in 49 C.F.R. Part 1520.5, Sensitive Security Information is information obtained or developed in the conduct of security activities, including research and development, the disclosure of which DHS/TSA has determined would, among other things, be detrimental to the security of transportation.

Specified

Operation Security (OPSEC)

*DoD Added*





Security Classification & Declassification Guides

This Defense CUI type addresses the information related to identification, safeguarding, dissemination, and decontrol requirements covered in the security classification guides (SCG) through its classification and declassification determination processes. It provides the necessary protection measures and particular levels of security classification for the DoD Components to protect and control CUI identified in the SCGs, including information on known capabilities, limitations, and vulnerabilities, limited dissemination controls, and decontrol measures, and procedures to ensure DoD’s enhanced capabilities and superiority within the warfighter realm. General or some specific processes applied, system/network monitoring techniques, DoD specific materials or equipment, and the overarching CUI procedures used in the development, maintenance, or upgrading of DoD resources, supplies, and apparatuses. This type of information is subject to export control regulations.

Basic


Agricultural & Health Operations

Information related to the agricultural operation, farming or conservation practices, or the actual land of an agricultural producer or landowner. Additionally, information about nutritional requirements, immmunizations, vaccines, service providers/suppliers, veternary services, MRE information, & others.

Basic


Applied Research & Development

This Defense CUI type consists of information resulting from the extension of fundamental theories, designs, and data from purely theoretical or experimental investigation into possible defense applications. This type of CUI moves concepts and ideas from the imagination into the realm of the possible. It includes the actual research, construction, and testing of prototypes and such design changes affecting qualitative performance as may be required during service life of the item. Engineering data, general operational requirements, various notional drawings, project and model concepts as well as the military features required to adopt the item for prototyping and production. The authorities establish export-controlled technical data/technology associated with this category. 

Basic


Combined Military Operations, Planning, and Readiness 

This Defense CUI type addresses the information related to policies and procedures necessary to the organization, training, and employment of military, paramilitary, or irregular forces within the information operations realm to include: Joint Operations, Coalition Operations, and other related areas. It includes non-specific technical data and procedures necessary to conduct individual and organization level activities supporting these types of missions and functions. General or some specific methodologies and techniques used, overarching strategy and doctrine, and the principal procedures used by commands for force deployments. Example 1: Agreements with host-nation hospitals or medical centers to ensure members of the Armed Forces and covered beneficiaries have access, within a reasonable distance, to quality healthcare, including case management and translation services. Data about installations located within a territory under the jurisdiction of, or of a direct concern to, a recipient foreign government or international organization, and information contained in unclassified training manuals and most joint publications.This information is subject to export control regulations.

Basic


CyberSecurity // Defense Information and Systems Vulnerability Information

This Defense CUI type addresses the information related to tactics, techniques, and tactical necessary to protect (secure and defend) the DoD information network and systems. It includes only non-specific technical data, the specific documents used in conducting assessments and inspections of systems and networks (Command Cyber Readiness Inspections – CCRIs; Network Scans; CMMC; etc.), training techniques, and tactical procedures necessary to operate and maintain individual and networks, systems, and supporting software. General or some specific methodologies, system/network monitoring techniques, and the overarching procedures used in assessment and certification of cyber components contained in unclassified training manuals and joint publications, and authorities assume there is export-controlled technical data/technology associated with this category. May also include incident handling procedures, information relating to cyber security incidents, etc. 

Basic


Defense Critical Infrastructure and Mission Assurance Security Information

This Defense CUI type would include information, if disclosed, would reveal vulnerabilities in the DoD critical infrastructure and mission assurance security posture and practices, if exploited, would likely result in the significant disruption, decontrolling, or damage of or to DoD operations, property, or facilities. Information regarding the securing and safeguarding of explosives, hazardous chemicals, or pipelines, related to critical infrastructure or protected systems owned or operated on behalf of the DoD. Some examples would include policies and practices related to COG, High Value personnel, and COOP.

Basic


DoD Critical Infrastructure Protection Program (DCIP)

This Defense CUI type would include information, if disclosed, would reveal threats, hazards, and known vulnerabilities within the DoD to assets, systems, and capabilities, if exploited, would likely have a significant impact resulting in a substantial degradation or failure of or to DoD operations and functions. Information gathered from open sources on threats, historical hazard data, publicly available imagery, etc. This also include names, locations, or other open source data or information related to defense critical assets - not directly linked to missions supported.  

Basic


DoD Mission Assurance Information (MA)

This Defense CUI type would include information, if disclosed, would reveal risk management strategies applied to DoD Mission Assurance posture and practices, if exploited, would likely result in the significant impact or damage to DoD operations or functions resulting in mission or function degradation or failure. Proposed response measures taken to mitigate or remediate vulnerability assessment findings and intelligence collected to include those prepared by or on behalf of the DoD and other site-specific or asset-specific information without direct disclosure of correlated missions or functions; (e.g. benchmarks used in assessment; the criteria applied during Command Cyber Readiness Inspections (CCRI); self-inspection forms; Joint Mission Assurance Assessments); NIST SP 800-171 Compliance Inspections and processes (e.g., CMMC). 

Basic


DoD National Security Review, Recommendation Information, and Other Department's CUI Related to: International Transfers, Export Control Violations, and Foreign Investments in the U.S. 

This Defense CUI relates to information generated during the Department's national security review of international transfers of emerging technologies, dual use, and military items (articles, information, and services), export control violations, and Committee on Foreign Investments in the U.S. (CFIUS) cases. Information generated through the Department's review of: 1) export license applications & other export authorization or advisory requests for dual use and munitions items, commodity jurisdictions, voluntary and involuntary disclosures; 2) international transfers (including, but not limited to transfers through security cooperation and assistance, defense institution building,research, development and production cooperation); 3) export controls; 4) assessments supporting law enforcement and prosecution of export control violations; 5) technology security, and disclosure policy reviews; and, 6) CFIUS cases. Such CUI includes Agency and Department deliberations and positions, information regarding: U.S. warfighter, foreign partner, individual company, or U.S. industrial base vulnerabilities; foreign and national security policy deliberations that could impact foreign partner relationships; export-controlled technology and technical data; and business competition-sensitive or business proprietary information. Export authorization requests and CFIUS case information are protected by statute.               

Basic


Enterprise Force Structure

This Defense CUI type addresses electronic or digitized or any other graphical hierarchical representation of DoD organizations, both military and civilian, to include points of contact data and information generated and shared from the organizational servers for DoD-wide integration and use. It must be in compliance with and documented in accordance with DoD governance. Composition of DoD organizations, both military and civilian, comprising and supporting U.S. defense forces as specified by the National Defense Authorization Acts of current and applicable previous years, and defines the organizational hierarchy through which leadership authorities are exercised. 

Basic


Foreign Humanitarian Assistance

This Defense CUI type would include information, if disclosed, would reveal threats, hazards, and known vulnerabilities within the DoD to assets, systems, and capabilities, if exploited, would likely have a significant impact resulting in a substantial degradation or failure of or to DoD operations and functions. Information gathered from open sources on threats, historical hazard data, publicly available imagery, etc. This also include names, locations, or other open source data or information related to defense critical assets - not directly linked to missions supported.  

Basic


Geodetic Product Information   

Related to imagery, non-intelligence imagery, or other geospatial information.

Basic


Information Operations

This Defense CUI type addresses the information related to tactics, techniques, and tactical doctrine necessary to the organization, training, and employment of military, paramilitary, or irregular forces within the information operations realm to include: PSYOPS; MILDECEP; SPECWAR; Interrogation; Rules of Engagement; Cyberspace operations; Electronic Warfare; Military information support operations; OPSEC; Intelligence; Influence activities; and other related areas. It includes non-specific technical data, training techniques, and tactical procedures necessary to conduct individual and organization level activities supporting these types of missions and functions. General or some specific methodologies and techniques used, overarching strategy and doctrine, and the principal procedures used by commands contained in unclassified training manuals and joint publications and May include information operations in OCONUS MTFs. Example 1: Agreements with host-nation hospitals or medical centers to ensure that members of the Armed Forces and covered beneficiaries have access, within a reasonable distance, to quality healthcare, including case management and translation services. 

Basic


International Transfers and Foreign Investment 

This CUI category is information generated during the Department's development, negotiations, conclusion, and review of DoD, and other USG international agreements with one or more foreign governments or international organizations (including their agencies, instrumentalities, or political subdivisions). The concluded (signed) unclassified agreement itself is not CUI unless it contains Foreign Government Information that is requested by the originating authorities to remain protected, or is marked "RESTRICTED," and therefore not releasable to the public. This CUI category does not include information generated during implementation of the international agreement. Such information may be CUI described in other categories, for example, Foreign Government Information, or export-controlled technical data or technology. This CUI includes Department and other USG agency deliberations, positions, and recommendations, such as: vulnerabilities of U.S. warfighters, the USG, the foreign partners, individual companies, or the U.S. industrial base; foreign and national security policy deliberations that could impact foreign partner relationships; and export-controlled technology and technical data.  

Basic


Materiel, Armaments, Vehicles, Equipment, & Munitions

This Defense CUI type covers the information related to unclassified specific numbers and types of defense materiel, armaments, vehicles, equipment, and munitions procured and controlled by the U.S. military for equipage, operation, maintenance, training, and support of its military forces or military, irregular, or paramilitary forces of its allies. Scientific, technical, or engineering data and training information necessary to operate, maintain, or support specific defense materiel, armaments, vehicles, equipment, or munitions. Numbers and types of items developed by U.S. private interests as a result of U.S Government contracts or derived from technology paid for by or under the control of the U.S. Government are included within this Defense CUI type. There is export-controlled technical data/technology associated with this category.  

Basic


Military Intelligence

This Defense CUI type relates to unclassified intelligence activities, sources, and methods used in gathering data and information of a military nature. Initial or general information gathered, raw data, and non-specific or processed intelligence collected related to military operations. Additionally, this applies to funding sources for intelligence or special activities.

Basic


Patent Applications with Secrecy Orders

This Defense CUI addresses information related to patent applications with Secrecy Orders. A Secrecy Order is an order by the Commissioner of Patents requiring an invention be kept secret and the application or grant of a patent be withheld from publication due to national security concerns. Unclassified patent applications might (in the case of DoD patent applications) or would (in the case of third party applications) be detrimental to national security if disclosed.  

Basic


Personnel Security Screening Requirements and Procedures 

This Defense CUI type relates to evaluating eligibility or screening individuals for national security or occupancy of a sensitive position. The DoD CAF relies on many databases when evaluating eligibility or screening individuals for national security or occupancy of a sensitive position. The CAF also adjudicates special populations requiring addition vetting. In addition to databases, the CAF also used independent medical evaluations to vet and screen personnel as warranted.  

Basic


Production

This Defense CUI type addresses manufacturing, construction, and assembly data and information including know-how, techniques, and processes required to produce or substantially upgrade defense materiel, armaments, and munitions. It includes information related to the engineering processes or techniques resulting in the sets of instructions for transforming natural substances into useful materials (metals, plastics, combustibles, etc.) or fabricating materials into aerodynamic, mechanical, electronic, hydraulic, or pneumatic systems, subsystems and components. Drawings, process sheets, wiring diagrams, procedural instructions, test protocols, testing results, and other supporting documentation.

Basic


Tactics, Techniques, Procedures, and Tactical Doctrine

This Defense CUI type contains the information related to tactics, techniques, and tactical doctrine necessary to the organization, training, and employment of military, paramilitary, or irregular forces from a general basis to include rules of engagement, interrogation methods, etc. It includes only non-specific technical data, training techniques, and tactical procedures necessary to operate and maintain individual and organizational items of military materials, armaments, vehicles, and munitions. Operational specific methodologies, sequencing of events, and strategy information contained in unclassified training manuals and most joint publications and subject to export control.

Basic

Official DoD CUI Registry (you must have a DOD issued CAC to access)

 https://intelshare.intelink.gov/sites/ousdi/hcis/sec/icdirect/information/CUI/Forms/AllItems.aspx