CUIControlled Unclassified Information
Government-created or -owned information that requires safeguarding controls per law, regulation, or government-wide policy, but is not classified.
In-Depth
CUI replaced a patchwork of agency-specific markings (FOUO, SBU, LES, etc.) with a single standardized system under Executive Order 13556 and 32 CFR Part 2002. The CUI Registry maintained by NARA defines over 100 categories and subcategories. For defense contractors, CUI protection requirements are specified in NIST SP 800-171 and enforced through DFARS 252.204-7012. Mishandling CUI can result in contract termination, False Claims Act liability, and debarment.
Related Terms
FCI
Information not intended for public release that is provided by or generated for the government under a contract to develop or deliver a product or service.
NIST SP 800-171
The NIST standard specifying 110 security requirements for protecting CUI in non-federal systems. Forms the basis of CMMC Level 2 and DFARS 252.204-7012 compliance.
DFARS
DoD-specific supplement to the FAR that implements defense acquisition policies, including cybersecurity clauses like DFARS 252.204-7012 for CUI protection.
CUI Registry
The official online repository maintained by NARA listing all CUI categories, subcategories, and the laws or policies authorizing their protection.
CUI Marking
The required banner and portion marking standards for CUI documents, including category indicators, dissemination controls, and designation indicators.